Why do other servers quit immediately when connecting to GMS?


Answer

Some firewalls are not RFC compliant. For example, customers have told us that there are problems if you are running a Cisco PIX Firewall using Mail Guard technology.

To explain, the firewall intercepts and amends the SMTP protocol exchange between the remote and local servers. In this particular case the Firewall is replacing the SMTP logon banner with a row of asterisks.

A standard SMTP banner looks like this:

220 server.gordano.com NTMail (v7.00.0018/AA0000.00.b1a028f6) ready for ESMTP transfer

and the firewall changes this to read:

220 **********************************************************************************

This is perfectly OK and simply masks out the SMTP banner.

The problem arises if the server administrator has amended the SMTP logon banner to return a multi line response. A multi line SMTP banner looks like:

220-This is my mail server
220 server.gordano.com NTMail (v7.00.0018/AA0000.00.b1a028f6) ready for ESMTP transfer

Note that the first line of the banner starts with “220-” while the second line starts with “220 ”. The space immediately after the 220 indicates it is the last line of a multi line response (as defined in RFC 821).

When the firewall tries to translate this multi line SMTP banner it only translates the 220 on the first line. The 220 on the second line is not translated by the firewall, and this causes the connection to the remote server to be immediately dropped. The SMTP banner as returned by the Cisco firewall looks like:

220-*************************************************
****************************************************************************************

This means that ANY inbound mail server (not just GMS) will wait indefinitely for the “220” followed by a space.

RFC 821 specifies how mail servers talk to each other using the SMTP protocol. Section 4.3 of this RFC gives details of how the SMTP banner should be formatted.
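
A check for the failure described above, as an added example that is not part of the original article or of Gordano's software: the Python below classifies a greeting by the reply-line rule (reply code followed by "-" for a continuation line, a space for the last line). The function names and the shortened sample banners are constructed for illustration; `read_banner` is intended for testing your own server from outside the firewall.

```python
import re
import socket

# Reply line: 3-digit code, then "-" (more lines follow) or " " (last line).
REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

def classify_banner(lines):
    """Return 'complete', 'masked', 'unterminated' or 'malformed' for a greeting."""
    for i, line in enumerate(lines):
        m = REPLY_LINE.match(line)
        if m is None:
            # A later line with no reply code: the client never sees "220 ".
            return "malformed" if i == 0 else "unterminated"
        code, sep, text = m.groups()
        if code != "220":
            return "malformed"
        if sep == " ":
            if i != len(lines) - 1:
                return "malformed"  # data after the final reply line
            # Only asterisks after the code means the banner was masked.
            return "masked" if text and set(text) == {"*"} else "complete"
    return "unterminated"  # no line with "220 " was ever received

def read_banner(host, port=25, timeout=10.0):
    """Collect greeting lines from a live server until the last line or a timeout."""
    lines = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("r", encoding="ascii", errors="replace")
        try:
            for raw in reader:
                lines.append(raw.rstrip("\r\n"))
                m = REPLY_LINE.match(lines[-1])
                if m and m.group(2) == " ":
                    break
        except socket.timeout:
            pass  # keep what arrived; classify_banner reports it as unterminated
    return lines

# Constructed samples following the banners shown in this article (shortened).
SAMPLES = {
    "single line": ["220 server.example NTMail ready for ESMTP transfer"],
    "single line, masked": ["220 ****************"],
    "multi line": ["220-This is my mail server", "220 server.example NTMail ready"],
    "multi line, mangled": ["220-****************", "************************"],
}

if __name__ == "__main__":
    for name, banner in SAMPLES.items():
        print(f"{name}: {classify_banner(banner)}")
```

A result of `unterminated` from outside the firewall, with `complete` from inside, points at the firewall rewriting the greeting rather than at the mail server.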

It should be noted here that the problem is with the firewall and not with Gordano’s software. In fact, this problem will affect ANY RFC compliant messaging system.

The only solution is to fix the software on the firewall.

A workaround for the problem can be to disable any multi line SMTP responses you have set up within Gordano’s software. This can be set from the Incoming > Miscellaneous page. NOTE: This will not solve the problem – merely mitigate the effects.

Gordano has informed Cisco of this issue with the Mail Guard software.

Keywords: CISCO, PIX, QUIT, EHLO, HELO, firewall, mail guard
