ESMTP Inspection Dropping Connections

snowmizer · ‎08-27-2012

I am trying to understand why my ASA appears to be dropping packets with the following message

%ASA-4-108004: ESMTP Classification: Dropped connection for ESMTP Request from inside:1.1.1.1/1292 to DMZ:2.2.2.2/25; matched Class 31: cmd RCPT count gt 100

My understanding is that the "RCPT count gt 100" drops connections if the number of recipients is gt 100. I have a wireshark trace of this transaction and there is only 1 recipient on this email.

This makes no sense to me. Why else would I be seeing this message if the number of RCPT To addresses is 1? Does this have anything to do with the number of length of the RCPT TO email address?

Thanks.

Ramraj Sivagnanam Sivajanam · ‎08-28-2012

Can you paste your class-map and policy map output here?

Warm regards,
Ramraj Sivagnanam Sivajanam

snowmizer · ‎08-29-2012

policy-map type inspect esmtp esmtp_map

parameters

match cmd line length gt 512

drop-connection log

match cmd RCPT count gt 100

drop-connection log

match body line length gt 998

log

match header line length gt 998

log

match sender-address length gt 320

drop-connection log

match MIME filename length gt 255

drop-connection log

match ehlo-reply-parameter others

mask

snowmizer · ‎08-29-2012

The output I see is in the original message (so I don't have to go retrieve it again ). The map is the same as the default ESMTP inspection map except I removed "drop-connection" from the "match header line length gt 998" while we do some testing.