New Member

removing 'ip inspect..smtp'

Does anyone know of the risk of removing an 'ip inspect..' statement from an IOS firewall feature set? Particularly the 'ip inspect..smtp' or 'esmtp' statement. We are having issues between Exchange servers through our site-to-site VPN, and the solution is recommending removing the ip inspect statement for SMTP to fix it. What is the risk of not having that statement?

Thanks,

- Ted

4 REPLIES
Gold

Re: removing 'ip inspect..smtp'

Ted,

IP Inspect for SMTP -

With ip inspect for SMTP activated, only the SMTP commands defined in IETF RFC 821, section 4.5, are allowed through the router; any other SMTP commands are blocked. The allowed SMTP commands include:

DATA, EXPN, HELO, HELP, MAIL, NOOP, QUIT, RCPT, RSET, SAML, SEND, SOML, and VRFY.

IP SMTP inspection does not support ESMTP; therefore, if you have enabled SMTP inspection, and your internal e-mail server uses ESMTP and is experiencing e-mail connection problems, you should disable SMTP application inspection for this connection.

Hope this helps.

New Member

Re: removing 'ip inspect..smtp'

Hello, thanks for the response,

It turns out that, yes, our Exchange servers are using ESMTP. If I remove the inspect smtp command completely, is there any security risk? Meaning, am I opening up a vulnerability in our organization to some SMTP exploit?

Thanks,

- Ted

New Member

Re: removing 'ip inspect..smtp'

Hi Ted

I would strongly suggest enabling ip inspect commands. Since you have Exchange Server running ESMTP, you need to enable the ip inspect esmtp command, which was introduced in 12.3(7)T. SMTP/ESMTP cannot coexist. Disable SMTP and enable ESMTP. ESMTP adds support for 3 additional commands: AUTH, EHLO, and ETRN.

For a detailed explanation of the advantages of ESMTP, here's the link:

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455aca.html
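To make the difference between the two replies above concrete, here is an added example (not Cisco's code, and not from any poster) that models the two inspection profiles as verb allow-lists and audits a constructed Exchange-style client session against each, showing exactly which verbs the `smtp` profile would reject and the `esmtp` profile would pass. The verb sets come from this thread; the session, host names and `audit_session` helper are constructed for illustration.

```python
# Added example, not Cisco code: which client SMTP verbs the two IOS inspection
# profiles from this thread pass. 'smtp' = RFC 821 sec. 4.5 verbs; 'esmtp'
# (12.3(7)T and later) adds AUTH, EHLO and ETRN.
SMTP_COMMANDS = frozenset({
    "DATA", "EXPN", "HELO", "HELP", "MAIL", "NOOP", "QUIT",
    "RCPT", "RSET", "SAML", "SEND", "SOML", "VRFY",
})
ESMTP_COMMANDS = SMTP_COMMANDS | {"AUTH", "EHLO", "ETRN"}
INSPECT_PROFILES = {"smtp": SMTP_COMMANDS, "esmtp": ESMTP_COMMANDS}


def audit_session(client_lines, profile):
    """Return (allowed, blocked) verb lists for a client-to-server stream.

    Lines in the DATA body (after DATA until a lone '.') are message content,
    not commands, so they are skipped. Verbs are matched case-insensitively.
    """
    allowed_set = INSPECT_PROFILES[profile]
    allowed, blocked = [], []
    in_data = False
    for line in client_lines:
        line = line.rstrip("\r\n")
        if in_data:
            if line == ".":
                in_data = False
            continue
        verb = line.split(" ", 1)[0].upper()
        if not verb:
            continue
        (allowed if verb in allowed_set else blocked).append(verb)
        if verb == "DATA":
            in_data = True
    return allowed, blocked


# Constructed Exchange-style ESMTP session, client side only.
SAMPLE_SESSION = [
    "EHLO mail.example.test",
    "AUTH NTLM",
    "MAIL FROM:<a@example.test>",
    "RCPT TO:<b@example.test>",
    "DATA",
    "Subject: hi",
    "HELO in the body is content, not a command",
    ".",
    "QUIT",
]
```

Running `audit_session(SAMPLE_SESSION, "smtp")` shows EHLO and AUTH rejected (which is why the Exchange sessions fail), while `"esmtp"` passes the whole session and still rejects anything outside the listed verbs.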

New Member

Re: removing 'ip inspect..smtp'

Excellent, thank you all for the responses.

I will be modifying the command to esmtp. I'll let you know how it goes.

Thanks again, everybody!

- Ted
