
Exchange 2007 in DMZ and ESMTP inspection

rcoote5902_2
Level 2

Hello,

We are upgrading from an old Exchange 2003 server to Exchange 2007. We are not a large organization, so we're using a 2-server model: Edge Transport in the DMZ and all other functions on another server on the inside network. During testing we are finding we are unable to send mail as long as the default inspection policy on our ASA is applied to esmtp. As soon as I disable it, the mail flows.

We're running ASA 5520 and software version 8.2(2)9.

I've not been able to find any information on how to resolve this, other than disabling esmtp inspection.

If we leave the esmtp inspection disabled, is this a serious risk?

1 Accepted Solution

Accepted Solutions

mirober2
Cisco Employee

Hello,

The ESMTP inspection is simply responsible for protocol enforcement (i.e. command checking), so it's not a huge risk to leave it disabled (or to exempt the inspection for traffic between your Exchange servers).

The reason things are failing is likely because the Exchange servers are using certain commands that the ASA's inspection doesn't support. Depending on the commands, you might be able to configure your servers not to use them if you want to re-enable the inspection (you'd need to do some packet captures to see which commands are being used in the SMTP session).

Here is a quick description of the ESMTP inspection:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i2.html#wp1742723

Hope that helps.

-Mike
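One way to carry out the exemption Mike mentions, added here as an example and not taken from the thread or from Cisco's documentation: ASA 8.2 modular policy framework configuration that keeps the default ESMTP inspection for every other SMTP session but skips it for the session between the Edge Transport server in the DMZ and the internal Exchange server. The two host addresses and the object names are placeholders.

```text
! Added example (not from the original thread). Placeholder addresses:
!   192.0.2.10  = Edge Transport server in the DMZ
!   10.0.0.25   = internal Exchange server (Hub Transport and other roles)
!
! The ACL decides which SMTP sessions get inspected: deny = exempt, permit = inspect.
! Both directions are listed because either server may open the TCP session
! (Edge -> internal for inbound mail, internal -> Edge for outbound mail).
access-list ESMTP_INSPECT_ACL extended deny tcp host 192.0.2.10 host 10.0.0.25 eq smtp
access-list ESMTP_INSPECT_ACL extended deny tcp host 10.0.0.25 host 192.0.2.10 eq smtp
access-list ESMTP_INSPECT_ACL extended permit tcp any any eq smtp
!
! Class that selects only the sessions the ACL permits
class-map ESMTP_INSPECT_CLASS
 match access-list ESMTP_INSPECT_ACL
!
! global_policy is already applied with "service-policy global_policy global"
! in the factory default configuration.
policy-map global_policy
 ! Stop inspecting ESMTP in the catch-all default class ...
 class inspection_default
  no inspect esmtp
 ! ... and re-enable it only for the sessions the ACL permits,
 ! so inspection still applies to SMTP from the Internet and other hosts.
 class ESMTP_INSPECT_CLASS
  inspect esmtp
!
! Verification: the exempted Exchange-to-Exchange session should no longer
! advance the esmtp inspection counters, while other SMTP sessions still do.
show service-policy global_policy inspect esmtp
```

Caveat for 8.2 (pre-8.3 NAT): if either server's address is translated on the interface where the session enters the ASA, write the ACL entries with the addresses as the ASA sees them on that interface, and confirm the match with a packet capture before relying on it.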
