Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Cisco ASA (inspect SMTP)

Posted on 2011-10-22
8
Medium Priority
?
1,186 Views
Last Modified: 2012-05-12
Hi guys,

I recently went through some troubles sending emails from our new mailserver software (mdaemon).
I did all the research and it boiled down to the our CISCO ASA having the 'inspect smtp' in the config.
Once that was removed, all emails started to deliver successfully and no more timeouts occured.

Does removing this line cause any security risk? Should I do something to compensate for the removal?

Thanks in advance folks.
0
Comment
Question by:dqnet
  • 4
  • 2
  • 2
8 Comments
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 37011850
On outgoing mails, there should not really be any security problems ...
Do you have a CSC module in the ASA doing content scanning?
0
 

Author Comment

by:dqnet
ID: 37013126
nop :(
0
 

Author Comment

by:dqnet
ID: 37016002
anyone?
0
New Tabletop Appliances Blow Competitors Away!

WatchGuard’s new T15, T35 and T55 tabletop UTMs provide the highest-performing security inspection in their class, allowing users at small offices, home offices and distributed enterprises to experience blazing-fast Internet speeds without sacrificing enterprise-grade security.

 
LVL 18

Accepted Solution

by:
Garry Glendown earned 1000 total points
ID: 37016136
Two things ... first of all would be to try to find out what the reason was why outgoing mails got blocked/interrupted by the ESMTP inspection of the firewall. Maybe your MTA is in some way misbehaving, which might cause problems at some later time, or for certain recipient domains.
Apart from that, you could try and set up the ESMTP inspection just for incoming traffic. While it's no content scanning or anti-spam feature as such, it does protect your MTA from certain possible attacks which could cause problems. Depending on the settings you use, it does checks on header line lengths, file names, obfuscates server messages (apart from the codes, in order to keep people from knowing what software and version you're using - though that's much more than "security by obscurity"), and lets you filter MIME types. In summary, it does help improve security, albeit not to any extreme extent.
0
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 1000 total points
ID: 37016453
Essentially with inspction on - you are limited to the command set outlined in RFC's for the SMTP protocol, some vendors (famously Microsoft Exchange for example). use EXTRA commands that are not in the protocol outlines, so with smtp/esmtp inspection on the traffic will fail.

I disable esmtp inspection as soon as I deploy a Cisco ASA (All my clients run Microsoft Exchange).

To answer your question "am I at more risk?" Then yes, as smtp commands that are not ratified can be sent over port 25, but the choice is between having it work or not work.

Personally I don't worry, we have had this problem for years in the Cisco firewall community, before ASA we had to have "no inspect smtp" to make mail flow on Cisco PIX.

bottom line - yes the risk is greater but you will not get your mail platform vendor to change so you have to put up with it :)

Pete
0
 

Author Comment

by:dqnet
ID: 37022403
Gotcha!

So how do we inspect on incoming traffic only then?

Yes, it is to certain domains but presently thats far more then the working domains.
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 37038810
- you don't the inspection s applied on the global inspection map ) that's all traffic through all interfaces)
0
 

Author Comment

by:dqnet
ID: 37042080
thanks guys! points split..!
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains the fundamentals of industrial networking which ultimately is the backbone network which is providing communications for process devices like robots and other not so interesting stuff.
In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question