Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
605
Views
0
Helpful
0
Replies

ASA - esmtp inspecting - block AUTH

Matt Glosson
Level 1
Level 1

‎03-29-2018 02:04 PM - edited ‎02-21-2020 07:34 AM

I'm trying to block the ESMTP EHLO AUTH response message on an ASA version 9.4(4)16 from coming to the client from the server. The application does not support disabling authentication if the server indicates it is supported, but the server is not managed not by us. Here's what I have:

 

access-list test-smtp-acl extended permit tcp host 10.200.242.165 host 172.20.119.159

class-map test-smtp-class
 match access-list test-smtp-acl

policy-map type inspect esmtp block-auth
 parameters
  no mask-banner
  allow-tls action log
 match ehlo-reply-parameter auth
  mask log

policy-map global_policy
 class test-smtp-class
  inspect esmtp block-auth

I know it's matching, because if I turn on "mask-banner" it shows the typical *** instead of the SMTP server name. However, it is allowing the AUTH command through:

220 **************************************************************************************************
250-hostname.example.com Hello [10.200.242.165]
250-SIZE 2136746229
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 XRDST

Just for kicks, I also said to block PIPELINING, but it allowed that response through too. Any thoughts?

Labels:
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card