ESMTP connection dropped

Hello,

We are working with an ASA 5520 and it seems there is an issue with some email messages sent through it.

When there are many recipients in the emails the email messages are not sent, and I have revised the server and the only thing I see is connection dropped.

When I went to look at the ASA log, I saw this log report:

ESMTP Classification: Dropped connection for ESMTP Request from 'interface': servername/portnumber to outside: IP address/25; matched Class 2: cmd RCPT count gt 100

tcp flow from interface:servername/portnumber to outside: IP address/25 terminated by inspection engine, reason - inspector disconnected, dropped packet.

So I think there should be an inspection of ESMTP packets and if they detect an email message sent to over 100 addresses, then the packet is dropped. Am I right? If so, what should I do to let those email messages be sent?

Thank you very much.

Regards.
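
To see which hosts are hitting the recipient limit and how often, the classification line quoted above can be parsed out of an exported ASA log. This is an added example, not part of the original post; the sample lines are constructed (addresses, ports and the second rule are illustrative) and the function names are hypothetical.

```python
import re
from collections import Counter

# Matches the "ESMTP Classification" line in the form quoted in the post.
CLASSIFY = re.compile(
    r"ESMTP Classification: Dropped connection for ESMTP Request from "
    r"(?P<src_if>[^:]+):\s*(?P<src>\S+)/(?P<sport>\d+) to "
    r"(?P<dst_if>[^:]+):\s*(?P<dst>\S+)/(?P<dport>\d+); "
    r"matched Class (?P<cls>\d+): (?P<rule>.+)$"
)
RCPT_RULE = re.compile(r"cmd RCPT count gt (\d+)")

def parse_drops(lines):
    """Yield one dict per ESMTP classification drop; other lines are ignored."""
    for line in lines:
        m = CLASSIFY.search(line.strip())
        if m:
            yield m.groupdict()

def drops_by_rule(lines):
    """Count drops per matched inspection rule."""
    return Counter(d["rule"] for d in parse_drops(lines))

def rcpt_limit_hits(lines):
    """Count drops caused by the RCPT-count rule, keyed by (source host, limit)."""
    hits = Counter()
    for d in parse_drops(lines):
        r = RCPT_RULE.fullmatch(d["rule"])
        if r:
            hits[(d["src"], int(r.group(1)))] += 1
    return hits

# Constructed sample log lines, modelled on the two messages in the post.
SAMPLE = [
    "ESMTP Classification: Dropped connection for ESMTP Request from "
    "inside:10.0.1.31/41522 to outside:203.0.113.25/25; matched Class 2: cmd RCPT count gt 100",
    "tcp flow from inside:10.0.1.31/41522 to outside:203.0.113.25/25 terminated by "
    "inspection engine, reason - inspector disconnected, dropped packet.",
    "ESMTP Classification: Dropped connection for ESMTP Request from "
    "inside:10.0.1.34/50110 to outside:198.51.100.7/25; matched Class 1: cmd line length gt 512",
    "ESMTP Classification: Dropped connection for ESMTP Request from "
    "inside:10.0.1.31/41530 to outside:203.0.113.25/25; matched Class 2: cmd RCPT count gt 100",
]

if __name__ == "__main__":
    for (src, limit), n in rcpt_limit_hits(SAMPLE).items():
        print(f"{src}: {n} connection(s) dropped for more than {limit} RCPT commands")
```
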


On the CLI these rules are configured with the policy-maps. There you find a rule where these limits are enforced and where you can change the limits or even disable the checks.

Probably there is a reason that someone configured these policies as they are not a default-config. So you have to decide how your new policy should be and if you post the relevant part of the config, we can assist you in changing the parameters.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

I just looked it up and there is (also to my surprise) a default for this parameter. The complete defaults for ESMTP are these values:

policy-map type inspect esmtp _default_esmtp_map
 description Default ESMTP policy-map
 parameters
  mask-banner
  no mail-relay
  no special-character
  no allow-tls
 match cmd line length gt 512
  drop-connection log
 match cmd RCPT count gt 100
  drop-connection log
 match body line length gt 998
  log
 match header line length gt 998
  drop-connection log
 match sender-address length gt 320
  drop-connection log
 match MIME filename length gt 255
  drop-connection log
 match ehlo-reply-parameter others
  mask

To solve that problem you could disable the whole ESMTP inspection or overwrite the parameter in question as per Jouni's direction.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Jouni Forss
VIP Alumni

Hi,

You probably have a configuration similar to this under some "policy-map" configuration:

 match cmd RCPT count gt 100
  drop-connection log

I would imagine you would have to increase the amount if that is the requirement.

- Jouni

Hi,

Thank you for your answers.

I have checked the running-config and I did not find the parameters, but I leave that configuration part here:

class-map global-class
 match access-list global_mpc_5
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect im impolicy
 parameters
 match protocol msn-im yahoo-im
  drop-connection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect ip-options
 class global-class
  csc fail-close
policy-map type inspect http P2P_HTTP
 parameters
 match request uri regex _default_gator
 match request uri regex _default_x-kazaa-network
  drop-connection log
!
service-policy global_policy global
smtp-server 10.0.1.31 10.0.1.34
prompt hostname context

Thank you very much

best regards.

Hi,

I am not sure if it's some default limit value then. To be honest I haven't had to change these configurations that much.

I would imagine that the limit could be raised with a configuration. The value naturally depends on you.

policy-map type inspect esmtp ESMTP
 match cmd RCPT count gt 200
  drop-connection log
policy-map global_policy
 class inspection_default
  inspect esmtp ESMTP

But I have to say I am not sure if that is all that you need.

You would have to first remove the existing "inspect esmtp" which might affect some traffic.

- Jouni
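
The limit did not show up in the posted running-config because a bare "inspect esmtp" line names no map. As an added example (not code from the thread or from Cisco), this check reads a saved config and reports which ESMTP map is in effect and its RCPT limit, assuming that a bare "inspect esmtp" applies the built-in `_default_esmtp_map` listed earlier in the thread; the function name and the trimmed sample configs are constructed for illustration.

```python
import re

DEFAULT_MAP = "_default_esmtp_map"  # name from the defaults listing in the thread
DEFAULT_RCPT_LIMIT = 100            # "match cmd RCPT count gt 100" in that listing

def effective_rcpt_limit(config):
    """Return (map_name, rcpt_limit) for ESMTP inspection, or None if not inspected.

    rcpt_limit is None when a custom map is applied but contains no RCPT rule.
    """
    maps, applied, current = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("<---"):  # skip blanks and pager residue
            continue
        m = re.fullmatch(r"policy-map type inspect esmtp (\S+)", line)
        if m:                                    # start of a custom ESMTP map
            current = m.group(1)
            maps[current] = None
            continue
        if line.startswith(("policy-map ", "class-map ")):
            current = None                       # left the ESMTP map section
        m = re.fullmatch(r"match cmd RCPT count gt (\d+)", line)
        if m and current:
            maps[current] = int(m.group(1))
        m = re.fullmatch(r"inspect esmtp(?: (\S+))?", line)
        if m:                                    # bare form means the default map
            applied = m.group(1) or DEFAULT_MAP
    if applied is None:
        return None
    if applied == DEFAULT_MAP:
        return applied, DEFAULT_RCPT_LIMIT
    return applied, maps.get(applied)

# Constructed excerpts: the posted config (trimmed) and the config after the change above.
BEFORE = """policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect esmtp
service-policy global_policy global
"""
AFTER = """policy-map type inspect esmtp ESMTP
 match cmd RCPT count gt 200
  drop-connection log
policy-map global_policy
 class inspection_default
  inspect esmtp ESMTP
"""

if __name__ == "__main__":
    print(effective_rcpt_limit(BEFORE), effective_rcpt_limit(AFTER))
```
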

OK,

I have finally gone to the default configuration and disabled inspection for ESMTP traffic.

Now I see no ESMTP being logged or dropped in the ASA log.

I will now see if the email to several recipients works as it should.

Thank you both a lot.

best regards.

David.
