Wednesday, February 12, 2014

Cisco ASA SMTP Banner Corruption


telnet test.mail.com 25
220 ***************************

telnet test.mail.com 587
220 test.mail.com ESMTP

Port 25 passes through the ASA's default ESMTP inspection (the default inspection class matches only TCP/25), which replaces the server greeting with asterisks; port 587 is not inspected, so the real banner comes through. This can cause delayed and undeliverable mail, especially for larger messages, such as those with attachments.
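A quick way to spot this from the outside, without a telnet session, is to grab the 220 greeting on both ports and compare them. The script below is an added example and is not part of the original post: the host name is a placeholder, and the two sample banners at the bottom are constructed from the telnet output above so the check runs offline.

```python
"""Detect an SMTP greeting masked by firewall ESMTP inspection.

Added example, not from the original post. A Cisco ASA with the default
esmtp inspection (mask-banner on) rewrites the text of the 220 greeting
to asterisks on TCP/25, while an uninspected port (587) shows the real
banner. We parse both greetings and report which ports are masked.
"""
import re
import socket
import sys

GREETING_RE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_greeting(line: str):
    """Split one SMTP reply line ('220 host ESMTP') into (code, text).

    Returns (None, raw line) if the line is not a well-formed reply.
    """
    line = line.rstrip("\r\n")
    m = GREETING_RE.match(line)
    if not m:
        return None, line
    return int(m.group(1)), m.group(3)


def banner_is_masked(line: str) -> bool:
    """True when the 220 text is nothing but asterisks (ASA mask-banner)."""
    code, text = parse_greeting(line)
    text = text.strip()
    return code == 220 and bool(text) and set(text) == {"*"}


def diagnose(banner_25: str, banner_587: str) -> str:
    """Classify a pair of greetings from port 25 and port 587.

    'masked-on-25-only' is the classic symptom of ASA esmtp inspection
    sitting in front of TCP/25 while the submission port bypasses it.
    """
    m25 = banner_is_masked(banner_25)
    m587 = banner_is_masked(banner_587)
    if m25 and not m587:
        return "masked-on-25-only"
    if m25 and m587:
        return "masked-on-both"
    if m587 and not m25:
        return "masked-on-587-only"
    return "not-masked"


def read_greeting(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect, return the first greeting line, then QUIT (live network I/O)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("r", encoding="ascii", errors="replace", newline="\r\n")
        greeting = f.readline()
        s.sendall(b"QUIT\r\n")
    return greeting


# Constructed sample greetings, copied from the telnet output in the post.
SAMPLE_25 = "220 ***************************\r\n"
SAMPLE_587 = "220 test.mail.com ESMTP\r\n"


def main(argv):
    # Usage: python check_banner.py mx.example.com   (hypothetical host)
    if len(argv) > 1:
        host = argv[1]
        b25 = read_greeting(host, 25)
        b587 = read_greeting(host, 587)
    else:
        b25, b587 = SAMPLE_25, SAMPLE_587
    print("port 25 :", b25.strip())
    print("port 587:", b587.strip())
    print("verdict :", diagnose(b25, b587))


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the verdict for the constructed sample, or pass a host name to query a live MX. A multi-line greeting (220- continuation lines) is judged on its first line, which is the one the ASA rewrites.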
 

Quick and dirty way to fix (disables ESMTP inspection entirely)

ASA(config)#policy-map global_policy
ASA(config-pmap)#class inspection_default
ASA(config-pmap-c)#no inspect esmtp
(old-school PIX: no fixup protocol smtp 25)

Right way (if we only want to fix the banner corruption):
N.B. The banner rewrite is what we see when we test with telnet MX.MAIL.COM 25
More info here: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113423-asa-esmtp-smtp-inspection.html

  policy-map type inspect esmtp new_esmtp_inspect_map
    description Don't touch my banner
    parameters
      no mask-banner

  policy-map global_policy
    class inspection_default
      inspect esmtp new_esmtp_inspect_map
  service-policy global_policy global


The advantage over disabling the inspection entirely is that you are still able to inspect other criteria, such as:

    match sender-address length ..
    match mime filename length ..
    match cmd line length ..
    match cmd rcpt count ..
    match body line length ..

A list of the available (E)SMTP commands can be found here: http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/69309-smtp-esmtp-ios-fw.html
Some simple troubleshooting commands (these two are IOS firewall commands, not ASA; on the ASA use show service-policy inspect esmtp):
show ip inspect all
debug ip inspect smtp
A deeper look at the topic here: http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/inspect_basic.html#wp1224614
