I'm trying to block the ESMTP EHLO AUTH response message on an ASA version 9.4(4)16 from coming to the client from the server. The application does not support disabling authentication if the server indicates it is supported, but the server is not managed by us. Here's what I have:
access-list test-smtp-acl extended permit tcp host 10.200.242.165 host 172.20.119.159
class-map test-smtp-class
 match access-list test-smtp-acl
policy-map type inspect esmtp block-auth
 parameters
  no mask-banner
  allow-tls action log
 match ehlo-reply-parameter auth
  mask log
policy-map global_policy
 class test-smtp-class
  inspect esmtp block-auth
I know it's matching, because if I turn on "mask-banner" it shows the typical *** instead of the SMTP server name. However, it is allowing the AUTH command through:
220 **************************************************************************************************
250-hostname.example.com Hello [10.200.242.165]
250-SIZE 2136746229
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 XRDST
Just for kicks, I also said to block PIPELINING, but it allowed that response through too. Any thoughts?
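Added example, not part of the post above: a small Python parser for the server-to-client EHLO reply that reports which extensions are still advertised after the inspection policy is applied, so the result of a policy change can be checked from a capture rather than by eye. The sample reply is constructed from the one quoted in the post.

```python
"""Parse a multi-line ESMTP EHLO reply and report advertised extensions."""
import re

# Constructed sample: the EHLO reply quoted in the post, banner masked
# (mask-banner on) but AUTH still advertised by the server.
SAMPLE_REPLY = """220 ***********************
250-hostname.example.com Hello [10.200.242.165]
250-SIZE 2136746229
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 XRDST
"""

# reply code, then '-' for a continuation line or ' ' for the last line
LINE_RE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_ehlo_reply(text):
    """Return {EXTENSION: [params]} from the 250 lines of an EHLO reply.

    Per RFC 5321 the first 250 line carries the server's domain (and
    optional greeting) and is not an extension; it is skipped. Lines
    with other codes (e.g. the 220 banner) are ignored.
    """
    features = {}
    saw_greeting = False
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group(1) != "250":
            continue
        if not saw_greeting:
            saw_greeting = True
            continue
        parts = m.group(3).split()
        if parts:
            features[parts[0].upper()] = parts[1:]
    return features


def still_advertised(text, blocked):
    """Keywords from `blocked` that the reply still offers, in that order."""
    features = parse_ehlo_reply(text)
    return [k for k in blocked if k.upper() in features]
```

Feed it the EHLO reply captured on the client side of the ASA; an empty list from still_advertised(reply, ("AUTH",)) means the policy is doing what the post intends.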