11-53
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 11 Configuring Inspection of Basic Internet Protocols
SMTP and Extended SMTP Inspection
Other extended SMTP commands, such as ATRN, ONEX, VERB, CHUNKING, and private extensions,
are not supported. Unsupported commands are translated into Xs, which are rejected by the internal
server. This results in a message such as “500 Command unknown: 'XXX'.” Incomplete commands are
discarded.
The ESMTP inspection engine changes the characters in the server SMTP banner to asterisks except for
the “2”, “0”, “0” characters. Carriage return (CR) and linefeed (LF) characters are ignored.
With SMTP inspection enabled, a Telnet session used for interactive SMTP may hang if the following
rules are not observed: SMTP commands must be at least four characters in length, must be terminated
with a carriage return and line feed, and the client must wait for a response before issuing the next command.
An SMTP server responds to client requests with numeric reply codes and optional human-readable
strings. SMTP application inspection controls and reduces the commands that the user can use as well
as the messages that the server returns. SMTP inspection performs three primary tasks:
Restricts SMTP requests to seven basic SMTP commands and eight extended commands.
Monitors the SMTP command-response sequence.
Generates an audit trail—Audit record 108002 is generated when an invalid character embedded in the
mail address is replaced. For more information, see RFC 821.
SMTP inspection monitors the command and response sequence for the following anomalous signatures:
Truncated commands.
Incorrect command termination (not terminated with <CR><LF>).
The MAIL and RCPT commands specify the sender and the receiver of the mail. Mail
addresses are scanned for strange characters. The pipe character (|) is deleted (changed to a blank
space), and “<” and “>” are only allowed if they are used to define a mail address (“>” must be preceded
by “<”).
Unexpected transition by the SMTP server.
For unknown commands, the ASA changes all the characters in the packet to X. In this case, the
server generates an error code to the client. Because of the change in the packet, the TCP checksum
has to be recalculated or adjusted.
TCP stream editing.
Command pipelining.
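To make the behaviour described above concrete (banner masking, unknown commands rewritten to Xs, and the MAIL/RCPT address rules), here is a small Python model of those inspection rules. It is an added illustration, not Cisco code; the membership of the seven basic and eight extended commands is an assumption (this page gives only the counts), as is the handling of a stray “>” (blanked so the packet length is preserved).

```python
# Model of the ESMTP inspection rules in this section (added illustration,
# not Cisco code). Command lists below are an ASSUMPTION: the page only
# states "seven basic SMTP commands and eight extended commands".
import re

BASIC_COMMANDS = {"DATA", "HELO", "MAIL", "NOOP", "QUIT", "RCPT", "RSET"}
EXTENDED_COMMANDS = {"AUTH", "EHLO", "ETRN", "HELP", "SAML", "SEND", "SOML", "VRFY"}
ALLOWED = BASIC_COMMANDS | EXTENDED_COMMANDS
ADDRESS_RE = re.compile(r"^(MAIL FROM:|RCPT TO:)(.*)$", re.IGNORECASE)


def mask_banner(banner: str) -> str:
    """Star out the server banner, keeping the reply code (the "2", "0", "0"
    of the guide, modelled as the leading three characters) and CR/LF."""
    code, rest = banner[:3], banner[3:]
    return code + "".join(c if c in "\r\n" else "*" for c in rest)


def scan_address(arg: str) -> str:
    """Address rules: '|' becomes a blank; '>' is only kept when a '<'
    precedes it. A stray '>' is blanked too (assumption: keeps the length)."""
    out, seen_open = [], False
    for c in arg.replace("|", " "):
        if c == "<":
            seen_open = True
        elif c == ">" and not seen_open:
            c = " "
        out.append(c)
    return "".join(out)


def inspect_command(raw: bytes) -> tuple[bytes, str]:
    """Return (bytes forwarded to the server, verdict) for one client line."""
    if not raw.endswith(b"\r\n"):
        return b"", "incorrect termination"        # not <CR><LF>: not forwarded
    line = raw[:-2].decode("ascii", errors="replace")
    verb = line.split(" ", 1)[0].upper()
    if len(verb) < 4:
        return b"", "truncated command"            # incomplete command: discarded
    if verb not in ALLOWED:
        # Unknown command: every character becomes 'X'. Length is unchanged,
        # so only the TCP checksum needs recalculating; the server then
        # answers with something like "500 Command unknown: 'XXXX'".
        return b"X" * len(line) + b"\r\n", "unknown command masked"
    m = ADDRESS_RE.match(line)
    if m:
        line = m.group(1) + scan_address(m.group(2))
    return line.encode("ascii", errors="replace") + b"\r\n", "ok"
```

Feeding the constructed banner "220 mail.example.com ESMTP Postfix" through mask_banner yields "220" followed by 31 asterisks, and a "VERB" command (listed above as unsupported) is forwarded as "XXXX".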
Select ESMTP Map
The Select ESMTP Map dialog box is accessible as follows:
Add/Edit Service Policy Rule Wizard > Rule Actions >
Protocol Inspection Tab > Select ESMTP Map
The Select ESMTP Map dialog box lets you select or create a new ESMTP map. An ESMTP map lets
you change the configuration values used for ESMTP application inspection. The Select ESMTP Map
table provides a list of previously configured maps that you can select for application inspection.
Fields
Use the default ESMTP inspection map—Specifies to use the default ESMTP map.
Select an ESMTP map for fine control over inspection—Lets you select a defined application
inspection map or add a new one.
Add—Opens the Add Policy Map dialog box for the inspection.