08-09-2010 11:16 AM - edited 03-11-2019 11:22 AM
Hi folks,
I would appreciate if someone shed more light on the error we started getting in the router's syslog after enabling SMTP application inspection. Our users started complaining that they don't receive mail from some clients and it really makes me creepy. The exact error that ZBF puts into the syslog looks as follows:
08-08-2010 20:50:42 Local7.Warning 192.168.1.1 48: GIBSGW: .Aug 8 20:50:41: %APPFW-4-SMTP_INTERNAL_ERROR: Error encountered - SMTP commands and reply count mismatch. Closing SMTP session -Initiator address 117.194.195.230 Initiator port 1864 Responder address 192.168.1.10 Responder port 25
192.168.1.10 is the internal mail server and the router makes NAT to forward traffic to it.
The portion of the ZBF configuration looks as follows:
class-map type inspect match-all SMTP-CLMAP
 match protocol smtp
class-map type inspect match-any INT2INS-OTHER-CLMAP
 match protocol https
 match protocol pop3
 match protocol imaps
 match protocol pcanywheredata
 match protocol pcanywherestat
 match protocol user-HTTP-8080
 match protocol user-RDP-3389
policy-map type inspect INT2INS-POLMAP
 class type inspect WEB-CLMAP
  inspect
  service-policy http HTTP-STRICT-POLMAP
 class type inspect IMAP-CLMAP
  inspect
  service-policy imap IMAP-INSP-POLMAP
 class type inspect SMTP-CLMAP
  inspect
  service-policy smtp SMTP-STRICT-POLMAP
 class type inspect INT2INS-OTHER-CLMAP
  inspect
 class class-default
  drop log
Is it an inherent bug of ZBF, or does the sender's SMTP server not comply with the RFC or something that governs the SMTP protocol?
Eugene
08-09-2010 12:08 PM
Hi,
It's not a bug of ZBF. Some mail servers aren't completely RFC compliant and the inspection corrupts the mail structure.
Regards,
08-09-2010 12:13 PM
Thanks,
How would I know what exactly is not being conformed to? As far as my config goes, I only check the file size, no other checks or enforcements. Is there any way to debug the session and see what's going on? ZBF is a fairly new concept to me.
Eugene
08-09-2010 11:28 PM
Hi,
By default, when you enable SMTP inspection, the appliance performs 3 main tasks:
- Restricts SMTP requests to seven basic SMTP commands and eight extended commands.
- Monitors the SMTP command-response sequence.
- Generates an audit trail.
There are also additional inspection configurations you can define (e.g. you've configured file size).
So when you enable SMTP inspection, 3 main tasks are performed by default, although you don't configure anything.
You can use the
show policy-map type inspect ?
command to see what's going on.
Thanks,
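To see which sending hosts are affected by the session closes discussed in this thread, the following added example (not part of the original posts, and not Cisco code) parses %APPFW-4-SMTP_INTERNAL_ERROR syslog lines and counts closed sessions per initiator. The pattern is built only from the single log line quoted in the first post; the function names and all sample lines other than that one are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Pattern derived from the one %APPFW-4-SMTP_INTERNAL_ERROR line quoted in the thread.
APPFW_RE = re.compile(
    r"%APPFW-4-SMTP_INTERNAL_ERROR: (?P<reason>.*?)\s*-\s*"
    r"Initiator address (?P<src>\S+) Initiator port (?P<sport>\d+) "
    r"Responder address (?P<dst>\S+) Responder port (?P<dport>\d+)"
)

def parse_appfw(line):
    """Return the session fields as a dict, or None if the line is not this error."""
    m = APPFW_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec

def closed_sessions_by_initiator(lines):
    """Count inspection-closed SMTP sessions per initiator (sending host) address."""
    counts = Counter()
    for line in lines:
        rec = parse_appfw(line)
        if rec is not None:
            counts[rec["src"]] += 1
    return counts

_PREFIX = "Local7.Warning 192.168.1.1 {n}: GIBSGW: .Aug 8 {t}: "
_ERR = ("%APPFW-4-SMTP_INTERNAL_ERROR: Error encountered - SMTP commands and reply "
        "count mismatch. Closing SMTP session -Initiator address {src} Initiator "
        "port {sport} Responder address 192.168.1.10 Responder port 25")

SAMPLE = [
    # Line 0 reproduces the log line from the first post.
    "08-08-2010 20:50:42 " + _PREFIX.format(n=48, t="20:50:41")
    + _ERR.format(src="117.194.195.230", sport=1864),
    # Remaining lines are constructed, using documentation-range addresses.
    "08-08-2010 20:52:03 " + _PREFIX.format(n=49, t="20:52:02")
    + _ERR.format(src="203.0.113.25", sport=40112),
    "08-08-2010 20:53:10 " + _PREFIX.format(n=50, t="20:53:09")
    + "constructed unrelated message",
    "08-08-2010 20:55:47 " + _PREFIX.format(n=51, t="20:55:46")
    + _ERR.format(src="203.0.113.25", sport=40150),
]

if __name__ == "__main__":
    for src, n in closed_sessions_by_initiator(SAMPLE).most_common():
        print(f"{src}\t{n} session(s) closed by SMTP inspection")
```

Initiators that recur in the output are the remote mail hosts to compare against the users' reports of missing mail.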