10-33
Cisco ASA Series Firewall CLI Configuration Guide
Chapter10 Configuring Inspection of Basic Internet Protocols
SMTP and Extended SMTP Inspection
includes support for SMTP sessions. Most commands used in an extended SMTP session are the same
as those used in an SMTP session but an ESMTP session is considerably faster and offers more options
related to reliability and security, such as delivery status notification.
Extended SMTP application inspection adds support for these extended SMTP commands, including
AUTH, EHLO, ETRN, HELP, SAML, SEND, SOML, STARTTLS, and VRFY. Along with the support for
seven RFC 821 commands (DATA, HELO, MAIL, NOOP, QUIT, RCPT, RSET), the ASA supports a total
of fifteen SMTP commands.
Other extended SMTP commands, such as ATRN , ONEX, VERB, CHUNKING, and private extensions
and are not supported. Unsupported commands are translated into Xs, which are rejected by the internal
server. This results in a message such as “500 Command unknown: 'XXX'.” Incomplete commands are
discarded.
The ESMTP inspection engine changes the characters in the server SMTP banner to asterisks except for
the “2”, “0”, “0” characters. Carriage return (CR) and linefeed (LF) characters are ignored.
With SMTP inspection enabled, a Telnet session used for interactive SMTP may hang if the following
rules are not observed: SMTP commands must be at least four characters in length; must be terminated
with carriage return and line feed; and must wait for a response before issuing the next reply.
An SMTP server responds to client requests with numeric reply codes and optional human-readable
strings. SMTP application inspection controls and reduces the commands that the user can use as well
as the messages that the server returns. SMTP inspection performs three primary tasks:
Restricts SMTP requests to seven basic SMTP commands and eight extended commands.
Monitors the SMTP command-response sequence.
Generates an audit trail—Audit record 108002 is generated when invalid character embedded in the
mail address is replaced. For more information, see RFC 821.
SMTP inspection monitors the command and response sequence for the following anomalous signatures:
Truncated commands.
Incorrect command termination (not terminated with <CR><LR>).
The MAIL and RCPT commands specify who are the sender and the receiver of the mail. Mail
addresses are scanned for strange characters. The pipeline character (|) is deleted (changed to a blank
space) and “<” ‚”>” are only allowed if they are used to define a mail address (“>” must be preceded
by “<”). To close the session when the PIPE character is found as a parameter to a MAIL from or
RCPT to command, include the special-character command in the configuration as part of the
inspection parameters (parameters command).
Unexpected transition by the SMTP server.
For unknown commands, the ASA changes all the characters in the packet to X. In this case, the
server generates an error code to the client. Because of the change in the packed, the TCP checksum
has to be recalculated or adjusted.
TCP stream editing.
Command pipelining.
Configuring an ESMTP Inspection Policy Map for Additional Inspection Control
ESMTP inspection detects attacks, including spam, phising, malformed message attacks, buffer
overflow/underflow attacks. It also provides support for application security and protocol conformance,
which enforce the sanity of the ESMTP messages as well as detect several attacks, block
senders/receivers, and block mail relay.