ASA - ESMTP Inspection

 

Assumptions

All changes are made in the global service-policy (global_policy); you can apply them to a different policy if you wish.

After modifying the policy-map, re-apply the service-policy so the change takes effect: no service-policy global_policy global, followed by service-policy global_policy global. Be aware that this briefly removes every inspection in that policy for new connections, so do it in a maintenance window.

 

ESMTP (Extended SMTP) inspection is the most problematic inspection on the ASA, especially when we want to inspect outbound ESMTP traffic from internal users. Inspecting inbound traffic to protect an SMTP server is fortunately much easier, but it also limits the server's functionality, especially on port 25.

 

Standard ESMTP inspection is enabled by default and has the following functionality:

  • Limits SMTP requests to seven basic RFC 821 SMTP commands (data, helo, mail, noop, quit, rcpt and rset)
  • Limits ESMTP commands to eight (auth, ehlo, etrn, help, saml, send, soml and vrfy)
  • Generates an audit trail.
  • Changes the characters in the server SMTP banner to asterisks, except for the 2 and 0 characters (the 220 reply code).
  • Discards incomplete commands.
  • Monitors the SMTP command-response sequence for the following:
 - Truncated commands
 - Incorrect command termination
 - Unexpected transition by the SMTP server
 - TCP stream editing
 - Command pipelining
 - Pipe signature (|) used as a parameter to a MAIL FROM or RCPT TO command (when it is found, the session is closed)
 - Unrecognized commands (when detected, the ASA changes all characters in the packet to "X", which causes the SMTP server to send an error code to the client)
 
 

Because of the command restrictions above, the STARTTLS feature will not work on port 25 (see the error below) until we explicitly allow it in the inspection policy.

 

esmtp-inspection-1.PNG

 EXAMPLE

Default inspection - masking SMTP banner

 

 

esmtp-inspection-2.PNG

Without inspection it looks like below:

esmtp-inspection-3.PNG
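To see what the default inspection does from the client's side (masked 220 banner, STARTTLS missing from the EHLO reply), the following probe connects to port 25, reads the banner, sends EHLO and reports what it observed. This is an added example, not code from the original post; the stub server at the bottom is a constructed stand-in for a mail server seen through the ASA (banner of asterisks, STARTTLS optionally advertised), so the script runs offline. Point probe_smtp at a real host and port to test through the firewall.

```python
"""Probe an SMTP listener the way a client behind the ASA sees it:
read the banner, send EHLO and check whether STARTTLS is advertised.
Added example, not part of the original post. The stub server is a
constructed stand-in for a real mail server seen through inspection."""
import re
import socket
import socketserver
import threading

def read_reply(sock):
    """Read one complete SMTP reply (single- or multi-line); return (code, lines)."""
    data = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
        lines = [l for l in data.decode("ascii", "replace").split("\r\n") if l]
        # A reply ends with a line of the form "NNN text" (space, not dash, after the code).
        if data.endswith(b"\r\n") and lines and re.match(r"^\d{3}( |$)", lines[-1]):
            break
    lines = [l for l in data.decode("ascii", "replace").split("\r\n") if l]
    return (int(lines[-1][:3]), lines) if lines else (0, [])

def probe_smtp(host, port, ehlo_name="probe.example"):
    """Return what a client can observe about the listener at host:port."""
    with socket.create_connection((host, port), timeout=5) as s:
        code, banner = read_reply(s)
        s.sendall(f"EHLO {ehlo_name}\r\n".encode())
        ehlo_code, ehlo = read_reply(s)
        s.sendall(b"QUIT\r\n")
        read_reply(s)
    text = banner[0][3:].strip() if banner else ""
    # Default inspection turns everything after the 220 code into asterisks;
    # treat the banner as masked if only '*' (and the 2/0 digits Cisco exempts) remain.
    masked = "*" in text and not re.search(r"[^*20\s]", text)
    # EHLO reply lines look like "250-STARTTLS" / "250 SIZE 10240000"; the keyword is the first word.
    keywords = {l[4:].split()[0].upper() for l in ehlo[1:] if l[4:].split()}
    return {
        "banner_code": code,
        "banner": text,
        "banner_masked": masked,
        "ehlo_code": ehlo_code,
        "starttls_advertised": "STARTTLS" in keywords,
    }

def start_stub(banner=b"220 " + b"*" * 30, advertise_starttls=True):
    """Constructed stand-in for a mail server; returns (server, port) listening on loopback."""
    class Handler(socketserver.StreamRequestHandler):
        def handle(self):
            self.wfile.write(banner + b"\r\n")
            for line in self.rfile:
                cmd = line.strip().upper()
                if cmd.startswith(b"EHLO"):
                    ext = b"250-STARTTLS\r\n" if advertise_starttls else b""
                    self.wfile.write(b"250-mail.example.test\r\n" + ext + b"250 SIZE 10240000\r\n")
                elif cmd.startswith(b"QUIT"):
                    self.wfile.write(b"221 Bye\r\n")
                    return
                else:
                    self.wfile.write(b"500 Unrecognized command\r\n")
    srv = socketserver.TCPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

if __name__ == "__main__":
    # Replace the stub with a real host/port to test through the ASA.
    srv, port = start_stub()
    print(probe_smtp("127.0.0.1", port))
    srv.shutdown()
    srv.server_close()
```

Run it once against the server before and once after applying the allow-tls policy from Example 1 below: banner_masked should stay True in both runs while starttls_advertised flips from False to True.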

 

Advanced ESMTP Inspection

EXAMPLE 1

  • Enabling TLS over ESMTP (STARTTLS). Note that once the session switches to TLS the ASA can no longer see the commands, so the checks in the following examples only apply to the cleartext part of a session.
 

(config)# policy-map type inspect esmtp danpol-smtp

(config-pmap)# parameters

(config-pmap-p)# allow-tls action log

 (config-pmap-p)# exit

 (config-pmap)# exit

(config)# policy-map global_policy

(config-pmap)# class inspection_default

(config-pmap-c)# no inspect esmtp

(config-pmap-c)# inspect esmtp danpol-smtp

(config-pmap-c)# exit

(config-pmap)# exit

 

 TEST

Mar 09 2013 15:12:26: %ASA-6-108007: TLS started on ESMTP session between client inside:10.10.1.10/40057 and server outside:x.x.x.x/25

 

EXAMPLE 2

  • Drop the connection if the mail domain is not the allowed one (mail-relay)


(config)# policy-map type inspect esmtp danpol-smtp

(config-pmap)# parameters

 (config-pmap-p)# mail-relay domain.com action drop-connection log

 (config-pmap-p)# exit

 (config-pmap)# exit

TEST

Mar 09 2013 22:51:06: %ASA-4-108004: ESMTP Parameter: Dropped connection for ESMTP Request from inside:10.10.1.10/58014 to outside:x.x.x.x/25; mail-relay: mail relay only allowed for the configured mail relay domain

 EXAMPLE 3

  • Preventing buffer overflows by limiting the maximum message body size

 

(config)# policy-map type inspect esmtp danpol-smtp

(config-pmap)# match body length gt 64000

 (config-pmap-c)# drop-connection log

 (config-pmap-c)# exit

 (config-pmap)# exit

 

TEST

Mar 10 2013 09:38:28: %ASA-4-108004: ESMTP Classification: Dropped connection for ESMTP Request from inside:10.10.1.10/40322 to outside:x.x.x.x/25; matched Class 25: body length gt 64000

 

 EXAMPLE 4

  • Blocking e-mail senders (per user or per domain)

(config)# regex danpol "@domain\.net"

(config)# regex sender1 "user@poczta\.onet\.pl"

(config)# class-map type regex match-any blocked_senders

(config-cmap)# match regex danpol

(config-cmap)# match regex sender1

(config-cmap)# exit

(config)# policy-map type inspect esmtp danpol-smtp

(config-pmap)# match sender-address regex class blocked_senders

(config-pmap-c)# drop-connection log

(config-pmap-c)# exit

(config-pmap)# exit

 

TEST

Mar 10 2013 11:30:00: %ASA-4-108004: ESMTP Classification: Dropped connection for ESMTP Request from inside:10.10.1.10/42592 to outside:x.x.x.x/25; matched Class 29: sender-address regex class blocked_senders
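The TEST lines in Examples 1 to 4 are what the ASA sends to syslog, and they are the only evidence you get when inspection silently kills a mail session. The parser below, an added example that is not part of the original post, pulls the endpoints, the inspection stage (Parameter vs. Classification) and the matched class or parameter out of %ASA-4-108004 and %ASA-6-108007 messages and counts drops per reason, which is what you want in a SIEM rule or a quick triage script. The sample log is constructed from the four TEST lines above with a made-up server address (203.0.113.25) and one unrelated teardown line (%ASA-6-302014) added as noise to show it is ignored.

```python
"""Parse ASA ESMTP inspection syslog messages (108004 drops, 108007 TLS start).
Added example, not part of the original post; sample lines are constructed."""
import re
from collections import Counter

# Constructed sample, modelled on the TEST output in the post (server address made up).
SAMPLE_LOG = """\
Mar 09 2013 15:12:26: %ASA-6-108007: TLS started on ESMTP session between client inside:10.10.1.10/40057 and server outside:203.0.113.25/25
Mar 09 2013 22:51:06: %ASA-4-108004: ESMTP Parameter: Dropped connection for ESMTP Request from inside:10.10.1.10/58014 to outside:203.0.113.25/25; mail-relay: mail relay only allowed for the configured mail relay domain
Mar 10 2013 09:38:28: %ASA-4-108004: ESMTP Classification: Dropped connection for ESMTP Request from inside:10.10.1.10/40322 to outside:203.0.113.25/25; matched Class 25: body length gt 64000
Mar 10 2013 11:30:00: %ASA-4-108004: ESMTP Classification: Dropped connection for ESMTP Request from inside:10.10.1.10/42592 to outside:203.0.113.25/25; matched Class 29: sender-address regex class blocked_senders
Mar 10 2013 11:31:07: %ASA-6-302014: Teardown TCP connection 4711 for outside:203.0.113.25/25 to inside:10.10.1.10/42592 duration 0:00:00 bytes 312 Flow closed by inspection
"""

# interface:ip/port, named with a prefix so src and dst can share one pattern
ENDPOINT = r"(?P<{n}_if>[^:\s]+):(?P<{n}_ip>[^/\s]+)/(?P<{n}_port>\d+)"
HEADER = r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-(?P<sev>\d)-(?P<id>\d{6}): "

RE_TLS = re.compile(
    HEADER + r"TLS started on ESMTP session between client "
    + ENDPOINT.format(n="src") + r" and server " + ENDPOINT.format(n="dst") + r"$")
RE_DROP = re.compile(
    HEADER + r"ESMTP (?P<stage>Parameter|Classification): Dropped connection for ESMTP "
    r"(?P<dir>Request|Response) from " + ENDPOINT.format(n="src")
    + r" to " + ENDPOINT.format(n="dst") + r"; (?P<reason>.+)$")
RE_CLASS = re.compile(r"^matched Class (?P<num>\d+): (?P<match>.+)$")

def parse_line(line):
    """Return a dict for an ESMTP inspection event, or None for any other message."""
    m = RE_TLS.match(line)
    if m:
        ev = m.groupdict()
        ev["event"] = "tls_started"
        return ev
    m = RE_DROP.match(line)
    if m:
        ev = m.groupdict()
        ev["event"] = "dropped"
        c = RE_CLASS.match(ev["reason"])
        if c:
            # classification drop: "matched Class 25: body length gt 64000"
            ev["class_num"] = int(c["num"])
            ev["match"] = c["match"]
        else:
            # parameter drop: "mail-relay: mail relay only allowed ..." -> keep the parameter name
            ev["match"] = ev["reason"].split(":", 1)[0].strip()
        return ev
    return None

def summarize(text):
    """Count dropped sessions per match reason and TLS sessions over a block of syslog text."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    drops = Counter(e["match"] for e in events if e["event"] == "dropped")
    tls = sum(1 for e in events if e["event"] == "tls_started")
    return {"events": events, "drops_by_match": drops, "tls_sessions": tls}

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("TLS sessions:", s["tls_sessions"])
    for reason, n in s["drops_by_match"].most_common():
        print(f"{n:4d}  {reason}")
```

A sudden rise in drops for "body length gt 64000" after a policy change usually means the limit is too low for legitimate attachments rather than an attack, so keep the per-reason counts rather than just the total.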

 

 

dzbanek 2013-03-09
