09-11-2017 09:45 AM - edited 02-21-2020 06:17 AM
Installed an ASA-5506x on a client site - when a vendor sends the email using TLS they get < #5.0.0 smtp; 5.4.7 - Delivery expired (message too old) 'TLS Unavailable' (delivery attempts: 0)>'. Disabled the esmtp fixup protocol with no sucess. Tried allowing TLS using:
policy-map type inspect esmtp esmtp_map
parameters
allow-tls action log
policy-map global_policy
class inspection_default
inspect esmtp esmtp_map
And then they receive "Remote Server returned '500 5.3.3 Unrecognized command'".
Any idea on what I'm missing? Thanks.
09-11-2017 10:36 AM
Can you communicate with that service locally? I mean if you are on the same network is this service enabled on the server
09-11-2017 10:44 AM
We can - the network used to use a Netgear FVS-318 as the firewall and TLS email came through fine, only change was replacing the Netgear with the Cisco. All other email flow is normal.
Jack
09-11-2017 11:10 AM
I would need the configuration and if possible enable logging on the ASA to check if there is something being blocked
09-11-2017 11:23 AM
Here is the config:
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.6(1)
!
hostname xxxxxx
domain-name xxx.local
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address xx.xx.xx.xx
255.255.255.248
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 172.21.63.1 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns server-group DefaultDNS
domain-name xxx.local
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-172.21.63.11
host 172.21.63.11
access-list 101 extended permit tcp any object obj-172.21.63.11 eq smtp
access-list 101 extended permit tcp any object obj-172.21.63.11 eq www
access-list 101 extended permit tcp any object obj-172.21.63.11 eq https
access-list 101 extended permit tcp any object obj-172.21.63.11 eq pptp
access-list 101 extended permit gre any any
access-list 101 extended permit tcp any object obj-172.21.63.11 eq 8585
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (any,outside) dynamic interface
object network obj-172.21.63.11
nat (any,any) static xxx.xxx.xxx.xxx
!
nat (inside,outside) after-auto source dynamic any interface
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 172.21.63.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 172.21.63.5-172.21.63.254 inside
!
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:866d293a9fbafdf3017c9d528e7e3046
: end
09-12-2017 04:05 AM
09-12-2017 09:19 AM
It looks like the remote server establishes a connection:
Sep 12 2017 09:52:01 302013 172.21.63.11 47405 12.34.36.36 25 Built outbound TCP connection 2354351 for outside:12.xx.xx.xx/25 (12.xx.xx.xx/25) to inside:172.21.63.11/47405 (96.xx.xx.xx/47405)
Then drops it:
6 Sep 12 2017 09:52:04 106015 172.21.63.11 47405 12.xx.xx.xx 25 Deny TCP (no connection) from 172.21.63.11/47405 to 12.xx.xx.xx/25 flags RST on interface inside
With the details showing:
%ASA-6-106015
09-14-2017 05:13 AM
Please run the filter on the ASDM monitoring logging option one more time when you attempt the connection.
Use the filter option because that deny no connection refers to a connection that has already been closed.
I would also suggest to try to establish a telnet session over port 25 to a another public mail server to see if you get a response.
telnet test.smtp.org 25
This is the result that you should get
220 test.smtp.org ESMTP Sendmail 8.16.0.16 ready at Thu, 14 Sep 2017 12:12:31 GMT; see http://test.smtp.org/
If you don't get a response I would suggest to talk to your ISP
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide