https://community.cisco.com/t5/network-security/esmtp-inspection-default-settings/m-p/1266881#M828554 <HTML><HEAD></HEAD><BODY><P>Terrific! That option should help with many other things as well. Thanks for the info.</P></BODY></HTML> Mon, 24 Aug 2009 20:13:06 GMT stevekives 2009-08-24T20:13:06Z https://community.cisco.com/t5/network-security/esmtp-inspection-default-settings/m-p/1266876#M828496 <P>Does anyone know a way to display the ASA default ESMTP inspection settings? </P><P></P><P>The config seems to show nothing more than "inspect esmtp" in the global policy. We needed to liberalize a setting (allow more than 100 recipients) which means implementing our own inspection policy, but we don't seem to have an obvious way of replicating the remaining default inspection limits.</P> Mon, 11 Mar 2019 16:03:36 GMT https://community.cisco.com/t5/network-security/esmtp-inspection-default-settings/m-p/1266876#M828496 stevekives 2019-03-11T16:03:36Z https://community.cisco.com/t5/network-security/esmtp-inspection-default-settings/m-p/1266877#M828500 <HTML><HEAD></HEAD><BODY><P>For additional esmtp inspection parameters you have to create your own esmtp inspection policy map.</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/inspect.html#wp1478782" target="_blank">http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/inspect.html#wp1478782</A></P></BODY></HTML> Thu, 06 Aug 2009 22:55:04 GMT https://community.cisco.com/t5/network-security/esmtp-inspection-default-settings/m-p/1266877#M828500 JORGE RODRIGUEZ 2009-08-06T22:55:04Z https://community.cisco.com/t5/network-security/esmtp-inspection-default-settings/m-p/1266878#M828510 <HTML><HEAD></HEAD><BODY><P>We did that part. But we don't know what the other default settings are for ESMTP inspection, so currently all we have is a limit for RCPT entries. </P><P></P><P>To save time and effort it would be nice to replicate the remaining default inspection entries to get some use out of the feature, rather than generating them from scratch through trial and error.</P></BODY></HTML> Fri, 07 Aug 2009 15:07:24 GMT https://community.cisco.com/t5/network-security/esmtp-inspection-default-settings/m-p/1266878#M828510 stevekives 2009-08-07T15:07:24Z https://community.cisco.com/t5/network-security/esmtp-inspection-default-settings/m-p/1266879#M828525 <HTML><HEAD></HEAD><BODY><P>Problem solved! We figured out how to display the default inspection values, which turns out to be pretty simple:</P><P></P><P># show service-policy inspect esmtp</P><P></P><P>Global policy:</P><P>Service-policy: global_policy</P><P>Class-map: inspection_default</P><P>Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0</P><P>mask-banner, count 0</P><P>match cmd line length gt 512</P><P>drop-connection log, packet 0</P><P>match cmd RCPT count gt 100</P><P>drop-connection log, packet 0</P><P>match body line length gt 998</P><P>log, packet 0</P><P>match header line length gt 998</P><P>drop-connection log, packet 0</P><P>match sender-address length gt 320</P><P>drop-connection log, packet 0</P><P>match MIME filename length gt 255</P><P>drop-connection log, packet 0</P><P>match ehlo-reply-parameter others</P><P>mask, packet 0</P><P></P><P>Making a custom inspection set then becomes pretty straightforward:</P><P></P><P># policy-map type inspect esmtp ESMTP_Policy</P><P> parameters</P><P> allow-tls</P><P> match cmd RCPT count gt 1000 </P><P> reset log</P><P> <ETC></ETC></P><P># policy-map global_policy</P><P># class inspection_default</P><P># no inspect esmtp</P><P># inspect esmtp ESMTP_Policy</P><P></P><P>Now it's much easier to adjust the values as we encounter problems in the logs or brought to us by users.</P></BODY></HTML> Mon, 10 Aug 2009 18:35:23 GMT https://community.cisco.com/t5/network-security/esmtp-inspection-default-settings/m-p/1266879#M828525 stevekives 2009-08-10T18:35:23Z https://community.cisco.com/t5/network-security/esmtp-inspection-default-settings/m-p/1266880#M828540 <HTML><HEAD></HEAD><BODY><P>One more way ( see the all option in sh run <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P><P></P><P>ASA-5510-8x# sh run all | b policy-map</P><P>policy-map type inspect dns preset_dns_map</P><P> parameters</P><P> message-length maximum 512</P><P> no message-length maximum server</P><P> no message-length maximum client</P><P> dns-guard</P><P> protocol-enforcement</P><P> nat-rewrite</P><P> no id-randomization</P><P> no id-mismatch</P><P> no tsig enforced</P><P>policy-map type inspect http http-pol</P><P> parameters</P><P> body-match-maximum 200</P><P> match request uri regex _default_x-kazaa-network</P><P>policy-map type inspect rtsp _default_rtsp_map</P><P> description Default RTSP policymap</P><P> parameters</P><P>policy-map type inspect h323 _default_h323_map</P><P> description Default H.323 policymap</P><P> parameters</P><P> no rtp-conformance</P><P>policy-map type inspect esmtp _default_esmtp_map</P><P> description Default ESMTP policy-map</P><P> parameters</P><P> mask-banner</P><P> no mail-relay</P><P> no special-character</P><P> no allow-tls</P><P> match cmd line length gt 512</P><P> drop-connection log</P><P> match cmd RCPT count gt 100</P><P> drop-connection log</P><P> match body line length gt 998</P><P> log</P><P> match header line length gt 998</P><P> drop-connection log</P><P> match sender-address length gt 320</P><P> drop-connection log</P><P> match MIME filename length gt 255</P><P> drop-connection log</P><P> match ehlo-reply-parameter others</P><P> mask</P><P>policy-map global_policy</P><P> class inspection_default</P><P> inspect dns preset_dns_map</P><P> inspect ftp</P><P> inspect h323 h225 _default_h323_map</P><P> inspect h323 ras _default_h323_map</P><P> inspect rsh</P><P> inspect rtsp</P><P> inspect esmtp _default_esmtp_map</P><P> inspect sqlnet</P><P> inspect skinny</P><P> inspect sunrpc</P><P> inspect xdmcp</P><P> inspect sip</P><P> inspect netbios</P><P> inspect tftp</P><P> inspect icmp</P><P> class sip_class</P><P> inspect sip</P><P> class class-default</P><P>policy-map type inspect sip _default_sip_map</P><P> description Default SIP policymap</P><P> parameters</P><P> im</P><P> no ip-address-privacy</P><P> traffic-non-sip</P><P> no rtp-conformance</P><P>policy-map type inspect dns _default_dns_map</P><P> description Default DNS policy-map</P><P> parameters</P><P> no message-length maximum</P><P> no message-length maximum server</P><P> no message-length maximum client</P><P> dns-guard</P><P> protocol-enforcement</P><P> nat-rewrite</P><P> no id-randomization</P><P> no id-mismatch</P><P> no tsig enforced</P><P>policy-map type inspect ipsec-pass-thru _default_ipsec_passthru_map</P><P> description Default IPSEC-PASS-THRU policy-map</P><P> parameters</P><P> esp per-client-max 0 timeout 0:10:00</P><P>!</P><P>service-policy global_policy global</P><P></P></BODY></HTML> Tue, 11 Aug 2009 22:48:46 GMT https://community.cisco.com/t5/network-security/esmtp-inspection-default-settings/m-p/1266880#M828540 suschoud 2009-08-11T22:48:46Z https://community.cisco.com/t5/network-security/esmtp-inspection-default-settings/m-p/1266881#M828554 <HTML><HEAD></HEAD><BODY><P>Terrific! That option should help with many other things as well. Thanks for the info.</P></BODY></HTML> Mon, 24 Aug 2009 20:13:06 GMT https://community.cisco.com/t5/network-security/esmtp-inspection-default-settings/m-p/1266881#M828554 stevekives 2009-08-24T20:13:06Z