As far as I know it just "limits" the commands that you can send to the mail server, you just have to be sure if you are using ESMTP or SMTP. Here's the link explaining how it works.
All the customers of our company use that inspect; the common issue is with Proofpoint. Every other MTA is accepted without issues. Just a thought.

This is the TAC's point of view: the inspect SMTP could drop those emails that carry unsupported commands such as ATRN, ONEX, VERB, CHUNKING. You may verify this if you run captures on the outside and inside interface of the ASA.

“The inspect esmtp command includes the functionality previously provided by the fixup smtp command, and provides additional support for some extended SMTP commands. Extended SMTP application inspection adds support for these extended SMTP commands, including AUTH, EHLO, ETRN, HELP, SAML, SEND, SOML, STARTLS, and VRFY. Along with the support for seven RFC 821 commands (DATA, HELO, MAIL, NOOP, QUIT, RCPT, RSET), the adaptive security appliance supports a total of fifteen SMTP commands. Other extended SMTP commands, such as ATRN, ONEX, VERB, CHUNKING, and private extensions, are not supported. Unsupported commands are translated into Xs, which are rejected by the internal server. This results in a message such as "500 Command unknown: 'XXX'." Incomplete commands are discarded.”

Here is the documentation that talks about it:
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i2.html#wp1742723

Regards.

Ing. Alfonso Alejandro Reyes Jiménez
Security Coordinator - SASI
E-mail: aare...@scitum.com.mx
Phone: 91 50 74 89
Mobile: (044) 55 85 81 04 62

-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On behalf of Jeroen Geilman
Sent: Friday, December 09, 2011 01:02 p.m.
To: postfix-users@postfix.org
Subject: Re: CISCO breaks DKIM on their ASA/PIX (again)

On 2011-12-09 19:57, Ralf Hildebrandt wrote:
> * Jeroen Geilman<jer...@adaptr.nl>:
>> On 2011-12-08 09:53, Ralf Hildebrandt wrote:
>>> Over the last few days I discussed SMTP delivery problems with a
>>> Czech site which was using Postfix and a CISCO ASA with "smtp
>>> protocol fixup" enabled.
>> smtp fixup is evil and should have died out years ago.
> No shit, sherlock :)
>

I am in no way implying that you did anything wrong!
It's just that I cringe every time I see this enabled and when I ask after it the answer is usually a variant on "oh it's a security option offered by a Cisco firewall, of course we enable it! Why not?"

Cisco themselves are mostly to blame for this by not disabling it by default - unless they do so by now, I haven't kept up...

--
J.
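
The capture comparison suggested in the message above (outside versus inside interface of the ASA), as an added example that is not part of the original thread. It assumes each capture has already been reassembled into text lines, that the inspection keeps the length of a verb when it replaces it with Xs, and that both captures hold the same session; the function names and all sample data are constructed.

```python
import re

# Commands the Cisco text quoted above lists as supported by "inspect esmtp".
SUPPORTED = {"DATA", "HELO", "MAIL", "NOOP", "QUIT", "RCPT", "RSET", "AUTH", "EHLO",
             "ETRN", "HELP", "SAML", "SEND", "SOML", "STARTLS", "VRFY"}

def client_commands(lines):
    """Return the verb of each client command, skipping the DATA message body."""
    verbs, in_body = [], False
    for line in lines:
        if in_body:
            in_body = line != "."      # a lone dot ends the body
            continue
        verb = line.split(" ", 1)[0].upper()
        if verb:
            verbs.append(verb)
        in_body = verb == "DATA"
    return verbs

def masked_commands(outside, inside):
    """Pair commands by position; report verbs that arrive inside as all X."""
    out_v, in_v = client_commands(outside), client_commands(inside)
    findings = [
        {"sent": o, "seen_inside": i, "listed_as_supported": o in SUPPORTED}
        for o, i in zip(out_v, in_v)
        if o != i and set(i) == {"X"}
    ]
    return findings, len(out_v) - len(in_v)   # second value: commands missing inside

def unknown_command_replies(server_lines):
    """Server replies of the "500 Command unknown" kind (exact wording varies by MTA)."""
    return [l for l in server_lines if re.match(r"500\b.*X{3,}", l)]

# Constructed sample: client lines of one session as seen on each interface.
OUTSIDE = ["EHLO mx.example.org", "VERB", "MAIL FROM:<a@example.org>",
           "RCPT TO:<b@example.net>", "DATA", "Subject: test", "",
           "ONEX is only text here", ".", "QUIT"]
INSIDE = ["EHLO mx.example.org", "XXXX", "MAIL FROM:<a@example.org>",
          "RCPT TO:<b@example.net>", "DATA", "Subject: test", "",
          "ONEX is only text here", ".", "QUIT"]
# Constructed sample: replies of the internal server from the inside capture.
INSIDE_REPLIES = ["250 mail.example.net", "500 Command unknown: 'XXXX'", "250 Ok"]

if __name__ == "__main__":
    print(masked_commands(OUTSIDE, INSIDE))
    print(unknown_command_replies(INSIDE_REPLIES))
```

A non-zero second return value from `masked_commands` means the inside capture holds fewer commands than the outside one, so the positional pairing after the gap should be checked by hand.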