Cisco PIX obstructs anti-spam protocol

Three bugs in older software versions of Cisco PIX security appliances may jointly cause emails with headers signed using Domainkeys Identified Mail (DKIM, RFC 4871) to be rejected. The software contains a module which monitors SMTP transactions and overwrites potentially malicious commands (smtp protocol fixup). Due to three parser bugs, DKIM headers may be overwritten in the process. Interestingly, Cisco is one of the supporters of DKIM.

The sending server’s mail admin will recognise the effects of the bug as lost connections and messages getting stuck in the queues as a result. Those responsible for PIX on the receiving end will find an increased number of

SMTP: Multiple Content-Type headers!

messages, provided that ESMTP debugging is activated.

According to Jim Fenton, who among other things deals with DKIM at Cisco, all three bugs were fixed in versions 7.2(2.19) and 8.0(2.7) of the PIX software. As is customary at Cisco, registered users can download the update to 7.2(2.19). Version 8.0 (2.7) has so far only been available from the "Technical Assistance Center".

Many mail admins recommend disabling "smtp protocol fixup" as a matter of principle, because they regard SMTP header alterations as a potential source of problems. Jim Fenton disagrees: "Since SMTP protocol fixup enables quite a bit of protocol checking besides the Content-Type check that is the subject of these bugs, it's difficult for me to recommend that users disable it other than as a very short-term measure. I would highly recommend that customers obtain updated images and deploy them as soon as practical."

(mba)