topic ESMTP connection dropped in Network Security

ESMTP connection dropped

david.fernandez.fernandez — Tue, 12 Mar 2019 01:51:36 GMT

hello,

We are working with an ASA 5520 and it seems there is an issue with some email messages sent throught it.

When there are many recipients in the emails the email messages are not sent, and I have revised the server an the only thing I see is connecting dropped.

When I went to see ASA log and see this log report:

ESMTP Classification: Dropped connection for ESMTP Request from 'interface': servername/portnumber to outside: IP address/25; matched Class 2: cmd RCPT count gt 100

tcp flow from interface:servername/portnumber to outside: IP address/25 terminated by inspection engine, reason - inspector disconnected, dropped packet.

So I think there should be an inspection of ESMTP packets and if they detect an email message sent to over 100 addresses, then the packet is dropped, am I right? if so, what should I do to let those email messages be sent?

Thank you very much.

Regards.

ESMTP connection dropped

Karsten Iwen — Fri, 31 May 2013 09:13:01 GMT

On the CLI these rules are configured with the policy-maps. There you find a rule where these limits are enforced and where you can change the limits or even disable the checks.

Probably there is a reason that someone configured these policies as they are not a default-config. So you have to decide how your new policy should be and if you post the relevant part of the config, we can assist you in changing the parameters.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

ESMTP connection dropped

Jouni Forss — Fri, 31 May 2013 09:16:20 GMT

Hi,

You probably have a configuration similiar to this under some "policy-map" configuration

match cmd RCPT count gt 100

drop-connection log

I would imagine you would have to increase the amount if that is the requirement

- Jouni

ESMTP connection dropped

david.fernandez.fernandez — Fri, 31 May 2013 10:17:36 GMT

thank you for your answers.

I have checked the running-config and I did not found the parameters, but I leave that configuration part here:

class-map global-class

match access-list global_mpc_5

class-map inspection_default

match default-inspection-traffic

<--- More --->

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map type inspect im impolicy

parameters

match protocol msn-im yahoo-im

drop-connection

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

<--- More --->

inspect icmp

inspect ip-options

class global-class

csc fail-close

policy-map type inspect http P2P_HTTP

parameters

match request uri regex _default_gator

match request uri regex _default_x-kazaa-network

drop-connection log

service-policy global_policy global

smtp-server 10.0.1.31 10.0.1.34

prompt hostname context

Thank you very much

best regards.

Re: ESMTP connection dropped

Jouni Forss — Fri, 31 May 2013 10:28:23 GMT

Hi,

I am not sure if its some default limt value then. To be honest I havent had to change these configurations that much.

I would imagine that the limit could be raised with a configuration. The value naturally depends on you.

policy-map type inspect esmtp ESMTP

match cmd RCPT count gt 200

drop-connection log

policy-map global_policy

class inspection_default

inspect esmtp ESMTP

But I have to say I am not sure if that is all that you need.

You would have to first remove the existing "inspect esmtp" which might affect some traffic.

- Jouni

Re: ESMTP connection dropped

Karsten Iwen — Fri, 31 May 2013 11:52:44 GMT

I just looked it up and there is (also to my suprise) a default for this parameter. The complete defaults for ESMTP are these values:

policy-map type inspect esmtp _default_esmtp_map

description Default ESMTP policy-map

parameters

mask-banner

no mail-relay

no special-character

no allow-tls

match cmd line length gt 512

drop-connection log

match cmd RCPT count gt 100

drop-connection log

match body line length gt 998

log

match header line length gt 998

drop-connection log

match sender-address length gt 320

drop-connection log

match MIME filename length gt 255

drop-connection log

match ehlo-reply-parameter others

mask

To solve that problem you could disable the whole ESMTP-inspection or overwrite the parameter in question as by Jounis direction.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Re: ESMTP connection dropped

david.fernandez.fernandez — Fri, 31 May 2013 12:23:26 GMT

ok,

I have finally gone to default configuration and disable inspect for ESMTP traffic.

Now I see no ESMTP being log or dropped in the ASA log.

I will now see if the email the several recipients works as it should.

thank you both a lot.

best regards.

David.