Disable SMTP in ASA Firewall

Hi,
Could anyone tell us how to disable something called SMTP inspections in the ASA firewall? How could we do that?
mishalk Asked:

chosmer Commented:
Here ya go...(version 7)

pix(config)#policy-map global_policy
pix(config-pmap)#class inspection_default
pix(config-pmap-c)#no inspect esmtp
pix(config-pmap-c)#exit
pix(config-pmap)#exit
0
piwowarc Commented:
I assume your_policy_name is the name of your policy and your_inspection is your class.

CiscoASA(config)#policy-map your_policy_name
CiscoASA(config-pmap)#class your_inspection
CiscoASA(config-pmap-c)#no inspect esmtp

Could you say something more about your problem? Why are you trying to switch it off? Do you have problems with TLS, common to some people using ASAs?

Cheers
0
piwowarc Commented:
I didn't see your reply before, chosmer, sorry.
0

mishalk (Author) Commented:
We are having a problem when users send emails from Gmail. They are getting a warning message. So from blogs I came to know that you need to disable this option.
A Send Message (Connection Time out) error is showing on the non-delivery messages.
0
piwowarc Commented:
It's almost certainly the fault of ASA fixup esmtp. Googling showed that it's a common problem with Gmail. I assume that your mail client configuration is proper.

I would suggest, though, blocking (if you can, and haven't already) TCP 25 (SMTP) for outgoing connections. It won't affect Gmail (it uses TCP 587) and will prevent those nasty spamming bots that may install themselves somewhere in the background. ISPs use this method to fight the global spam problem, and so can you.

Cheers
0
mishalk (Author) Commented:
That is a cool idea. I will look into it and come back.

regards
0
mishalk (Author) Commented:
Hope you understand the issue.

When a user from outside our network sends a mail using Gmail, the mail isn't received by our company staff. And the sender will get the warning message which I mentioned earlier. You suggest transferring all outgoing messages to another port instead of port 25. But the issue is not with sending out from our network to external. The issue is when an external user (outside our network) sends to our domain name using a Gmail account.
0
piwowarc Commented:
That makes your problem a bit more clear. I need some more details.

Someone sends an email using Gmail to one of the people at your company at person@yourdomain.com. This person does not receive the email and the sender gets an error message on his Gmail. Right?

Do you have a local mail server which hosts person@yourdomain.com, or is it located outside your company LAN?
0
mishalk (Author) Commented:
To the first question: yes, you are right.
And to the second question: yes, we have a local mail server which hosts our mail (it is in the company LAN).
0
mishalk (Author) Commented:
The sender receives a warning message as follows:

This is an automatically generated Delivery Status Notification

THIS IS A WARNING MESSAGE ONLY.

YOU DO NOT NEED TO RESEND YOUR MESSAGE.

Delivery to the following recipient has been delayed:

    username@domain.com

Message will be retried for 2 more day(s)

Technical details of temporary failure:
Unspecified Error (SENT_MESSAGE): Connection timed out
0
piwowarc Commented:
Does your server receive any mail at all? Does your ASA have an ACL to forward incoming traffic to the mail server? I know it's a lot of questions, but the more we know, the better we may help.

Cheers
0
mishalk (Author) Commented:
We are getting mails without any issues, but some mails from gmail.com are not received and the sender gets the above warning message, not all the time...
0
mishalk (Author) Commented:
The mail delivery is as follows:

external - ASA firewall - firewall 2 - antispam device - mail server
0
piwowarc Commented:
It's not happening all the time.  That's bad, it's more difficult to diagnose that way.

Try switching off esmtp fixup and we'll see if the problem goes away.

I assume your_policy_name is the name of your policy and your_inspection is your class.

CiscoASA(config)#policy-map your_policy_name
CiscoASA(config-pmap)#class your_inspection
CiscoASA(config-pmap-c)#no inspect esmtp

And discard my idea about blocking TCP 25. Your mail server uses it to talk with other mail servers.

Blocking TCP 25 is common in ISPs, universities and companies which have hosted email (not in the company LAN).

Cheers
0
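
One way to confirm, from outside the firewall, whether SMTP inspection is still rewriting sessions to the mail server after the change above (an added example, not part of the original thread and not Cisco's code). The masking patterns it looks for are commonly reported PIX/ASA inspection behaviour rather than anything stated in this thread, and the transcripts and the host name mail.example.com are constructed.

```python
import re

# Assumption (general PIX/ASA behaviour, not from the thread): inspection can
# overwrite the 220 greeting with asterisks and overwrite EHLO keywords it
# does not allow, such as STARTTLS, with runs of "X".
MASKED_KEYWORD = re.compile(r"X{4,}[A-Z]?")

def parse_replies(transcript):
    """Return (code, text) for every SMTP reply line in the server output."""
    replies = []
    for line in transcript.splitlines():
        m = re.match(r"^(\d{3})[ -](.*)$", line)
        if m:
            replies.append((m.group(1), m.group(2).strip()))
    return replies

def check_esmtp_path(transcript):
    """List signs that a device in the path is rewriting the SMTP session."""
    findings = []
    replies = parse_replies(transcript)
    banner = next((t for c, t in replies if c == "220"), "")
    if banner.count("*") >= 5 and re.fullmatch(r"[*\d ]+", banner):
        findings.append("banner masked")
    ehlo = [t for c, t in replies if c == "250"][1:]  # skip the greeting line
    keywords = [t.split()[0].upper() for t in ehlo if t]
    masked = [k for k in keywords if MASKED_KEYWORD.fullmatch(k)]
    if masked:
        findings.append("EHLO keyword masked: " + ", ".join(masked))
    if "STARTTLS" not in keywords:
        # Also true for a server that simply has no TLS configured.
        findings.append("STARTTLS not advertised")
    return findings

# Constructed server output as seen by an external client after sending EHLO.
INSPECTED = ("220 ****************************************\r\n"
             "250-mail.example.com Hello\r\n"
             "250-SIZE 10485760\r\n"
             "250-XXXXXXXA\r\n"
             "250 8BITMIME\r\n")
CLEAN = ("220 mail.example.com ESMTP ready\r\n"
         "250-mail.example.com Hello\r\n"
         "250-SIZE 10485760\r\n"
         "250-STARTTLS\r\n"
         "250 8BITMIME\r\n")

if __name__ == "__main__":
    for name, t in (("inspected", INSPECTED), ("clean", CLEAN)):
        print(name, check_esmtp_path(t))
```

Feed it the server side of a manual SMTP session captured from a host outside the ASA, once before and once after removing `inspect esmtp`, and compare the findings.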

mishalk (Author) Commented:
Hi,
I followed your comment and made the changes in the firewall. We will have to monitor whether the same problem is going to happen again.
0