Blocking STARTTLS on a PIX 515 (8.0.4)

My service provider just enabled TLS on their end.  Because of this, our scanning appliances do not work correctly as the SMTP channel is encrypted.  Is there a way on the PIX that I can block the STARTTLS SMTP command?  This way I don't have to do anything with my email server or service provider.  I am currently not using "inspect" for SMTP as the default policy was causing issues with my provider.  Can I set up an "inspect" policy that just blocks STARTTLS and nothing else (not even checking anything else)?

Panos Kampanakis Mon, 01/11/2010 - 17:45

On the ASA you can allow TLS in ESMTP inspection, but not actually block it. The inspection will block it by default, though.

So you have 2 options:

- enable inspection

- have an IPS or router device with FPM match on the STARTTLS command payload to block it (you need to check where that is in order to calibrate the method).

I hope it helps.
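For readers who want to see what the answer's first option looks like in configuration, here is an added example (not posted by either participant in this thread) of the Modular Policy Framework commands on an ASA/PIX running 7.2 or 8.0 software. The policy-map names `esmtp-no-tls` and `esmtp-allow-tls` are made up for this example; `global_policy` and `inspection_default` are the usual factory-default names but should be confirmed against the running configuration. The default ESMTP inspection parameters do not allow TLS, which is why simply enabling `inspect esmtp` keeps the session in the clear; `allow-tls` is shown only for contrast, since it is the one TLS-related knob and it permits rather than blocks encrypted sessions.

```cisco
! Added example, not from the original thread. Names are assumptions.
!
! Option A (the answer's option 1): enable ESMTP inspection with its
! default parameters. TLS is not allowed by default, so STARTTLS does
! not get through and the scanning appliance sees cleartext SMTP.
policy-map type inspect esmtp esmtp-no-tls
 parameters
  no mask-banner
!
! Attach it to the global service policy (default names assumed).
policy-map global_policy
 class inspection_default
  inspect esmtp esmtp-no-tls
!
! Option B, for contrast only: allow-tls permits encrypted sessions
! (optionally logging them). There is no "block STARTTLS" keyword;
! blocking is the absence of allow-tls.
policy-map type inspect esmtp esmtp-allow-tls
 parameters
  allow-tls action log
!
! Verify which ESMTP policy is active and that sessions are inspected.
show running-config policy-map
show service-policy inspect esmtp
```

Two caveats from a defender's point of view. First, Option A still applies every other default ESMTP check (command whitelisting, banner masking, length limits), which is exactly what the original poster said broke mail with the provider; the thread does not identify a policy that blocks only STARTTLS. Second, suppressing STARTTLS only works for opportunistic TLS: a sending MTA configured for mandatory TLS will refuse to deliver rather than fall back to cleartext, so test delivery from the provider after the change.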
