
removing 'ip inspect..smtp'

e.maloney
Level 1

Does anyone know of the risk of removing an 'ip inspect..' statement from an IOS firewall feature set? Particularly the 'ip inspect..smtp' or esmtp statement. We are having issues between Exchange servers through our site-to-site VPN, and the solution is recommending removing the ip inspect statement for smtp to fix it. What is the risk of not having that statement?

Thanks,

- Ted

4 Replies

jmia
Level 7

Ted,

IP Inspect for SMTP -

With ip inspect for SMTP activated, only the SMTP commands defined in IETF RFC 821, section 4.5, are allowed through the router; any other SMTP commands are blocked. The allowed SMTP commands include:

DATA, EXPN, HELO, HELP, MAIL, NOOP, QUIT, RCPT, RSET, SAML, SEND, SOML, and VRFY.

ip smtp inspection does not support ESMTP. Therefore, if you have enabled SMTP inspection, and your internal e-mail server uses ESMTP and is experiencing e-mail connection problems, you should disable SMTP application inspection for this connection.

Hope this helps.

Hello, thanks for the response,

It turns out that, yes, our Exchange servers are using ESMTP. If I remove the inspect smtp command completely, is there any security risk? Meaning, am I opening up a vulnerability in our organization to some SMTP exploit?

Thanks,

- Ted

Hi Ted

I would strongly suggest enabling ip inspect commands. Since you have Exchange Server running ESMTP, you need to enable the ip inspect esmtp command, which was introduced in 12.3(7)T. SMTP/ESMTP cannot coexist. Disable SMTP and enable ESMTP. ESMTP adds support for 3 additional commands: AUTH, EHLO, and ETRN.

For a detailed explanation of the advantage of ESMTP, here's the link:

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455aca.html
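
Added example, not part of any reply in this thread and not Cisco code: a small Python model of the two command allow-lists quoted above, run over a constructed client session to show which verbs fall outside each list. The function names and the sample session are assumptions made for illustration; the model only reflects the lists as stated in the replies, not the router's actual inspection engine.

```python
# Model of the allow-lists quoted in this thread (illustrative only).
RFC821_CMDS = {"DATA", "EXPN", "HELO", "HELP", "MAIL", "NOOP", "QUIT",
               "RCPT", "RSET", "SAML", "SEND", "SOML", "VRFY"}
ESMTP_EXTRA = {"AUTH", "EHLO", "ETRN"}  # the 3 additions named in the thread

ALLOWED = {"smtp": RFC821_CMDS, "esmtp": RFC821_CMDS | ESMTP_EXTRA}

# Constructed sample: client side of one ESMTP session (not captured traffic).
SAMPLE_SESSION = "\r\n".join([
    "EHLO mail.example.com",
    "AUTH PLAIN dGVzdA==",
    "MAIL FROM:<a@example.com>",
    "RCPT TO:<b@example.com>",
    "DATA",
    "Subject: test",
    "",
    "EHLO appears in this body line and must not be counted",
    ".",
    "QUIT",
])

def client_commands(transcript):
    """Yield the verb of each client command line, skipping DATA bodies."""
    in_body = False
    for raw in transcript.splitlines():
        line = raw.rstrip("\r")
        if in_body:
            # The message body ends at a line holding a single dot.
            if line == ".":
                in_body = False
            continue
        if not line.strip():
            continue
        verb = line.split(None, 1)[0].upper()
        yield verb
        if verb == "DATA":
            in_body = True

def blocked(transcript, mode):
    """Return the verbs that are not on the allow-list for the given mode."""
    allowed = ALLOWED[mode]
    return [v for v in client_commands(transcript) if v not in allowed]

if __name__ == "__main__":
    for mode in ("smtp", "esmtp"):
        print(mode, "would block:", blocked(SAMPLE_SESSION, mode))
```

Under the `smtp` list the session is stopped at its first command, which matches the Exchange connection problems described in the question; under the `esmtp` list every verb in the sample is permitted.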

Excellent, thank you all for the responses.

I will be modifying the command to esmtp. I'll let you know how it goes.

Thanks again, everybody!

- Ted