Cisco ASA 5505 Configuration Manual page 835

Chapter 37
Configuring Inspection of Basic Internet Protocols
SMTP and ESMTP Inspection Overview
ESMTP application inspection provides improved protection against SMTP-based attacks by restricting
the types of SMTP commands that can pass through the adaptive security appliance and by adding
monitoring capabilities.
ESMTP is an enhancement to the SMTP protocol and is similar in most respects to SMTP. For
convenience, the term SMTP is used in this document to refer to both SMTP and ESMTP. The
application inspection process for extended SMTP is similar to SMTP application inspection and
includes support for SMTP sessions. Most commands used in an extended SMTP session are the same
as those used in an SMTP session, but an ESMTP session is considerably faster and offers more options
related to reliability and security, such as delivery status notification.
Extended SMTP application inspection adds support for these extended SMTP commands, including
AUTH, EHLO, ETRN, HELP, SAML, SEND, SOML, STARTTLS, and VRFY. Along with the support for
seven RFC 821 commands (DATA, HELO, MAIL, NOOP, QUIT, RCPT, RSET), the adaptive security
appliance supports a total of fifteen SMTP commands.
Other extended SMTP commands, such as ATRN, ONEX, VERB, CHUNKING, and private extensions,
are not supported. Unsupported commands are translated into Xs, which are rejected by the internal
server. This results in a message such as "500 Command unknown: 'XXX'." Incomplete commands are
discarded.
The ESMTP inspection engine changes the characters in the server SMTP banner to asterisks except for
the "2", "0", "0" characters. Carriage return (CR) and linefeed (LF) characters are ignored.
With SMTP inspection enabled, a Telnet session used for interactive SMTP may hang if the following
rules are not observed: SMTP commands must be at least four characters in length; each command must be
terminated with a carriage return and line feed; and the client must wait for the server's response before
issuing the next command.
An SMTP server responds to client requests with numeric reply codes and optional human-readable
strings. SMTP application inspection controls and reduces the commands that the user can use as well
as the messages that the server returns. SMTP inspection performs three primary tasks:

• Restricts SMTP requests to seven basic SMTP commands and eight extended commands.
• Monitors the SMTP command-response sequence.
• Generates an audit trail: audit record 108002 is generated when an invalid character embedded in the
mail address is replaced. For more information, see RFC 821.

SMTP inspection monitors the command and response sequence for the following anomalous signatures:

• Truncated commands.
• Incorrect command termination (not terminated with <CR><LF>).

This section also includes the following topics:

• Select ESMTP Map, page 37-52
• ESMTP Inspect Map, page 37-52
• MIME File Type Filtering, page 37-54
• Add/Edit ESMTP Policy Map (Security Level), page 37-54
• Add/Edit ESMTP Policy Map (Details), page 37-56
• Add/Edit ESMTP Inspect, page 37-57

SMTP and Extended SMTP Inspection
Cisco ASA 5500 Series Configuration Guide using ASDM, OL-20339-01, page 37-51
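The rules above (fifteen supported commands, unsupported verbs rewritten to Xs, incomplete commands discarded, the masked banner, and the two anomalous signatures) are easier to reason about when they are run over a sample session. The following is an added example, not Cisco code and not the appliance's actual engine: it is a simplified model that assumes one plausible way the documented rules combine, and the hostnames and client lines are constructed placeholders.

```python
"""Simplified model of the ESMTP inspection rules described on this page.

Added example, not Cisco code. The ASA's real engine is not public; this
models (as an assumption) one way the documented rules combine so their
effect on a session is visible: the fifteen supported commands, the X
rewrite of unsupported ones, the discarding of incomplete commands, the
banner masking, and the two anomalous signatures.
"""
from __future__ import annotations

# The seven RFC 821 commands plus the extended commands listed on the page
# (the page's "STARTLS" is the RFC 3207 command STARTTLS).
RFC821_COMMANDS = frozenset({"DATA", "HELO", "MAIL", "NOOP", "QUIT", "RCPT", "RSET"})
ESMTP_COMMANDS = frozenset(
    {"AUTH", "EHLO", "ETRN", "HELP", "SAML", "SEND", "SOML", "STARTTLS", "VRFY"}
)
SUPPORTED_COMMANDS = RFC821_COMMANDS | ESMTP_COMMANDS


def inspect_client_line(raw: bytes) -> tuple[str, bytes, str]:
    """Apply the client-side rules to one line sent by the SMTP client.

    Returns (action, bytes_forwarded_to_server, audit_note):
      "forward" - supported command, passed through unchanged
      "rewrite" - unsupported command, verb replaced by X characters so the
                  real server rejects it ("500 Command unknown: 'XXX'")
      "discard" - incomplete command, dropped (and logged as an anomaly)
    """
    if not raw.endswith(b"\r\n"):
        return ("discard", b"", "anomaly: command not terminated with <CR><LF>")
    verb = raw[:-2].split(b" ", 1)[0]
    if len(verb) < 4:
        return ("discard", b"", "anomaly: truncated command (fewer than four characters)")
    if verb.upper().decode("ascii", "replace") in SUPPORTED_COMMANDS:
        return ("forward", raw, "")
    # Assumption: each byte of the verb becomes an X; the arguments are kept.
    rewritten = b"X" * len(verb) + raw[len(verb):]
    return ("rewrite", rewritten, f"unsupported command {verb!r} rewritten as Xs")


def mask_server_banner(banner: bytes) -> bytes:
    """Mask the server greeting the way the page describes: the three-digit
    reply code (the "2", "0", "0" of a normal greeting) and CR/LF survive,
    every other character becomes an asterisk. Assumption: the reply code is
    the first three bytes of the banner line.
    """
    code, rest = banner[:3], banner[3:]
    masked = bytes(b if b in (0x0D, 0x0A) else ord("*") for b in rest)
    return code + masked


def inspect_session(client_lines: list[bytes]) -> dict[str, list]:
    """Run every client line through the model and collect what the server
    would receive and what the audit trail would record."""
    forwarded, audit = [], []
    for line in client_lines:
        action, out, note = inspect_client_line(line)
        if action != "discard":
            forwarded.append(out)
        if note:
            audit.append(note)
    return {"to_server": forwarded, "audit": audit}


# Constructed sample session; the hostnames are placeholders.
SAMPLE_CLIENT_LINES = [
    b"EHLO client.example.test\r\n",     # supported extended command
    b"VERB\r\n",                          # unsupported: rewritten to XXXX
    b"MAIL FROM:<a@example.test>\r\n",    # supported RFC 821 command
    b"DAT\r\n",                           # truncated: discarded and logged
    b"RCPT TO:<b@example.test>\r\n",
    b"DATA",                              # no CRLF: discarded and logged
]

if __name__ == "__main__":
    print(mask_server_banner(b"220 mail.example.test ESMTP ready\r\n"))
    result = inspect_session(SAMPLE_CLIENT_LINES)
    for line in result["to_server"]:
        print("to server:", line)
    for note in result["audit"]:
        print("audit:", note)
```

Running the sample shows why an interactive Telnet session can appear to hang: the three-character `DAT` and the unterminated `DATA` never reach the server, so no reply ever comes back, while `VERB` is forwarded as `XXXX` and draws the server's "500 Command unknown" response.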
This manual is also suitable for: ASA 5510, ASA 5540, ASA 5520, ASA 5550, ASA 5580