4898 Views | 5 Helpful | 7 Replies

Disable SMTP inspection via FMC

itsupport (Level 1)

I have an ASA-5508x, administered by a vFMC. Both are running 6.2.2.1. Note that this is FTD, not the older ASA software.

I have a server behind the 5508, in a DMZ, that I want to have send email via an SMTP connection to Office 365. The problem I am seeing is with the FTD performing "SMTP inspection" mangling the SMTP session. This can be seen when I telnet to port 25 and see a heap of asterisks, i.e. 220 ***************************************************************************************. This, unfortunately, prevents my application from being able to start a TLS session, authenticate and relay.

I am trying to figure out how to turn this off. I have checked the rule that is allowing traffic on port 25, configuring NO intrusion policy and NO file policy, but SMTP inspection still seems to be occurring.


How do I disable this, and have SMTP traffic pass unmolested?

It would be preferable if I can do this in a rule, or in some other way make it apply to just a single host, but if it has to be implemented globally that is workable.


7 Replies

Go to FTD CLI and apply this command

configure inspection esmtp disable

Being an FMC, there is no CLI.

I thought I said FTD not FMC. You need to put the command on FTD

That is not how the vFMC/FTD software works. Configuration cannot be done using a CLI.


@Mohammed al Baqari wrote:
I thought I said FTD not FMC. You need to put the command on FTD

 

You asked a question and I gave you an answer. I am not sure what the point is of asking a question and then negating the answer.

This is the answer, either take it or leave it. But you need to learn about FTD before responding.

For MOST (but not all) features you are right.

 

A few things, such as default inspections, are configurable locally via the CLI. That applies even when the FTD device is managed by FMC.

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/command_ref/b_Command_Reference_for_Firepower_Threat_Defense/c_3.html#wp2136048707

 

As noted in the above reference, you should consider using a Flexconfig object in FMC to make this change persistent across policy deployments (if you have version 6.2.3 or later).

OK for anyone else following, I eventually figured this out:

1. Create a FlexConfig policy and apply the Default_Inspection_Protocol_Disable system-defined object.

2. Go to Objects, FlexConfig, Text Object. Edit the disableInspectProtocolList to include ESMTP.

More than a little counterintuitive and convoluted, but works.
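After deploying the FlexConfig change, it is worth confirming from the DMZ host that the SMTP session is really passing untouched. The script below is an added example written for this thread, not code from Cisco or from any poster. It checks for the two symptoms described above: a 220 greeting replaced by asterisks (the banner obfuscation the original poster saw) and the absence of STARTTLS in the EHLO reply, which is what stops the TLS handshake. The host names, the EHLO identity and the sample replies are constructed placeholders; the live probe() needs real network access and is only called from the command line, while the parsing functions run on the embedded samples.

```python
import re
import socket
import sys

# Constructed sample replies (not captured from the poster's firewall).
MASKED_BANNER = "220 " + "*" * 60 + "\r\n"
CLEAN_BANNER = "220 mail.example.com Microsoft ESMTP MAIL Service ready\r\n"
EHLO_WITH_TLS = (
    "250-mail.example.com Hello [192.0.2.10]\r\n"
    "250-SIZE 157286400\r\n"
    "250-STARTTLS\r\n"
    "250 OK\r\n"
)
EHLO_WITHOUT_TLS = "250-mail.example.com Hello [192.0.2.10]\r\n250 OK\r\n"


def banner_is_masked(banner: str) -> bool:
    """True when the 220 greeting text consists only of asterisks, the
    signature of ESMTP inspection's banner obfuscation."""
    m = re.match(r"^220[ -](.*)$", banner.strip())
    if not m:
        return False
    text = m.group(1).strip()
    return bool(text) and set(text) <= {"*"}


def ehlo_advertises_starttls(ehlo_reply: str) -> bool:
    """True if any line of the multi-line EHLO reply is a STARTTLS capability."""
    for line in ehlo_reply.splitlines():
        if re.match(r"^250[ -]STARTTLS\s*$", line.strip(), re.IGNORECASE):
            return True
    return False


def assess(banner: str, ehlo_reply: str) -> dict:
    """Summarise whether inspection artefacts are present and whether a
    client could proceed to STARTTLS on this path."""
    masked = banner_is_masked(banner)
    starttls = ehlo_advertises_starttls(ehlo_reply)
    return {
        "banner_masked": masked,
        "starttls_offered": starttls,
        "inspection_suspected": masked,
        "starttls_usable": starttls and not masked,
    }


def _read_reply(sock: socket.socket) -> str:
    """Read one SMTP reply; a multi-line reply ends with '<code><space>'."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
        lines = buf.split(b"\r\n")[:-1]  # complete lines only
        if lines and re.match(rb"^\d{3} ", lines[-1]):
            break
    return buf.decode("ascii", "replace")


def probe(host: str, port: int = 25, timeout: float = 5.0) -> dict:
    """Live check from the DMZ host: read the greeting, send EHLO, assess."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        banner = _read_reply(s)
        # Hypothetical client identity; use the sending host's real name.
        s.sendall(b"EHLO dmz-app.example.invalid\r\n")
        ehlo = _read_reply(s)
        s.sendall(b"QUIT\r\n")
    return assess(banner, ehlo)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "smtp.office365.com"
    print(probe(target))
```

Run it from the server in the DMZ (python3 probe.py smtp.office365.com) before and after the policy deployment: banner_masked should flip from True to False and starttls_usable to True once ESMTP inspection is no longer applied to that flow.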
