topic Re: Inspect ESMTP in Network Security

Inspect ESMTP

fargier — Mon, 11 Mar 2019 09:38:56 GMT

Hello,

How you explain that we you apply in configuration command inspect esmtp with pix version 7(2)1, there is some trouble with mail.

I'm using exchange server.

Thank you a lot.

Re: Inspect ESMTP

daviddtran — Tue, 27 Feb 2007 14:28:29 GMT

because that is a "known" issue since version

6.x.

Re: Inspect ESMTP

fargier — Tue, 27 Feb 2007 14:46:00 GMT

I believed that this problem was corrected with pix version 7.

Re: Inspect ESMTP

daviddtran — Tue, 27 Feb 2007 14:49:09 GMT

I am running version 7.2(2) and my exchange

server is win2k3 w/ service pack 1 behind the

firewall and I am having intermittent issue

with mail until I do "no fixup protcol smpt 25"

and the issue goes away.

David

Re: Inspect ESMTP

fargier — Tue, 27 Feb 2007 15:05:16 GMT

I have done the same to correct this problem. But i would like to know why ?? Some smtp doesn't respect RFC ?

Re: Inspect ESMTP

sebastan_bach — Tue, 27 Feb 2007 15:38:51 GMT

hi all in the new ios. pix or ur asa can inspect EMSTP traffic to check for RFC compliance. now ur windows smtp or exchange server doesn;t use basic smtp commands it uses extended smtp commands called as ESMTP. for mail to work properly across firewall with rfc valid commands. set the inspect to ESMTP. i am sure this inspection is there by default.

regards

sebastan

Re: Inspect ESMTP

fargier — Tue, 27 Feb 2007 15:40:18 GMT

i've found that:

CSCsg52277

I'm in 7.2(1) Probably corrected in 7.2(2)..

Re: Inspect ESMTP

suschoud — Mon, 05 Mar 2007 18:38:57 GMT

"I am running version 7.2(2) and my exchange

server is win2k3 w/ service pack 1 behind the

firewall and I am having intermittent issue

with mail until I do "no fixup protcol smpt 25"

and the issue goes away. "

in 7.2.2,there's no command as fixup".

we have inspect commands in 7.x

please correct.

Re: Inspect ESMTP

oxys — Wed, 07 Mar 2007 14:22:48 GMT

In 7.2.x (including the latest 7.2.2 interim releases) there are bugs related to SMTP/ESMTP inspection. PIX inspection engine drops connections if it finds a registered header name, as "Content-type", inside another header of any kind. This can happen if you use SpamAssassin and configure it to save reports inside e-mail header, or a remarkable case is Gmail which uses control headers containing other header names as keywords.

The problem is that RFCs do not forbid the use of a header name inside another header, but PIX/ASA Os 7.2.x incorrectly detects this behaviour as "malicious" because it sees a duplicate header. So it's the PIX that is wrong, not the messages. I opened a TAC case for this bug about one month ago.

The bug is now recognized as CSCsh33982, a level 2 bug. If you look in the Bug Toolkit you'll find the bug and you'll see that it is fixed in version 7.2(2)12 and 8.x. OS 7.2(2)12 is an interim release, but it is not public. Actually, today I installed it and I have found that the bug is not fully fixed: sometimes Gmail inserts two headers with the same keywords inside a message and the ASA/PIX still drops these messages. A new bug has been recognized: CSCsi01498.

So, at the moment, the only correct suggestion I can give you is to disable SMTP/EMSTP inspection if you use PIX/ASA OS 7.2.x. At least remove it for the traffic originated by or directed to your mail server if you don't want to loose messages.

Another note: serious modern e-mail servers allow you to configure security features for their SMTP service comparable or even better than those provided by PIX inspection. Even MS Exchange can be configured properly.

Re: Inspect ESMTP

fargier — Wed, 07 Mar 2007 14:25:31 GMT

Great answer !

Re: Inspect ESMTP

sebastan_bach — Wed, 07 Mar 2007 14:28:36 GMT

hi man u have a great and a detailed understanding of the smtp protocol man not even ccie;s out here know the inner working of things like this. keep it up and keeps us updated on stuff like this.

just curious to know how did u find out this was the problem.

regards

sebastan

Re: Inspect ESMTP

oxys — Wed, 07 Mar 2007 14:41:31 GMT

I discovered the problem at the beginning of january because our e-mail servers could not receive a lot of messages. I understood that it was related to the upgrade of PIX OS from 7.1.x (yes, in 7.1.x ESMTP inspection works, but is less accurate than in 7.2.x) to 7.2.2.

It's not true that I have a deep understanding of SMTP protocol. I debugged PIX behaviour with the help of a Cisco engineer, I analyzed blocked messages, then I studied a lot of RFCs (but I understood only what I needed to understand the problem).

I hope that my message could help you. I hope that the TAC cases I have opened help Cisco fix this 7.2.x OS that I believe is too much buggy.

Re: Inspect ESMTP

sebastan_bach — Wed, 07 Mar 2007 14:43:49 GMT

hi buddy thanks a lot for ur reply.

i guess but the 7.2.2 code was just of bug fixes and suggested by cisco as the stable version.

regards

sebastan