SMTP and Extended SMTP Inspection - Cisco FirePOWER ASA 5500 series Configuration Manual

Security appliance command line

Chapter 25
Configuring Application Layer Protocol Inspection
The following example shows how to define an SCCP inspection policy map.
hostname(config)# policy-map type inspect skinny skinny-map
hostname(config-pmap)# parameters
hostname(config-pmap-p)# enforce-registration
hostname(config-pmap-p)# match message-id range 200 300
hostname(config-pmap-p)# drop log
hostname(config)# class-map inspection_default
hostname(config-cmap)# match default-inspection-traffic
hostname(config)# policy-map global_policy
hostname(config-pmap)# class inspection_default
hostname(config-pmap-c)# inspect skinny skinny-map
hostname(config)# service-policy global_policy global

SMTP and Extended SMTP Inspection

ESMTP application inspection provides improved protection against SMTP-based attacks by restricting the types of SMTP commands that can pass through the security appliance and by adding monitoring capabilities.

ESMTP is an enhancement to the SMTP protocol and is similar in most respects to SMTP. For convenience, the term SMTP is used in this document to refer to both SMTP and ESMTP. The application inspection process for extended SMTP is similar to SMTP application inspection and includes support for SMTP sessions. Most commands used in an extended SMTP session are the same as those used in an SMTP session, but an ESMTP session is considerably faster and offers more options related to reliability and security, such as delivery status notification.

Extended SMTP application inspection adds support for eight extended SMTP commands: AUTH, EHLO, ETRN, HELP, SAML, SEND, SOML, and VRFY. Along with the support for seven RFC 821 commands (DATA, HELO, MAIL, NOOP, QUIT, RCPT, RSET), the security appliance supports a total of fifteen SMTP commands.

Other extended SMTP commands, such as ATRN, STARTTLS, ONEX, VERB, and CHUNKING, and private extensions are not supported. Unsupported commands are translated into Xs, which are rejected by the internal server. This results in a message such as "500 Command unknown: 'XXX'." Incomplete commands are discarded.

The ESMTP inspection engine changes the characters in the server SMTP banner to asterisks except for the "2", "0", "0" characters. Carriage return (CR) and linefeed (LF) characters are ignored.

With SMTP inspection enabled, a Telnet session used for interactive SMTP may hang if the following rules are not observed: SMTP commands must be at least four characters in length; each command must be terminated with carriage return and line feed; and the client must wait for a response before issuing the next reply.
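The command filtering and banner masking described above can be modelled in a few lines. This is an added example, a simplified model and not Cisco's implementation. It assumes that an unsupported line is overwritten with the same number of Xs and that "incomplete" means a missing CRLF or a verb shorter than four characters; the host names and the session are constructed.

```python
# Added illustration: a simplified model of the behaviour described above,
# not Cisco's implementation.
RFC821 = {"DATA", "HELO", "MAIL", "NOOP", "QUIT", "RCPT", "RSET"}
EXTENDED = {"AUTH", "EHLO", "ETRN", "HELP", "SAML", "SEND", "SOML", "VRFY"}
ALLOWED = RFC821 | EXTENDED  # the fifteen commands listed in the text


def inspect_command(line: bytes):
    """Return the bytes forwarded to the server, or None if discarded."""
    # Assumption: "incomplete" means no CRLF terminator or a verb shorter
    # than four characters.
    if not line.endswith(b"\r\n"):
        return None
    body = line[:-2]
    verb = body.split(b" ", 1)[0]
    if len(verb) < 4:
        return None
    if verb.decode("ascii", "replace").upper() in ALLOWED:
        return line
    # Assumption: the whole line is overwritten with the same number of Xs,
    # so the server sees an unknown command and answers with a 500 error.
    return b"X" * len(body) + b"\r\n"


def mask_banner(banner: bytes) -> bytes:
    """Replace every banner byte except '2', '0', CR and LF with '*'."""
    keep = b"20\r\n"
    return bytes(b if b in keep else ord("*") for b in banner)


def forwarded_verbs(client_lines):
    """Classify each client line as passed, masked or discarded."""
    result = []
    for line in client_lines:
        out = inspect_command(line)
        state = "discarded" if out is None else "passed" if out == line else "masked"
        result.append((line.split(b" ", 1)[0].strip().decode(), state))
    return result


# Constructed sample session (not captured traffic).
SESSION = [b"EHLO client.example\r\n", b"STARTTLS\r\n",
           b"MAIL FROM:<a@client.example>\r\n", b"VERB\r\n", b"QUIT"]

if __name__ == "__main__":
    print(mask_banner(b"220 mx.example.test ESMTP 2.0\r\n"))
    for verb, state in forwarded_verbs(SESSION):
        print(f"{verb:10} {state}")
```

In the model, STARTTLS is masked like any other unsupported command, so a session crossing the inspection engine stays in cleartext. A banner made up of asterisks with stray "2" and "0" characters is a quick indicator that a mail path runs through this inspection.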
OL-10088-01
Where the enforce-payloadtype keyword enforces the payload type to be audio or video based on
the signaling exchange.
To set the maximum and minimum SCCP prefix length value allowed, enter the following
command:
hostname(config-pmap-p)# sccp-prefix-len {max | min} value_length
Where the value_length argument is a maximum or minimum value.
To configure the timeout value for signaling and media connections, enter the following command:
hostname(config-pmap-p)# timeout
Cisco Security Appliance Command Line Configuration Guide

This manual is also suitable for:

PIX 500 series, Cisco ASA 5500 series