11-05-2009 08:57 AM - edited 03-11-2019 09:36 AM
Our ASA is running code 8.0.4. Our SMTP mail, inbound and outbound, was working fine, then it broke. I checked the ASA: inspect esmtp is on by default, and this was working before. The mail library was updated and now nothing is working. I researched and found out that by removing inspect esmtp, mail works again. I would like to keep inspect esmtp on for security purposes but need to find a workaround. Please let me know if there is a workaround for this.
Thank you.
11-05-2009 03:36 PM
Hi,
Kindly understand the functionality of 'inspect esmtp' first.
Please visit the following link for information on the same:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1719425
Assume the receiving MTA indicates that it supports Binary Chunking, which implies that the binary data (BDAT) verb is also supported. However, the ASA does not support the BDAT verb and will XXXX it out. When the receiving MTA gets the Xed-out command, it sends back a 500 (Unrecognized command) to the sending MTA. The sending MTA (in the case of Microsoft) then resets (RSET) the connection. This causes mail to be unable to be sent. The problem here is with the ASA. This can be clearly seen by applying captures on the outside interface of the firewall: they show an error code of 500.
To rectify this please make a custom esmtp policy map like one configured in the below given example:
policy-map type inspect esmtp _default_esmtp_map
 match ehlo-reply-parameter others
  mask
Please apply this policy map on the outside interface. This will ensure esmtp inspection stays turned on while also allowing BDAT connections to pass through the firewall, masking them instead of Xing them.
Hope this helps!
Thanks,
Manish
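To make the failure sequence Manish describes concrete, here is an added example (not code from this thread, from Cisco, or from any real MTA) that models it: an ESMTP inspector that does not know the BDAT verb replaces it with X's, the receiving MTA answers 500, and the sender resets; with masking of unknown EHLO reply parameters, CHUNKING is hidden from the sender, so it falls back to DATA and the message is delivered. The sets KNOWN_EHLO_PARAMS and KNOWN_VERBS, the EHLO reply and the MTA behaviour are all assumptions constructed for the example; the last function is the check you would run over a capture, looking for an Xed-out command answered with 500.

```python
"""Constructed model of ESMTP inspection breaking BDAT, and of masking the
EHLO advertisement instead. Not ASA code; every behaviour here is an
assumption made for the example."""

# Assumption: EHLO parameters the inspector understands (modelled on the
# ehlo-reply-parameter keywords of the ASA 8.0 command reference).
KNOWN_EHLO_PARAMS = {"8BITMIME", "AUTH", "BINARYMIME", "CHECKPOINT", "DSN",
                     "ECODE", "ETRN", "PIPELINING", "SIZE", "STARTTLS", "VRFY"}
# Assumption: SMTP verbs the inspector passes through unchanged.
KNOWN_VERBS = {"EHLO", "HELO", "MAIL", "RCPT", "DATA", "RSET", "QUIT", "NOOP",
               "AUTH", "STARTTLS", "VRFY", "ETRN"}

# Constructed EHLO reply from a receiving MTA that advertises CHUNKING.
SERVER_EHLO_REPLY = [
    "250-mx.example.net Hello",
    "250-SIZE 10485760",
    "250-PIPELINING",
    "250-CHUNKING",
    "250 8BITMIME",
]


def x_out(token):
    """Replace a token with X's of the same length, as the thread describes."""
    return "X" * len(token)


def inspect_ehlo_reply(reply, mask_others):
    """Firewall pass over the EHLO reply lines (server -> client)."""
    seen = []
    for i, line in enumerate(reply):
        param = line[4:]                      # strip '250-' or '250 '
        keyword = param.split(" ", 1)[0].upper()
        if i > 0 and mask_others and keyword not in KNOWN_EHLO_PARAMS:
            seen.append(line[:4] + x_out(keyword) + param[len(keyword):])
        else:
            seen.append(line)
    return seen


def inspect_command(cmd):
    """Firewall pass over one client command (client -> server)."""
    verb, _, rest = cmd.partition(" ")
    if verb.upper() in KNOWN_VERBS:
        return cmd
    return x_out(verb) + (" " + rest if rest else "")


def receiving_mta(cmd):
    """Minimal receiving MTA: 500 for an unrecognised verb, else 250/354."""
    verb = cmd.split(" ", 1)[0].upper()
    if verb == "DATA":
        return "354 Start mail input"
    if verb in KNOWN_VERBS or verb == "BDAT":
        return "250 OK"
    return "500 5.5.1 Unrecognized command"


def send_through_firewall(mask_others):
    """Run one delivery attempt; return (outcome, transcript)."""
    transcript = []
    ehlo_seen = inspect_ehlo_reply(SERVER_EHLO_REPLY, mask_others)
    transcript.extend("S: " + line for line in ehlo_seen)
    advertised = {line[4:].split(" ", 1)[0].upper() for line in ehlo_seen[1:]}
    # A CHUNKING-capable sender prefers BDAT when the server advertises it.
    payload_cmd = "BDAT 12 LAST" if "CHUNKING" in advertised else "DATA"
    for cmd in ("MAIL FROM:<a@example.org>", "RCPT TO:<b@example.net>", payload_cmd):
        on_wire = inspect_command(cmd)
        reply = receiving_mta(on_wire)
        transcript.append("C: " + on_wire)
        transcript.append("S: " + reply)
        if reply.startswith("500"):
            transcript.append("C: RSET")      # sender gives up on this message
            return "failed", transcript
    return "delivered", transcript


def find_inspection_breakage(transcript):
    """Capture check: commands whose verb is all X's that were answered 500."""
    hits = []
    for cmd, reply in zip(transcript, transcript[1:]):
        verb = cmd[3:].split(" ", 1)[0]
        if cmd.startswith("C: ") and set(verb) == {"X"} and reply.startswith("S: 500"):
            hits.append((cmd[3:], reply[3:]))
    return hits


if __name__ == "__main__":
    for mask in (False, True):
        outcome, log = send_through_firewall(mask)
        print(f"mask others={mask}: {outcome}")
        for line in log:
            print("   ", line)
        print("    breakage:", find_inspection_breakage(log))
```

Running it prints the two transcripts side by side: without masking the BDAT line goes out as XXXX, draws a 500 and an RSET; with masking the sender never sees CHUNKING and delivers over DATA.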
11-06-2009 06:48 AM
Manish,
You are certainly helping a lot, and thank you for the link; this is good. Just to clear my confusion, since I have read so many different documents: should I keep inspect esmtp on the global policy and add the custom esmtp map as in the example, or remove inspect esmtp and add the custom esmtp map? Please let me know.
11-06-2009 09:28 AM
Hi,
We will have to keep only the custom inspection turned on in order to get this working. Kindly apply the same and let me know how it goes.
Hope this helps!
Thanks,
Manish
11-06-2009 10:01 AM
Hi Manish,
Thanks for the verification. I will apply the custom inspection like your example. Just a note on the policy-map: the esmtp name after the word inspect should not have the underscore, correct?
11-06-2009 10:45 AM
Hi,
You can alter the name according to yourself. I just stated that as an example.
Thanks,
Manish
11-10-2009 06:52 AM
Manish,
It is working. Thank you. 5 for you.