Cisco ASA Extended SMTP (ESMTP) inspection enhances the traditional SMTP inspection provided by Cisco PIX Firewall version 6.x or earlier. It provides protection against SMTP-based attacks by restricting the types of SMTP commands that can pass through the Cisco ASA. The following are the supported ESMTP commands:
If an illegal command is found in an ESMTP or SMTP packet, the packet is modified and forwarded. The modified command provokes a negative server reply, forcing the client to issue a valid command. Figure 8-2 shows an example in which a user tries to send TURN, an unsupported (illegal) command. The Cisco ASA modifies it, the receiving server replies with SMTP error code 500 (syntax error, command unrecognized), and the Cisco ASA tears down the connection.
Figure 8-2. ESMTP Illegal Command Example
The Cisco ASA replaces the illegal command characters with X's, as illustrated in Figure 8-2.
The Cisco ASA may perform deeper parameter inspection for packets containing legal commands. This type of inspection is required for SMTP and ESMTP extensions. The following SMTP and ESMTP extensions are inspected using deeper parameter inspection:
To enable ESMTP inspection, use the inspect esmtp command. This command is already present in the default global service policy on the Cisco ASA (policy-map global_policy, class inspection_default), so ESMTP traffic is inspected unless you remove it.
If you enter the inspect smtp command, the Cisco ASA automatically converts the command to the inspect esmtp command.
The ESMTP AUTH command indicates the authentication mechanism the client wants to use to the ESMTP server. If the server supports the requested mechanism, it authenticates and identifies the user by sending a series of challenges that the client answers; the number and content of the challenges depend on the mechanism. A server challenge (or ready response) is an ESMTP 334 reply carrying a Base64-encoded string. The client's answer is a line containing only a Base64-encoded string. The Cisco ASA inspects and keeps track of this exchange.
An important characteristic of ESMTP AUTH is that the client's reply is not associated with any SMTP command: it is sent as a bare line containing a Base64-encoded string. The Cisco ASA distinguishes this reply from other requests, which carry an ESMTP command in the first 4 bytes, and does not perform command inspection on it. The Cisco ASA also allows the AUTH keyword in the server's EHLO response when ESMTP inspection is enabled, so the client and server can negotiate the authentication extension.
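As an added illustration that is not Cisco's code and not part of the original chapter, the following Python model replays the behavior described above for illegal commands and for the AUTH exchange: the command verb is read from the first 4 bytes of each client line, an unsupported command such as TURN is overwritten with X's so the server rejects it, and the inspector follows the 334 challenge/response exchange so that the client's bare Base64 reply is forwarded without command inspection. The allowed-verb set is an assumption, recalled from Cisco's published ESMTP inspection documentation (the chapter's own list is not reproduced above); the session transcript is constructed sample data, not a capture; and the exemption of DATA body lines is a design choice of this model, since a command inspector must not rewrite message text.

```python
"""Toy model of Cisco ASA ESMTP command inspection (illustration only, not ASA code)."""
import base64
from typing import List

# Command verbs forwarded unchanged. ASSUMPTION: this set is recalled from Cisco's
# ESMTP inspection documentation; the chapter's own list is not reproduced here.
# TURN, EXPN and STARTTLS are deliberately absent and therefore get masked.
ALLOWED_VERBS = {
    "AUTH", "DATA", "EHLO", "ETRN", "HELO", "HELP", "MAIL", "NOOP",
    "QUIT", "RCPT", "RSET", "SAML", "SEND", "SOML", "VRFY",
}


class EsmtpInspector:
    """Tracks one SMTP session and rewrites client lines the way the chapter describes."""

    def __init__(self) -> None:
        self.awaiting_auth_response = False  # a 334 challenge is outstanding
        self.in_data = False                 # between the 354 reply and the lone "."

    def inspect_client(self, line: str) -> str:
        """Return the client line as it is forwarded to the server."""
        if self.in_data:
            # Message body is not command-inspected; a lone "." ends the body.
            if line == ".":
                self.in_data = False
            return line
        if self.awaiting_auth_response:
            # Reply to a 334 challenge: a bare Base64 string with no verb in the
            # first 4 bytes, so it is forwarded without command inspection.
            self.awaiting_auth_response = False
            return line
        verb = line[:4].upper()
        if verb in ALLOWED_VERBS:
            return line
        # Illegal command: overwrite the command token with X's. The server
        # answers 500 and the client is forced to send something valid.
        token, sep, rest = line.partition(" ")
        return "X" * len(token) + sep + rest

    def inspect_server(self, reply: str) -> str:
        """Observe server replies to follow the AUTH and DATA state machines."""
        code = reply[:3]
        self.awaiting_auth_response = (code == "334")   # 235/5xx ends the exchange
        if code == "354":
            self.in_data = True
        return reply


def run_scripted_session() -> List[str]:
    """Replay a constructed session (sample data, not a capture) and return forwarded client lines."""
    inspector = EsmtpInspector()
    forwarded: List[str] = []
    script = [
        ("S", "220 mail.example.test ESMTP"),
        ("C", "EHLO client.example.test"),
        ("S", "250-mail.example.test"),
        ("S", "250 AUTH LOGIN PLAIN"),                  # AUTH keyword allowed in EHLO reply
        ("C", "TURN"),                                  # illegal: forwarded as XXXX
        ("S", "500 5.5.1 Command unrecognized"),
        ("C", "AUTH LOGIN"),
        ("S", "334 " + base64.b64encode(b"Username:").decode()),
        ("C", base64.b64encode(b"alice").decode()),    # no verb; must not be masked
        ("S", "334 " + base64.b64encode(b"Password:").decode()),
        ("C", base64.b64encode(b"hunter2").decode()),
        ("S", "235 2.7.0 Authentication successful"),
        ("C", "MAIL FROM:<alice@example.test>"),
        ("S", "250 2.1.0 Ok"),
        ("C", "RCPT TO:<bob@example.test>"),
        ("S", "250 2.1.5 Ok"),
        ("C", "DATA"),
        ("S", "354 End data with <CR><LF>.<CR><LF>"),
        ("C", "Subject: test"),
        ("C", "TURN this phrase is body text, not a command"),  # body line left alone
        ("C", "."),
        ("S", "250 2.0.0 Ok: queued"),
        ("C", "QUIT"),
    ]
    for who, line in script:
        if who == "C":
            forwarded.append(inspector.inspect_client(line))
        else:
            inspector.inspect_server(line)
    return forwarded


if __name__ == "__main__":
    for line in run_scripted_session():
        print(line)
```

The same Base64 string that passes untouched inside an AUTH exchange would be masked if it arrived while no 334 challenge was outstanding, which is why the state tracking matters. Because STARTTLS is not in the allowed set, this model also masks it; on a real ASA that is a known operational caveat, and the esmtp inspection policy-map parameter allow-tls is what permits STARTTLS through the inspector.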