Extended Simple Mail Transfer Protocol

Cisco ASA Extended SMTP (ESMTP) inspection enhances the traditional SMTP inspection provided by Cisco PIX Firewall version 6.x or earlier. It provides protection against SMTP-based attacks by restricting the types of SMTP commands that can pass through the Cisco ASA. The following are the supported ESMTP commands:

  • AUTH
  • DATA
  • EHLO
  • ETRN
  • HELO
  • HELP
  • MAIL
  • NOOP
  • QUIT
  • RCPT
  • RSET
  • SAML
  • SEND
  • SOML
  • VRFY

If an illegal command is found in an ESMTP or SMTP packet, it is modified and forwarded. This causes a negative server reply, forcing the client to issue a valid command. Figure 8-2 shows an example in which a user is trying to send TURN, which is an unsupported illegal command. The Cisco ASA modifies it and makes the receiver reply with an SMTP error return code of 500 (command not recognized) and tears down the connection.

Figure 8-2. ESMTP Illegal Command Example
The Cisco ASA replaces the illegal command characters with X's, as illustrated in Figure 8-2.

The Cisco ASA may perform deeper parameter inspection for packets containing legal commands. This type of inspection is required for SMTP and ESMTP extensions. The following SMTP and ESMTP extensions are inspected using deeper parameter inspection:

  • Message Size Declaration (SIZE)
  • Remote Queue Processing Declaration (ETRN)
  • Command Pipelining (PIPELINING)
  • Authentication (AUTH)
  • Delivery Status Notification (DSN)
  • Enhanced Status Code (ENHANCEDSTATUSCODES)
  • 8bit-MIMEtransport (8BITMIME)

To enable ESMTP inspection, use the inspect esmtp command. This command is enabled in the default class and policy maps on the Cisco ASA.
If you enter the inspect smtp command, the Cisco ASA automatically converts the command to the inspect esmtp command.

The ESMTP AUTH command is used to indicate the authentication mechanism to the ESMTP server. If the server supports the requested authentication mechanism, it authenticates and identifies the user. The server sends a series of challenges that are answered by the client, depending on the authentication mechanism used. A server challenge (or ready response) is an ESMTP 334 reply with a Base64-encoded string. The client answer consists of a line containing a Base64-encoded string. The Cisco ASA inspects and keeps track of this exchange.

An important characteristic of ESMTP AUTH is that the client's reply is not associated with any SMTP command. The reply is sent as just a line containing a Base64-encoded string. The Cisco ASA is able to distinguish the client's reply from other requests, which carry an ESMTP command in the first 4 bytes, and does not perform command inspection on this reply. The Cisco ASA allows the keyword AUTH to be sent in the EHLO response when ESMTP inspection is enabled, allowing the client and server to use the authentication extension.
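The two behaviours described above (overwriting an illegal command with X's so the server answers 500, and suspending command inspection for the bare Base64 client reply during an AUTH exchange) can be modelled in a few lines. The following is an added, simplified model written for this page; it is not Cisco's inspection code, and the state machine (an AUTH exchange stays open while the server keeps answering 334) is an assumption about how the exchange is tracked. The dialog lines in the demo are constructed sample traffic.

```python
# Commands the ESMTP inspection engine lets through (list from the text).
ALLOWED = {"AUTH", "DATA", "EHLO", "ETRN", "HELO", "HELP", "MAIL",
           "NOOP", "QUIT", "RCPT", "RSET", "SAML", "SEND", "SOML", "VRFY"}


class EsmtpInspector:
    """Simplified model of the client-to-server inspection path."""

    def __init__(self):
        self.in_auth = False  # True while an AUTH challenge/response is open

    def client_line(self, line):
        """Return the client line as it would be forwarded to the server."""
        if self.in_auth:
            # Bare Base64 reply to a 334 challenge: no command inspection,
            # otherwise the first 4 bytes would be treated as a command.
            return line
        verb = line[:4].upper()
        if verb in ALLOWED:
            if verb == "AUTH":
                self.in_auth = True
            return line
        # Illegal command (e.g. TURN): command characters are replaced
        # with X's, so the server answers 500 (command not recognized).
        return "X" * len(verb) + line[4:]

    def server_line(self, line):
        """Track server replies so the AUTH exchange state stays correct."""
        # 334 = another challenge; anything else (235 success, 5xx failure)
        # closes the exchange and normal command inspection resumes.
        if line[:3] != "334":
            self.in_auth = False
        return line


if __name__ == "__main__":
    insp = EsmtpInspector()
    # Constructed sample dialog: AUTH LOGIN with Base64 "Username:"/"Password:".
    dialog = [("C", "EHLO mail.example.test"), ("S", "250-AUTH LOGIN PLAIN"),
              ("C", "AUTH LOGIN"), ("S", "334 VXNlcm5hbWU6"), ("C", "dXNlcg=="),
              ("S", "334 UGFzc3dvcmQ6"), ("C", "cGFzcw=="),
              ("S", "235 Authentication successful"), ("C", "TURN")]
    for side, text in dialog:
        out = insp.client_line(text) if side == "C" else insp.server_line(text)
        print(f"{side}: {text!r:40} -> forwarded as {out!r}")
```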

Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
ISBN: 1587052091
Year: 2006
Pages: 231