CISCO breaks DKIM on their ASA/PIX (again)
Ralf Hildebrandt
2011-12-08 08:53:19 UTC
Over the last few days I discussed SMTP delivery problems with a Czech
site which was using Postfix and a CISCO ASA with "smtp protocol
fixup" enabled.

I was able to work around the delivery problems by stripping the DKIM
headers on outgoing mails (as so often).

Some interesting info got out:

I've also discussed these results with local Cisco support and they
confirmed it's a known bug (not published) with DKIM and smtp inspection
engine in latest IOS versions.

This should be fixed in some newer IOS version (8.4(10)) which is not
public yet (latest is 8.4(2)).
--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
***@charite.de | http://www.charite.de
Rolf E. Sonneveld
2011-12-08 09:20:30 UTC
Hi, Ralf,
Post by Ralf Hildebrandt
Over the last few days I discussed SMTP delivery problems with a Czech
site which was using Postfix and a CISCO ASA with "smtp protocol
fixup" enabled.
I was able to work around the delivery problems by stripping the DKIM
headers on outgoing mails (as so often).
Do you mean a Cisco ASA/PIX firewall with 'smtp protocol fixup'
effectively blocks _any_ message carrying a DKIM-signature header?
Post by Ralf Hildebrandt
I've also discussed these results with local Cisco support and they
confirmed it's a known bug (not published) with DKIM and smtp inspection
engine in latest IOS versions.
This should be fixed in some newer IOS version (8.4(10)) which is not
public yet (latest is 8.4(2)).
I've always wondered why they call it 'smtp protocol fixup', they'd
better call it 'smtp protocol breakdown'.

/rolf
Ralf Hildebrandt
2011-12-08 09:20:03 UTC
Post by Rolf E. Sonneveld
Post by Ralf Hildebrandt
I was able to work around the delivery problems by stripping the DKIM
headers on outgoing mails (as so often).
Do you mean a Cisco ASA/PIX firewall with 'smtp protocol fixup'
effectively blocks _any_ message carrying a DKIM-signature header?
No, it's blocking SOME, but in order to make those pass, I had to
strip off the DKIM Headers, and suddenly they would go through:

# main.cf: header checks applied by the Postfix SMTP client, i.e. to outgoing mail
smtp_header_checks = pcre:/etc/postfix/no_dkim.pcre

# /etc/postfix/no_dkim.pcre: silently drop the DKIM-Signature header
/^DKIM-Signature:/ IGNORE
Post by Rolf E. Sonneveld
I've always wondered why they call it 'smtp protocol fixup', they'd
better call it 'smtp protocol breakdown'.
One really has to wonder about this.
--
Ralf Hildebrandt
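An added diagnostic, not code from the thread or from Postfix: given a message as received on the far side of the firewall, it recomputes the DKIM body hash (bh=) per RFC 6376 and reports whether the DKIM-Signature header was stripped, whether the body still hashes to what the signer recorded, or whether the body was altered in transit. It does not verify the b= signature itself (that needs the signer's DNS key); the sample message, domain and selector are constructed, and the b= value is a placeholder.

```python
import base64, hashlib, re

def canonicalize_body(body: bytes, mode: str) -> bytes:
    """RFC 6376 body canonicalization, 'simple' or 'relaxed'; bare LF is accepted."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":   # collapse WSP runs to one SP, drop trailing WSP per line
        lines = [re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t")) for ln in lines]
    elif mode != "simple":
        raise ValueError("unknown body canonicalization: " + mode)
    while lines and lines[-1] == b"":   # ignore all empty lines at the end of the body
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, mode: str, algo: str = "rsa-sha256") -> bytes:
    hasher = hashlib.sha1 if algo.endswith("sha1") else hashlib.sha256
    return base64.b64encode(hasher(canonicalize_body(body, mode)).digest())

def dkim_tags(raw_msg: bytes):
    """tag=value pairs of the first DKIM-Signature header, or None if there is none."""
    head = raw_msg.partition(b"\r\n\r\n")[0]
    for line in re.sub(rb"\r\n[ \t]+", b" ", head).split(b"\r\n"):  # unfold, then split
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"dkim-signature":
            tags = {}
            for tag in value.split(b";"):
                k, eq, v = tag.partition(b"=")
                if eq:
                    tags[k.strip().decode()] = re.sub(rb"\s+", b"", v).decode()
            return tags
    return None

def check_body_hash(raw_msg: bytes) -> str:
    """'missing' if the header is gone, else 'match'/'mismatch' for the bh= tag."""
    tags = dkim_tags(raw_msg)
    if tags is None:
        return "missing"
    body = raw_msg.partition(b"\r\n\r\n")[2]
    canon = tags.get("c", "simple/simple")
    mode = canon.split("/")[1] if "/" in canon else "simple"   # one name => simple body
    computed = body_hash(body, mode, tags.get("a", "rsa-sha256")).decode()
    return "match" if computed == tags.get("bh") else "mismatch"

def build_sample(body: bytes, c: str = "relaxed/relaxed") -> bytes:
    """Constructed message whose bh= is computed from its own body (b= is a placeholder)."""
    sig = (b"DKIM-Signature: v=1; a=rsa-sha256; c=" + c.encode() + b"; d=example.com; s=sel;\r\n"
           b"\th=from:to:subject; bh=" + body_hash(body, c.split("/")[1]) + b";\r\n\tb=PLACEHOLDER\r\n")
    return b"From: a@example.com\r\nTo: b@example.net\r\n" + sig + b"\r\n" + body
```

With a captured message saved as a file, `check_body_hash(open(path, "rb").read())` separates the two failure modes the thread describes: a stripped header ("missing") versus a body changed in transit ("mismatch").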
Robert Schetterer
2011-12-08 09:53:35 UTC
Post by Ralf Hildebrandt
Over the last few days I discussed SMTP delivery problems with a Czech
site which was using Postfix and a CISCO ASA with "smtp protocol
fixup" enabled.
I was able to work around the delivery problems by stripping the DKIM
headers on outgoing mails (as so often).
I've also discussed these results with local Cisco support and they
confirmed it's a known bug (not published) with DKIM and smtp inspection
engine in latest IOS versions.
This should be fixed in some newer IOS version (8.4(10)) which is not
public yet (latest is 8.4(2)).
So now it's public *g
There really should be a public notification by Cisco,
and we all have to look at it *grrrr
Any big mailers known for this bug?
--
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria
Jeroen Geilman
2011-12-09 18:39:18 UTC
Post by Ralf Hildebrandt
Over the last few days I discussed SMTP delivery problems with a Czech
site which was using Postfix and a CISCO ASA with "smtp protocol
fixup" enabled.
smtp fixup is evil and should have died out years ago.

People who still use it have no clue how to properly configure mail
servers - all the smtp fixup setting does is to obfuscate (i.e.
*change*) the SMTP conversation parameters: HELO name, ESMTP greeting, etc.
Don't get me wrong - I love ASAs - but they have obvious legacy burdens.
--
J.
Ralf Hildebrandt
2011-12-09 18:57:50 UTC
Post by Jeroen Geilman
Post by Ralf Hildebrandt
Over the last few days I discussed SMTP delivery problems with a Czech
site which was using Postfix and a CISCO ASA with "smtp protocol
fixup" enabled.
smtp fixup is evil and should have died out years ago.
No shit, sherlock :)
--
Ralf Hildebrandt
Jeroen Geilman
2011-12-09 19:01:45 UTC
Post by Ralf Hildebrandt
Post by Jeroen Geilman
Post by Ralf Hildebrandt
Over the last few days I discussed SMTP delivery problems with a Czech
site which was using Postfix and a CISCO ASA with "smtp protocol
fixup" enabled.
smtp fixup is evil and should have died out years ago.
No shit, sherlock :)
I am in no way implying that you did anything wrong!

It's just that I cringe every time I see this enabled and when I ask
after it the answer is usually a variant on "oh it's a security option
offered by a Cisco firewall, of course we enable it! Why not?"

Cisco themselves are mostly to blame for this by not disabling it by
default - unless they do so by now, I haven't kept up...
--
J.
Wietse Venema
2011-12-09 19:26:08 UTC
As far as I know it just "limits" the commands that you can send
to the mail server; you just have to be sure whether you are using ESMTP
or SMTP. Here's the link explaining how it works.
Well, that is how it is supposed to work.

In reality, the code has a history of bugs that manifested themselves
as email not going through or email that was corrupted in transit.

An earlier version of the CISCO DKIM bug was caused by mis-parsing
of message headers. It may be related to the current one.

Software such as firewalls that tries to understand every application
protocol on the Internet is likely to run into problems.

Wietse
Ralf Hildebrandt
2011-12-09 19:34:53 UTC
Post by Jeroen Geilman
I am in no way implying that you did anything wrong!
I wholeheartedly agree with your last posting :)
Post by Jeroen Geilman
It's just that I cringe every time I see this enabled and when I ask
after it the answer is usually a variant on "oh it's a security
option offered by a Cisco firewall, of course we enable it! Why not?"
Because it suuuuuuux.
--
Ralf Hildebrandt