cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
12949
Views
0
Helpful
5
Replies

ASA ESMTP inspection stopping outbound mail

Cipher2011
Level 1
Level 1

I am having an issue with an ASA 5510, running 8.4(1) code, causing outbound mail to remain in the SMTP server queue (Exchange 2007). This only happens with some remote mail servers. The connection usually ends with the remote server eventually sending a TCP reset.

I've taken multiple inside and outside packet traces...

One trace shows the following at the end of the TCP stream:

X

421 4.4.2 service timed out.

QUIT

Other trace's contain either X's preceding various sections of the stream content or all X's in the content. The X's only appear when inspection is enabled.

Disabling inspection is the only thing that seems to allow mail to flow. I find this curious because I'm running this same ESMTP policy on other ASA's. However, they are on 8.3 code.

Has anyone experienced this or have an idea how to fix the issue? Most everything I find when searching on this subject says to disable ESMTP inspection. However, that isn't a good permanent solution.

Current Custom ESMTP Policy:

policy-map type inspect esmtp esmtp_tls_enable

description Custom ESMTP policy-map w/ TLS enabled

parameters

  no mask-banner

  allow-tls action log

match cmd line length gt 512

  log

match cmd RCPT count gt 100

  log

match body line length gt 998

  log

match header line length gt 998

  log

match MIME filename length gt 255

  log

match sender-address length gt 320

  log

match ehlo-reply-parameter others

  mask

5 Replies 5

Cipher2011
Level 1
Level 1

I may have found the problem. I had applied the custom ESMTP policy to the "policy-map global_policy" instead of the external interface. I now have the ESMTP inspection applied to the external interface and mail seems to be flowing.

Can someone confirm that this was the correct action to take? What is the best practice here?

I now have the following custom policy applied only to the outside interface. ESMTP inspection is not being performed globally or on other interfaces.

Current Custom ESMTP Policy:

policy-map type inspect esmtp esmtp_tls_enable

description Custom ESMTP policy-map w/ TLS enabled

parameters

  no mask-banner

  allow-tls action log

match cmd line length gt 512

  log

match cmd RCPT count gt 100

  log

match body line length gt 998

  log

match header line length gt 998

  log

match MIME filename length gt 255

  log

match sender-address length gt 320

  log

match ehlo-reply-parameter others

  mask

Hi,

Based on your description, it looks like the inspection engine was masking some commands. By default the ESMTP inspection engine allows only a specific set of commands as listed below:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_basic.html#wp1224614

It's possible that the server is sending some unknown commands tat the ASA masked causing the outbound e-mail connection to break. But saying that, what does not make sense is the fact that applying the inspection on the external interface resolves the issue.

The best way to move ahead will be to get working and non-working captures on the ASA from the inside and outside interfaces and compare them to see what's going on. If you are able to reproduce this behavior, do get the captures and open a TAC case to have this looked into.

Hope this helps!

Regards,

Prapanch

Hi Bro

The best way of course is to disable the ESMTP inspection, or remove the drop-connection keyword, and just remain the log keyword, but that’s not why you’re here, am I right?

The MAIL and RCPT commands specify who are the sender and the receiver of the mail. Mail addresses are scanned for strange characters. The pipeline character (|) is deleted (changed to a blank space) and "<" ‚">" are only allowed if they are used to define a mail address (">" must be preceded by "<"). It's very possible that the Email Server is sending some unknown commands that cause the Cisco ASA to behave in this manner.

Are you applying the custom ESMTP policy to the "policy-map global_policy"? If yes, could you remove it and apply the custom ESMTP policy to the inside interface instead. Let me know how it goes.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_basic.html#wp1224614

Warm regards,
Ramraj Sivagnanam Sivajanam

Peter Thomas
Level 1
Level 1

Had the same problem with my hosted ASA and a mail relay sitting behind it.

Disabling the ESMTP policy resolved the problem as the "allow-tls" command was "dated" according to my hosted provider.

Tony Larsen
Level 1
Level 1

I had the same problem too.

no inspect esmtp

Review Cisco Networking for a $25 gift card