Cisco Bug: CSCuo66818 - ESMTP inspection is not dropping connection for unknown ESMTP commands.

Last Modified

Apr 19, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

8.4(7) 9.1(5)

Description (partial)

Symptom:
The ASA is configured to drop the ESMTP connection when an unknown command is entered.
The ASA masks the unknown command with "XXX" but does not drop the connection.

Conditions:
The ASA is configured for ESMTP inspection with the following commands:

ciscoasa# sh run class-map
!
class-map inspection_default
 match default-inspection-traffic
!
ciscoasa#
ciscoasa# sh run policy-map
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no protocol-enforcement
  no nat-rewrite
policy-map type inspect esmtp test
 parameters
 match not cmd verb AUTH DATA EHLO ETRN HELO HELP MAIL NOOP QUIT RCPT RSET SAML SOML VRFY
  drop-connection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect esmtp test
!
ciscoasa#
ciscoasa# sh run service-policy
service-policy global_policy global

But the ASA is not dropping the ESMTP connection for unknown ESMTP commands.
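To check a running configuration for the conditions above, the following added example (not Cisco's code and not part of the bug report) parses the "sh run policy-map" and "sh run service-policy" output, confirms that an esmtp inspect policy with a "match not cmd verb" list is actually applied through a global service policy, and compares the configured action for a given verb against what was observed on the wire. The sample configuration is a constructed copy of the excerpt above; the verdict strings and the action keyword set are this example's own assumptions.

```python
import re
# Constructed sample: the esmtp and global policy-maps from the bug report's "sh run policy-map".
POLICY_MAP = """policy-map type inspect esmtp test
 parameters
 match not cmd verb AUTH DATA EHLO ETRN HELO HELP MAIL NOOP QUIT RCPT RSET SAML SOML VRFY
  drop-connection
policy-map global_policy
 class inspection_default
  inspect esmtp test
"""
SERVICE_POLICY = "service-policy global_policy global"
# Action keywords this example recognises under an esmtp match (assumption for the model).
ACTIONS = {"drop-connection", "reset", "mask", "log"}

def parse_esmtp_policies(text):
    """Map each 'policy-map type inspect esmtp NAME' to its allowed verb set and configured action."""
    policies, cur = {}, None
    for line in text.splitlines():
        if line.startswith("policy-map"):
            m = re.match(r"policy-map type inspect esmtp (\S+)", line)
            cur = policies.setdefault(m.group(1), {"allowed": set(), "action": None}) if m else None
        elif cur is not None:
            m = re.match(r"\s*match not cmd verb (.+)", line)
            if m:
                cur["allowed"] = {v.upper() for v in m.group(1).split()}
            elif line.strip().split(" ")[0] in ACTIONS:
                cur["action"] = line.strip().split(" ")[0]
    return policies

def globally_applied_esmtp(policy_text, service_text):
    """Names of esmtp inspect policies reached via a policy-map bound with 'service-policy X global'."""
    globals_ = set(re.findall(r"service-policy (\S+) global", service_text))
    applied, cur = set(), None
    for line in policy_text.splitlines():
        if line.startswith("policy-map"):
            m = re.match(r"policy-map (\S+)$", line)  # plain (non-inspect) policy-map only
            cur = m.group(1) if m else None
        elif cur in globals_:
            m = re.match(r"\s*inspect esmtp (\S+)", line)
            if m: applied.add(m.group(1))
    return applied

def audit(verb, observed, policy_text=POLICY_MAP, service_text=SERVICE_POLICY):
    """Compare the configured intent for one verb with the behaviour observed ('allow', 'mask', ...)."""
    pols = parse_esmtp_policies(policy_text)
    live = [n for n in globally_applied_esmtp(policy_text, service_text) if n in pols]
    if not live: return "not-enforced: no esmtp inspect policy applied globally"
    pol = pols[live[0]]
    want = "allow" if verb.upper() in pol["allowed"] else pol["action"]
    return "ok" if want == observed else f"mismatch: expected {want}, observed {observed}"
```

Calling audit("EXPN", "mask") reproduces the symptom of this bug as a "mismatch" verdict, while a verb from the allowed list with observed "allow" returns "ok".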