Re: Cisco ASA 5520 blocks SMTP when using TLS

nikolaj777 · ‎06-11-2009

Hi,

We have a Cisco ASA 5520 in our setup and in the dmz we have a postfix server, where we have applied a certificate and configured postfix to use that certificate.

When connecting from outlook 2007 using TLS from the inside and to the postfix server in the dmz it works, but when connecting from the outside to the postfix server it does not work.

When going from outside to the postfix traffic is passing through the asa 5520, but when going from the inside to the postfix server traffic is passing through a PIX501.

The ASA is running:

Cisco Adaptive Security Appliance Software Version 7.0(7)

Device Manager Version 5.0(7)

This is our inspection policy:

class-map inspection_default

match default-inspection-traffic

!

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect rsh

inspect sqlnet

inspect xdmcp

inspect netbios

inspect tftp

policy-map policy_global

policy-map type

!

service-policy global_policy global

smtp-server <ip1> <ip2>

Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

We have also allowed traffic on port 25 and that works for non TLS traffic.

We really need TLS to be allowed through the ASA.

Can somebody help with an answer?

Thanks.

ray_stone · ‎06-12-2009

Open tcp port 465 for the postfix server on outside interface then check it. it must be work.

nikolaj777 · ‎06-12-2009

Thanks for your reply.

I tried that and it does not work.

I just upgraded the ASA 5520 ASDM to 6.1.(3) and ASA firmware to 8.0.(4)to get the TLS features for the inspection map.

I disabled inspection for encrypted traffic over TLS on an ESMTP session.

Still no luck..

Any ideas?

ray_stone · ‎06-12-2009

Can you pls send ASA logs and tell the IP of postfix Server.

nikolaj777 · ‎06-12-2009

I have tried both with and without inspection of esmtp. Both does not work.

Attached is my running config

nikolaj777 · ‎06-12-2009

I found the error.

The error was not in the ASA it was in my Cisco 1811 which is in my office an through which I connect to the internet from the office.

The C1811 also had an inspection policy enabled for esmtp, and it was that policy that stripped out the TLS from the smtp traffic.

when I disablet the esmtp in my C1811 it worked.

ray_stone · ‎06-13-2009

Experts: If the inspection policy was enabled for the ESMTP then will it blocked the traffic, if it is then why??? I am bit confused as when we do fixup protocol like ftp, http and etc then it works so why we needed to disable the ESMTP ispection on Router? Pls explain.

nikolaj777 · ‎06-13-2009

Hi,

The problem was not with the ASA in our datacenter, but with my router here at the office.

When I disabled esmtp inspection on the router here at the office, it worked.

At first I just focused on the ASA, but all along the error was at my local router here in the office.

We do not have any mailservers here in the local office, so esmtp inspection is not needed.

Thanks for your help.

ray_stone · ‎06-13-2009

Hi,

If the ESMTP inspection was enabled on router then why it was blocking the inbound traffic from outside as i understand "ESMTP inspection detects attacks, including spam, phising, malformed message attacks, buffer overflow/underflow attacks. It also provides support for application security and protocol conformance, which enforce the sanity of the ESMTP messages as well as detect several attacks, block senders/receivers, and block mail relay"

Pls explain!!

nikolaj777 · ‎06-13-2009

When you have esmtp inspection enabled it does all those things you write, but when using TLS it does not work (the inspection engine strips out the TLS information of the traffic since it things that the protocol is not adhered to) unless you do a fixup command, but since we do not need smtp inspection at the remote office we disabled it.

ray_stone · ‎06-13-2009

If the TLS is not related to ESMTP then why you did disable the inspection as TLS use different port tcp 465. Pls explain.

nikolaj777 · ‎06-13-2009

TLS is related to smtp. You enable TLS to be able to make sure that the smtp authentication of the user is not sent in clear text. Further you enable TLS to be able to pass data encrypted.

Using TLS for SMTP authentication will not use port 465. It uses the standard port 25, which is the port smtpd listens on. When you send a EHLO to the mailserver it will present which options it gives the user, such as STARTTLS, AUTH Methods etc....

If you did not have TLS set up, you would risk that the users password and username would be sent in cleartext.

BTW sasl2 is the module you use for postfix to achieve the authentication for the smtpd.

But things are working now.

Thank you for your help.

ray_stone · ‎06-13-2009

Got it.... But if i enable the ESMTP inspection on the ASA FW then it should not be worked as you mentioned reason above. I want to use TLS with inspection enabled so is there any other way to get this functional. Pls explain.

nikolaj777 · ‎06-13-2009

Yes, if you upgrade to the newest firmware (version 8, my ASA is running 8.0(4)) then it support TLS in the esmtp inspection policy.

I think that the support was there from version 7.2 or so, but I am not sure.

ray_stone · ‎06-13-2009

That's fine. If I enable ESMTP inspection on router then what do I need to do to pass the TLS traffic as I don't want to disable ESMTP inspection. Is it possible?