Re:[Repost] Mail server behind a firewall cannot perform SMTP authentication
1. Symptom: when a client on the external network reaches the mail server through the firewall,<br>that client cannot perform normal SMTP authentication, while internal users (who reach the mail server directly, without passing through the firewall) can authenticate over SMTP normally.<br>
<br>
Connecting to port 25 of the server with telnet from the external network shows a string of *************************<br>
instead of the 220 domain name (IMail xxxxxxx) NT-ESMTP Server X1 that internal users see<br>
<br>
HELO works<br>
but EHLO does not<br>
<br>
2. Cause: the firewall or router blocks Extended SMTP commands (such as EHLO and AUTH)<br>
<br>
3. Solution:<br>
<br>
1. Firewall: fixup protocol smtp 25<br>
Taking a Cisco PIX firewall as an example<br>
<br>
the configuration contains the line fixup protocol smtp 25<br>
<br>
Enter the command no fixup protocol smtp 25 and the problem goes away<br>
<br>
2. The router configuration contains ip inspect name ethernetin smtp timeout 3600<br>
Remove that line<br>
<br>
<font color="green"><br>
Appendix: original text of the IMail knowledgebase article</font><br>
<font color="blue">Question/Problem:</font> I have 'Relay for Addresses' set in SMTP Security. I understand that remote users who use IP addresses I do not List must configure their email clients to authenticate (see: IMail - SMTP authentication). However, SMTP AUTH is not working for remote users who have properly configured their email clients.<br>
<br>
<font color="blue">Answer/Solution</font>:<font color="red"> If you have a firewall or router that "inspects" the traffic on port 25, the "inspection" does not allow Extended SMTP commands (such as EHLO and AUTH) to pass properly</font>. If you disable this "inspection" or otherwise confirm that your firewall or router supports the Extended SMTP commands (ESMTP) this will allow properly configured remote users to authenticate.<br>
<br>
The following was provided by Cisco:<br>
<br>
1) Make sure that you don't have SMTP inspection configured:<br>
<br>
ip inspect name ethernetin cuseeme timeout 3600<br>
ip inspect name ethernetin ftp timeout 3600<br>
ip inspect name ethernetin h323 timeout 3600<br>
ip inspect name ethernetin http timeout 3600<br>
ip inspect name ethernetin rcmd timeout 3600<br>
ip inspect name ethernetin realaudio timeout 3600<br>
<font color="red">### The following line should not exist in your router configuration ###<br>
ip inspect name ethernetin smtp timeout 3600<br>
<br>
Removing the last line will take care of the problem. Cisco's only warning<br>
was that removing it would allow for attacks using ESMTP.</font><br>
<br>
<br>
<font color="blue">Question/Problem</font>: Users off our network, with "my server requires<br>
authentication" checked, cannot send mail through our server.<br>
<br>
<font color="blue">Answer/Solution</font>: Your firewall or proxy may not support the extended SMTP command set that is required for SMTP authentication. <br>
<br>
You can enable SMTP authentication on a Cisco PIX firewall with the command:<br>
<font color="red">"no fixup protocol smtp 25"</font><br>
It will now work correctly.
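The symptom described in the post (a masked 220 banner, HELO accepted, EHLO refused, so AUTH never gets advertised) can be confirmed from outside the firewall before anyone touches the PIX or router configuration. The following probe is an added example, not code from the post or from IMail or Cisco: it reads the greeting, sends EHLO, and classifies what came back. It assumes, as the post reports, that the firewall replaces the greeting text with asterisks, and it assumes a rejected EHLO comes back as a non-250 reply; the host names and replies used in the comments are constructed. Cisco's own warning quoted above still applies: turning the fixup off also turns off the command filtering it provided, so re-check the mail server's own relay restrictions afterwards.

```python
"""Probe an SMTP server for ESMTP/AUTH support from outside the firewall.

Added example, not from the post, IMail, or Cisco. Assumptions:
 - a firewall that rewrites the banner shows a 220 line made of asterisks
 - a blocked EHLO returns a non-250 reply (the firewall or server rejects it)
"""
import socket


def parse_reply(raw):
    """Split one SMTP reply (possibly multi-line) into (code, [text lines]).

    Each line is 'NNN-text' (more follows) or 'NNN text' (last line)."""
    lines = [ln for ln in raw.decode("ascii", "replace").splitlines() if ln.strip()]
    if not lines:
        return None, []
    code = lines[-1][:3]
    texts = [ln[4:] if len(ln) > 4 else "" for ln in lines]
    return code, texts


def analyze(banner_raw, ehlo_raw):
    """Classify the greeting and the EHLO reply; return evidence plus a verdict."""
    banner_code, banner_text = parse_reply(banner_raw)
    # Assumed firewall fingerprint: a 220 greeting whose text is only asterisks
    masked = (banner_code == "220" and bool(banner_text)
              and all(t.strip() and set(t.strip()) == {"*"} for t in banner_text))

    ehlo_code, ehlo_text = parse_reply(ehlo_raw)
    # On a 250 reply the first line is the server name; the rest are extensions
    extensions = ehlo_text[1:] if ehlo_code == "250" else []
    auth_mechs = []
    for ext in extensions:
        # Accept both 'AUTH LOGIN CRAM-MD5' and the older 'AUTH=LOGIN' spelling
        keyword, _, rest = ext.replace("=", " ", 1).partition(" ")
        if keyword.upper() == "AUTH":
            auth_mechs.extend(rest.split())

    if ehlo_code != "250":
        verdict = "esmtp_blocked"        # EHLO refused: inspection/fixup suspected
    elif not auth_mechs:
        verdict = "no_auth_advertised"   # ESMTP works, server itself offers no AUTH
    else:
        verdict = "auth_available"
    return {"banner_code": banner_code, "banner_masked": masked,
            "ehlo_code": ehlo_code, "extensions": extensions,
            "auth_mechs": auth_mechs, "verdict": verdict}


def _recv_reply(sock):
    """Read until a complete reply arrived (a line 'NNN text' rather than 'NNN-text')."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
        done = [ln for ln in buf.split(b"\r\n")[:-1]
                if len(ln) >= 4 and ln[3:4] == b" "]
        if done:
            break
    return buf


def probe(host, port=25, timeout=10):
    """Run the real exchange against host:port (run this from the outside)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = _recv_reply(s)
        s.sendall(b"EHLO probe.example.invalid\r\n")  # constructed client name
        ehlo = _recv_reply(s)
        s.sendall(b"QUIT\r\n")
    return analyze(banner, ehlo)


if __name__ == "__main__":
    import sys
    # usage: python probe_esmtp.py mail.example.com  (constructed host name)
    print(probe(sys.argv[1]))
```

Run it once from an internal host and once from the Internet; if the internal run reports `auth_available` and the external run reports `banner_masked` with `esmtp_blocked`, the device in between is the one rewriting the session, exactly the situation the post describes.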