Re: ESMTP Inspection

Diego Armando Cambronero Arias · ‎06-11-2010

Hello Experts,

We need to exclude a couple of servers from the inspection. It seems that the inspection doen'st allow the remote email servesr to send emails to my server. The Admin of the remote peer states that it's because of the esmtp inspection. I configured the exclution from the inspection for those server however when I do it, My email server stops working.

Here is the configuration i added.

hostname(config)# access-list ESMTP deny ip host 204.56.XX.XX host 196.40.XX.XX

hostname(config)# access-list ESMTP deny ip host 204.56.XX.XX 196.40.XX.XX

hostname(config)# access-list ESMTP deny ip 196.40.XX.XX host 204.56.XX.XX

hostname(config)# access-list ESMTP permit tcp any any eq 25

hostname(config)# class-map ESMTP-POLICY

hostname(config-cmap)# match access-list ESMTP

hostname(config)# policy-map global_policy

hostname(config-pmap)# class inspection_default

hostname(config-pmap)# no inspect esmtp

hostname(config-pmap)# class ESMTP-POLICY

hostname(config-pmap-c)# inspect esmtp

Service Policy is applied globally.

With this configuration I'm only excluding 2 servers of the inspection, However when I applied my server stops working. It doesn't sent of receive email AT ALL

I would really appreciate your help.

edadios · ‎06-11-2010

Try adding the following as well

access-list ESMTP permit tcp any eq 25 any

Actually with default inspection that you have removed for esmtp, you could instead add the final line of permit ip any any, to catch all besides the 2 server you don't want inspected. The final line could instead be "access-list ESMTP permit ip any any"

If you look at the service policy statistics, it will show if traffic is being matched by what you configured. In this case, for the server to work, you are expecting to be matching the permit statements for your server to be functional, and have hit counts on it. As well as having hit counts for the denies for it's communication with the other mail servers that does not like esmtp inspection. If no hitcounts seen, when mail is being sent.

Regards,

Diego Armando Cambronero Arias · ‎06-11-2010

Hello,

Thank you very much for taking a look.

I forgot to mention that I did try that yesterday. But I got the same result.I do not understand why it's not working it a very simple configuration. When I saw the service-policy statistics there where drops in there.

Any Idea

terrygwazdosky · ‎06-11-2010

Have you tried running packet-trace to simulate the traffic? It might be able to tip you off as to where the trouble lies.

Panos Kampanakis · ‎06-11-2010

Are the server ip addresses 196.40.XX.XX, 204.56.XX.XX that you are NOT matching in the class-map ACL translated by the firewall?

If yes then you need to use their local ip address for the ACL to match the denies and thus not hit the ESMTP inspection.

I hope it helps.

PK

edadios · ‎06-11-2010

It is definitely strange that with the permit on the bottom of the acl, you say your server still does not work, since the effect should only have been to do with the host you specified to be denied.

Let us try it this way:

access-list test1 permit ip any any

class-map esmtp-test

match access-list test1

policy-map global_policy
class inspection_default
no inspect esmtp
class esmtp-test
inspect esmtp

If this works for your normal mail server function , then you can start adding to the access-list inserting lines on top of the list for the hosts you want to be denied. And every time you add one acl line, check for the result of mail.

You can also issue the command "show service-policy flow tcp mailhost1 mailhost2 eq smtp" when modifying the access-list to see if it is changing inspection result.

If it does not work, with only permit ip any any, then compare the output of "show service-policy flow tcp mailhost1 mailhost2 eq smtp" when using the class inspection_default, to output of when using class esmtp-test.

Regards,