Exchange 2007 in DMZ and ESMTP inspection

Answered Question
Aug 16th, 2010

Hello,

We are upgrading from an old Exchange 2003 server to Exchange 2007.  We are not a large organization so we're using a 2 server model, edge transport in the DMZ and all other functions on another server on the inside network.  During testing we are finding we are unable to send mail as long as the default inspection policy on our ASA is applied to esmtp.  As soon as I disable it, the mail flows.

We're running ASA 5520 and software version 8.2(2)9.

I've not been able to find any information on how to resolve this, other than disabling esmtp inspection.

If we leave the esmtp inspection disabled, is this a serious risk?

Correct Answer by mirober2 about 6 years 3 months ago

Hello,

The ESMTP inspection is simply responsible for protocol enforcement (i.e. command checking), so it's not a huge risk to leave it disabled (or to exempt the inspection for traffic between your Exchange servers).

The reason things are failing is likely because the Exchange servers are using certain commands that the ASA's inspection doesn't support. Depending on the commands, you might be able to configure your servers not to use them if you want to re-enable the inspection (you'd need to do some packet captures to see which commands are being used in the SMTP session).

Here is a quick description of the ESMTP inspection:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i2.html#wp1742723

Hope that helps.

-Mike
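As an added example (not part of Mike's answer or Cisco's documentation), the ASA 8.2 MPF configuration that implements the two suggestions above: capture the server-to-server SMTP session to see which ESMTP commands are in use, and exempt only the Exchange pair from ESMTP inspection while keeping it on for everything else. The addresses and the interface names `dmz`/`inside` are constructed placeholders.

```cisco
! Constructed addresses: 172.16.10.25 = Edge Transport in the DMZ,
! 10.1.1.20 = internal Exchange server. Replace with your own.
!
! 1. Capture the SMTP session between the two servers so the ESMTP
!    commands/extensions actually exchanged can be read from the
!    capture ("show capture EXCH_SMTP" / "show capture EXCH_SMTP detail").
capture EXCH_SMTP interface dmz match tcp host 172.16.10.25 host 10.1.1.20 eq smtp
!
! 2. ACL that decides which SMTP flows remain under ESMTP inspection:
!    deny  = NOT inspected (the Exchange server pair, both directions)
!    permit = inspected (all other SMTP, e.g. Internet to the Edge server)
access-list ESMTP_INSPECT extended deny tcp host 172.16.10.25 host 10.1.1.20 eq smtp
access-list ESMTP_INSPECT extended deny tcp host 10.1.1.20 host 172.16.10.25 eq smtp
access-list ESMTP_INSPECT extended permit tcp any any eq smtp
!
class-map ESMTP_CLASS
 match access-list ESMTP_INSPECT
!
! 3. Move "inspect esmtp" from the default class to the narrowed class.
!    Inspection stays enabled for Internet-facing SMTP; only the
!    Exchange-to-Exchange traffic bypasses it.
policy-map global_policy
 class inspection_default
  no inspect esmtp
 class ESMTP_CLASS
  inspect esmtp
```

Flows hitting the `deny` lines are not dropped; they simply fall outside the class and pass without ESMTP inspection. Once the capture shows which commands trip the inspection, the exemption can be tightened or removed if the servers are reconfigured not to use them.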
