
SMTP Blocked outbound ESMTP/TLS fix ASA/PIX

Posted in ESMTP over TLS email blocking issue fix on March 20, 2009 by itdaddy

Hello,

Glad you are here. I first discovered this when I checked my Windows Exchange SMTP logs and saw errors in the SMTP log like this:

#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-03-20 05:57:35
#Fields: time c-ip cs-method cs-uri-stem sc-status
05:57:35 63.208.196.178 - - 0
05:57:35 63.208.196.178 EHLO - 0
05:57:35 63.208.196.178 - - 0
05:57:35 63.208.196.178 STARTTLS - 0
05:57:35 63.208.196.178 - - 0
05:57:35 63.208.196.178 EHLO - 0
05:57:35 63.208.196.178 - - 0
05:57:35 63.208.196.178 AUTH - 0
05:57:35 63.208.196.178 - - 0
05:57:35 63.208.196.178 - - 0
05:57:35 63.208.196.178 MAIL - 0
05:57:35 63.208.196.178 - - 0
05:57:35 63.208.196.178 RCPT - 0
05:57:35 63.208.196.178 - - 0
05:57:35 63.208.196.178 DATA - 0
05:57:35 63.208.196.178 - - 0
05:57:35 63.208.196.178 - - 0
05:57:35 63.208.196.178 QUIT - 0
05:57:35 63.208.196.178 - - 0
05:58:04 63.208.196.178 - - 0
05:58:04 63.208.196.178 EHLO - 0
05:58:04 63.208.196.178 - - 0
05:58:04 63.208.196.178 STARTTLS - 0
05:58:04 63.208.196.178 - - 0

=========================

So what I did was this: in config t mode I typed:

Cisco Firewall disabling TLS initiation by default

I have found that my Cisco ASA 5510 is masking out STARTTLS initiation because of the SMTP packet inspection, which is enabled by default.

How to let ESMTP sessions negotiate TLS through the firewall:

Option one (ASA, Modular Policy Framework: keep ESMTP inspection but permit TLS):

policy-map type inspect esmtp esmtp_map
 parameters
  allow-tls [action log]
!
! "action log" is optional and records each permitted TLS negotiation.
! The map only takes effect once it replaces the default esmtp inspection
! in the service policy (global_policy / inspection_default on a stock ASA):
policy-map global_policy
 class inspection_default
  no inspect esmtp
  inspect esmtp esmtp_map

Option two (legacy PIX 6.x syntax; this turns SMTP inspection off entirely rather than just permitting TLS):

no fixup protocol smtp 25

yeah!!!!!!!!!!!!!!!!!! mail is leaving outbound now!!!!!!!!!