SMTP and Cisco PIX firewall

Some months ago, I configured a complete mail gateway and other services for a client. As with almost every deployment, there were things that had to be investigated, and one always learns something new.

One of the most surprising “curiosities” I found was about SMTP. When I telnetted to the SMTP gateway on port 25 from inside the intranet or from localhost, the usual welcome message was displayed. But when I did the same from the internet, I received this weird welcome string:

220 **************************************

And when I tried to issue an ESMTP command (like EHLO), the server said that it wasn’t supported. What the hell??!! It can’t be! Someone or something is changing my packets!

After some searching on Google, I discovered who the culprit was: a Cisco PIX firewall configured with the “fixup protocol smtp 25” option turned on. That was preventing internet users from authenticating and using TLS.
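A small diagnostic for the symptoms described above, added here as an example and not part of the original post: it parses a captured greeting and EHLO reply and flags the masked-banner plus rejected-EHLO pattern. The sample transcripts are constructed, and the exact "500" reply text and the 0.8 asterisk threshold are assumptions of this example.

```python
import re

REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_reply(lines):
    """Parse one SMTP reply (possibly multi-line) into (code, [text, ...])."""
    code, texts = None, []
    for line in lines:
        m = REPLY_LINE.match(line.rstrip("\r\n"))
        if not m:
            raise ValueError(f"not an SMTP reply line: {line!r}")
        code = m.group(1)
        texts.append(m.group(3))
        if m.group(2) == " ":          # "NNN " (space) marks the final line
            return code, texts
    raise ValueError("reply has no final line")

def banner_is_masked(text, threshold=0.8):
    """True when the greeting text is almost entirely asterisks (threshold assumed)."""
    text = text.strip()
    return bool(text) and text.count("*") / len(text) >= threshold

def diagnose(banner_lines, ehlo_lines):
    """Classify a greeting + EHLO reply as seen from one vantage point."""
    b_code, b_text = parse_reply(banner_lines)
    e_code, e_text = parse_reply(ehlo_lines)
    keywords = set()
    if e_code == "250":                # first line is the greeting, rest are extensions
        keywords = {re.split(r"[ =]", t.strip(), maxsplit=1)[0].upper()
                    for t in e_text[1:] if t.strip()}
    result = {
        "masked_banner": b_code == "220" and banner_is_masked(b_text[0]),
        "ehlo_rejected": e_code.startswith("5"),
        "starttls": "STARTTLS" in keywords,
        "auth": "AUTH" in keywords,
    }
    result["likely_smtp_fixup"] = result["masked_banner"] and result["ehlo_rejected"]
    return result

# Constructed sample transcripts: (greeting lines, EHLO reply lines)
INSIDE = (["220 mail.example.com ESMTP"],
          ["250-mail.example.com", "250-STARTTLS", "250-AUTH PLAIN LOGIN", "250 8BITMIME"])
OUTSIDE = (["220 **************************************"], ["500 command unrecognized"])

if __name__ == "__main__":
    print("inside :", diagnose(*INSIDE))
    print("outside:", diagnose(*OUTSIDE))
```

Running it against captures taken from both sides of the firewall shows the difference at a glance: the inside view advertises STARTTLS and AUTH, the outside view does not.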

Thank you debian-administration.org guys!