Cisco Support Community
Community Member

Blocking STARTTLS on a PIX 515 (8.0.4)

My service provider just enabled TLS on their end. Because of this, our scanning appliances do not work correctly, as the SMTP channel is encrypted. Is there a way on the PIX that I can block the STARTTLS SMTP command? This way I don't have to do anything with my email server or service provider. I am currently not using "inspect" for SMTP, as the default policy was causing issues with my provider. Can I set up an "inspect" policy that just blocks STARTTLS and nothing else (not even checking anything else)?

1 REPLY
Cisco Employee

Re: Blocking STARTTLS on a PIX 515 (8.0.4)

On the ASA you can allow TLS in ESMTP inspection, but not actually block it. The inspection will block it by default, though.

So you have 2 options:

- enable inspection

- have an IPS or router device with FPM match on the STARTTLS command payload to block it (you need to check where that is in order to calibrate the method).

I hope it helps.

PK
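As an added example that is not part of the original thread (it is neither the poster's nor the Cisco employee's configuration), this is what the two options in the reply look like as configuration. The first part is the PIX/ASA 8.0(4) Modular Policy Framework: a custom ESMTP inspection policy map that leaves `allow-tls` off, attached to the default global policy so ESMTP inspection is enabled again. The second part is the IOS Flexible Packet Matching alternative on a router in the SMTP path. The names `esmtp-no-tls`, `ip-tcp`, `smtp-starttls`, `drop-starttls`, `fpm-smtp`, the `flash:` PHDF path and the interface name are assumptions for illustration; `global_policy`, `inspection_default`, `allow-tls` and the `inspect esmtp` parameters are the standard ASA/PIX 8.0 names.

```cisco
! ===== Option 1: PIX/ASA 8.0(4), ESMTP inspection with TLS not allowed =====
! Added example, not from the original thread. Policy-map name is an assumption.
policy-map type inspect esmtp esmtp-no-tls
 parameters
  ! allow-tls is the parameter that would let the STARTTLS negotiation through.
  ! "no allow-tls" is the state the reply describes as blocking it by default;
  ! it is written out here so the intent survives a later default change.
  no allow-tls
!
! Attach the map to the default global policy (global_policy / inspection_default
! are the factory names; re-add "inspect esmtp" if it was removed earlier).
policy-map global_policy
 class inspection_default
  inspect esmtp esmtp-no-tls
!
service-policy global_policy global

! ===== Option 2: IOS router with Flexible Packet Matching (FPM) =====
! Added example, not from the original thread. PHDF location and interface name
! are assumptions; adjust to the platform carrying the SMTP traffic.
load protocol flash:ip.phdf
load protocol flash:tcp.phdf
!
! Stack class: IPv4 carrying TCP, so the TCP header fields are addressable.
class-map type stack match-all ip-tcp
 match field IP protocol eq 0x6 next TCP
!
! Traffic class: segments to port 25 whose payload begins with STARTTLS.
! Offset 0 / size 8 is the calibration the reply refers to: it only matches
! when the command is the first thing in the segment and is upper case.
class-map type access-control match-all smtp-starttls
 match field TCP dest-port eq 25
 match start TCP payload-start offset 0 size 8 regex "STARTTLS"
!
policy-map type access-control drop-starttls
 class smtp-starttls
  drop
!
policy-map type access-control fpm-smtp
 class ip-tcp
  service-policy drop-starttls
!
interface GigabitEthernet0/0
 service-policy type access-control input fpm-smtp
```

Two caveats a practitioner would check before relying on either option. For the ASA path, the other default checks of the ESMTP inspection engine still apply once `inspect esmtp` is back in the policy, so re-test against the provider's server that caused the original issues, and confirm the result with `show service-policy inspect esmtp` plus a manual EHLO/STARTTLS against the server. For the FPM path, RFC 3207 makes the STARTTLS verb case-insensitive and a pipelining client can send it after other commands in the same segment, so the `offset 0 size 8 regex "STARTTLS"` match is deliberately narrow; widen the offset window or the regex only after capturing what your server's clients actually send. Dropping the segment also leaves the client waiting for a reply until it times out, which is acceptable for a fixed provider relay but noisy for arbitrary senders.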
