ASA – ESMTP Inspection – Adrian Danek

Assumptions

All changes we do in global service-police but you can change it if you wish

After modyfing policy-map remember to reload service-policy(no service-policy global_policy global) next (service-policy global_policy global)

ESTMP(Extended SMTP) Inspection is the most problematic inspection on ASA,especially when we want to inspect outbound esmtp traffic for internal users(Inspection for securing STMP server fortunatelly is much more easier but also limit SMTP servers functionality,especially on port 25).

Standard ESMTP inspection is enabled by default and has the following functionality:

Limits SMTP request to seven basic RFC 821 SMTP commands( data, helo, mail, noop, quit ,rcpt and rset)
Limit ESMTP commands to eight( auth, ehlo, etrn, help, saml, send, soml and vrfy)
Generates audit trail.
Changes characters in the SMTP banner to asterisk except for the 2 and 0 characters.
Discards incomplete commands.
Monitors STMP command-response sequence for the following:

– Truncated commands

– Incorrect command termination

– Enexpected transition by the SMTP server

– TCP stream editing

– Command pipelining

– Pipe signature used as a parameter to a MAIL from or RCPT to command( when it is found session is closed)

– Unrecognized commands (when detected ASA changes all characters in the packet to “x”.It causes SMTP server sends an error code to the client.

Based on functionality above STARTTLS feature will not work on 25 port(see error) until we configure it.

EXAMPLE

Default inspection – masking SMTP banner

Without inspection it will looks like below:

Advanced ESMTP Inspection

EXAMPLE 1

Enabling TLS over ESMTP (STARTTLS)

(config)# policy-map type inspect esmtp danpol-smtp

(config-pmap)# parameters

(config-pmap-p)# allow-tls action log

(config-pmap-p)# exit

(config-pmap)# exit

(config)# policy-map global_policy

(config)# class inspection_default

(config-pmap-c)# no inspect esmtp

(config-pmap-c)# inspect esmtp danpol-smtp

(config-pmap-c)# exit

(config-pmap)# exit

TEST

Mar 09 2013 15:12:26: %ASA-6-108007: TLS started on ESMTP session between client inside:10.10.1.10/40057 and server outside:x.x.x.x/25

EXAMPLE 2

Discard all emails if domain is not allowed( mail-relay )

(config)# policy-map type inspect esmtp danpol-smtp

(config-pmap)# parameters

(config)#mail-relay domain.com action drop-connection log

(config-pmap-p)# exit

(config-pmap)# exit

TEST

Mar 09 2013 22:51:06: %ASA-4-108004: ESMTP Parameter: Dropped connection for ESMTP Request from inside:10.10.1.10/58014 to outside:x.x.x.x/25; mail-relay: mail relay only allowed for the configured mail relay domain

EXAMPLE 3

Preventing Buffer Overflows by limting max message size

(config)# policy-map type inspect esmtp danpol-smtp

(config-pmap)# match body length gt 64000

(config-pmap-c)# drop-connection log

(config-pmap-p)# exit

(config-pmap)# exit

TEST

Mar 10 2013 09:38:28: %ASA-4-108004: ESMTP Classification: Dropped connection for ESMTP Request from inside:10.10.1.10/40322 to outside:x.x.x.x/25; matched Class 25: body length gt 64000

EXAMPLE 4

Blocking e-mail senders(per user or per domain)

(config)# regex danpol “@domain\.net”

(config)# regex sender1 “user@poczta\.onet\.pl”

(config)# class-map type regex match-any blocked_senders

(config-cmap)# match regex danpol

(config-cmap)# match regex sender1

(config-cmap)# exit

(config)# policy-map type inspect esmtp danpol-smtp

(config-pmap)# match sender-address regex class blocked_senders

(config-pmap-c)# drop-connection log

(config-pmap-c)# exit

(config-pmap)# exit

TEST

Mar 10 2013 11:30:00: %ASA-4-108004: ESMTP Classification: Dropped connection for ESMTP Request from inside:10.10.1.10/42592 to outside:x.x.x.x/25; matched Class 29: sender-address regex class blocked_senders

_{dzbanek 2013-03-09}