Cisco Support Community

New Member

5510 Inspect esmtp problem with exchange server

We recently installed a set of 5510s running IOS 7.04 to replace our old PIX 515Es. Things have been fine until we found we had problems exchanging email with this one company since we upgraded to the ASA 5510.

We and this other company both use Exchange server. When they telnet to our server on port 25, or I telnet to theirs, esmtp inspection replaces the banner with a bunch of "xxxxxx". However, neither side will accept the HELO or EHLO, or any other command. Here is the result:

220-**************************************************
220 ****************************************************************************
******************************************
500 5.3.3 Unrecognized command
500 5.3.3 Unrecognized command

If I turn off "inspect esmtp", the email servers will talk and I can telnet to their port 25 fine.

I checked the bugtool but didn't find any esmtp bug in v7.0(4).

Here are my questions:

1. If esmtp inspect has a bug, why do I only have one instance of it so far?

2. Am I wrong to use telnet to troubleshoot? One place in the Cisco manual states that you need both a line feed and a carriage return when issuing SMTP commands in interactive mode through esmtp inspection.

3. Any quick and easy commands to check the SMTP traffic on the 5510 without being inundated by syslog?

Thanks a lot in advance!

5 REPLIES

Re: 5510 Inspect esmtp problem with exchange server

Hi .. you can use Telnet to troubleshoot, but you need to comply with the rules below .. looking at the output of your test, it seems that the commands entered are among the unsupported ones. As for the banner, that is the default behaviour of the esmtp inspection ..

"Other extended SMTP commands, such as ATRN, STARTLS, ONEX, VERB, CHUNKING, and private extensions, are not supported. Unsupported commands are translated into Xs, which are rejected by the internal server. This results in a message such as '500 Command unknown: XXX'. Incomplete commands are discarded.

If you enter the inspect smtp command, the security appliance automatically converts the command into the inspect esmtp command, which is the configuration that is shown if you enter the show running-config command.

The inspect esmtp command changes the characters in the server SMTP banner to asterisks except for the '2', '0', '0' characters. Carriage return (CR) and linefeed (LF) characters are ignored.

With SMTP inspection enabled, a Telnet session used for interactive SMTP may hang if the following rules are not observed: SMTP commands must be at least four characters in length; must be terminated with carriage return and line feed; and must wait for a response before issuing the next reply."

I hope it helps .. please rate it if it does !!

New Member

Re: 5510 Inspect esmtp problem with exchange server

Thanks for the quick quote. I read it, too. The commands we used are the basic SMTP commands, like HELO, EHLO, HELP, etc. I tried appending a line feed before the carriage return at the end of each command line, to no avail.

Putting Telnet aside, I think my main question is why inspect esmtp disrupted our communication with this Exchange server and not others, assuming there are at least some other Exchange servers out there that we SMTP with.

My other question is how to troubleshoot SMTP Inspection on the ASA in an effective manner.

Daniel

New Member

Re: 5510 Inspect esmtp problem with exchange server

I've encountered something similar. Here is Microsoft's solution:

http://support.microsoft.com/?kbid=320027

Please rate if it helps.

Thanks,

J

New Member

Re: 5510 Inspect esmtp problem with exchange server

Well, that link again is for PIX firewalls. No specific solutions for the new ASA 5500 series. Besides, I already turned off SMTP inspection. But this is not a solution, just a workaround.

There should be a Cisco solution to make esmtp inspection work, since it is the whole point of having it.

Thanks for being so responsive.

daniel

New Member

Re: 5510 Inspect esmtp problem with exchange server

Finally found the root cause but no true fix yet. Lots of questions.

We found through packet capturing at the ASA device that our Exchange server is using the chunking command BDAT (instead of DATA) to send the message body to you, because the other Exchange (and all Exchange servers by default) advertises it as a supported command. BDAT is defined in RFC 1830/3030 as an alternative to DATA for efficiently transferring large MIME messages. Somehow it has not been widely adopted yet. In fact, Microsoft's own ISA server doesn't even support it by default (though you can enable particular esmtp verbs in SMTP filtering). Cisco's ASA supports 7 standard and 8 extended SMTP commands, BDAT not being on the list. As a result, the BDAT command is changed into XXXX every time it passes through the ASA device, causing the other Exchange server to respond with a "command unrecognized" error.

There are documents on the MS web site on how to turn off certain ESMTP verbs in an AD and Exchange environment. But I can't find one to turn off BDAT on a standalone SMTP server on Windows 2000, which is what is running as our mail gateway.

For those of you who are MS exchange experts, please help!

For those of you experts who are affiliated with Cisco, here is the question:

Why doesn't Cisco support BDAT, since it's much more efficient than DATA in transferring large MIME messages?

Why does Cisco SMTP inspection only block chunking partially, by only XXXXing out the BDAT command? It should XXXX out the "CHUNKING" advertisement from the receiving SMTP server as well. That way, the sending SMTP server won't even try BDAT in the first place.
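As an added illustration (not code from the thread, from Cisco, or from Microsoft), the following Python script models the inspection behaviour described in this thread: it checks a peer's EHLO reply for a CHUNKING advertisement and replays a client session through an ASA-like rewrite in which any verb outside the supported set becomes a run of Xs, so a BDAT command is turned into XXXX and rejected. The supported-command set is assumed from Cisco's ESMTP inspection documentation for the 7.x train and should be checked against your release; the hostnames and session lines are constructed.

```python
"""ASA-style ESMTP inspection model (added illustration, not Cisco code).

Replays a constructed SMTP session through a simplified model of the ASA
"inspect esmtp" behaviour described in the thread: client commands outside
the supported set are rewritten to Xs of equal length, so the receiving
server answers "500 ... Unrecognized command".
"""
import re

# 7 RFC 821 commands + 8 extended commands the ASA inspection allows.
# Assumed from Cisco's 7.x ESMTP inspection documentation; verify per release.
SUPPORTED = {
    "HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT",
    "EHLO", "AUTH", "ETRN", "HELP", "SAML", "SEND", "SOML", "VRFY",
}

def inspect_command(line: str) -> str:
    """Return the client command line as it would leave the ASA."""
    verb = line.split(" ", 1)[0].upper()
    if verb in SUPPORTED:
        return line
    # Unsupported verb becomes Xs of the same length; arguments are kept.
    return "X" * len(verb) + line[len(verb):]

def advertised_extensions(ehlo_reply: list) -> set:
    """Extract the EHLO keywords from a multi-line 250 reply."""
    exts = set()
    for reply_line in ehlo_reply[1:]:      # first line is "250-hostname"
        m = re.match(r"250[- ](\S+)", reply_line)
        if m:
            exts.add(m.group(1).upper())
    return exts

def replay(client_lines):
    """Map each client command to (as sent, after inspection, rejected?)."""
    return [(l, inspect_command(l), inspect_command(l) != l) for l in client_lines]

# Constructed sample: the peer advertises CHUNKING, so the sender picks BDAT.
EHLO_REPLY = ["250-mail.example.test", "250-SIZE 10485760", "250-CHUNKING", "250 OK"]
CLIENT = ["EHLO gw.example.test", "MAIL FROM:<a@example.test>",
          "RCPT TO:<b@example.test>", "BDAT 1024 LAST"]

if __name__ == "__main__":
    if "CHUNKING" in advertised_extensions(EHLO_REPLY):
        print("peer advertises CHUNKING: expect BDAT instead of DATA")
    for sent, seen, rejected in replay(CLIENT):
        print(f"{sent!r:32} -> {seen!r:32} {'REJECTED' if rejected else 'ok'}")
```

Run against a real packet capture, the EHLO check tells you in advance whether a peer will trigger BDAT, and the replay shows which command the ASA will mangle without wading through syslog.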
