Cisco ASA Disable ESMTP Inspection
Problem
Yesterday my colleague Ben called me over to the help-desk and asked “Have you ever seen this before?” This was what was on his screen.
220 ***************************************************
Solution
Usually when you Telnet to an Exchange server it gives you a 220 message followed by the “Banner” of the Exchange server, a little like:
220 Servername.domainname.com Microsoft ESMTP Mail service ready at (Date/Time)
You see this because something between you and the Exchange server is stopping or filtering ESMTP traffic.
In this client’s case I knew straight away what that was (because I’d seen it before): Cisco firewalls (PIX and ASA) that have SMTP/ESMTP inspection enabled cause this to happen.
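A scripted version of the banner check described above, as an added example that is not part of the original post: it parses the SMTP greeting and reports whether the banner has been masked. The function names and sample greetings are constructed for illustration, and tolerating "2" and "0" inside a masked banner is an assumption based on Cisco's documented mask-banner behaviour.

```python
import re
import socket

# One SMTP reply line: 3-digit code, "-" (continues) or " " (final line), free text.
REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_greeting(raw: bytes):
    """Return (code, text_lines) for the first SMTP reply found in raw bytes."""
    code, texts = None, []
    for line in raw.decode("ascii", "replace").splitlines():
        m = REPLY_LINE.match(line)
        if m is None:
            raise ValueError(f"not an SMTP reply line: {line!r}")
        code = int(m.group(1))
        texts.append(m.group(3))
        if m.group(2) == " ":          # a space after the code ends the reply
            return code, texts
    raise ValueError("greeting is empty or truncated")

def classify_banner(raw: bytes) -> str:
    """Classify a server greeting as 'masked', 'clear' or 'not-ready'."""
    code, texts = parse_greeting(raw)
    if code != 220:
        return "not-ready"             # e.g. 421/554: server refused, nothing to judge
    body = "".join(texts).replace(" ", "")
    # Masking overwrites the banner with asterisks; assumption from Cisco's
    # documentation: the characters "2" and "0" can be left in place.
    if "*" in body and set(body) <= set("*20"):
        return "masked"
    return "clear"

def fetch_greeting(host: str, port: int = 25, timeout: float = 5.0) -> bytes:
    """Read the greeting from a mail server you administer (hypothetical helper)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(4096)

# Constructed sample greetings (not captured traffic).
SAMPLES = {
    "through inspection": b"220 ***************************************************\r\n",
    "digits left intact": b"220 ****2*******0***0*****\r\n",
    "direct to server": b"220 mail.example.test Microsoft ESMTP MAIL Service ready\r\n",
    "multi-line": b"220-mail.example.test ESMTP\r\n220 ready\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:20} -> {classify_banner(raw)}")
```

Running the classifier against the same server from inside and outside the firewall shows whether the masking is applied on that path.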
Disable ESMTP Inspection on Cisco ASA Via command line
Note: If you send mail via TLS DO NOT do this. (see here).
1. Connect to the Cisco ASA, either by serial cable, Telnet or SSH.
2. Usually you will find ESMTP inspection enabled on the “global_policy” in the class called “inspection_default”. Below are the commands to disable this feature.
Disable ESMTP Inspection on Cisco ASA via ASDM
1. Connect to the Cisco ASA via ASDM.
2. Navigate to Configuration > Firewall > Service Policy Rules > Global Policy > Inspection_Default > Rule Actions > untick ESMTP > OK > Apply > File > Save Running Configuration to flash.
Enable the Banner and Keep ESMTP Inspection on
You need to create a policy map that will not mask the banner, and add that to the default inspection map, like so:
PetesASA> en
Password:*********
PetesASA#configure terminal
PetesASA(config)#policy-map type inspect esmtp tls-allow
PetesASA(config-pmap-p)#parameters
PetesASA(config-pmap-p)#allow-tls
PetesASA(config-pmap-p)#no mask-banner
PetesASA(config-pmap-p)#exit
PetesASA(config)#policy-map global_policy
PetesASA(config-pmap)#class inspection_default
PetesASA(config-pmap-c)#no inspect esmtp
PetesASA(config-pmap-c)#inspect esmtp tls-allow
PetesASA(config-pmap-c)#exit
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: b984ffbc dd77cdbf f2cd8d86 0b8f3f96
3965 bytes copied in 1.490 secs (3965 bytes/sec)
[OK]