https://community.cisco.com/t5/network-security/asa-and-inspect-esmtp/m-p/1263350#M763807 <HTML><HEAD></HEAD><BODY><P>Hi, </P><P></P><P>Kindly understand the functionality of 'inspect esmtp' first. </P><P></P><P>Please visit the following link for information on the same:</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1719425" target="_blank">http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1719425</A></P><P></P><P>Assuming the receiving MTA is indicating that it supports Binary Chunking, and that implies that the binary data (BDAT) verb is also supported. However, the ASA does not support the BDAT verb and will XXXX it out. When the receiving MTA gets the Xed out command, it will send back a 500 (Unrecognized command) to the sending MTA. The sending MTA (in the case of Microsoft) then Resets (RSET) the connection. This causes mails to be unable to be sent. The problem here is with the ASA. This can be clearly seen by applying captures on the outside interface of the firewall with an error code of 500. </P><P></P><P>To rectify this please make a custom esmtp policy map like one configured in the below given example:</P><P></P><P>policy-map type inspect esmtp _default_esmtp_map</P><P>match ehlo-reply-parameter others</P><P> mask</P><P></P><P>Please apply this policy map on the outside interface. This will ensure esmtp inspection being turned on and also allowing BDAT connection to pass through the firewall masking them instead of Xing them.</P><P></P><P>Hope this helps!</P><P></P><P>Thanks, </P><P>Manish</P></BODY></HTML> Thu, 05 Nov 2009 23:36:56 GMT mkharban 2009-11-05T23:36:56Z https://community.cisco.com/t5/network-security/asa-and-inspect-esmtp/m-p/1263349#M763805 <P>Our ASA is running code 8.0.4 and our smtp mail inbound and outbound working fine, then it was broken. Check the ASA and the inspect esmtp is on by default and this working before. The mail library was updated and nothing is working. Researched and found out that by removing inspect esmtp and mail is working again. I would like to keep the inspect esmtp on for security purpose but need to find a work around solution. Please let me know if there is a work around for this.</P><P>Thank you.</P> Mon, 11 Mar 2019 16:36:43 GMT https://community.cisco.com/t5/network-security/asa-and-inspect-esmtp/m-p/1263349#M763805 ttran 2019-03-11T16:36:43Z https://community.cisco.com/t5/network-security/asa-and-inspect-esmtp/m-p/1263350#M763807 <HTML><HEAD></HEAD><BODY><P>Hi, </P><P></P><P>Kindly understand the functionality of 'inspect esmtp' first. </P><P></P><P>Please visit the following link for information on the same:</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1719425" target="_blank">http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1719425</A></P><P></P><P>Assuming the receiving MTA is indicating that it supports Binary Chunking, and that implies that the binary data (BDAT) verb is also supported. However, the ASA does not support the BDAT verb and will XXXX it out. When the receiving MTA gets the Xed out command, it will send back a 500 (Unrecognized command) to the sending MTA. The sending MTA (in the case of Microsoft) then Resets (RSET) the connection. This causes mails to be unable to be sent. The problem here is with the ASA. This can be clearly seen by applying captures on the outside interface of the firewall with an error code of 500. </P><P></P><P>To rectify this please make a custom esmtp policy map like one configured in the below given example:</P><P></P><P>policy-map type inspect esmtp _default_esmtp_map</P><P>match ehlo-reply-parameter others</P><P> mask</P><P></P><P>Please apply this policy map on the outside interface. This will ensure esmtp inspection being turned on and also allowing BDAT connection to pass through the firewall masking them instead of Xing them.</P><P></P><P>Hope this helps!</P><P></P><P>Thanks, </P><P>Manish</P></BODY></HTML> Thu, 05 Nov 2009 23:36:56 GMT https://community.cisco.com/t5/network-security/asa-and-inspect-esmtp/m-p/1263350#M763807 mkharban 2009-11-05T23:36:56Z https://community.cisco.com/t5/network-security/asa-and-inspect-esmtp/m-p/1263351#M763810 <HTML><HEAD></HEAD><BODY><P>Manish,</P><P>You are certainly helping alot and thank you for the link and this is good. Just to clear my confusing since I read so many different documents so I will keep the inspect esmtp on the global policy and add the custom esmtp as in the example or remove the the inspect esmtp and add the custom esmtp. Please let me know.</P></BODY></HTML> Fri, 06 Nov 2009 14:48:29 GMT https://community.cisco.com/t5/network-security/asa-and-inspect-esmtp/m-p/1263351#M763810 ttran 2009-11-06T14:48:29Z https://community.cisco.com/t5/network-security/asa-and-inspect-esmtp/m-p/1263352#M763811 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>We will have to keep only the custom inspection turned on in order to get this working. Kindly apply the same and let me know how it goes.</P><P></P><P>Hope this helps!</P><P></P><P>Thanks,</P><P>Manish</P></BODY></HTML> Fri, 06 Nov 2009 17:28:33 GMT https://community.cisco.com/t5/network-security/asa-and-inspect-esmtp/m-p/1263352#M763811 mkharban 2009-11-06T17:28:33Z https://community.cisco.com/t5/network-security/asa-and-inspect-esmtp/m-p/1263353#M763812 <HTML><HEAD></HEAD><BODY><P>Hi Manish,</P><P></P><P>Thanks for verification. I will apply the custom inspection like your example. Just a note on the policy-map the esmtp after the word inspect should not have the underscore to default correct?</P></BODY></HTML> Fri, 06 Nov 2009 18:01:28 GMT https://community.cisco.com/t5/network-security/asa-and-inspect-esmtp/m-p/1263353#M763812 ttran 2009-11-06T18:01:28Z https://community.cisco.com/t5/network-security/asa-and-inspect-esmtp/m-p/1263354#M763814 <HTML><HEAD></HEAD><BODY><P>Hi, </P><P></P><P>You can alter the name according to yourself. I just stated that as an example.</P><P></P><P>Thanks,</P><P>Manish</P></BODY></HTML> Fri, 06 Nov 2009 18:45:24 GMT https://community.cisco.com/t5/network-security/asa-and-inspect-esmtp/m-p/1263354#M763814 mkharban 2009-11-06T18:45:24Z https://community.cisco.com/t5/network-security/asa-and-inspect-esmtp/m-p/1263355#M763816 <HTML><HEAD></HEAD><BODY><P>Manish,</P><P></P><P>It is working. Thank you. 5 for you.</P></BODY></HTML> Tue, 10 Nov 2009 14:52:53 GMT https://community.cisco.com/t5/network-security/asa-and-inspect-esmtp/m-p/1263355#M763816 ttran 2009-11-10T14:52:53Z