Cisco – To Inspect ESMTP on ASA or not

Tags: cisco, cisco-asa, firewall, security

On an ASA I administer there is a policy-map in place which implements "inspect ESMTP". I've reviewed what this does, and in my (rather uninformed) opinion at first blush it looks to be a good thing to implement. It is however impacting the ability to send mass emails from lists with over 50 recipients according to our domain admins. They want to remove this inspection to alleviate the problem.

Is ESMTP inspection a solid control to leave in place, or is removal safe? If I don't want to remove it, is there a way to see what in the control is preventing mail from being sent and possibly alter that one element of it rather than removing it altogether?

Best Answer

It only looks harmless. :-) In reality, Cisco has a long history of botching the SMTP and ESMTP inspection. And honestly, it won't provide any protection from current evolving threats; it doesn't use a dynamic set of rules that can be updated regularly. Email filtering and inspection is best done by a dedicated appliance that's up-to-date.

To my knowledge, there are no knobs on inspect esmtp. And this is enough of a reason to never turn it on:

For example, Telnet sends each character individually in a different packet on the wire, but actual email clients and servers send the entire command in one packet. If you use Telnet and you type H, the Telnet client sends an H to the email server. Since ESMTP and SMTP inspection do not recognize H as a valid command, the ASA replaces the H with an X and passes it along.
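As an added illustration of the behaviour the quoted Cisco text describes (this is example code written for this page, not Cisco's inspector and not part of the answer): a small Python model of a packet-by-packet command inspector that overwrites unrecognised verbs with `X`. It shows why a Telnet test session, which sends one keystroke per packet, gets every character masked while a real mail client that sends the whole command line in one packet passes through unchanged. The verb list, the per-packet judgement and the sample session are assumptions made for the model; the real ASA logic is more involved.

```python
from __future__ import annotations

# Added example: a toy model of "unknown ESMTP command is replaced with X".
# Assumption: the inspector judges each packet on its own, as the quoted
# Cisco text implies. KNOWN_VERBS is the RFC 5321 set plus common
# extensions; the real ASA list may differ in detail.
KNOWN_VERBS = {
    b"HELO", b"EHLO", b"MAIL", b"RCPT", b"DATA", b"RSET", b"VRFY",
    b"EXPN", b"HELP", b"NOOP", b"QUIT", b"STARTTLS", b"AUTH",
}


def mask_command(packet: bytes) -> tuple[bytes, bool]:
    """Return (bytes forwarded to the server, was_masked) for one packet.

    The first whitespace-delimited token is treated as the command verb.
    An unrecognised verb is overwritten with the same number of 'X'
    characters; the rest of the line and the CRLF are left untouched.
    A packet carrying only line terminators is passed through as-is.
    """
    body = packet.rstrip(b"\r\n")
    if body == b"":
        return packet, False
    verb = body.split(b" ", 1)[0].upper()
    if verb in KNOWN_VERBS:
        return packet, False
    masked = b"X" * len(verb) + body[len(verb):] + packet[len(body):]
    return masked, True


def inspect_stream(packets: list[bytes]) -> list[tuple[bytes, bool]]:
    """Run every packet of a client->server stream through the model."""
    return [mask_command(p) for p in packets]


def telnet_style(command: bytes) -> list[bytes]:
    """Telnet in character mode: one keystroke per packet."""
    return [bytes([c]) for c in command]


def client_style(*commands: bytes) -> list[bytes]:
    """A real MTA or MUA: one complete command line per packet."""
    return list(commands)


def masked_lines(packets: list[bytes]) -> list[bytes]:
    """Convenience for a report: only the packets the model altered."""
    return [fwd for fwd, was_masked in inspect_stream(packets) if was_masked]


if __name__ == "__main__":
    # Constructed sample: a mass-mail session with many RCPT lines, sent
    # the way a mail server would send it. Nothing is masked.
    session = client_style(
        b"EHLO mta.example.test\r\n",
        b"MAIL FROM:<list@example.test>\r\n",
        *[f"RCPT TO:<user{i}@example.test>\r\n".encode() for i in range(60)],
        b"DATA\r\n",
    )
    print("real client, altered packets:", masked_lines(session))  # []

    # The same greeting typed into Telnet: every keystroke is judged alone,
    # so 'H', 'E', 'L', 'O' each become 'X' and the server sees garbage.
    typed = telnet_style(b"HELO mta.example.test\r\n")
    print("telnet, first packets:", inspect_stream(typed)[:4])
```

The practical takeaway for the original question: test mail flow through the firewall with a real SMTP client or a scripted session that writes whole lines, never with an interactive Telnet session, or the masking itself will look like a mail delivery failure.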