Thanks Aaron.
From: Rohyans, Aaron [mailto:[email protected]]
Sent: Tuesday, June 23, 2009 7:28 AM
To: NT System Admin Issues
Subject: RE: OT: Cisco ASA and inspect esmtp

I would disable it... still causes problems :)

It really doesn't do that much except verify that ESMTP/SMTP connections maintain consistency with IETF/RFC standards. Any unknown commands that are not set up within the ESMTP Inspection are "re-written" to "xxxxx" before being passed to your mail server (or from your mail server). Thus, you'll see some weird failures when sending mail as remote/local mail servers don't understand what "xxxxx" is.

With ESMTP Inspection disabled, you're just allowing remote/local mail servers to pass any/all commands to/from your mail server. Since your mail server will only accept commands that it knows about (naturally), you don't really need to shed this consistency check off on the firewall... just rely on your server to maintain the consistency.

This is a link to an IOS Based Firewall, but the ASA is based on the same inspection techniques:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a008064730a.shtml

Hope this helps!

Aaron T. Rohyans
Senior Network Engineer
CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IPS, CQS-VPN, ISSP, CISP, JNCIA-ER
DPSciences Corporation
7400 N. Shadeland Ave., Suite 245
Indianapolis, IN 46250
Office: (317) 348-0099
Fax: (317) 849-7134
[email protected] <mailto:[email protected]>
http://www.dpsciences.com/

From: Candee Vaglica [mailto:[email protected]]
Sent: Tuesday, June 23, 2009 8:52 AM
To: NT System Admin Issues
Subject: Re: OT: Cisco ASA and inspect esmtp

It's still a problem with the ASA; I turn it off.

On Tue, Jun 23, 2009 at 8:48 AM, Eldridge, Dave <[email protected]> wrote:

I have a vendor that is having trouble sending emails to me and wants me to turn off inspect esmtp. I know the older PIX had some issues with this but not the newer (8.03) ASA.

Those with ASAs, what have you done with esmtp inspect? On or Off? I have a CCIE colleague that hasn't seen any issues with the ASA and version 8, so I am hesitant to break something that is working.

TIA
Dave
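The rewrite to "xxxxx" described in the thread can be confirmed from a captured SMTP session before deciding whether to disable the inspection. The following is an added example, not part of the original thread: it scans a transcript for command verbs or EHLO keywords that consist only of the letter X, while skipping the message body. The `C:`/`S:` transcript format, the hostnames, and the rule that a masked token is four or more X characters are assumptions made for illustration.

```python
import re

# Assumption: a masked verb or EHLO keyword shows up as a token made only of
# the letter X, matching the "xxxxx" rewrite described in the thread.
MASKED = re.compile(r"[xX]{4,}")
REPLY = re.compile(r"(\d{3})[ -]?(.*)")

# Constructed sample: a session as captured on the mail-server side of the firewall.
SAMPLE = """\
S: 220 mail.example.test ESMTP
C: EHLO sender.example.test
S: 250-mail.example.test
S: 250 SIZE 10240000
C: XXXXXXXX
S: 500 5.5.1 Command unrecognized
C: MAIL FROM:<a@example.test>
S: 250 OK
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: xxxxx is just body text here
C: .
S: 250 Queued
C: QUIT
"""

def find_masked(transcript):
    """Return (line_no, kind, text) for each masked SMTP token.

    Lines are prefixed "C: " (client) or "S: " (server); others are ignored.
    """
    findings, in_data = [], False
    for no, raw in enumerate(transcript.splitlines(), 1):
        side, _, text = raw.strip().partition(":")
        text = text.strip()
        if side == "S":
            m = REPLY.fullmatch(text)
            if not m:
                continue
            code, rest = m.groups()
            if code == "354":
                in_data = True          # message body follows, not commands
            elif code == "250" and rest and MASKED.fullmatch(rest.split()[0]):
                findings.append((no, "ehlo-keyword", text))
        elif side == "C":
            if in_data:
                in_data = text != "."   # a lone dot ends the body
            elif text and MASKED.fullmatch(text.split()[0]):
                findings.append((no, "command", text))
    return findings
```

A hit of kind `command` in a server-side capture, or `ehlo-keyword` in a client-side capture, points at something in the path rewriting the session rather than at either mail server.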
