Solved: Turning off ESMTP inspection in the ASA

tmarlow · ‎10-24-2007

We have an ASA5550 running 7.2 code and we have had to turn off the inspect esmtp to get all mail to pass. At first, I thought maybe an extended command that wasn't supported was the problem, but this is the synopsis from our server guy:

The SMTP problem was not a command level problem. It appears that the firewall was rejecting the SMTP session mid-transaction. At times I would see our server issue a 354 (ok, send the body) response to the client and then I wouldn't see anything further from the client. Sometimes I would see the beginnings of a message (after our server issued a 354) before the packet stream stopped coming to the mail server. The client would get a pop-up message saying that "The connection to the mail server has been interrupted". I fielded six trouble tickets that had this problem that were all resolved after the fixup-smtp was removed.

At this point the config has just statics and a basic ACL allowing DNS to those servers. I'm looking for some direction, we have the inspection turned off, but I want to turn it on as soon as possible. Thanks for all your help.

didyap · ‎10-30-2007

Check by giving command "inspect esmtp 25" which is equivalent to "inspect smtp" in earlier versions and was replaced by "inspect esmtp" from ver 7.0. You may be hitting cisco bug CSCsh33982, in which case you will have to upgrade to the ASA version 7.2(2.12) or later.

View solution in original post

didyap · ‎10-30-2007

Check by giving command "inspect esmtp 25" which is equivalent to "inspect smtp" in earlier versions and was replaced by "inspect esmtp" from ver 7.0. You may be hitting cisco bug CSCsh33982, in which case you will have to upgrade to the ASA version 7.2(2.12) or later.

tmarlow · ‎10-31-2007

I'm aware of the new esmtp inspection which was enabled and had to be disabled. It looks like that bug matches our problem. Thanks.