Sep 6, 2010

How to bypass SMTP Inspection?

The default SMTP (ESMTP) inspection policy blocks messages that match any of the following conditions:
  • Command line length greater than 512 bytes
  • More than 100 recipient email addresses
  • Body line length greater than 998 bytes
  • Header line length greater than 998 bytes
  • Sender email address length greater than 320 bytes
  • MIME filename length greater than 255 bytes

Example: 
Source Server: 192.168.0.1
Destination Server: 172.16.0.1

To bypass these checks for specific traffic without disabling ESMTP inspection altogether, we implement the policy below: it keeps the same match conditions but only logs matches instead of dropping them. Before implementing the new policy, save the existing default policy, since the inspection_default class has to be removed and added back so that the new class sits above it (the ASA evaluates the classes of a policy-map in order).

1) Get existing policy:

# sh run policy-map global_policy
!
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect esmtp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
!
2) Implement new policy:

access-list smtp_bypass extended permit tcp host 192.168.0.1 host 172.16.0.1 eq smtp
!
policy-map type inspect esmtp smtp_bypass
 parameters
  no mask-banner
 match sender-address length gt 320
  log
 match mime filename length gt 255
  log
 match cmd line length gt 512
  log
 match cmd rcpt count gt 100
  log
 match body line length gt 998
  log
!
class-map smtp_bypass
  description Matches SMTP traffic and bypass global policy
  match access-list smtp_bypass
!
policy-map global_policy
 no class inspection_default
 class smtp_bypass
  inspect esmtp smtp_bypass
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect esmtp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
!

3) Save the configuration:

asa(config)# end
asa# wr mem

We can also use a similar configuration to bypass other types of inspection.
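As an added example (not part of the original post), a small Python audit that parses `show run` output for `policy-map type inspect esmtp` blocks and flags maps whose every match action is only `log`, which is exactly what the bypass map above does. The sample config is constructed from the post's map plus a hypothetical `strict_esmtp` map for contrast.

```python
# Constructed sample: the post's log-only esmtp map, a hypothetical map that still drops, and the global policy.
SAMPLE_CONFIG = """\
policy-map type inspect esmtp smtp_bypass
 parameters
  no mask-banner
 match sender-address length gt 320
  log
 match mime filename length gt 255
  log
 match cmd line length gt 512
  log
 match cmd rcpt count gt 100
  log
 match body line length gt 998
  log
!
policy-map type inspect esmtp strict_esmtp
 match cmd line length gt 512
  drop-connection log
!
policy-map global_policy
 class smtp_bypass
  inspect esmtp smtp_bypass
 class inspection_default
  inspect esmtp
!
"""

def parse_esmtp_maps(config):
    """Return {map_name: [(match condition, action), ...]} for each 'policy-map type inspect esmtp' block."""
    maps, current, cond = {}, None, None
    for line in config.splitlines():
        if line.startswith("policy-map type inspect esmtp "):
            current, cond = line.split()[-1], None   # new esmtp inspect map
            maps[current] = []
        elif line.startswith(("policy-map", "!")):
            current = cond = None                    # left the inspect map block
        elif current and line.startswith(" match "):
            cond = line.strip()[len("match "):]      # e.g. 'cmd rcpt count gt 100'
        elif current and cond and line.startswith("  "):
            maps[current].append((cond, line.strip()))   # action line under the match
    return maps

def log_only_maps(maps):
    """Names of esmtp maps whose every match only logs: inspection runs, but nothing is dropped."""
    return sorted(name for name, rules in maps.items()
                  if rules and all(action == "log" for _, action in rules))
```

Run it against a real `show run` capture to list every esmtp inspect map that has been weakened to log-only; those are the exceptions worth reviewing against the class-maps that bind them.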
