Cisco ASA Disable ESMTP Inspection

Telnet to Exchange on Port 25 shows a row of Asterisks?

KB ID 0000536

Problem

Yesterday my colleague Ben called me over to the help-desk and asked “Have you ever seen this before?” This was what was on his screen.

220 ***************************************************

Solution

Usually when you Telnet to an Exchange server it gives you a 220 message followed by the “Banner” of the Exchange server, a little like:

220 Servername.domainname.com Microsoft ESMTP Mail service ready at (Date/Time)

The reason you see this is that something between you and the Exchange server is inspecting the SMTP session and rewriting the greeting before it reaches you.

In this client's case I knew straight away what that was (because I'd seen it before): Cisco firewalls (PIX and ASA) that have SMTP/ESMTP inspection enabled cause this to happen.
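The Telnet test above only shows the greeting. The script below, added here as an example and not part of the original article, automates the same check and also sends an EHLO to see whether STARTTLS is still advertised, since the ASA's default ESMTP inspection strips that as well as masking the banner. The host name, the sample reply lines and the EHLO name probe.example.invalid are constructed for illustration.

```python
"""Probe an SMTP listener the way the Telnet test does, and report whether
the greeting has been masked and whether STARTTLS survives the EHLO exchange.
Added example; not code from the original KB article."""
import socket
import sys


def classify_banner(line: str) -> str:
    """Classify an SMTP greeting line.

    'masked'    -> 220 followed only by asterisks (what ASA/PIX ESMTP
                   inspection with mask-banner produces)
    'microsoft' -> a stock Exchange greeting
    'other'     -> a 220 greeting with some other text (e.g. a custom banner)
    'invalid'   -> not a 220 greeting at all
    """
    line = line.rstrip("\r\n")
    if not line.startswith("220"):
        return "invalid"
    text = line[3:].strip()
    if text and set(text) == {"*"}:
        return "masked"
    if "microsoft esmtp" in text.lower():
        return "microsoft"
    return "other"


def ehlo_advertises_starttls(reply_lines) -> bool:
    """True if a 250 EHLO reply lists the STARTTLS extension."""
    for line in reply_lines:
        # Each line is '250-KEYWORD ...' or, for the last one, '250 KEYWORD ...'
        if len(line) > 4 and line.startswith("250") and line[3] in "- ":
            words = line[4:].split()
            if words and words[0].upper() == "STARTTLS":
                return True
    return False


def diagnose(banner_lines, ehlo_lines) -> dict:
    """Combine the greeting and EHLO observations into a verdict."""
    banner = classify_banner(banner_lines[0] if banner_lines else "")
    starttls = ehlo_advertises_starttls(ehlo_lines)
    if banner == "masked":
        note = "greeting is masked: an inspecting device (ASA/PIX ESMTP inspection) sits in the path"
    elif not starttls:
        note = "no STARTTLS offered: either the server has no TLS configured or inspection without allow-tls is stripping it"
    else:
        note = "greeting and STARTTLS pass through unmodified"
    return {"banner": banner, "starttls": starttls, "note": note}


def read_reply(sock) -> list:
    """Read one (possibly multi-line) SMTP reply and return its lines."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
        lines = buf.decode("utf-8", "replace").split("\r\n")
        # lines[-1] is the partial line after the last CRLF ('' if none);
        # a reply ends with a line whose fourth character is a space.
        if len(lines) >= 2 and len(lines[-2]) >= 4 and lines[-2][3] == " ":
            return lines[:-1]
    return [l for l in buf.decode("utf-8", "replace").split("\r\n") if l]


def probe(host: str, port: int = 25, timeout: float = 5.0,
          ehlo_name: str = "probe.example.invalid") -> dict:
    """Connect, capture the greeting and the EHLO reply, then QUIT."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        banner = read_reply(sock)
        sock.sendall(f"EHLO {ehlo_name}\r\n".encode("ascii"))
        ehlo = read_reply(sock)
        sock.sendall(b"QUIT\r\n")
    return diagnose(banner, ehlo)


# Constructed sample replies (not captured from a real server) so the logic
# can be exercised offline.
SAMPLE_MASKED = ["220 ***************************************************"]
SAMPLE_EXCHANGE = ["220 mail.example.com Microsoft ESMTP MAIL Service ready at Mon, 1 Jan 2024 10:00:00 +0000"]
SAMPLE_EHLO_TLS = ["250-mail.example.com Hello [192.0.2.10]", "250-SIZE 36700160", "250-STARTTLS", "250 OK"]
SAMPLE_EHLO_NOTLS = ["250-mail.example.com Hello [192.0.2.10]", "250-SIZE 36700160", "250 OK"]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 25))
    else:
        print(diagnose(SAMPLE_MASKED, SAMPLE_EHLO_NOTLS))
        print(diagnose(SAMPLE_EXCHANGE, SAMPLE_EHLO_TLS))
```

Run it as `python probe.py mail.example.com 25` against a real host; with no arguments it runs the constructed samples. A masked greeting is a firm sign of inspection in the path, whereas a missing STARTTLS can also mean the Exchange server simply has no certificate bound to the connector, so check that before blaming the firewall.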

Disable ESMTP Inspection on Cisco ASA Via command line

Note: If you send mail via TLS, DO NOT do this; see the section below on keeping inspection on with allow-tls (see here).

1. Connect to the Cisco ASA, either by serial cable, Telnet or SSH.

2. Usually you will find ESMTP inspection enabled on the "global_policy" service policy, in the class called "inspection_default". Remove the "inspect esmtp" line from that class and save the configuration.
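The commands as you would type them, added here as an example (the hostname PetesASA is borrowed from the box later on this page; the checksum and byte counts you see will differ):

```cisco
PetesASA> enable
Password: *********
PetesASA# configure terminal
PetesASA(config)# policy-map global_policy
PetesASA(config-pmap)# class inspection_default
PetesASA(config-pmap-c)# no inspect esmtp
PetesASA(config-pmap-c)# exit
PetesASA(config-pmap)# exit
PetesASA(config)# write memory
! Confirm that "inspect esmtp" no longer appears under class inspection_default
PetesASA(config)# show running-config policy-map
```

Existing SMTP sessions are not affected; the masked banner disappears for new connections. Bear in mind that this removes all ESMTP inspection (command filtering, size and recipient limits and so on), not just the banner masking; if that protection matters to you, use the policy-map approach further down instead.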

Disable ESMTP Inspection on Cisco ASA via ASDM

1. Connect to the Cisco ASA via ASDM.

2. Navigate to Configuration > Firewall > Service Policy Rules > Global Policy > Inspection_Default > Rule Actions > untick ESMTP > OK > Apply > File > Save Running Configuration to flash.

Enable the Banner and Keep ESMTP Inspection on

The ASA's default ESMTP inspection map masks the banner and also removes STARTTLS from the EHLO reply. To keep inspection but stop both behaviours, create your own ESMTP inspection policy map with "allow-tls" and "no mask-banner", then apply it in the global policy in place of the default "inspect esmtp", like so;

[box]

PetesASA> en
Password:*********
PetesASA# configure terminal
PetesASA(config)# policy-map type inspect esmtp tls-allow
PetesASA(config-pmap)# parameters
PetesASA(config-pmap-p)# allow-tls
PetesASA(config-pmap-p)# no mask-banner
PetesASA(config-pmap-p)# exit
PetesASA(config-pmap)# exit
PetesASA(config)# policy-map global_policy
PetesASA(config-pmap)# class inspection_default
PetesASA(config-pmap-c)# no inspect esmtp
PetesASA(config-pmap-c)# inspect esmtp tls-allow
PetesASA(config-pmap-c)# exit
PetesASA(config-pmap)# exit
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: b984ffbc dd77cdbf f2cd8d86 0b8f3f96
3965 bytes copied in 1.490 secs (3965 bytes/sec)
[OK]

[/box]


Related Articles, References, Credits, or External Links

NA

Exchange 2007 / 2010 change the SMTP Banner

KB ID 0000327

Problem

If you want to stop the outside world seeing which mail platform you are running, or simply want to deter the casual script kiddie who is remotely fingerprinting a large range of IP addresses, changing the SMTP response banner is quite simple to do.

Out of the box, the banner tells anyone who connects that we are running a Microsoft mail platform.

Solution

1. Open the Exchange Management Console and find the name of your "Receive Connector" (Server Configuration > Hub Transport > Receive Connectors).

2. Open the "Exchange Management Shell" and issue the following PowerShell command,

[box]Set-ReceiveConnector "name of the connector" -Banner "220 The text you want to display"[/box]

3. Your banner should now be changed for new connections (you don't need to restart anything). The text must begin with the 220 reply code followed by a space, otherwise sending servers will treat the greeting as an error; you can confirm the new value with Get-ReceiveConnector "name of the connector" | Format-List Banner.

Changing the SMTP Banner for Exchange 2000 / 2003

1. Drop to command line and issue the following commands,

[box]

cd c:\inetpub\adminscripts
cscript adsutil.vbs set smtpsvc/<vsi number>/connectresponse "220 The text you want to display"

[/box]

Note: The c:\inetpub\adminscripts\adsutil.vbs path may be different on your Exchange server. And "<vsi number>" is the number of your SMTP virtual server; this is nearly always 1, check in your Exchange System Manager console to make sure.

How to locate your VSI Number

2. Then restart the SMTP service.

Related Articles, References, Credits, or External Links

NA