Solved: smtp inspection failures not logging

lcaruso · ‎01-05-2011

I have the following policy below for smtp which has been in place onsite for about a week in a new installation and email has been flowing just fine. Then all of a sudden we get a user who cannot contact a certain email address.

We test from other locations and get an auto responder message from an exchange server. I have him try it while I'm watching the logs in the asdm real time log viewer at the debugging level with 2000 rows and nothing is logged and he gets the same error message back from the exchange server.

I then disable the smtp policy and he gets the auto responder message successfully.

Questions:

1. Why is nothing logged?

2. Without a log message for this specific event, how can I figure out which part of the policy is somehow blocking an exchange server auto responder message?

policy-map type inspect esmtp secure_smtp_map

parameters

no mask-banner

special-character action drop-connection log

allow-tls action log

match sender-address length gt 320

drop-connection log

match MIME filename length gt 255

drop-connection log

match cmd line length gt 512

drop-connection log

match cmd verb VRFY

mask log

match cmd RCPT count gt 100

drop-connection log

match body line length gt 998

drop-connection log

Kureli Sankar · ‎01-09-2011

Hmm..not sure. How about if you install kiwi on a PC and send debug level logs to that logging server.

conf t

logging host x.x.x.x ---> x.x.x.x is the PC running kiwi syslogs (you can google and download kiwi)

logging trap 7

exit

Let us watch the logs collected on the syslog server and see if these are logging the esmtp inspection related messages.

You can also use this show command to smake sure that the port 25 connection will go through the policy configured.

sh service-policy flow tcp host x.x.x.x host y.y.y.y eq 25

-KS

View solution in original post

Kureli Sankar · ‎01-09-2011

Hmm..not sure. How about if you install kiwi on a PC and send debug level logs to that logging server.

conf t

logging host x.x.x.x ---> x.x.x.x is the PC running kiwi syslogs (you can google and download kiwi)

logging trap 7

exit

Let us watch the logs collected on the syslog server and see if these are logging the esmtp inspection related messages.

You can also use this show command to smake sure that the port 25 connection will go through the policy configured.

sh service-policy flow tcp host x.x.x.x host y.y.y.y eq 25

-KS

lcaruso · ‎01-09-2011

You can also use this show command to smake sure that the port 25 connection will go through the policy configured.

sh service-policy flow tcp host x.x.x.x host y.y.y.y eq 25

That's handy. Thanks.

How about if you install kiwi on a PC and send debug level logs to that logging server.

Not able to do with this client at the moment, but we are working on it. I'm going to open a TAC case as this might be unreported.

ALAN HARKRADER · ‎01-16-2011

I am having a similar problem: my app guys are saying that their auto-mailer is getting hung up (all of its threads in use over the course of a few hours) trying to send through an ASA5580 running 8.2.4 with "inspect esmtp" in the default inspection policy (no inspect esmtp policy-map so no tweaks). I am able to manually send email via telnet:25 so the permit stmts are working. And nothing is showing up in MARS for these flows... not even build/teardowns, even for my telnet:25 sessions... but I see connections on other service/ports (http, sql, etc) logging normally. The only syslog messages I see for port 25 are denies when I attempt to connect to a host which isn't permitted in the ACL.

If I remove esmtp inspection, all of their messages get through.

I upgraded from 8.2.2 to 8.2.4 about 3 weeks ago... Icaruso, what version are you running?

lcaruso · ‎01-16-2011

That 5505 is running 8.2(3).

We are planning on opening a TAC case once the contract on this device is ready. I'll post anything I learn about this.