Cisco ASA Disable ESMTP Inspection

Telnet to Exchange on Port 25 shows a row of Asterisks?

KB ID 0000536 Dtd 20/12/12


Yesterday my colleague Ben called me over to the help desk and asked, "Have you ever seen this before?" This is what was on his screen.


220 ***************************************************


Usually, when you Telnet to an Exchange server, it responds with a 220 message followed by the Exchange server's "banner", something like:

220 Microsoft ESMTP Mail service ready at (Date/Time)

The reason you see this is that something between you and the Exchange server is stopping or filtering the ESMTP traffic.

In this client's case I knew straight away what that was (because I'd seen it before): Cisco firewalls (PIX and ASA) that have SMTP/ESMTP inspection enabled cause this to happen.
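To confirm the symptom from the mail client's side, the script below (an added example, not part of the original article) connects to a mail server, reads the SMTP greeting and reports whether it is the asterisk-masked form shown above or a normal 220 banner. The sample greetings and the mail.example.com hostname are constructed for illustration.

```python
import re
import socket
import sys

# Constructed sample greetings (not captured from the server in the article).
MASKED_BANNER = "220 ***************************************************\r\n"
NORMAL_BANNER = ("220 mail.example.com Microsoft ESMTP MAIL Service ready at "
                 "Thu, 20 Dec 2012 09:00:00 +0000\r\n")


def classify_banner(greeting: str) -> str:
    """Classify the first line of an SMTP greeting.

    Returns 'masked' when the 220 reply text is nothing but asterisks (the
    symptom of an inspecting firewall rewriting the banner), 'normal' for a
    220 reply carrying real text, and 'unexpected' for anything else.
    """
    first_line = greeting.splitlines()[0] if greeting.strip() else ""
    match = re.match(r"^(\d{3})[ -](.*)$", first_line)
    if not match or match.group(1) != "220":
        return "unexpected"
    text = match.group(2).strip()
    if text and set(text) == {"*"}:
        return "masked"
    return "normal"


def fetch_banner(host: str, port: int = 25, timeout: float = 5.0) -> str:
    """Open a TCP session, read the full (possibly multi-line) greeting,
    send QUIT and return the greeting text. No mail commands are sent."""
    lines = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        while True:
            raw = reader.readline()
            if not raw:
                break
            line = raw.decode("ascii", errors="replace")
            lines.append(line)
            # A hyphen after the reply code means more greeting lines follow.
            if len(line) < 4 or line[3] != "-":
                break
        sock.sendall(b"QUIT\r\n")
    return "".join(lines)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(classify_banner(fetch_banner(target)))
```

Run it against the Exchange server's address from a host on the far side of the firewall; a "masked" result points at inspection in the path rather than at Exchange itself.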

Disable ESMTP Inspection on Cisco ASA via Command Line

Note: If you send mail via TLS, DO NOT do this (see here).

1. Connect to the Cisco ASA, either by serial cable, Telnet or SSH.

2. Usually you will find ESMTP inspection enabled on the "global_policy" in the class called "inspection_default"; the commands to disable this feature are shown below.

Disable ESMTP on ASA

Disable ESMTP Inspection on Cisco ASA via ASDM

1. Connect to the Cisco ASA via ASDM.

2. Navigate to Configuration > Firewall > Service Policy Rules > Global Policy > Inspection_Default > Rule Actions > untick ESMTP > OK > Apply > File > Save Running Configuration to flash.


Enable the Banner and Keep ESMTP Inspection on

You need to create a policy map that does not mask the banner and apply it in place of the default ESMTP inspection, like so:

PetesASA> en
Password:*********
PetesASA#configure terminal
PetesASA(config)#policy-map type inspect esmtp tls-allow
PetesASA(config-pmap-p)#parameters
PetesASA(config-pmap-p)#allow-tls
PetesASA(config-pmap-p)#no mask-banner
PetesASA(config-pmap-p)#exit
PetesASA(config)#policy-map global_policy
PetesASA(config-pmap)#class inspection_default
PetesASA(config-pmap-c)#no inspect esmtp
PetesASA(config-pmap-c)#inspect esmtp tls-allow
PetesASA(config-pmap-c)#exit
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: b984ffbc dd77cdbf f2cd8d86 0b8f3f96

3965 bytes copied in 1.490 secs (3965 bytes/sec)
[OK]



Author: Migrated
