Cisco 7604 Configuration Manual page 511

Catalyst 6500 series switch and cisco 7600 series router firewall services module configuration guide using the cli
Chapter 22
Applying Application Layer Protocol Inspection
The inspect smtp command supports seven RFC 821 commands (DATA, HELO, MAIL, NOOP, QUIT,
RCPT, RSET). The inspect esmtp command supports those seven commands and supports the following
extended SMTP commands: AUTH, HELP, EHLO, ETRN, SAML, SEND, SOML and VRFY.
Other SMTP or ESMTP commands and private extensions to ESMTP are not supported.
Unsupported commands are translated into Xs, which are rejected by the SMTP server protected by the
FWSM. This results in a message such as "500 Command unknown: 'XXX'." Incomplete commands are
discarded.
SMTP application inspection, as enabled by the inspect smtp command, occurs in fast path processing;
therefore, it occurs on one of the three network processors on the FWSM. ESMTP application
inspection, as enabled by the inspect esmtp command, occurs in control plane path processing;
therefore, it occurs on the single, general purpose processor on the FWSM.
Note
If a policy map contains both the inspect smtp command and the inspect esmtp command, only the first
command listed in the policy map is applied to matching traffic.
Inspection changes the characters in the server SMTP banner to asterisks except for the "2", "0", "0"
characters. Carriage return (CR) and linefeed (LF) characters are ignored.
With SMTP inspection enabled, a Telnet session used for interactive SMTP may hang if the following
rules are not observed: SMTP commands must be at least four characters in length; must be terminated
with carriage return and line feed; and the client must wait for the server's response before issuing
the next command.
An SMTP server responds to client requests with numeric reply codes and optional human-readable
strings. SMTP application inspection controls and reduces the commands that the user can use as well
as the messages that the server returns. SMTP inspection performs three primary tasks:
• Restricts SMTP requests to seven basic SMTP commands and eight extended commands.
• Monitors the SMTP command-response sequence.
• Generates an audit trail—Audit record 108002 is generated when an invalid character embedded in the
mail address is replaced. For more information, see RFC 821.
SMTP inspection monitors the command and response sequence for the following anomalous signatures:
• Truncated commands.
• Incorrect command termination (not terminated with <CR><LF>).
• The MAIL and RCPT commands specify the sender and the receiver of the mail. Mail addresses are
scanned for strange characters. The pipeline character (|) is deleted (changed to a blank space), and
"<" and ">" are only allowed if they are used to define a mail address (">" must be preceded by "<").
• Unexpected transition by the SMTP server.
• For unknown commands, the FWSM changes all the characters in the packet to X. In this case, the
server generates an error code to the client. Because of the change in the packet, the TCP checksum
has to be recalculated or adjusted.
• TCP stream editing.
• Command pipelining.
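The rewriting rules described above (supported verb sets, X-masking of unsupported commands, mail address scrubbing, the CRLF and four-character checks, and banner masking) as an added Python model; this is not Cisco's code or the FWSM implementation. The verb sets are taken from this page; the function names, the literal reading that every "2" and "0" in the banner is kept, and the sample lines are assumptions and constructed input.

```python
# Added model of the FWSM SMTP/ESMTP command rewriting described on this page.
# Not Cisco code: the verb sets come from the guide, everything else is an assumption.

SMTP_CMDS = {"DATA", "HELO", "MAIL", "NOOP", "QUIT", "RCPT", "RSET"}
ESMTP_CMDS = SMTP_CMDS | {"AUTH", "HELP", "EHLO", "ETRN", "SAML", "SEND", "SOML", "VRFY"}


def scrub_address(arg):
    """Pipe becomes a blank; '>' is kept only if a '<' came before it."""
    arg = arg.replace("|", " ")
    out, seen_lt = [], False
    for ch in arg:
        if ch == "<":
            seen_lt = True
        elif ch == ">" and not seen_lt:
            continue  # stray '>' is not an address delimiter: drop it
        out.append(ch)
    return "".join(out)


def inspect_command(line, esmtp=False):
    """Return (verdict, line_as_forwarded); verdict is 'allow', 'masked' or 'drop'."""
    if not line.endswith("\r\n"):
        return "drop", ""  # not CRLF-terminated: treated as incomplete and discarded
    body = line[:-2]
    if len(body) < 4:
        return "drop", ""  # shorter than the four-character minimum
    verb, _, arg = body.partition(" ")
    allowed = ESMTP_CMDS if esmtp else SMTP_CMDS
    if verb.upper() not in allowed:
        # Unsupported verb: every byte becomes 'X' so the protected server rejects it
        # with "500 Command unknown"; the real device also fixes up the TCP checksum.
        return "masked", "X" * len(body) + "\r\n"
    if verb.upper() in ("MAIL", "RCPT"):
        arg = scrub_address(arg)
    return "allow", (f"{verb} {arg}" if arg else verb) + "\r\n"


def mask_banner(banner):
    """Server banner: every character except '2', '0', CR and LF becomes '*'."""
    return "".join(c if c in "20\r\n" else "*" for c in banner)


if __name__ == "__main__":
    # Constructed sample exchange: one banner and a few client command lines
    print(mask_banner("220 mail.example.com ESMTP\r\n"))
    for raw in ("EHLO host\r\n", "MAIL FROM:<a|b@example.com>\r\n",
                "RCPT TO:>x@example.com\r\n", "EXPN list\r\n", "RS\r\n", "QUIT\n"):
        print(inspect_command(raw, esmtp=False))
```

Running it with esmtp=False shows EHLO masked to Xs, while esmtp=True lets it through, mirroring the difference between inspect smtp and inspect esmtp.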
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
SMTP and Extended SMTP Inspection
22-95