Cisco Support Community
Community Member

ESMTP inspection policy map

I have a question regarding the operation of ESMTP inspection.  My customer wants to allow messages with header lengths greater than 998.  I created an ESMTP inspection policy map with a single match clause on the header length and an action of log.  I added that to the main policy map with the statement

inspect esmtp <map-name>

Email then stopped flowing, both RFC-compliant and non-compliant. In the ensuing TAC case, we found that there was a silent extension to the inspect esmtp command, pointing to a hidden default inspection policy map. This map had multiple match clauses, header length being one of them. The explanation from the TAC engineer was that, by effectively removing the other match clauses, inspection took the default action, which is to drop the connection. My problem is that the actions specified in the default map also specify drop, and log. So, as far as I can tell, the only difference should have been there was no logging on the missing match clauses.

The only exception to this is the EHLO 'other' parameters, which are masked.  Could this have been the reason why all emails stopped flowing?  Reverting to the default fixed the problem, but I still don't see why it broke, unless it's that EHLO clause.  The customer is running Exchange.

As a final note, I would urge Cisco that, in cases where the parser adds default parameters to otherwise visible commands, these parameters be made visible. Hiding entire commands that don't normally need to be seen is fine, but it's too easy to inadvertently overwrite something, as I did in the case above. It almost forces you to do a 'show run all' all the time to double-check, which is counter-productive. This applies particularly to commands that impact something as sensitive as email.

Thanks for any clarification
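As an added illustration (not part of the original post) of the behaviour described above: when `inspect esmtp` is given a custom map, that map replaces the hidden `_default_esmtp_map` entirely, so any match clause not carried over is simply gone. The safe way to relax one check is to start from a copy of the default map, which `show run all` reveals, and change only the clause you care about. The default map below is reproduced from memory of the ASA configuration guide and should be checked against `show run all policy-map type inspect esmtp` on the actual firewall; `CUSTOM_ESMTP` is a placeholder map name, and `global_policy` / `inspection_default` are the usual factory names, which may differ on a customised box.

```text
! What "show run all policy-map" shows for the hidden default map on a
! typical ASA (verify on your own box; reproduced from memory here):
policy-map type inspect esmtp _default_esmtp_map
 description Default ESMTP policy-map
 parameters
  no mail-relay
  no special-character
  allow-tls
 match cmd line length gt 512
  drop-connection log
 match cmd RCPT count gt 100
  drop-connection log
 match body line length gt 998
  log
 match header line length gt 998
  drop-connection log
 match sender-address length gt 320
  drop-connection log
 match MIME filename length gt 255
  drop-connection log
 match ehlo-reply-parameter others
  mask

! Custom map: an exact copy of the default, with only the header-length
! action relaxed from drop-connection to log. Every other clause,
! including the EHLO "others" mask, is kept so nothing else changes.
policy-map type inspect esmtp CUSTOM_ESMTP
 parameters
  no mail-relay
  no special-character
  allow-tls
 match cmd line length gt 512
  drop-connection log
 match cmd RCPT count gt 100
  drop-connection log
 match body line length gt 998
  log
 match header line length gt 998
  log
 match sender-address length gt 320
  drop-connection log
 match MIME filename length gt 255
  drop-connection log
 match ehlo-reply-parameter others
  mask

! Swap the map in under the global service policy.
policy-map global_policy
 class inspection_default
  no inspect esmtp
  inspect esmtp CUSTOM_ESMTP

! Verification after the change:
!   show run all policy-map type inspect esmtp   - confirm both maps side by side
!   show service-policy inspect esmtp            - confirm the custom map is applied
!                                                  and watch the drop counters
```

The diff between the two maps is a single line, which is the point: a map written with only one `match header line length` clause drops every clause the default map was enforcing, and it is the absence of those clauses, not the header-length action itself, that should be compared first when mail flow stops after such a change.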
