ASA and inspect esmtp

Answered Question

Our ASA is running code 8.0.4, and our SMTP mail, inbound and outbound, was working fine; then it broke. I checked the ASA: inspect esmtp is on by default, and this was working before. The mail library was updated and nothing is working. I researched and found out that by removing inspect esmtp, mail is working again. I would like to keep inspect esmtp on for security purposes but need to find a workaround. Please let me know if there is a workaround for this.

Thank you.

Correct Answer by mkharban, Thu, 11/05/2009 - 15:36

Hi,

Kindly understand the functionality of 'inspect esmtp' first.

Please visit the following link for information on the same:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1719425

Assume the receiving MTA is indicating that it supports binary chunking; that implies that the binary data (BDAT) verb is also supported. However, the ASA does not support the BDAT verb and will XXXX it out. When the receiving MTA gets the Xed-out command, it sends back a 500 (Unrecognized command) to the sending MTA. The sending MTA (in the case of Microsoft) then resets (RSET) the connection. This causes mail to fail to be sent. The problem here is with the ASA. This can be clearly seen in captures on the outside interface of the firewall, which show the error code 500.

To rectify this, please make a custom esmtp policy map like the one configured in the example below:

policy-map type inspect esmtp _default_esmtp_map
 match ehlo-reply-parameter others
  mask

Please apply this policy map on the outside interface. This will ensure that esmtp inspection stays turned on while also allowing BDAT connections to pass through the firewall, masking them instead of Xing them.

Hope this helps!

Thanks,

Manish
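To make concrete what the policy map above changes on the wire, here is an added Python model (my own, not from the thread or from Cisco): it masks every EHLO reply keyword that the inspector does not name individually, as `match ehlo-reply-parameter others` with `mask` does, and shows that a sending MTA then never sees CHUNKING and so never issues BDAT. The sample reply, the list of individually matched keywords and the length-preserving masking are my assumptions, labelled in the comments.

```python
import re

# Constructed EHLO reply from a receiving MTA (sample data, not from the thread).
SAMPLE_EHLO_REPLY = ("250-mail.example.net Hello [192.0.2.10]\r\n"
                     "250-SIZE 52428800\r\n250-PIPELINING\r\n250-DSN\r\n"
                     "250-STARTTLS\r\n250-8BITMIME\r\n250-BINARYMIME\r\n"
                     "250-CHUNKING\r\n250 HELP\r\n")

# Keywords 'match ehlo-reply-parameter' names individually; any other keyword
# falls under 'others'. Assumption: list taken from the ASA 8.0 command
# reference as I read it, not from the thread; confirm against your version.
KNOWN_PARAMETERS = {"8BITMIME", "AUTH", "BINARYMIME", "CHECKPOINT", "DSN",
                    "ECODE", "ETRN", "PIPELINING", "SIZE", "VRFY"}

_PARAM_LINE = re.compile(r"^(250[- ])([A-Za-z0-9]+)(.*)$")

def mask_ehlo_reply(reply, known=KNOWN_PARAMETERS):
    """Return the reply as the sending MTA sees it once 'others' are masked.
    The keyword is overwritten with 'X' characters of the same length, so the
    segment keeps its byte length (modelling assumption about the ASA)."""
    out = []
    for i, line in enumerate(reply.split("\r\n")):
        m = _PARAM_LINE.match(line)
        if i == 0 or not m:            # line 0 is the greeting, leave it alone
            out.append(line)
            continue
        code, keyword, rest = m.groups()
        if keyword.upper() not in known:
            keyword = "X" * len(keyword)
        out.append(code + keyword + rest)
    return "\r\n".join(out)

def advertised_extensions(reply):
    """Extension keywords a sending MTA would parse out of the reply."""
    exts = set()
    for i, line in enumerate(reply.split("\r\n")):
        m = _PARAM_LINE.match(line)
        if i > 0 and m:
            exts.add(m.group(2).upper())
    return exts

def sender_would_use_bdat(reply):
    """A CHUNKING-capable sender issues BDAT only when CHUNKING is advertised
    (RFC 3030); without it, it falls back to DATA and the 500 never happens."""
    return "CHUNKING" in advertised_extensions(reply)
```

The model also shows the catch to check before relying on `others`: it hides every keyword the inspector does not list (STARTTLS in the sample as well), not only the one behind the 500.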


Manish,

You are certainly helping a lot, and thank you for the link; this is good. Just to clear my confusion, since I have read so many different documents: should I keep inspect esmtp on the global policy and add the custom esmtp map as in the example, or remove inspect esmtp and add the custom esmtp map? Please let me know.

mkharban Fri, 11/06/2009 - 09:28

Hi,

We will have to keep only the custom inspection turned on in order to get this working. Kindly apply the same and let me know how it goes.

Hope this helps!

Thanks,

Manish

mkharban Fri, 11/06/2009 - 10:45

Hi,

You can alter the name as you like. I just stated that as an example.

Thanks,

Manish
