Cisco Bug: CSCuo66818 - ESMTP inspection is not dropping connection for unknown ESMTP commands.
Apr 19, 2020
- Cisco ASA 5500-X Series Firewalls
Known Affected Releases
Symptom: The ASA is configured to drop the ESMTP connection when an unknown command is entered. The ASA masks the unknown command with "XXX" but does not drop the connection.

Conditions: ASA configured for ESMTP inspection with the following commands:

    ciscoasa# sh run class-map
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    ciscoasa#
    ciscoasa# sh run policy-map
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
      no protocol-enforcement
      no nat-rewrite
    policy-map type inspect esmtp test
     parameters
     match not cmd verb AUTH DATA EHLO ETRN HELO HELP MAIL NOOP QUIT RCPT RSET SAML SOML VRFY
      drop-connection
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
      inspect esmtp test
    !
    ciscoasa#
    ciscoasa# sh run service-policy
    service-policy global_policy global

With this configuration the ASA is not dropping the ESMTP connection for unknown ESMTP commands.
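A client-side check, added here and not part of the Cisco bug record, for confirming which behaviour an ASA in the inspected path actually exhibits: it sends EHLO, then a verb absent from the policy's allowed list, and reports whether the session was dropped (the configured outcome), the verb was only masked (the behaviour this bug describes), or the verb reached the server unchanged. The host, port, probe verb and EHLO name are placeholders; because drop-connection closes the session silently, a read timeout is counted as dropped.

```python
import socket

MAIL_HOST = "mail.example.test"   # placeholder: SMTP server behind the inspected interface
MAIL_PORT = 25
PROBE_VERB = "ZZZZ"               # constructed verb, not in the policy's allowed list


def read_reply(fp):
    """Read one SMTP reply (multi-line replies use '250-' continuation lines)
    and return its lines; returns [] if the peer closed the stream."""
    lines = []
    while True:
        line = fp.readline()
        if not line:
            return lines                      # EOF: peer closed the session
        line = line.rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":   # '250 ' (space after code) ends the reply
            return lines


def classify(reply, closed):
    """Map what the client observed after the probe verb to an inspection outcome."""
    if closed:
        return "dropped"                      # drop-connection took effect (expected)
    if not reply:
        return "no_reply"
    first = reply[0]
    code = first[:3]
    if code.startswith("5"):
        if "XXX" in first and PROBE_VERB not in first:
            return "masked"                   # ASA rewrote the verb but kept the session (this bug)
        return "rejected_by_server"           # server rejected it; masking cannot be confirmed
    if code.startswith("2"):
        return "accepted"                     # server understood the verb: policy did not match
    return "other_" + code


def probe(host=MAIL_HOST, port=MAIL_PORT, verb=PROBE_VERB, timeout=10):
    """Open a session through the firewall, send EHLO, then the probe verb."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        fp = sock.makefile("rw", encoding="ascii", newline="")
        read_reply(fp)                        # banner
        fp.write("EHLO probe.example.test\r\n"); fp.flush()
        read_reply(fp)
        try:
            fp.write(verb + "\r\n"); fp.flush()
            reply = read_reply(fp)
        except (ConnectionResetError, BrokenPipeError, socket.timeout):
            return classify([], True)         # reset, or silent drop surfacing as a timeout
        return classify(reply, not reply)


if __name__ == "__main__":
    print(probe())
```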