Cisco ASA – E-SMTP

Leave a comment Posted by on April 5, 2018

I recently had an issue with a Office 365 deployment. This was a hybrid deployment, and as we were trying to start syncing to Office 365 we were getting an error in our logs :

(Retry : Must issue a STARTTLS command first)

This was causing mail not to flow. This site happened to be behind a Cisco ASA. After some research the cause of this problem is that the ASA is inspecting ESMTP in the policy map, which is stripping the STARTTLS packets.

To bypass this you have to create a new policy map to make sure the parameters of the inspection allow encrypted connections – the default is to not allow this, and it does this by removing the STARTTLS packets.

First lets create our policy map

policy-map type inspect esmtp esmtp_map
parameters
allow-tls action log

Then we will modify the global policy and match this policy for inspection. In the following example, the service policy is all default – the global_policy.

policy-map global_policy
class inspection_default

inspect esmtp esmtp_map

Thats it – now it will allow TLS . I had one other issue when applying I kept getting this error – ERROR: Inspect configuration of this type exists, first remove
that configuration and then add the new configuration

I was getting this error because by default the “Inspect esmtp” option is enabled in the global_policy map. So first remove this inspection and then reapply.  After modifying the ESMTP parameter mail started flowing. The follow shows that whole step.

show run

policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!

config t

NHS-ASA(config-pmap)# policy-map global_policy
NHS-ASA(config-pmap)# class inspection_default
NHS-ASA(config-pmap-c)# inspect esmtp esmtp_map
ERROR: Inspect configuration of this type exists, first remove
that configuration and then add the new configuration

NHS-ASA(config-pmap-c)# no inspect esmtp
NHS-ASA(config-pmap-c)# inspect esmtp esmtp_map

show run :

policy-map type inspect esmtp esmtp_map
parameters
allow-tls action log
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect esmtp esmtp_map
!
service-policy global_policy global

 

 

Cisco

Leave a Reply

%d bloggers like this: