PIX ESMTP Application Inspection

Unanswered Question
Apr 9th, 2007

As per the PIX 7.2(2) Cisco Command Line Configuration Guide document,

ESMTP inspection detects attacks, including spam, phishing, malformed message attacks, buffer overflow/underflow attacks. It also provides support for application security and protocol conformance, which enforce the sanity of the ESMTP messages as well as detect several attacks, block senders/receivers, and block mail relay.

-> 1. How does a PIX appliance work to detect abnormal packets?

What kind of interrelation is there between the parameters below and the PIX functions (detecting attacks including spam, phishing, malformed attacks, buffer overflow/underflow attacks)?

- configure mail relay
- body line length
- command line length
- Sender address length
- command recipient count
- MIME file length

-> 2. If a PIX is configured with the default inspection policy (the factory default), is it possible that the PIX blocks a packet through default inspection?

(I didn't change any application inspection config on the PIX. The PIX appliance has the factory default inspection config.)

Could you tell me whether a packet going through a PIX is denied by the default inspection policy or not?

Additionally, I'm wondering whether ESMTP commands (AUTH, EHLO, DATA, HELO, NOOP, etc.) are restricted or not in the default ESMTP inspection policy.

-> 3. If a PIX is configured as below (factory default), which type of packet (inbound or outbound) will be affected by the default inspection rule?

policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global

(Will outgoing SMTP or ESMTP packets be affected by a PIX if there is no mail server in the inside network zone?)

-> 4. Could you let me know the proper parameter values for an ESMTP inspection policy, or recommended values for various environments, case by case?

What needs to be known or considered when setting up an ESMTP inspection configuration?

thomas.chen Mon, 04/16/2007 - 06:45

If you use Transport Layer Security (TLS) encryption for e-mail communication then the ESMTP inspection feature (enabled by default) in the PIX drops the packets. In order to allow the e-mails with TLS enabled, disable the ESMTP inspection feature as this output shows.

pix(config)#policy-map global_policy
pix(config-pmap)#class inspection_default
pix(config-pmap-c)#no inspect esmtp
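One way to confirm the symptom described in the answer above, before and after changing the inspection policy (an added example, not part of the original thread): the script parses an SMTP reply transcript and reports whether STARTTLS is still advertised along the path. It assumes the firewall masks the greeting banner with asterisks and overwrites disallowed EHLO keywords with X characters; the sample transcripts, host names and function names are constructed for illustration.

```python
import re

# Assumption (not stated on the page): an inspecting firewall overwrites the
# 220 banner with '*' (leaving only '2'/'0') and disallowed EHLO keywords with 'X'.
MASKED_BANNER = re.compile(r"^(?=.*\*{4})[*02 ]+$")
MASKED_KEYWORD = re.compile(r"^X{4,}[A-Z]?$")
REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

# Constructed sample transcripts (server replies only), not captured traffic.
INSPECTED = """220 ********************************
250-mail.example.test Hello
250-SIZE 10485760
250-XXXXXXXA
250 8BITMIME"""
DIRECT = """220 mail.example.test ESMTP ready
250-mail.example.test Hello
250-SIZE 10485760
250-STARTTLS
250 8BITMIME"""

def parse_replies(transcript):
    """Group reply lines into (code, [text, ...]) per multi-line reply."""
    replies, current = [], None
    for raw in transcript.splitlines():
        m = REPLY_LINE.match(raw.rstrip("\r\n"))
        if not m:
            continue  # skip client commands and blank lines
        code, sep, text = m.groups()
        if current is None or current[0] != code:
            current = (code, [])
            replies.append(current)
        current[1].append(text.strip())
        if sep == " ":  # a space after the code closes a multi-line reply
            current = None
    return replies

def assess_starttls(transcript):
    """Report whether STARTTLS is still advertised and what looks rewritten."""
    out = {"banner_masked": False, "starttls": False, "masked_keywords": []}
    for code, lines in parse_replies(transcript):
        if code == "220" and MASKED_BANNER.match(lines[0]):
            out["banner_masked"] = True
        elif code == "250":
            for text in lines[1:]:  # first 250 line is the greeting
                keyword = text.split()[0].upper() if text else ""
                if keyword == "STARTTLS":
                    out["starttls"] = True
                elif MASKED_KEYWORD.match(keyword):
                    out["masked_keywords"].append(keyword)
    out["tls_likely_blocked"] = not out["starttls"] and (
        out["banner_masked"] or bool(out["masked_keywords"]))
    return out
```

Feed it the server side of an EHLO exchange captured from a mail client behind the firewall and compare with one taken on a path that bypasses it.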



