I have a question regarding the operation of ESMTP inspection. My customer wants to allow messages with header lengths greater than 998. I created an ESMTP inspection policy map with a single match clause on the header length and an action of log. I added that to the main policy map with the statement
inspect esmtp <map-name>
Email then stopped flowing, both RFC-compliant and non-compliant. In the ensuing TAC case, we found that there was a silent extension to the inspect esmtp command, pointing to a hidden default inspection policy map. This map had multiple match clauses, header length being one of them. The explanation from the TAC engineer was that, by effectively removing the other match clauses, inspection took the default action, which is to drop the connection. My problem is that the actions specified in the default map also specify drop and log. So, as far as I can tell, the only difference should have been that there was no logging on the missing match clauses.
The only exception to this is the EHLO 'other' parameters, which are masked. Could this have been the reason why all emails stopped flowing? Reverting to the default fixed the problem, but I still don't see why it broke, unless it's that EHLO clause. The customer is running Exchange.
As a final note, I would urge Cisco that, in cases where the parser adds default parameters to otherwise visible commands, these parameters be made visible. Hiding entire commands that don't normally need to be seen is fine, but it's too easy to inadvertently overwrite something, as I did in the case above. It almost forces you to do a 'show run all' all the time to double-check, which is counter-productive. This applies particularly to commands that impact something as sensitive as email.
Thanks for any clarification.
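Added example, not part of the original post and not Cisco's published configuration: one way to avoid the silent override described above is to first expose the hidden default map with 'show run all', then build the custom ESMTP inspection map as a copy of it, changing only the header-length action, so that none of the other checks are dropped when the custom map replaces the implicit default. The policy-map syntax is ASA 'policy-map type inspect esmtp' syntax as I know it; the contents of the default map shown here are reproduced from memory of 'show run all' output and must be checked against the output on the customer's own ASA version before use. The map name ESMTP_ALLOW_LONG_HEADERS and the global_policy/inspection_default names are placeholders (the latter are the ASA defaults but may differ on a customised box).

```cisco
! Step 1: reveal the hidden default map that a bare 'inspect esmtp' uses.
! Compare every match clause and action below against this output.
show running-config all policy-map | begin _default_esmtp_map

! Step 2: custom map, built as a copy of the default map. The only change
! from the default (assumed from memory; verify in step 1) is that the
! header line length check now logs instead of dropping the connection.
policy-map type inspect esmtp ESMTP_ALLOW_LONG_HEADERS
 parameters
  no mask-banner
  no mail-relay
  no special-character
 match cmd line length gt 512
  drop-connection log
 match cmd RCPT count gt 100
  drop-connection log
 match body line length gt 998
  log
 match header line length gt 998
  log
 match sender-address length gt 320
  drop-connection log
 match MIME filename length gt 255
  drop-connection log
 match ehlo-reply-parameter others
  mask

! Step 3: attach the custom map in place of the implicit default map.
policy-map global_policy
 class inspection_default
  no inspect esmtp
  inspect esmtp ESMTP_ALLOW_LONG_HEADERS

! Step 4: confirm which map is in effect and watch the per-match counters
! while test mail (RFC-compliant and long-header) is sent through.
show service-policy inspect esmtp
```

The point of keeping the remaining clauses, including the EHLO 'others' mask, unchanged is that the before/after difference is then limited to the one action the customer asked for; if mail still stops flowing with this map, the counters in step 4 show which clause is firing rather than leaving it to guesswork.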