06-14-2011 11:01 AM - edited 03-11-2019 01:45 PM
I am having an issue with an ASA 5510, running 8.4(1) code, causing outbound mail to remain in the SMTP server queue (Exchange 2007). This only happens with some remote mail servers. The connection usually ends with the remote server eventually sending a TCP reset.
I've taken multiple inside and outside packet traces...
One trace shows the following at the end of the TCP stream:
X
421 4.4.2 service timed out.
QUIT
Other traces contain either X's preceding various sections of the stream content or all X's in the content. The X's only appear when inspection is enabled.
Disabling inspection is the only thing that seems to allow mail to flow. I find this curious because I'm running this same ESMTP policy on other ASAs. However, they are on 8.3 code.
Has anyone experienced this or have an idea how to fix the issue? Most everything I find when searching on this subject says to disable ESMTP inspection. However, that isn't a good permanent solution.
Current Custom ESMTP Policy:
policy-map type inspect esmtp esmtp_tls_enable
 description Custom ESMTP policy-map w/ TLS enabled
 parameters
  no mask-banner
  allow-tls action log
 match cmd line length gt 512
  log
 match cmd RCPT count gt 100
  log
 match body line length gt 998
  log
 match header line length gt 998
  log
 match MIME filename length gt 255
  log
 match sender-address length gt 320
  log
 match ehlo-reply-parameter others
  mask
06-14-2011 11:27 AM
I may have found the problem. I had applied the custom ESMTP policy to the "policy-map global_policy" instead of the external interface. I now have the ESMTP inspection applied to the external interface and mail seems to be flowing.
Can someone confirm that this was the correct action to take? What is the best practice here?
I now have the following custom policy applied only to the outside interface. ESMTP inspection is not being performed globally or on other interfaces.
Current Custom ESMTP Policy:
policy-map type inspect esmtp esmtp_tls_enable
 description Custom ESMTP policy-map w/ TLS enabled
 parameters
  no mask-banner
  allow-tls action log
 match cmd line length gt 512
  log
 match cmd RCPT count gt 100
  log
 match body line length gt 998
  log
 match header line length gt 998
  log
 match MIME filename length gt 255
  log
 match sender-address length gt 320
  log
 match ehlo-reply-parameter others
  mask
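The two attachment points the thread is comparing, shown side by side as an added example configuration (not from the original post): the custom policy-map hooked into global_policy, which inspects ESMTP on every interface, versus the same policy-map attached only to the outside interface. The class-map and policy-map names other than global_policy and esmtp_tls_enable are assumed.

```text
! --- Before: custom ESMTP inspection inside the global service policy ---
! The global policy applies to every interface, so SMTP on inside,
! DMZ and outside is all run through esmtp_tls_enable.
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect esmtp esmtp_tls_enable
!
service-policy global_policy global

! --- After: ESMTP inspection only on the outside interface ---
! Step 1: take ESMTP inspection out of the global policy.
policy-map global_policy
 class inspection_default
  no inspect esmtp esmtp_tls_enable
!
! Step 2: match SMTP (TCP/25) arriving on outside (assumed class-map name).
class-map outside_smtp_class
 match port tcp eq smtp
!
! Step 3: interface policy-map (assumed name) applying the custom inspection.
policy-map outside_policy
 class outside_smtp_class
  inspect esmtp esmtp_tls_enable
!
! Step 4: bind it to the outside interface only.
service-policy outside_policy interface outside

! Verification: confirm where ESMTP inspection is active and that
! packet/drop counters move only on the outside policy.
!   show service-policy interface outside
!   show service-policy inspect esmtp
```

The ASA accepts one service-policy per interface, and for a given inspection feature the interface policy takes precedence over the global one, so SMTP on the other interfaces is no longer inspected once the global entry is removed.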
06-29-2011 01:02 PM
Hi,
Based on your description, it looks like the inspection engine was masking some commands. By default the ESMTP inspection engine allows only a specific set of commands as listed below:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_basic.html#wp1224614
It's possible that the server is sending some unknown commands that the ASA masked, causing the outbound e-mail connection to break. But saying that, what does not make sense is the fact that applying the inspection on the external interface resolves the issue.
The best way to move ahead will be to get working and non-working captures on the ASA from the inside and outside interfaces and compare them to see what's going on. If you are able to reproduce this behavior, do get the captures and open a TAC case to have this looked into.
Hope this helps!
Regards,
Prapanch
08-29-2012 06:39 AM
Hi Bro
The best way of course is to disable the ESMTP inspection, or remove the drop-connection keyword and just keep the log keyword, but that's not why you're here, am I right?
The MAIL and RCPT commands specify who the sender and the receiver of the mail are. Mail addresses are scanned for strange characters. The pipeline character (|) is deleted (changed to a blank space) and "<" and ">" are only allowed if they are used to define a mail address (">" must be preceded by "<"). It's very possible that the Email Server is sending some unknown commands that cause the Cisco ASA to behave in this manner.
Are you applying the custom ESMTP policy to the "policy-map global_policy"? If yes, could you remove it and apply the custom ESMTP policy to the inside interface instead? Let me know how it goes.
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_basic.html#wp1224614
03-26-2013 01:59 AM
Had the same problem with my hosted ASA and a mail relay sitting behind it.
Disabling the ESMTP policy resolved the problem as the "allow-tls" command was "dated" according to my hosted provider.
03-03-2014 11:09 AM
I had the same problem too.
no inspect esmtp