11-20-2010 12:50 PM - edited 03-11-2019 12:12 PM
Dear friends,
A few clarifications on ESMTP inspection class maps.
1. What exactly is Match invalid-recipients? I don't know the meaning of this match clause, even from the command reference.
2. Under ESMTP inspection, there are two conflicting commands for recipient addresses:
Match cmd RCPT count gt bytes
match header length to_fields count gt
Aren't both more or less the same?
Can I get some clarifications on these 2 points?
Thanks a lot
Gautam
11-20-2010 09:33 PM
Gautham,
1. invalid recipient count: http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/m.html#wp2031823
mail server---(I)ASA(0)--client
I believe this counter is tracked by the inspection for all the 5.5.0 smtp;550 Invalid recipient responses the server sends to the client (on the same connection) for all the RCPT TO: commands the client sends. If this counter reaches the value set, it sends the syslog message below.
ASA-6-108005: ESMTP Classification: Received ESMTP Response from inside:10.1.1.1/25 to outside:10.11.44.2/3311; matched Class 22: invalid-recipients count gt 10
2. Match cmd RCPT count gt
To match the number of recipient addresses, enter the following command:
hostname(config-pmap-p)# match cmd RCPT count gt count
Where count is the number of recipient addresses.
3. match header length to_fields count gt
To match the header to-fields count, enter the following command:
hostname(config-pmap-p)# match header to-fields count gt count
Where count is the number of recipients in the to-field of the header
I believe you are correct. 2 and 3 appear to be the same. Just tracked in different places.
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_basic.html
-KS
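The three counters discussed in the reply above, as an added example that is not part of the original post and not Cisco's implementation: a Python sketch that tallies RCPT TO commands, To: header addresses and 550 replies to RCPT over one SMTP session. The transcript, function names and thresholds are constructed assumptions for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed session, not captured traffic. "C:" = client, "S:" = server.
SESSION = """\
C: MAIL FROM:<alice@example.org>
S: 250 OK
C: RCPT TO:<bob@example.com>
S: 250 OK
C: RCPT TO:<carol@example.com>
S: 250 OK
C: RCPT TO:<nobody1@example.com>
S: 550 5.5.0 Invalid recipient
C: RCPT TO:<nobody2@example.com>
S: 550 5.5.0 Invalid recipient
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: alice@example.org
C: To: bob@example.com, carol@example.com
C: Subject: test
C:
C: hello
C: .
S: 250 Queued
"""

def count_session(transcript):
    """Tally envelope recipients, rejected recipients and To: header addresses."""
    counts = {"rcpt_cmds": 0, "invalid_recipients": 0, "to_fields": 0}
    last_cmd, in_data, data = "", False, []
    for line in transcript.splitlines():
        side, text = line[0], line[3:]
        if side == "C" and in_data:
            if text == ".":  # end of DATA: parse the collected message headers
                in_data = False
                msg = message_from_string("\n".join(data))
                counts["to_fields"] = len(getaddresses(msg.get_all("To", [])))
            else:
                data.append(text)
        elif side == "C":  # envelope command from the client
            last_cmd = text.split(":")[0].upper()
            counts["rcpt_cmds"] += last_cmd == "RCPT TO"
        elif text.startswith("354"):  # server accepted DATA
            in_data = True
        elif text.startswith("550") and last_cmd == "RCPT TO":
            counts["invalid_recipients"] += 1  # server rejected that recipient
    return counts

def matched(counts, thresholds):
    # "count gt N" semantics: strictly greater than the configured value.
    return sorted(k for k, n in thresholds.items() if counts[k] > n)
```

In this constructed session the envelope carries four RCPT TO commands while the To: header lists two addresses, so the two counts are taken from different places and need not agree.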
11-22-2010 12:18 PM
Thanks a lot Kureli for the detailed explanation