
ASA inspection of ESMTP

robert.mcclain
Level 1

I'm having a problem with outbound mail connecting to nauticom.com. The application inspection on the ASA is doing something to the packet out the door that nauticom doesn't like. I can telnet to their server on port 25 and try an "ehlo"; the server responds with "I don't understand xxx.xxx.xxx", and it is x's that their server sees. I verified that it's the ASA because I removed the inspection from the default policy and it worked fine. What is the ASA possibly doing to the packet? What would be the best workaround here, because I would like the ASA to inspect esmtp packets? I currently inserted a class-map into the policy that inspects inbound-only esmtp packets and that works. Is it bad practice not to inspect the outbound packets?

3 Replies

yleduc
Level 1

Just to let you know, we've encountered a problem with the fixup running 7.2.1(20). The bug ID is CSCsg52277 and there is currently no fix for it.

As far as telnet on port 25, I believe the fixup does not like the fact that when you are telnetting, more than 1 packet is received for each letter making up a command, as opposed to sending a whole command in one packet.

Thanks for the update. This helps and explains a lot. Although it doesn't happen if I try telnetting on port 25 to, say, Yahoo. Just Nauticom. Would this be the way that Nauticom is responding back to the "ehlo" command?

jgervia_2
Level 1

Robert,

The doc mentions something about unknown commands. This is from the 7.2 command reference (check the last few lines):

"SMTP server responds to client requests with numeric reply codes and optional human readable strings. SMTP application inspection controls and reduces the commands that the user can use as well as the messages that the server returns. SMTP inspection performs three primary tasks:

Restricts SMTP requests to seven basic SMTP commands and eight extended commands.

Monitors the SMTP command-response sequence.

Generates an audit trail: Audit record 108002 is generated when invalid character embedded in the mail address is replaced. For more information, see RFC 821.

SMTP inspection monitors the command and response sequence for the following anomalous signatures:

Truncated commands.

Incorrect command termination (not terminated with ).

If the PIPE signature is found as a parameter to a MAIL from or RCPT to command, the session is closed. It is not configurable by the user.

Unexpected transition by the SMTP server.

For unknown commands, the security appliance changes all the characters in the packet to X. In this case, the server will generate an error code to the client. Because of the change in the packet, the TCP checksum has to be recalculated or adjusted."

Now why it's an unknown command I'm not quite sure. Have you tried an actual mail client versus telnet?

--Jason

Please rate this message if it helped.
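The masking behaviour quoted from the command reference, together with the per-packet idea raised in the first reply, as a simplified Python model (an added example, not Cisco code and not from any poster in this thread). Assumptions: the verb list is taken from Cisco's ESMTP inspection documentation rather than this page, each TCP segment is judged on its own, CR/LF bytes are left unmasked, and `mail.example.com` and the segments are constructed sample input.

```python
# Simplified model of ESMTP command filtering on a firewall.
# Assumption: the seven basic and eight extended verbs the inspection permits.
ALLOWED_VERBS = {
    "DATA", "HELO", "MAIL", "NOOP", "QUIT", "RCPT", "RSET",          # basic
    "AUTH", "EHLO", "ETRN", "HELP", "SAML", "SEND", "SOML", "VRFY",  # extended
}


def inspect_segment(payload: bytes) -> bytes:
    """Pass a segment unchanged if it is a complete, permitted command line.

    Anything else (unknown verb, truncated command, missing CRLF) is treated
    as an unknown command and every byte except CR/LF is overwritten with X.
    Only the command phase is modelled, not message bodies after DATA.
    """
    text = payload.decode("ascii", "replace")
    words = text.split(None, 1)
    verb = words[0].upper() if words else ""
    if verb in ALLOWED_VERBS and text.endswith("\r\n"):
        return payload
    return bytes(b if b in b"\r\n" else ord("X") for b in payload)


def per_keystroke(line: bytes) -> list:
    """Split a command into one-byte segments, as a character-mode
    telnet client would send it (hypothetical helper)."""
    return [line[i:i + 1] for i in range(len(line))]


def server_view(segments) -> bytes:
    """Byte stream the mail server receives after inspection."""
    return b"".join(inspect_segment(s) for s in segments)


if __name__ == "__main__":
    ehlo = b"EHLO mail.example.com\r\n"          # constructed sample command
    print("whole line   :", server_view([ehlo]))
    print("per keystroke:", server_view(per_keystroke(ehlo)))
    print("unknown verb :", server_view([b"XEXCH50 1 2\r\n"]))
```

Comparing the output against a packet capture taken on the outside interface shows whether the masked bytes seen by the remote server line up with segment boundaries or with a verb the inspection does not permit.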
