Cisco ASA Disable ESMTP Inspection

Telnet to Exchange on Port 25 shows a row of Asterisks?

KB ID 0000536

Problem

Yesterday my colleague Ben called me over to the help-desk and asked “Have you ever seen this before?” This was what was on his screen.

220 ***************************************************

Solution

Usually when you Telnet to an Exchange server it gives you a 220 message followed by the “Banner” of the Exchange server, a little like:

220 Servername.domainname.com Microsoft ESMTP Mail service ready at (Date/Time)

The reason why you see this happening is, there is something in between you and the Exchange server that’s stopping/filtering ESMTP traffic.

In this clients case I knew straight away what that was, (because I’d seen it before,) Cisco firewalls (PIX and ASA) that have SMTP/ESMTP inspection enabled cause this to happen.

Disable ESMTP Inspection on Cisco ASA Via command line

Note: If you send mail via TLS DO NOT do this. (see here).

1. Connect to the the Cisco ASA, either by serial cable, Telnet or SSH.

2. Usually you will find ESMTP inspection enabled on the “global_policy” in the class called “inspection_default”, below are the commands to disable this feature.

Disable ESMTP Inspection on Cisco ASA via ASDM

1. Connect to the the Cisco ASA, via ASDM.

2. Navigate to Configuration > Firewall > Service Policy Rules > Global Policy > Inspection_Default > Rule Actions > untick ESMTP > OK > Apply > File > Save Running Configuration to flash.

Enable the Banner and Keep ESMTP Inspection on

You need to create a policy map that will not mask the banner and add that to the default inspection map, like so;

[box]

PetesASA> en
Password:*********
PetesASA#configure terminal
PetesASA(config)#policy-map type inspect esmtp tls-allow 
PetesASA(config-pmap-p)#parameters
PetesASA(config-pmap-p)#allow-tls
PetesASA(config-pmap-p)#no mask-banner
PetesASA(config-pmap-p)#exit
PetesASA(config)#policy-map global_policy 
PetesASA(config-pmap)#class inspection_default 
PetesASA(config-pmap-c)#no inspect esmtp
PetesASA(config-pmap-c)#inspect esmtp tls-allow 
PetesASA(config-pmap-c)#exit
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: b984ffbc dd77cdbf f2cd8d86 0b8f3f96
3965 bytes copied in 1.490 secs (3965 bytes/sec)
[OK]

[/box]

 

 

Related Articles, References, Credits, or External Links

NA