Multiple multiple emails with no esmtp inspection

rsaeks — Tue, 12 Mar 2019 07:15:24 GMT

Hi all,

I'm running into an issue where we are receiving multiple duplicates of emails (E-Mail volume increasing 10 fold) in our domain. Working with our filtering provider they are saying it is an issue with esmtp inspection / fixup smtp settings on our ASA since the SMTP server login banner is being replaced by all *'s.

I've gone through the ASA config multiple times and made sure we are not inspecting any SMTP protocols and have not seen the problem. When telnetting to our filtering device from the internal interface I receive the banner as expected. I'm wondering if anyone has seen this issue and if there are any tips on what to check out. This has only recently started and we have not made any changes with our firewall config, so it is rather puzzling.

Thanks for any input that you can provide!

If you can telnet to their

Philip D'Ath — Tue, 09 Feb 2016 00:16:21 GMT

If you can telnet to their server on port 25 and see a plain banner than it is not likely to be SMTP inspection.

Ask them to send a screenshot of what they see.

Can you post just your service policies so we can confirm SMTP inspection is off?

The output of show service

rsaeks — Tue, 09 Feb 2016 16:27:13 GMT

The output of show service-policy is blank and

The banner displayed is: 220 *****************************************************

We are also working along with our ISP to see if there is anything they can help with. It's a bizarre one!

This is just like a Cisco

Philip D'Ath — Tue, 09 Feb 2016 18:16:36 GMT

This is just like a Cisco router for Cisco firewall doing (E)SMTP inspection.

Can you post your firewall config? Do you have any routers running IOS firewall? If so, can you post their config please.

Below is the cleaned up

rsaeks — Wed, 10 Feb 2016 03:50:27 GMT

Below is the cleaned up output from our ASA. We do have a router but it is not running an IOS firewall.

ASA:

hostname GCS-FW-INTERNET
name 192.168.48.55 GSSPRES01
name X.X.X.X Security_Monitoring
name 192.168.41.7 SouthOffice description SouthOffice
name 17.0.0.0 AppleAPNS
dns-guard
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address X.X.X.X 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.20.1.2 255.255.255.0
!
interface Ethernet0/2
speed 100
duplex full
nameif dmz
security-level 50
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/3
nameif guest_inet
security-level 10
ip address 10.2.1.1 255.255.254.0
!
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
management-only
!
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name glencoeschools.org
same-security-traffic permit intra-interface
object-group service glenmanage tcp
port-object eq ftp
port-object eq ftp-data
port-object eq ssh
port-object eq 311
port-object eq 331
port-object eq 548
port-object eq 660
port-object eq 687
port-object eq 10000
object-group service mdaemon tcp
port-object eq smtp
port-object eq pop3
port-object eq imap4
port-object eq ident
port-object eq https
port-object eq 465
port-object eq 587
port-object eq 7071
port-object eq 993
object-group service schooldude tcp
port-object eq www
port-object eq 3011
port-object eq 1911
object-group network sipsource
network-object X.X.X.X 255.255.255.255
object-group network SIP-Interface
network-object X.X.X.X 255.255.255.255
object-group service jabber tcp
description 8443
port-object eq 8443
object-group network gws-sip
network-object host X.X.X.X
object-group network Block-IP-Ranges
network-object 105.220.0.0 255.255.0.0
network-object 105.221.0.0 255.255.0.0
network-object 105.222.0.0 255.255.0.0
network-object 105.223.0.0 255.255.0.0
network-object 105.224.0.0 255.255.0.0
network-object 105.225.0.0 255.255.0.0
network-object 105.226.0.0 255.255.0.0
network-object 105.227.0.0 255.255.0.0
network-object 105.228.0.0 255.255.0.0
network-object 105.229.0.0 255.255.0.0
object-group network securityCameras
network-object host 192.168.42.3
network-object host 192.168.57.3
network-object host 192.168.51.7
object-group service SecurityCameras
description Security Camera Ports
service-object tcp eq ftp
service-object tcp eq www
service-object udp eq ntp
object-group service APNS tcp
description Apple Push Notifications
port-object eq 2195
port-object eq 2196
port-object eq 5223
port-object eq https
object-group service DM_INLINE_TCP_1 tcp
port-object eq https
port-object eq smtp
access-list internet_in extended permit tcp any host 63.X.X.X object-group mdaemon
access-list internet_in extended permit tcp any host 63.X.X.Y object-group DM_INLINE_TCP_1
pager lines 24
logging enable
logging timestamp
logging buffer-size 1040000
logging monitor debugging
logging buffered debugging
logging trap notifications
logging asdm debugging
logging host inside 192.168.40.209 17/5544
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu guest_inet 1500
mtu management 1500
ip local pool VPN_Pool 172.20.1.10-172.20.1.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649-103.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.16.0.0 255.255.0.0
nat (inside) 1 192.168.0.0 255.255.0.0
nat (guest_inet) 1 10.2.0.0 255.255.254.0
nat (guest_inet) 1 10.2.0.0 255.255.254.0 outside
static (inside,outside) tcp 63.X.X.Y smtp 192.168.40.9 smtp netmask 255.255.255.255
static (inside,outside) tcp 63.X.X.X smtp 192.168.40.8 smtp netmask 255.255.255.255
static (inside,outside) tcp 63.X.X.X pop3 192.168.40.8 pop3 netmask 255.255.255.255
static (inside,outside) tcp 63.X.X.X imap4 192.168.40.8 imap4 netmask 255.255.255.255
static (inside,outside) tcp 63.X.X.X ident 192.168.40.8 ident netmask 255.255.255.255
static (inside,outside) tcp 63.X.X.X 7071 192.168.40.8 7071 netmask 255.255.255.255
static (inside,outside) tcp 63.X.X.X 3000 192.168.40.8 3000 netmask 255.255.255.255
static (inside,outside) tcp 63.X.X.X https 192.168.40.8 https netmask 255.255.255.255
access-group internet_in in interface outside
access-group outside_access_out out interface outside
access-group guest_inet_access_in in interface guest_inet
!
router eigrp 7159
no auto-summary
network X.X.X.X 255.255.255.240
network 172.20.1.0 255.255.255.0
network 192.168.40.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.0.0 255.255.0.0 inside
snmp-server host inside 192.168.40.200 community ***** version 2c
snmp-server host inside 192.168.40.217 community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.0.0 255.255.0.0 inside
telnet 172.16.0.0 255.255.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.40.1 source inside prefer
!
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4bc8f4be3357f45680fa141e97167f4e
: end

It is not this device doing

Philip D'Ath — Wed, 10 Feb 2016 04:16:06 GMT

It is not this device doing the inspection. Do you have any other firewalls or routers it could be?