3643 Views | 16 Helpful | 5 Replies

ESMTP size violation

gregbeifuss
Level 1

I've recently started seeing messages like this on my firewall (separating my internal mail server from my DMZ antispam device). I'm not sure if this is tied in to any firewall IOS upgrades I've recently completed (recently went from 8.2.x to 8.3.1 to 8.4.1).

In between these messages, I see plenty of traffic on port 25 and mail is being received/delivered. I can't say for sure *all* mail is being received/delivered and there does seem to be a longer delay on messages in the mailserver queue.

%ASA-7-108006: Detected ESMTP size violation from inside:192.168.4.22/11142 to dmz:192.168.2.77/25; declared size is: 3997, actual size is 4256

%ASA-7-108006: Detected ESMTP size violation from dmz:192.168.2.77/60462 to inside:192.168.4.21/25; declared size is: 19681, actual size is 19708

%ASA-7-108006: Detected ESMTP size violation from dmz:192.168.2.77/45901 to inside:192.168.4.21/25; declared size is: 9214, actual size is 9216

I'm not sure if the ASA is just complaining, or actually dropping these packets - how can I find out more information on what the firewall is actually doing and what can I do to remedy this error?

Thanks,

Greg
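An added example, not part of the thread: a small Python parser for the %ASA-7-108006 lines quoted above, so the declared-versus-actual gap can be tallied per host pair before deciding whether to touch the ESMTP inspection policy. The three 108006 lines are copied from the post; the 302014 teardown line is a constructed sample added only to show that unrelated messages are skipped. In these messages the source host is the SMTP client of the session, which is the side that declares the size.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log: the 108006 lines follow the format quoted in the thread;
# the 302014 teardown line is made up here to exercise the non-matching path.
SAMPLE_LOG = """\
%ASA-7-108006: Detected ESMTP size violation from inside:192.168.4.22/11142 to dmz:192.168.2.77/25; declared size is: 3997, actual size is 4256
%ASA-7-108006: Detected ESMTP size violation from dmz:192.168.2.77/60462 to inside:192.168.4.21/25; declared size is: 19681, actual size is 19708
%ASA-7-108006: Detected ESMTP size violation from dmz:192.168.2.77/45901 to inside:192.168.4.21/25; declared size is: 9214, actual size is 9216
%ASA-6-302014: Teardown TCP connection 4711 for dmz:192.168.2.77/45901 to inside:192.168.4.21/25 duration 0:00:01 bytes 9802 TCP FINs
"""

PATTERN = re.compile(
    r"%ASA-(?P<severity>\d)-108006: Detected ESMTP size violation from "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+); "
    r"declared size is: (?P<declared>\d+), actual size is (?P<actual>\d+)"
)


@dataclass(frozen=True)
class SizeViolation:
    severity: int
    src_if: str
    src_ip: str
    src_port: int
    dst_if: str
    dst_ip: str
    dst_port: int
    declared: int
    actual: int

    @property
    def overrun(self) -> int:
        """Bytes by which the transmitted message exceeded the declared SIZE."""
        return self.actual - self.declared

    @property
    def overrun_pct(self) -> float:
        return 100.0 * self.overrun / self.declared


def parse_line(line: str) -> Optional[SizeViolation]:
    """Return a SizeViolation for a 108006 line, None for anything else."""
    m = PATTERN.search(line)
    if not m:
        return None
    g = m.groupdict()
    return SizeViolation(
        severity=int(g["severity"]), src_if=g["src_if"], src_ip=g["src_ip"],
        src_port=int(g["src_port"]), dst_if=g["dst_if"], dst_ip=g["dst_ip"],
        dst_port=int(g["dst_port"]), declared=int(g["declared"]), actual=int(g["actual"]),
    )


def parse_log(text: str) -> List[SizeViolation]:
    return [v for v in (parse_line(ln) for ln in text.splitlines()) if v]


def summarize(events: List[SizeViolation]) -> Dict[Tuple[str, str], dict]:
    """Per (SMTP client -> SMTP server) pair: how many sessions tripped the check
    and how far off the declared size was. Small, consistent overruns across many
    sessions between the same two hosts point at a systematic estimate mismatch
    between those mailers rather than at one odd message."""
    out: Dict[Tuple[str, str], dict] = defaultdict(
        lambda: {"count": 0, "max_overrun": 0, "max_overrun_pct": 0.0}
    )
    for e in events:
        s = out[(e.src_ip, e.dst_ip)]
        s["count"] += 1
        s["max_overrun"] = max(s["max_overrun"], e.overrun)
        s["max_overrun_pct"] = max(s["max_overrun_pct"], e.overrun_pct)
    return dict(out)


if __name__ == "__main__":
    for (client, server), s in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{client:>14} -> {server:<14} sessions={s['count']} "
              f"max_overrun={s['max_overrun']}B ({s['max_overrun_pct']:.2f}%)")
```

Feed it the syslog export instead of SAMPLE_LOG to see which mail host is declaring sizes that come in low; severity 7 tells you the message is a debug-level notice, but on its own it does not say whether the connection was also acted on.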

5 Replies

Roman Rodichev
Level 7

remove "inspect esmtp" from the policy-map

Hi,

This event is generated when an ESMTP message size exceeds the size declared in the RCPT command.

You can check the RCPT command in the configuration of the ESMTP policy map.

If using the default:

sh run all policy-map _default_esmtp_map

Federico.

According to the Cisco documentation, RCPT deals with the number of recipient email addresses in the message, not the overall size. "RCPT count gt recipients_number Specifies the number of recipient email addresses." per the Cisco ASA 5500 Series Command Reference, 8.4. "match cmd".

I've ended up removing the inspect statement for ESMTP, as the Cisco documentation has no guidance on how I can get around this 'size violation'. I was hoping I could customize the inspect statement.

You need to create a custom policy for esmtp and remove this check:

match ehlo-reply-parameter others
  mask

You can remove this log message with option mask in custom policy for esmtp:

match ehlo-reply-parameter size
  mask

Full custom policy like this:

policy-map type inspect esmtp custom-smtp
parameters
  no mask-banner
  no mail-relay
  no special-character
  allow-tls
match cmd line length gt 512
  drop-connection log
match cmd RCPT count gt 100
  drop-connection log
match body line length gt 998
  log
match header line length gt 998
  drop-connection log
match sender-address length gt 320
  drop-connection log
match MIME filename length gt 255
  drop-connection log
match ehlo-reply-parameter size
  mask
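An added example, not from the thread or from Cisco: a Python model of the ESMTP exchange that the size check and the `ehlo-reply-parameter size` mask act on. The server advertises the SIZE extension (RFC 1870) in its EHLO reply, the client then declares `SIZE=` on MAIL FROM, and the inspection side compares that declaration with the octets seen in DATA. The sample message and EHLO reply are constructed; the masking function is a simplification that drops the SIZE advertisement, where the ASA masks the parameter in place, and the inspection side counts the DATA payload as transmitted, since the thread does not say exactly what the ASA counts as "actual size".

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample message (not from the thread). It is held with bare LF line
# endings, the way a message often sits on disk before the SMTP client converts it.
SAMPLE_MESSAGE = (
    "From: alice@example.test\n"
    "To: bob@example.test\n"
    "Subject: size test\n"
    "\n"
    "Line one.\n"
    ".Line two begins with a dot and gets dot-stuffed on the wire.\n"
    "Line three.\n"
)

# Constructed EHLO reply from a server that advertises the SIZE extension.
EHLO_REPLY = ["250-mail.example.test", "250-SIZE 10240000", "250-8BITMIME", "250 OK"]


def mask_size_parameter(ehlo_reply: List[str]) -> List[str]:
    """Simplified model of 'match ehlo-reply-parameter size' with action 'mask':
    the client no longer sees a usable SIZE advertisement. The ASA masks the
    parameter in place; dropping the line has the same effect on the client."""
    kept = [ln for ln in ehlo_reply if not re.match(r"250[- ]SIZE\b", ln, re.I)]
    if kept and kept[-1].startswith("250-"):   # keep the multi-line reply well-formed
        kept[-1] = "250 " + kept[-1][4:]
    return kept


def advertised_extensions(ehlo_reply: List[str]) -> Set[str]:
    """Extension keywords from the reply lines after the greeting line."""
    return {ln[4:].split()[0].upper() for ln in ehlo_reply[1:] if ln[4:].strip()}


def wire_data(message: str) -> bytes:
    """Octets actually sent in the DATA phase: CRLF line endings and dot-stuffing
    (a leading '.' is doubled), without the terminating '.' line."""
    lines = message.split("\n")
    if lines and lines[-1] == "":
        lines.pop()
    stuffed = [("." + ln) if ln.startswith(".") else ln for ln in lines]
    return ("\r\n".join(stuffed) + "\r\n").encode()


def client_mail_from(sender: str, ehlo_reply: List[str], message: str) -> str:
    """Client side: a SIZE= estimate is attached only when the server advertised
    SIZE. This client estimates from its LF-terminated local copy, so it
    undercounts the CRLF pairs and dot-stuffing added on the wire."""
    cmd = f"MAIL FROM:<{sender}>"
    if "SIZE" in advertised_extensions(ehlo_reply):
        cmd += f" SIZE={len(message.encode())}"
    return cmd


@dataclass(frozen=True)
class SizeCheck:
    declared: Optional[int]   # None when the client sent no SIZE parameter
    actual: int

    @property
    def violation(self) -> bool:
        return self.declared is not None and self.actual > self.declared


def inspect_size(mail_from_cmd: str, data: bytes) -> SizeCheck:
    """Inspection side: compare the declared SIZE with the octets seen in DATA."""
    m = re.search(r"\bSIZE=(\d+)", mail_from_cmd)
    return SizeCheck(int(m.group(1)) if m else None, len(data))


def run_session(mask_size: bool) -> Tuple[str, SizeCheck]:
    """One EHLO / MAIL FROM / DATA round, with or without the SIZE mask applied."""
    reply = mask_size_parameter(EHLO_REPLY) if mask_size else EHLO_REPLY
    cmd = client_mail_from("alice@example.test", reply, SAMPLE_MESSAGE)
    return cmd, inspect_size(cmd, wire_data(SAMPLE_MESSAGE))


if __name__ == "__main__":
    for masked in (False, True):
        cmd, check = run_session(masked)
        print(f"mask={str(masked):5} {cmd!r:48} declared={check.declared} "
              f"actual={check.actual} violation={check.violation}")
```

Without the mask the client declares its LF-based byte count, the wire carries seven extra CR bytes plus one stuffing dot, and the check fires; with the mask the client never sends `SIZE=`, so there is nothing to compare and the 108006 message stops, while the underlying estimate mismatch between the two mail hosts is unchanged. To put the custom map into effect on the ASA it has to replace the default under the inspection class, i.e. `inspect esmtp custom-smtp` under `class inspection_default` in `policy-map global_policy`, and `show service-policy inspect esmtp` then shows the inspection's packet and drop counters, which answers the question of whether the firewall is only logging or also acting on the connection.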
