More SMTP errors after installing new ASA

Feb 5th, 2008

Hello,


I installed a new ASA5510 in place of our old PIX515E last Thursday night. Since then, our GroupWise server has been showing a significantly higher level of deferred email. The logs are full of messages similar to the excerpts I've pasted below.


We are at a loss and trying to track down the problem. Do you have any thoughts on what might be happening?


Thanks,

- Steve Kadish


02-04-08 21:24:04 0 MSG 32517 Analyzing result file: VCCNW2/GRPWISE:\VCNY_DO\WPGATE\GWIA\result\r7a729cc.049

02-04-08 21:24:04 0 MSG 32517 Detected error on SMTP command

02-04-08 21:24:04 0 MSG 32517 Command: aol.com

02-04-08 21:24:04 0 MSG 32517 Response: 450 Host down (aol.com)

02-04-08 21:24:04 0 MSG 32518 Analyzing result file: VCCNW2/GRPWISE:\VCNY_DO\WPGATE\GWIA\result\r7a734a1.018

02-04-08 21:24:04 0 MSG 32518 Detected error on SMTP command

02-04-08 21:24:04 0 MSG 32518 Command: millerscott.com

02-04-08 21:24:04 0 MSG 32518 Response: 421 secure00.secure-transact.net: SMTP command timeout - closing connection


02-04-08 21:42:42 6 DMN: MSG 32591 Send Failure: 421 calmail.berkeley.edu: SMTP command timeout - closing connection


02-04-08 21:56:22 7 DMN: MSG 32624 Send Failure: 450 Host down (hvc.rr.com)

02-04-08 21:57:11 33 DMN: MSG 32707 Send Failure: 421 Exceeded allowable connection time, disconnecting.


rstevek Tue, 02/05/2008 - 09:31

Hi all,


I found the information below in a Cisco.com knowledgebase article. Turning off inspect for ESMTP solved our problem; as soon as it was off, our mail server started sending and receiving the deferred mail. However, I'm not sure what the consequences of turning off the inspection are; could this introduce some other problems or security holes?


Thanks,

- Steve


SMTP TLS Configuration

Note: If you use Transport Layer Security (TLS) encryption for e-mail communication then the ESMTP inspection feature (enabled by default) in the PIX drops the packets. In order to allow the e-mails with TLS enabled, disable the ESMTP inspection feature as this output shows.


pix(config)#policy-map global_policy

pix(config-pmap)#class inspection_default

pix(config-pmap-c)#no inspect esmtp

pix(config-pmap-c)#exit

pix(config-pmap)#exit


markisaac Tue, 07/01/2008 - 12:47

Steve,


Thank you for posting this. This resolved my issue with TLS.
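
An added example, not part of any post in this thread: a small Python parser for GWIA log lines in the format of the excerpt in the first post, tallying deferred sends by SMTP reply code and failure type so the rate can be compared before and after a firewall change. The sample lines are constructed, and reading the `Command:` field as the destination domain is an assumption drawn from that excerpt.

```python
import re
from collections import Counter

# Constructed sample lines in the GWIA log format shown in the first post.
SAMPLE_LOG = """\
02-04-08 21:24:04 0 MSG 32517 Detected error on SMTP command
02-04-08 21:24:04 0 MSG 32517 Command: aol.com
02-04-08 21:24:04 0 MSG 32517 Response: 450 Host down (aol.com)
02-04-08 21:24:04 0 MSG 32518 Command: example.org
02-04-08 21:24:04 0 MSG 32518 Response: 421 mx.example.org: SMTP command timeout - closing connection
02-04-08 21:42:42 6 DMN: MSG 32591 Send Failure: 421 mail.example.edu: SMTP command timeout - closing connection
02-04-08 21:57:11 33 DMN: MSG 32707 Send Failure: 421 Exceeded allowable connection time, disconnecting.
"""

# date, time, thread number, optional "DMN:" tag, message id, field, value
LINE = re.compile(
    r"^(?P<date>\d\d-\d\d-\d\d) (?P<time>\d\d:\d\d:\d\d) \d+ (?:DMN: )?"
    r"MSG (?P<msg>\d+) (?P<field>Command|Response|Send Failure): (?P<text>.*)$"
)

def classify(text):
    """Map an SMTP reply line to a coarse failure category."""
    low = text.lower()
    if "timeout" in low or "connection time" in low:
        return "timeout"
    if "host down" in low:
        return "host_down"
    return "other"

def parse_failures(log_text):
    """Return one record per 4xx/5xx reply: message id, time, code, category, domain."""
    domains, failures = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # e.g. "Analyzing result file" or "Detected error" lines
        if m["field"] == "Command":
            domains[m["msg"]] = m["text"]  # assumed to be the destination domain
            continue
        code = m["text"][:3]
        if code.isdigit() and code[0] in "45":
            failures.append({"msg": m["msg"], "when": f'{m["date"]} {m["time"]}',
                             "code": code, "category": classify(m["text"]),
                             "domain": domains.get(m["msg"])})
    return failures

def summarize(failures):
    """Count failures per (reply code, category) pair."""
    return Counter((f["code"], f["category"]) for f in failures)
```
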
