Cisco ASA (inspect SMTP)

Hi guys,

I recently went through some troubles sending emails from our new mailserver software (MDaemon).
I did all the research and it boiled down to our Cisco ASA having 'inspect smtp' in the config.
Once that was removed, all emails started to deliver successfully and no more timeouts occurred.

Does removing this line cause any security risk? Should I do something to compensate for the removal?

Thanks in advance folks.
dqnet Asked:
Garry Glendown, Consulting and Network/Security Specialist, Commented:
On outgoing mails, there should not really be any security problems ...
Do you have a CSC module in the ASA doing content scanning?
0
dqnet (Author) Commented:
nope :(
0
dqnet (Author) Commented:
anyone?
0

Garry Glendown, Consulting and Network/Security Specialist, Commented:
Two things ... first of all would be to try to find out what the reason was why outgoing mails got blocked/interrupted by the ESMTP inspection of the firewall. Maybe your MTA is in some way misbehaving, which might cause problems at some later time, or for certain recipient domains.
Apart from that, you could try and set up the ESMTP inspection just for incoming traffic. While it's no content scanning or anti-spam feature as such, it does protect your MTA from certain possible attacks which could cause problems. Depending on the settings you use, it does checks on header line lengths, file names, obfuscates server messages (apart from the codes, in order to keep people from knowing what software and version you're using - though that's much more than "security by obscurity"), and lets you filter MIME types. In summary, it does help improve security, albeit not to any extreme extent.
0
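Garry's two points above (keep ESMTP inspection for inbound mail only, and use its banner masking, line-length and filename checks) can both be expressed in the ASA's Modular Policy Framework, which allows a service policy per interface in addition to the global one. The configuration below is an added example written for this page; it is not from the thread, from MDaemon or from Cisco documentation. The interface name `outside`, the mail server's real (inside) address 192.0.2.25, the map and ACL names and the length thresholds are all assumptions. It also assumes the ASA evaluates the class-map ACL against the first packet of each connection, so sessions opened from the Internet to the mail server match while sessions the mail server opens outbound do not.

```cisco
! --- 1. Remove ESMTP inspection from the global policy
!        (this is the line the asker removed to get outbound mail flowing)
policy-map global_policy
 class inspection_default
  no inspect esmtp

! --- 2. Define what the inbound inspection should check
!        (map name and thresholds are assumptions; tune them to your MTA)
policy-map type inspect esmtp inbound-esmtp-map
 parameters
  ! hide the MTA software/version in the 220 greeting, keep the reply code
  mask-banner
  ! let STARTTLS negotiate; the encrypted session is not inspected afterwards
  allow-tls
 ! over-long command line, e.g. a malformed or deliberately oversized verb
 match cmd line length gt 512
  drop-connection log
 ! over-long header line (RFC 5322 limit is 998 octets)
 match header line length gt 998
  drop-connection log
 ! over-long attachment filename in a MIME part
 match mime filename length gt 255
  drop-connection log
 ! more recipients per message than a normal inbound delivery would carry
 match cmd RCPT count gt 100
  drop-connection log

! --- 3. Match only connections initiated from the Internet to the mail server
!        (192.0.2.25 is a constructed address; on ASA 8.3+ use the real,
!         untranslated address here, not the public NAT address)
access-list INBOUND-SMTP extended permit tcp any host 192.0.2.25 eq smtp
class-map inbound-smtp-class
 match access-list INBOUND-SMTP

! --- 4. Apply that inspection on the outside interface only
policy-map outside-policy
 class inbound-smtp-class
  inspect esmtp inbound-esmtp-map
service-policy outside-policy interface outside

! --- 5. Verify: counters should rise for inbound deliveries, stay flat for outbound
show service-policy interface outside inspect esmtp
```

Outbound SMTP from the mail server now passes uninspected, while inbound sessions still get the banner mask, the length limits and the recipient-count check. When a match rule fires, `log` produces a syslog message for each dropped connection, so watch the logs for a few days before tightening the thresholds; if legitimate senders are being dropped, raise the limit or change the action to `log` alone before resorting to removing inspection entirely.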

Pete Long, Technical Consultant, Commented:
Essentially with inspection on, you are limited to the command set outlined in the RFCs for the SMTP protocol. Some vendors (famously Microsoft Exchange, for example) use EXTRA commands that are not in the protocol outlines, so with SMTP/ESMTP inspection on, the traffic will fail.

I disable esmtp inspection as soon as I deploy a Cisco ASA (All my clients run Microsoft Exchange).

To answer your question "am I at more risk?": yes, as SMTP commands that are not ratified can be sent over port 25, but the choice is between having it work or not work.

Personally I don't worry, we have had this problem for years in the Cisco firewall community, before ASA we had to have "no inspect smtp" to make mail flow on Cisco PIX.

Bottom line: yes, the risk is greater, but you will not get your mail platform vendor to change, so you have to put up with it :)

Pete
0
dqnet (Author) Commented:
Gotcha!

So how do we inspect on incoming traffic only then?

Yes, it is to certain domains, but presently that's far more than the working domains.
0
Pete Long, Technical Consultant, Commented:
You don't; the inspection is applied on the global inspection map (that's all traffic through all interfaces).
0
dqnet (Author) Commented:
Thanks guys! Points split!
0
Question has a verified solution.