Hi Sam,

The counters from the match lines aren't expected to add up to the aggregate count for the inspection. The match lines list the number of packets that have matched each of those criteria, while the top line is an aggregate count of the number of TCP/25 packets that have passed through the inspection engine.

In addition to the items listed in the match lines, the inspection also does basic ESMTP protocol enforcement. This means that things like invalid verbs or messages that don't conform to RFC will break when being inspected.

For more information on why the connection is being closed by the inspection, you can look at the output of 'debug esmtp 255'. Also, feel free to open a TAC case if the debug output isn't self-explanatory.

-Mike

Here is a detailed explanation on the counters and also how the esmtp inspection works.

To determine if there are devices on the network sending traffic not RFC compliant we need a capture however issue didn't re-appear.

The ESMTP application inspection provides improved protection against SMTP-based attacks by restricting the types of SMTP commands that can pass through the ASA and by adding monitoring capabilities.

ESMTP is an enhancement to the SMTP protocol and is similar in most respects to SMTP. For convenience, the term SMTP is used in this document to refer to both SMTP and ESMTP. The application inspection process for extended SMTP is

similar to SMTP application inspection and includes support for SMTP sessions. Most commands used in an extended SMTP session are the same as those used in an SMTP session but an ESMTP session is considerably faster and offers more options related to reliability and security, such as delivery status notification.

The inspect esmtp command includes the functionality previously provided by the fixup smtp command, and provides additional support for some extended SMTP commands. Extended SMTP application inspection adds support for these extended SMTP commands, including AUTH, EHLO, ETRN, HELP, SAML, SEND, SOML, STARTLS, and VRFY. Along with the support for seven RFC 821 commands (DATA, HELO, MAIL, NOOP, QUIT, RCPT, RSET), the ASA supports a total of fifteen SMTP commands.

Other extended SMTP commands, such as ATRN, ONEX, VERB, CHUNKING, and private extensions and are not supported. Unsupported commands are translated into Xs, which are rejected by the internal server. This results in a message such as "500 Command unknown: 'XXX'." Incomplete commands are discarded.

About the values you get on the service policy:

They are counters for all the features the ESMTP is inspecting for you:

Mask-banner: enforces banner obfuscation

Match cmd line length gt length: allows you to restrict the length of the command line.

Match cmd RCPT count gt count: allows you to restrict the number of recipient addresses.

Match body [line] length gt length: allows you to restrict the body length or body line length

Match header [line] length gt length: allows you to restrict the header length or header line length

Match sender-address length gt length: allows you to restrict the length of a sender's address

Match mime filename length gt length: allows you to restrict the MIME filename length

Match ehlo-reply-parameter extensions: allows you to set the ehlo-reply-parameters

All of them are taking different aspects of the traffic on port 25 and inspecting specific aspects of it.

Each of them will apply an action as below:

The drop-connection keyword drops the packet and closes the connection.

The mask keyword masks out the matching portion of the packet.

The log keyword, which you can use alone or with one of the other keywords, sends a system log message.