smtp filtering problems

lcaruso, Level 6

Hi,

Every time I turn on esmtp filtering for a client using Exchange Server, things end up getting blocked and it never logs anything it blocks.

Here's my map.

policy-map type inspect esmtp secure_smtp_map
parameters
  no mask-banner
  special-character action drop-connection log
  allow-tls action log
match sender-address length gt 320
  drop-connection log
match MIME filename length gt 255
  drop-connection log
match cmd line length gt 512
  drop-connection log
match cmd verb VRFY
  mask log
match cmd RCPT count gt 100
  drop-connection log
match body line length gt 998
  drop-connection log

Anyone want to guess what it is since there is no logging?

This time the problem was hotmail users sending to internal Exchange users were getting bounced with this message:

Reporting-MTA: dns;blu0-omc2-s22.blu0.hotmail.com
Received-From-MTA: dns;BLU156-W41
Arrival-Date: Fri, 11 Feb 2011 10:17:19 -0800

Final-Recipient: rfc822;someone@somewhere.us
Action: failed
Status: 5.3.3
Diagnostic-Code: smtp;500 5.3.3 Unrecognized command

The last time it was an out-of-office autoresponder with the same map.
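The map above, replayed against constructed SMTP transcripts. This is an added example, not code from the original post or from Cisco: the rule names, thresholds and actions are copied from the policy-map, but how the ASA counts octets (the trailing CRLF is assumed to count towards the 512-octet command-line limit, as RFC 5321 does), which header lines it reads a MIME filename from, and the wording of the log entries are assumptions made for the simulation. The transcripts are constructed, not captured from the thread. The point of the exercise is the part the thread says the ASA did not provide: one log entry per matched rule, so you can see which of the six rules a given session trips and in which order they are evaluated.

```python
"""Replay an SMTP client transcript against the rules of the posted
'secure_smtp_map' and report which rule (if any) fires."""
import re

# Rule text and action as written in the policy-map in the post.
RULES = {
    "sender-address length gt 320": "drop-connection",
    "MIME filename length gt 255": "drop-connection",
    "cmd line length gt 512": "drop-connection",
    "cmd verb VRFY": "mask",
    "cmd RCPT count gt 100": "drop-connection",
    "body line length gt 998": "drop-connection",
}

MAIL_FROM_RE = re.compile(r"^MAIL\s+FROM:\s*<([^>]*)>", re.IGNORECASE)
# filename="x" or name="x" on a Content-Type / Content-Disposition line (assumption)
FILENAME_RE = re.compile(r'(?:file)?name="?([^";]+)"?', re.IGNORECASE)


def _entry(rule, lineno, line):
    """One log record per matched rule; the real ASA would emit a syslog here."""
    return f"{rule}: {RULES[rule]} at client line {lineno}: {line[:40]!r}"


def inspect_session(client_lines):
    """Inspect client-side SMTP lines (CRLF already stripped).

    Returns (verdict, log). verdict is 'pass', 'mask' or 'drop-connection'.
    A drop ends the session, so nothing after the offending line is examined;
    a mask is logged and inspection continues, as the policy-map specifies.
    """
    log, verdict, rcpt_count, in_data = [], "pass", 0, False
    for lineno, line in enumerate(client_lines, 1):
        if in_data:
            if line == ".":            # end of DATA, back to the command phase
                in_data = False
                continue
            if len(line) > 998:        # assumption: octets before the CRLF
                log.append(_entry("body line length gt 998", lineno, line))
                return "drop-connection", log
            if line.lower().startswith(("content-type:", "content-disposition:")):
                m = FILENAME_RE.search(line)
                if m and len(m.group(1)) > 255:
                    log.append(_entry("MIME filename length gt 255", lineno, line))
                    return "drop-connection", log
            continue
        # Command phase. RFC 5321 counts the CRLF in the 512-octet limit; the
        # inspection engine is assumed to do the same.
        if len(line) + 2 > 512:
            log.append(_entry("cmd line length gt 512", lineno, line))
            return "drop-connection", log
        verb = line.split(None, 1)[0].upper() if line.strip() else ""
        if verb == "VRFY":
            log.append(_entry("cmd verb VRFY", lineno, line))
            verdict = "mask"
        elif verb == "MAIL":
            m = MAIL_FROM_RE.match(line)
            if m and len(m.group(1)) > 320:
                log.append(_entry("sender-address length gt 320", lineno, line))
                return "drop-connection", log
        elif verb == "RCPT":
            rcpt_count += 1
            if rcpt_count > 100:
                log.append(_entry("cmd RCPT count gt 100", lineno, line))
                return "drop-connection", log
        elif verb == "DATA":
            in_data = True
    return verdict, log


# Constructed transcripts (not captured from the thread).
SESSION_CLEAN = [
    "EHLO mail.example.net",
    "MAIL FROM:<alice@example.net> SIZE=1234",
    "RCPT TO:<bob@example.com>",
    "DATA",
    "From: alice@example.net",
    "To: bob@example.com",
    "Subject: hello",
    'Content-Type: text/plain; name="notes.txt"',
    "",
    "short body line",
    ".",
    "QUIT",
]
# Same delivery, but the MAIL command carries an oversized (invented) parameter
# value; the 512-octet command-line rule fires before the sender-address rule.
SESSION_LONG_CMD = list(SESSION_CLEAN)
SESSION_LONG_CMD[1] = "MAIL FROM:<alice@example.net> SIZE=1234 AUTH=" + "a" * 500
SESSION_VRFY = ["EHLO mail.example.net", "VRFY bob", "QUIT"]

if __name__ == "__main__":
    for name, session in [("clean", SESSION_CLEAN),
                          ("long-cmd", SESSION_LONG_CMD),
                          ("vrfy", SESSION_VRFY)]:
        verdict, log = inspect_session(session)
        print(f"{name}: {verdict}")
        for entry in log:
            print("  " + entry)
```

Feeding a transcript captured on both sides of the firewall through this (one with inspection on, one with it off) is the quickest way to find which of the six thresholds a legitimate sender such as an autoresponder exceeds; the command-line and sender-address limits are the ones most likely to be hit by modern ESMTP parameter lists.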

6 Replies

Maykol Rojas, Cisco Employee

Hey Caruso,


Would you please do a "show tech" and grab the part for the service policy? It should open the SMTP inspection and tell us what are the fields that the inspection is dropping.

Hope it helps.

Mike

Hi,

Thanks for your reply.

When TAC was on the call which lasted a few hours we never saw those counters from show service-policy increment as we sent mail from hotmail accounts, if that's what you mean. As soon as I turned off the policy, incoming hotmail was being received.

I had a similar problem with a different ASA at a different site with the same map. I don't believe the counters are working correctly. We had to turn it off at both sites because it doesn't give reliable reporting when something gets blocked and fails.

And why it doesn't create a syslog entry, well it seems there are a number of things that don't create syslog entries on these ASAs. Probably one of the biggest problems with this platform. Do you suppose we will ever see the day when all drops are logged as syslog entries no matter if they dropped on the outside interface, policy drops, or acl drops?

aman.diwakar, Level 1

I would do a packet capture on both sides of the ASA with SMTP filtering enabled and then disabled, sending to HOTMAIL (probably during low-traffic hours) and inspect the SMTP data payload to determine the difference. Capture the full packet and analyze the two. Maybe your params for the below are too aggressive (well, they most certainly are, that's why you're getting dropped).

match sender-address length gt 320
  drop-connection log
match cmd line length gt 512
  drop-connection log
match cmd RCPT count gt 100
  drop-connection log
match body line length gt 998
  drop-connection log

Thanks for your reply.

I'm still trying to figure out why the TAC engineer on the case decided it was too hard to capture that traffic. He kept telling me there would be too many packets. I'll try it myself and see what happens. Thanks for your suggestion.

Well, maybe because there is a large list of MX records for Hotmail.

But that shouldn't be a show stopper; here is a list of Hotmail MX records, you can double check:

65.54.188.72
65.55.92.152
65.55.37.88
65.55.37.120
65.55.37.72
65.55.37.104
65.55.92.136
65.55.92.168
65.55.92.184
65.54.188.94
65.54.188.110
65.54.188.126
65.54.188.126
65.55.92.168
65.55.37.72
65.55.37.104
65.55.37.120
65.55.92.152
65.55.37.88
65.55.92.136
65.55.92.184
65.54.188.72
65.54.188.94
65.54.188.110

Just put them as source and destination addresses like this:

access-list capture permit tcp host 65.54.188.110 eq 25 host

access-list capture permit tcp host host 65.54.188.110 eq 25

capture in access-list capture interface inside

capture out access-list capture interface outside

But you have to make sure the size option and any other option in the capture command is configured (I haven't looked at the capture command syntax in a while).
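The capture setup described in the reply above, written out as an added example (not configuration from the original post or from Cisco). It takes the Hotmail MX addresses from the list in the reply (the list repeats each address, so they are deduplicated and sorted numerically first) and two assumed placeholder addresses for the Exchange server, 10.1.1.25 for its real inside address and 203.0.113.25 for its translated public address, because a capture ACL has to match what each interface actually sees on the wire. For inbound mail the remote MX connects from an ephemeral port to our port 25, so the port qualifier goes on the Exchange side in both directions. The buffer and packet-length options are set explicitly rather than left at their defaults, as the reply suggests; the values chosen are assumptions, not values from the thread.

```python
"""Build an ASA capture configuration for inbound SMTP from a list of remote
MX addresses, deduplicated, for both the inside and outside interfaces."""
import ipaddress

# Addresses copied from the reply above (duplicates included, as posted).
HOTMAIL_MX = """
65.54.188.72 65.55.92.152 65.55.37.88 65.55.37.120 65.55.37.72 65.55.37.104
65.55.92.136 65.55.92.168 65.55.92.184 65.54.188.94 65.54.188.110 65.54.188.126
65.54.188.126 65.55.92.168 65.55.37.72 65.55.37.104 65.55.37.120 65.55.92.152
65.55.37.88 65.55.92.136 65.55.92.184 65.54.188.72 65.54.188.94 65.54.188.110
""".split()


def unique_sorted(ips):
    """Deduplicate and sort numerically (a string sort would put .110 before .72)."""
    return [str(ip) for ip in sorted({ipaddress.ip_address(ip) for ip in ips})]


def acl_pair(acl, remote_ip, local_ip):
    """Both directions of one inbound SMTP connection: the remote MX connects
    from an ephemeral port to our port 25, and our server answers from 25."""
    return [
        f"access-list {acl} extended permit tcp host {remote_ip} host {local_ip} eq 25",
        f"access-list {acl} extended permit tcp host {local_ip} eq 25 host {remote_ip}",
    ]


def capture_config(remote_ips, inside_host, outside_host,
                   inside_if="inside", outside_if="outside",
                   buffer_bytes=5000000, packet_length=1518):
    """Return the CLI lines: one ACL per interface, then the two captures.

    inside_host is the server's real address as seen on the inside interface,
    outside_host its translated address as seen on the outside interface.
    buffer and packet-length are given explicitly (assumed values) so the
    capture keeps whole frames and enough of them to compare the SMTP payload
    with inspection on and off.
    """
    lines = []
    for ip in unique_sorted(remote_ips):
        lines += acl_pair("cap-out", ip, outside_host)
    for ip in unique_sorted(remote_ips):
        lines += acl_pair("cap-in", ip, inside_host)
    lines.append(f"capture cap-out access-list cap-out interface {outside_if} "
                 f"buffer {buffer_bytes} packet-length {packet_length}")
    lines.append(f"capture cap-in access-list cap-in interface {inside_if} "
                 f"buffer {buffer_bytes} packet-length {packet_length}")
    return lines


if __name__ == "__main__":
    # 10.1.1.25 and 203.0.113.25 are placeholders for the Exchange server's
    # inside and public addresses, not values from the thread.
    print("\n".join(capture_config(HOTMAIL_MX, "10.1.1.25", "203.0.113.25")))
```

Paste the output into the ASA once with the esmtp policy applied and once with it removed, then pull both captures with `show capture cap-out` / `show capture cap-in` (or export them as pcap) and compare the SMTP commands that the remote MX sends just before the 500 reply in the inspected session.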

Ahh... so many MX records... that was his reason.

I'll try your suggestions when I find time. Right now we just had to turn it off so mail would flow.

You made some good suggestions. Appreciate it. Thanks.
