https://community.cisco.com/t5/network-security/smtp-filtering-problems/m-p/1601040#M566677 <P>Hi,</P><P></P><P>Everytime I turn on esmtp filtering for a client using Exchange Server, things end up getting blocked and it never logs anything it blocks.</P><P></P><P>Here's my map.</P><P></P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote">policy-map type inspect esmtp secure_smtp_map<BR /> parameters<BR />&nbsp; no mask-banner<BR />&nbsp; special-character action drop-connection log<BR />&nbsp; allow-tls action log<BR /> match sender-address length gt 320 <BR />&nbsp; drop-connection log<BR /> match MIME filename length gt 255 <BR />&nbsp; drop-connection log<BR /> match cmd line length gt 512 <BR />&nbsp; drop-connection log<BR /> match cmd verb VRFY <BR />&nbsp; mask log<BR /> match cmd RCPT count gt 100 <BR />&nbsp; drop-connection log<BR /> match body line length gt 998 <BR />&nbsp; drop-connection log<BR /></PRE><P></P><P>Anyone want to guess what it is since there is no logging?</P><P></P><P>This time&nbsp; the problem was hotmail users sending to internal Exchange users were getting bounced&nbsp; with this message:</P><P></P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P>Reporting-MTA: dns;blu0-omc2-s22.blu0.hotmail.com<BR />Received-From-MTA: dns;BLU156-W41<BR />Arrival-Date: Fri, 11 Feb 2011 10:17:19 -0800</P><P></P><P><SPAN>Final-Recipient: rfc822;</SPAN><A class="jive-link-email-small" href="mailto:someone@somewhere.us" target="_blank">someone@somewhere.us</A><BR />Action: failed<BR />Status: 5.3.3<BR />Diagnostic-Code: smtp;500 5.3.3 Unrecognized command</P></PRE><P></P><P>the last time it was an out-of-office autorepsonder with the same map.</P> Mon, 11 Mar 2019 19:49:44 GMT lcaruso 2019-03-11T19:49:44Z https://community.cisco.com/t5/network-security/smtp-filtering-problems/m-p/1601040#M566677 <P>Hi,</P><P></P><P>Everytime I turn on esmtp filtering for a client using Exchange Server, things end up getting blocked and it never logs anything it blocks.</P><P></P><P>Here's my map.</P><P></P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote">policy-map type inspect esmtp secure_smtp_map<BR /> parameters<BR />&nbsp; no mask-banner<BR />&nbsp; special-character action drop-connection log<BR />&nbsp; allow-tls action log<BR /> match sender-address length gt 320 <BR />&nbsp; drop-connection log<BR /> match MIME filename length gt 255 <BR />&nbsp; drop-connection log<BR /> match cmd line length gt 512 <BR />&nbsp; drop-connection log<BR /> match cmd verb VRFY <BR />&nbsp; mask log<BR /> match cmd RCPT count gt 100 <BR />&nbsp; drop-connection log<BR /> match body line length gt 998 <BR />&nbsp; drop-connection log<BR /></PRE><P></P><P>Anyone want to guess what it is since there is no logging?</P><P></P><P>This time&nbsp; the problem was hotmail users sending to internal Exchange users were getting bounced&nbsp; with this message:</P><P></P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P>Reporting-MTA: dns;blu0-omc2-s22.blu0.hotmail.com<BR />Received-From-MTA: dns;BLU156-W41<BR />Arrival-Date: Fri, 11 Feb 2011 10:17:19 -0800</P><P></P><P><SPAN>Final-Recipient: rfc822;</SPAN><A class="jive-link-email-small" href="mailto:someone@somewhere.us" target="_blank">someone@somewhere.us</A><BR />Action: failed<BR />Status: 5.3.3<BR />Diagnostic-Code: smtp;500 5.3.3 Unrecognized command</P></PRE><P></P><P>the last time it was an out-of-office autorepsonder with the same map.</P> Mon, 11 Mar 2019 19:49:44 GMT https://community.cisco.com/t5/network-security/smtp-filtering-problems/m-p/1601040#M566677 lcaruso 2019-03-11T19:49:44Z https://community.cisco.com/t5/network-security/smtp-filtering-problems/m-p/1601041#M566678 <HTML><HEAD></HEAD><BODY><P>Hey Caruso,</P><P></P><P><BR />Would you please do a "show tech" and grab the part for the service policy? It should open the SMTP inspection and tell us what are the fileds that the inspection is dropping.</P><P></P><P>Hope it helps.</P><P></P><P>Mike</P></BODY></HTML> Sat, 12 Feb 2011 15:01:32 GMT https://community.cisco.com/t5/network-security/smtp-filtering-problems/m-p/1601041#M566678 Maykol Rojas 2011-02-12T15:01:32Z https://community.cisco.com/t5/network-security/smtp-filtering-problems/m-p/1601042#M566679 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Thanks for your reply.</P><P></P><P>When TAC was on the call which lasted a few hours we never saw those counters from show service-policy increment as we sent mail from hotmail accounts, if that's what you mean. As soon as I turned off the policy, incoming hotmail was being received.</P><P></P><P>I had a similar problem with a different ASA at a different site with the same map. I don't belive the counters are working correctly.We had to turn it off at both sites because it doesn't give reliable reporting when something gets blocked and fails.</P><P></P><P>And why it doesn't create a syslog entry, well it seems there are a number of things that don't create syslog entries on these ASAs. Probably one of the biggest problems with this platform.Do you suppose we will ever see the day when all drops are logged as syslog entries no matter if they dropped on the outside interface, policy drops, or acl drops?</P></BODY></HTML> Sat, 12 Feb 2011 20:14:52 GMT https://community.cisco.com/t5/network-security/smtp-filtering-problems/m-p/1601042#M566679 lcaruso 2011-02-12T20:14:52Z https://community.cisco.com/t5/network-security/smtp-filtering-problems/m-p/1601043#M566680 <HTML><HEAD></HEAD><BODY><P>I would do a packet capture on boths sides of the ASA with SMTP filtering enabled and then disabled, sending to HOTMAIL (probably during low-traffic hours) and inspect the SMTP data payload to determine the difference. Capture the full packet and analyze the two. Maybe your params for the below are too agressive (well, they most certainly are, thats why you're getting dropped)</P><P></P><P>match sender-address length gt 320 <BR />&nbsp; drop-connection log<BR />match cmd line length gt 512 <BR />&nbsp; drop-connection log<BR />match cmd RCPT count gt 100 <BR />&nbsp; drop-connection log<BR />match body line length gt 998 <BR />&nbsp; drop-connection log</P></BODY></HTML> Sun, 13 Feb 2011 10:42:43 GMT https://community.cisco.com/t5/network-security/smtp-filtering-problems/m-p/1601043#M566680 aman.diwakar 2011-02-13T10:42:43Z https://community.cisco.com/t5/network-security/smtp-filtering-problems/m-p/1601044#M566683 <HTML><HEAD></HEAD><BODY><P>Thanks for your reply.</P><P></P><P>I'm still trying to figure out why the TAC engineer on the case decided it was too hard to capture that traffic. He kept telling me there would be too many packets. I'll try it myself and see what happens. Thanks for your suggestion.</P></BODY></HTML> Sun, 13 Feb 2011 14:13:07 GMT https://community.cisco.com/t5/network-security/smtp-filtering-problems/m-p/1601044#M566683 lcaruso 2011-02-13T14:13:07Z https://community.cisco.com/t5/network-security/smtp-filtering-problems/m-p/1601045#M566684 <HTML><HEAD></HEAD><BODY><P>well..maybe because there is a large list of mx records for hotmail:</P><P></P><P>But that shouldnt be a show stopper, here is a list of hotmail mx records, you can double check</P><P></P><P>65.54.188.72<BR />65.55.92.152<BR />65.55.37.88<BR />65.55.37.120<BR />65.55.37.72<BR />65.55.37.104<BR />65.55.92.136<BR />65.55.92.168<BR />65.55.92.184<BR />65.54.188.94<BR />65.54.188.110<BR />65.54.188.126<BR />65.54.188.126<BR />65.55.92.168<BR />65.55.37.72<BR />65.55.37.104<BR />65.55.37.120<BR />65.55.92.152<BR />65.55.37.88<BR />65.55.92.136<BR />65.55.92.184<BR />65.54.188.72<BR />65.54.188.94<BR />65.54.188.110</P><P></P><P>Just put them as source and destination address like this</P><P></P><P>access-list capture permit tcp host 65.54.188.110 eq 25 host <YOURMAILSERVER></YOURMAILSERVER></P><P>access-list capture permit tcp host <YOURMAILSERVER> host 65.54.188.110 eq 25</YOURMAILSERVER></P><P></P><P>capture in access-list capture interface inside</P><P>capture out access-list capture interface outside</P><P></P><P>but..you have to make sure the size option and any other option in the capture command is configured (i havent looked at the capture command syntax in a while)</P></BODY></HTML> Tue, 15 Feb 2011 07:40:13 GMT https://community.cisco.com/t5/network-security/smtp-filtering-problems/m-p/1601045#M566684 aman.diwakar 2011-02-15T07:40:13Z https://community.cisco.com/t5/network-security/smtp-filtering-problems/m-p/1601046#M566685 <HTML><HEAD></HEAD><BODY><P>ahh...so many mx records...that was his reason.</P><P></P><P>I'll try your suggestions when I find time. Right now we just had to turn it off so mail would flow.</P><P></P><P>You made some good suggestions. Appreciate it. Thanks.</P></BODY></HTML> Wed, 16 Feb 2011 03:50:58 GMT https://community.cisco.com/t5/network-security/smtp-filtering-problems/m-p/1601046#M566685 lcaruso 2011-02-16T03:50:58Z