topic Re: Disable SMTP inspection via FMC in Network Security

Disable SMTP inspection via FMC

itsupport — Tue, 12 Mar 2019 11:08:21 GMT

I have an ASA-5508x, adminstered by a vFMC. Both are running 6.2.2.1. Note that this is FTD, not the older ASA software.

I have a server behind the 5508, in a DMZ, that I want to have send email via an SMTP connection to Office 365. The problem I am seeing is with the FTD perfoming "SMTP inspection" mangling the SMTP session. This can be seen when I telnet to port25, and see a heap of asterixes. ie 220 ***************************************************************************************. This, unfortunatly, prevents my application from being able to start a TLS session, authenticate and relay.

I am trying to figure out how to turn this off. I have checked the rule that is allowing traffic on port 25, configuring NO intrusion policy and NO file policy, but SMTP inspection still seems to be occuring.

How do I disable this, and have SMTP traffic pass unmolested?

It would be preferable if I can do this in a rule, or in some other way make it apply to just a single host, but if it has to be implemted globally that is workable.

Re: Disable SMTP inspection via FMC

Mohammed al Baqari — Thu, 09 Aug 2018 09:01:23 GMT

Go to FTD CLI and apply this command

configure inspection esmtp disable

Re: Disable SMTP inspection via FMC

itsupport — Fri, 10 Aug 2018 02:24:33 GMT

Being an FMC, there is no CLI.

Re: Disable SMTP inspection via FMC

Mohammed al Baqari — Fri, 10 Aug 2018 02:27:23 GMT

I thought I said FTD not FMC. You need to put the command on FTD

Re: Disable SMTP inspection via FMC

itsupport — Fri, 10 Aug 2018 03:49:58 GMT

That is not how the vFMC/FTD software works. Configuration cannot be done using a CLI.

@Mohammed al Baqari wrote:
I thought I said FTD not FMC. You need to put the command on FTD

Re: Disable SMTP inspection via FMC

Mohammed al Baqari — Fri, 10 Aug 2018 09:19:19 GMT

You asked a question and I gave you an answer. I am not sure whats the
pointing of asking question and then negating the answer.

This is the answer either take it or leave it. But you need to learn about
FTD before responding

Re: Disable SMTP inspection via FMC

Marvin Rhoads — Fri, 10 Aug 2018 11:15:03 GMT

For MOST (but not all) features you are right.

A few things - such as default inspections - are configurable locally via cli. That applies even when the FTD device is managed by FMC.

https://www.cisco.com/c/en/us/td/docs/security/firepower/command_ref/b_Command_Reference_for_Firepower_Threat_Defense/c_3.html#wp2136048707

As noted in the above reference, you should consider using a Flexconfig object in FMC to make this change persistent across policy deployments (if you have version 6.2.3 or later).

Re: Disable SMTP inspection via FMC

itsupport — Tue, 14 Aug 2018 06:29:25 GMT

OK for anyone else following, I eventually figured this out:

1. Create a Flexconfig policy, apply the Default_Inspection_Protocol_Disable, System defined object.

2. Go to Objects, Flexconfig, Text Object. Edit the disableInspecProtocolList to include ESMPT.

More than a little counterintuitive and convoluted, but works.