ESMTP TLS and Cisco ASA Issues | Disabling SMTP Fixup

The other day we had a problem with our upgrade from Exchange 2010 to 2016. We are currently running an ASA5510 in our development site, which needs a cross-site connection over ESMTP to our production site running an ASA5520. For the most part, the upgrade went pretty well. However, a few days passed and I overheard someone mention that external emails were coming in bursts. Later, another person corroborated that same story. At the time, being as busy as I was, I just wrote it off because people can be impatient and sort of jump to conclusions all the time about email. Then, I received an IM from our help desk requesting that I look into this issue because it was affecting more than just a few people. Now, it had to be researched. I did a cursory Google search and found a lot of articles but no real answers. Then, a colleague emailed me a Microsoft support page stating that if the email server was behind a Cisco PIX or ASA then you could experience all the issues I had heard about.

After looking into it a little bit, I decided to place the blame on the firewall and not the Exchange server upgrade. After more research it became clear that you need to disable ESMTP inspection (the old "SMTP fixup", also known as Mailguard on the PIX) if you intend to run TLS on your SMTP server. The ASA's application inspection engines sit in the middle of the conversation: they watch the commands and replies, open the so-called pinhole ports on demand, and, if the engine thinks the conversation contains "illegal" requests or commands it does not recognise, it blocks or rewrites them. Once the session switches to TLS the engine can no longer see the commands, which is where the trouble starts. It is really easy to spot if you telnet to the mail server (assuming you allow this on the firewall) on the standard port of 25 and look at the "banner" response: the inspection engine masks the server's greeting.

On a regular mail server the banner looks something like this:

host:~$ telnet oxmail.ox.ac.uk 25
Trying 129.67.1.161...
Connected to oxmail.ox.ac.uk.
Escape character is '^]'.
220 relay0.mail.ox.ac.uk ESMTP Exim 4.69 Thu, 3 Aug 2017 19:28:51 +0000

However, on an affected server, the banner is noticeably different:

host:~$ telnet suspectserver.example.com 25
Trying 192.0.2.1...
Connected to suspectserver.example.com.
Escape character is '^]'.
220 *****************************************************************************
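The telnet check above can be scripted so it is repeatable from any host on either side of the firewall. The probe below is an added example, not code from the original post or from Cisco or Microsoft. It does two things: it classifies the 220 greeting (a real greeting versus the row of asterisks the inspection engine substitutes), and it sends EHLO and reports whether STARTTLS is actually advertised to the client, since an inspection engine that cannot follow the session into TLS may strip or block the capability. The hostnames (`probe.example`, `mail.example.com`) and every reply string in the block are constructed for the offline self-test, not captured traffic; the masked-STARTTLS reply simply shows the capability missing.

```python
"""Probe an SMTP listener for the Cisco PIX/ASA SMTP "fixup" signature.

Added example (not from the original post).  Checks:
  1. the 220 greeting: Mailguard / ESMTP inspection replaces the server's
     banner with a row of asterisks, as the post's telnet output shows;
  2. the EHLO reply: whether STARTTLS reaches the client through the path.
All sample replies below are constructed for the offline self-test.
"""
import re
import socket
from typing import List

# A real greeting is "220 <hostname> ESMTP ..."; a masked one is "220 "
# followed by nothing but asterisks.
MASKED_BANNER = re.compile(r"^220[ -]\*{5,}\s*$")


def classify_banner(banner: str) -> str:
    """'masked' for the asterisk banner, 'normal' for a real 220 greeting,
    'unexpected' for any other reply code (421, 554, ...)."""
    first = banner.strip().splitlines()[0] if banner.strip() else ""
    if not first.startswith("220"):
        return "unexpected"
    return "masked" if MASKED_BANNER.match(first) else "normal"


def parse_ehlo(reply: str) -> List[str]:
    """Return the extension keywords advertised in a multi-line EHLO reply.
    The first 250 line carries the server's hostname, not an extension."""
    keywords = []
    for line in reply.splitlines():
        if len(line) < 4 or not line.startswith("250"):
            continue
        body = line[4:].strip()
        if body:
            keywords.append(body.split()[0].upper())
    return keywords[1:]


def starttls_offered(reply: str) -> bool:
    """True when the EHLO reply, as seen by this client, lists STARTTLS."""
    return "STARTTLS" in parse_ehlo(reply)


def read_reply(reader) -> str:
    """Read one complete SMTP reply; continuation lines have '-' in column 4."""
    lines = []
    while True:
        raw = reader.readline()
        if not raw:
            break
        line = raw.decode("latin-1").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            break
    return "\n".join(lines)


def probe(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect, read the banner, send EHLO and report what the client saw.
    'probe.example' is a placeholder EHLO name (assumption)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        banner = read_reply(reader)
        sock.sendall(b"EHLO probe.example\r\n")
        ehlo = read_reply(reader)
        sock.sendall(b"QUIT\r\n")
    return {
        "banner": classify_banner(banner),
        "starttls": starttls_offered(ehlo),
        "extensions": parse_ehlo(ehlo),
    }


# Constructed sample replies for the offline check (not captured traffic).
NORMAL_BANNER = "220 relay0.mail.ox.ac.uk ESMTP Exim 4.69 Thu, 3 Aug 2017 19:28:51 +0000"
MASKED_BANNER_SAMPLE = "220 " + "*" * 77
NORMAL_EHLO = (
    "250-mail.example.com Hello probe.example [192.0.2.10]\n"
    "250-SIZE 52428800\n250-8BITMIME\n250-PIPELINING\n250-STARTTLS\n250 HELP"
)
# The same reply with STARTTLS absent, as a client would see it when an
# inspecting firewall in the path does not pass the capability through.
STRIPPED_EHLO = (
    "250-mail.example.com Hello probe.example [192.0.2.10]\n"
    "250-SIZE 52428800\n250-8BITMIME\n250-PIPELINING\n250 HELP"
)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))            # live probe: python probe.py mailhost
    else:
        print(classify_banner(NORMAL_BANNER), classify_banner(MASKED_BANNER_SAMPLE))
        print(starttls_offered(NORMAL_EHLO), starttls_offered(STRIPPED_EHLO))
```

Run it once from inside the firewall (against the server directly) and once from the far side; a "normal" banner inside and a "masked" one outside, or STARTTLS present inside and missing outside, points squarely at the inspection engine rather than at Exchange.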

Disabling the SMTP fixup, which is on by default (ESMTP inspection is part of the ASA's default global service policy), lets mail flow as it should (Gorwits, 2009). Note that `fixup protocol` is the legacy PIX syntax; on an ASA the same change in Modular Policy Framework terms is `no inspect esmtp` under `class inspection_default` in `policy-map global_policy`. If you would rather keep inspection for plain SMTP and only let TLS sessions through untouched, newer ASA releases have an `allow-tls` parameter in the ESMTP inspection policy-map; check the command reference for your release before relying on it.

Here is how you configure it.

Log into your ASA

CiscoASA# config t
CiscoASA(config)# no fixup protocol smtp 25
CiscoASA(config)# exit
CiscoASA# wr me

Warning: If you have an ESMTP server behind the PIX or ASA, you may have to turn off the Mailguard feature to make it possible for mail to flow correctly (Microsoft, 2011).

References

Microsoft (2011). Cannot send or receive e-mail messages behind a Cisco PIX or Cisco ASA firewall. Article ID: 320027. Retrieved from: https://support.microsoft.com/en-us/help/320027/cannot-send-or-receive-e-mail-messages-behind-a-cisco-pix-or-cisco-asa

Gorwits, Oliver (2009). Cisco firewall SMTP “fixup” considered harmful. Network Development Team. Retrieved from: https://blogs.it.ox.ac.uk/networks/2009/11/26/cisco-firewall-smtp-fixup-considered-harmful/comment-page-1/
