ASA and inspect esmtp

ttran

Our ASA is running code 8.0.4, and our SMTP mail, inbound and outbound, was working fine; then it broke. I checked the ASA: inspect esmtp is on by default, and this was working before. The mail library was updated and nothing is working. I researched and found that by removing inspect esmtp, mail works again. I would like to keep inspect esmtp on for security purposes but need to find a workaround. Please let me know if there is a workaround for this.

Thank you.

Accepted Solution

mkharban

Hi,

Kindly understand the functionality of 'inspect esmtp' first.

Please visit the following link for information on the same:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1719425

Assuming the receiving MTA is indicating that it supports Binary Chunking, that implies that the binary data (BDAT) verb is also supported. However, the ASA does not support the BDAT verb and will XXXX it out. When the receiving MTA gets the Xed-out command, it sends back a 500 (Unrecognized command) to the sending MTA. The sending MTA (in the case of Microsoft) then resets (RSET) the connection. This causes mail to be unable to be sent. The problem here is with the ASA. This can be clearly seen by applying captures on the outside interface of the firewall, which show replies with error code 500.

To rectify this, please make a custom esmtp policy map like the one configured in the example below:

policy-map type inspect esmtp _default_esmtp_map
 match ehlo-reply-parameter others
  mask

Please apply this policy map on the outside interface. This will ensure that esmtp inspection stays turned on while also allowing BDAT connections to pass through the firewall, masking them instead of Xing them.

Hope this helps!

Thanks,

Manish
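The failure mode Manish describes, and why masking the EHLO reply fixes it, is easier to see as a protocol exchange. The following is an added illustration written for this page; it is not Cisco code and not the ASA's implementation. It models a receiving MTA that advertises CHUNKING, a sending MTA that uses BDAT whenever CHUNKING is offered, and an inspector in the middle with two selectable behaviours taken from the thread: the default, which overwrites the unsupported BDAT verb with X's so the receiver answers 500 and the sender RSETs, and the `match ehlo-reply-parameter others` / `mask` behaviour, which X's out the CHUNKING parameter in the EHLO reply so the sender falls back to DATA. The hostnames, addresses, the inspector's verb list and the set of EHLO parameters left unmasked (`ALLOWED_EHLO_PARAMS`) are constructed assumptions for the model.

```python
"""Model of the ESMTP failure described in the accepted answer (added example).

Not Cisco code and not the ASA's implementation. The two inspector behaviours
are modelled from the thread's description: (1) overwrite a verb the inspector
does not support (BDAT) with X's, so the receiver replies 500 and the sender
RSETs; (2) mask unknown EHLO reply parameters, hiding CHUNKING, so the sender
never attempts BDAT in the first place.
"""

# Constructed EHLO reply from the receiving MTA (hostnames are placeholders).
# The final "250 CHUNKING" line is what invites the sender to use BDAT.
RECEIVER_EHLO_REPLY = [
    "250-mail.example.test Hello",
    "250-SIZE 10485760",
    "250-8BITMIME",
    "250 CHUNKING",
]

# Verbs the modelled inspector understands (assumption; BDAT is deliberately
# absent, matching the thread's statement that the ASA does not support it).
INSPECTOR_VERBS = {"EHLO", "HELO", "MAIL", "RCPT", "DATA", "QUIT", "RSET", "NOOP"}
# The receiving MTA additionally understands BDAT, since it advertised CHUNKING.
RECEIVER_VERBS = INSPECTOR_VERBS | {"BDAT"}
# EHLO parameters the modelled "others" match leaves alone (assumed set).
ALLOWED_EHLO_PARAMS = {"SIZE", "8BITMIME"}


def xout_unknown_verb(command: str) -> str:
    """Behaviour (1): overwrite an unsupported verb with X's, keeping its arguments."""
    verb, sep, rest = command.partition(" ")
    if verb.upper() in INSPECTOR_VERBS:
        return command
    return "X" * len(verb) + sep + rest


def mask_ehlo_reply(lines: list[str]) -> list[str]:
    """Behaviour (2), modelling `match ehlo-reply-parameter others` + `mask`:
    X out EHLO parameters outside ALLOWED_EHLO_PARAMS. The 250 code and the
    '-' / ' ' continuation marker are kept so the multi-line reply stays valid;
    the first line is the greeting, not a parameter, and is left untouched."""
    masked = []
    for i, line in enumerate(lines):
        code, sep, rest = line[:3], line[3:4], line[4:]
        if i == 0 or code != "250" or sep not in ("-", " "):
            masked.append(line)
            continue
        param = rest.split(" ", 1)[0]
        if param.upper() in ALLOWED_EHLO_PARAMS:
            masked.append(line)
        else:
            masked.append(code + sep + "X" * len(rest))
    return masked


def receiver_respond(command: str) -> str:
    """Receiving MTA: 354 for DATA, 250 for other known verbs, 500 otherwise."""
    verb = command.split(" ", 1)[0].upper()
    if verb == "DATA":
        return "354 Start mail input"
    if verb in RECEIVER_VERBS:
        return "250 OK"
    return "500 Unrecognized command"


def run_session(mask_ehlo: bool):
    """Drive one sending MTA through the inspector. Returns (transcript, outcome);
    transcript is a list of (side, line) tuples with side 'S' (sender) or 'R' (receiver)."""
    transcript = [("S", "EHLO sender.example.test")]
    ehlo = mask_ehlo_reply(RECEIVER_EHLO_REPLY) if mask_ehlo else list(RECEIVER_EHLO_REPLY)
    transcript += [("R", line) for line in ehlo]
    # The sender prefers BDAT whenever CHUNKING was advertised (as the thread says of Microsoft MTAs).
    chunking_offered = any(line[4:].split(" ", 1)[0].upper() == "CHUNKING" for line in ehlo[1:])
    for cmd in ("MAIL FROM:<alice@example.test>", "RCPT TO:<bob@example.test>"):
        transcript += [("S", cmd), ("R", receiver_respond(cmd))]
    body_cmd = "BDAT 12 LAST" if chunking_offered else "DATA"
    on_wire = xout_unknown_verb(body_cmd)  # what the receiver actually sees after inspection
    reply = receiver_respond(on_wire)
    transcript += [("S", on_wire), ("R", reply)]
    if reply.startswith("500"):
        # The sending MTA gives up on the transaction, as described in the thread.
        transcript += [("S", "RSET"), ("R", receiver_respond("RSET"))]
        return transcript, "failed"
    return transcript, "delivered"


def count_replies(transcript, code: str) -> int:
    """What a capture on the outside interface would show: replies starting with `code`."""
    return sum(1 for side, line in transcript if side == "R" and line.startswith(code))


if __name__ == "__main__":
    for mask in (False, True):
        transcript, outcome = run_session(mask_ehlo=mask)
        print(f"mask_ehlo={mask}: {outcome}, 500 replies seen: {count_replies(transcript, '500')}")
        for side, line in transcript:
            print(f"  {side}: {line}")
```

Running it prints both sessions: without masking, the receiver sees `XXXX 12 LAST`, replies 500 and the sender RSETs; with the EHLO parameter masked to `250 XXXXXXXX`, the sender never learns about CHUNKING, issues DATA and the message goes through. The `count_replies(..., "500")` check is the same signal Manish suggests looking for in an outside-interface capture.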


6 Replies

Manish,

You are certainly helping a lot, and thank you for the link; this is good. Just to clear up my confusion, since I have read so many different documents: do I keep inspect esmtp on the global policy and add the custom esmtp as in the example, or remove inspect esmtp and add the custom esmtp? Please let me know.

Hi,

We will have to keep only the custom inspection turned on in order to get this working. Kindly apply the same and let me know how it goes.

Hope this helps!

Thanks,

Manish

Hi Manish,

Thanks for the verification. I will apply the custom inspection as in your example. Just a note on the policy-map: the esmtp after the word inspect should not have the underscore to default, correct?

Hi,

You can alter the name as you like. I just stated that as an example.

Thanks,

Manish

Manish,

It is working. Thank you. 5 for you.
