ESMTP Advanced Inspection (CCIE Notes)


Configuring advanced ESMTP inspection;

regex gmail_reg "@gmail\.com"
regex bob_reg "bob@yahoo\.com"
!
class-map type regex match-any mail_class
 match regex bob_reg
 match regex gmail_reg
!
policy-map type inspect esmtp esmtp_policy
 parameters
 ! body length is measured in characters
 match body length gt 20000
  drop-connection log
 ! rate-limit is in messages per second
 match cmd verb EHLO
  rate-limit 50
 ! command line length is measured in bytes
 match cmd line length gt 400
  reset
 ! recipients per transaction
 match cmd RCPT count gt 8
  drop-connection
 ! sender e-mail address, matched against the regex class
 match sender-address regex class mail_class
  drop-connection log
!
policy-map global_policy
 class inspection_default
  inspect esmtp esmtp_policy

Note: Unlike FTP and HTTP inspection, there is no L7 class-map type for ESMTP (there is no "class-map type inspect esmtp"). Every inspection criterion is configured directly as a match statement under the L7 policy-map, and one policy-map can carry several match statements, each with its own action. What you can still do is define a "class-map type regex" (mail_class above) and reference it from a match statement under the ESMTP policy-map, as the sender-address match does.
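To reason about what each match in esmtp_policy would do before pointing real traffic at the firewall, here is an added example (my own code, not from the page and not Cisco's) that models the policy in Python and runs it over constructed client-side SMTP transcripts. It assumes that ASA regex matching is an unanchored substring search (re.search here), that the body and command-line sizes are counted as the annotations above describe, and that checks fire in arrival order with the first match winning, which is a simplification of the real inspector.

```python
import re
from collections import Counter

# Added example, not code from the page or from Cisco: a toy model of the
# esmtp_policy above, applied to constructed client-side SMTP transcripts.
# Assumptions: ASA regex matching is an unanchored substring search (re.search
# here); lines are checked in the order they arrive and the first match wins,
# which simplifies the real inspector's behaviour.

SENDER_REGEXES = [r"@gmail\.com", r"bob@yahoo\.com"]  # class-map mail_class (match-any)
MAX_CMD_LINE = 400     # match cmd line length gt 400      -> reset
MAX_RCPT = 8           # match cmd RCPT count gt 8         -> drop-connection
MAX_BODY = 20000       # match body length gt 20000        -> drop-connection log
EHLO_RATE = 50         # match cmd verb EHLO rate-limit 50 (messages per second)


def sender_matches(address):
    """True if the MAIL FROM address matches any regex in mail_class."""
    return any(re.search(rx, address) for rx in SENDER_REGEXES)


def inspect(transcript):
    """Walk client command lines (without CRLF) and return the first action
    the policy would take, or 'forward' if nothing matches."""
    rcpt_count = 0
    in_data = False
    body = []
    for line in transcript:
        if in_data:
            if line == ".":                       # end of DATA
                in_data = False
                if len("\r\n".join(body)) > MAX_BODY:
                    return "drop-connection log"
                body = []
            else:
                body.append(line)
            continue
        if len(line.encode()) > MAX_CMD_LINE:     # cmd line length in bytes
            return "reset"
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "RCPT":
            rcpt_count += 1
            if rcpt_count > MAX_RCPT:
                return "drop-connection"
        elif verb == "MAIL":
            address = arg[5:] if arg.upper().startswith("FROM:") else arg
            if sender_matches(address):
                return "drop-connection log"
        elif verb == "RSET":
            rcpt_count = 0                        # RSET starts a new transaction
        elif verb == "DATA":
            in_data = True
    return "forward"


def ehlo_rate_exceeded(timestamps):
    """True if more than EHLO_RATE EHLO commands fall in any one-second bucket."""
    per_second = Counter(int(t) for t in timestamps)
    return max(per_second.values(), default=0) > EHLO_RATE


# Constructed transcripts (not captured traffic).
CLEAN = ["EHLO client.example.net", "MAIL FROM:<alice@example.net>",
         "RCPT TO:<ops@example.com>", "DATA", "Subject: hi", "", "hello", ".", "QUIT"]
GMAIL_SENDER = ["EHLO c", "MAIL FROM:<carol@gmail.com>", "RCPT TO:<ops@example.com>"]
# the unanchored regex also catches a look-alike domain that merely contains @gmail.com
LOOKALIKE = ["EHLO c", "MAIL FROM:<carol@gmail.com.example>"]
MANY_RCPT = ["EHLO c", "MAIL FROM:<alice@example.net>"] + \
            ["RCPT TO:<user%d@example.com>" % i for i in range(9)]
LONG_LINE = ["EHLO c", "MAIL FROM:<" + "a" * 400 + "@example.net>"]
BIG_BODY = ["EHLO c", "MAIL FROM:<alice@example.net>", "RCPT TO:<ops@example.com>",
            "DATA"] + ["x" * 1000] * 21 + ["."]

if __name__ == "__main__":
    for name, t in [("clean", CLEAN), ("gmail", GMAIL_SENDER), ("lookalike", LOOKALIKE),
                    ("many_rcpt", MANY_RCPT), ("long_line", LONG_LINE), ("big_body", BIG_BODY)]:
        print(name, "->", inspect(t))
    print("ehlo flood ->", ehlo_rate_exceeded([0.0] * 51))
```

The LOOKALIKE transcript is the point worth noticing: because "@gmail\.com" is not anchored, it also matches carol@gmail.com.example, so a regex intended for one domain can drop mail from (or, depending on intent, helpfully catch) look-alike domains. Check how the real box evaluates a pattern with the ASA "test regex" command before relying on it.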

Verification;

ASA-FW# sh service-policy inspect esmtp

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: esmtp esmtp_policy, packet 0, drop 0, reset-drop 0
        mask-banner, count 0
        match body length gt 20000
          drop-connection log, packet 0
        match cmd verb EHLO
          rate-limit 50, packet 0
        match cmd line length gt 400
          reset, packet 0
        match cmd RCPT count gt 8
          drop-connection, packet 0
        match sender-address regex class mail_class
          drop-connection log, packet 0

Common matching criteria for ESMTP under a L7 policy map;

ASA-FW(config)# policy-map type inspect esmtp esmtp_policy
ASA-FW(config-pmap)# match ?

mpf-policy-map mode commands/options:
 body                 Match related to the body of the mail message
 cmd                  Match related to the commands exchanged in the ESMTP
                      transaction
 ehlo-reply-parameter Match an ESMTP ehlo reply parameter
 header               Match related to the header of the mail message
 invalid-recipients   Match invalid recipient address
 mime                 Match related to the MIME header
 not                  Negate this match result
 sender-address       Match related to the sender e-mail address

Default L7 policy-map for ESMTP inspection;

policy-map type inspect esmtp _default_esmtp_map
 description Default ESMTP policy-map
 parameters
  mask-banner
  no mail-relay
  no special-character
  no allow-tls
 match cmd line length gt 512 
  drop-connection log
 match cmd RCPT count gt 100 
  drop-connection log
 match body line length gt 998 
  log
 match header line length gt 998 
  drop-connection log
 match sender-address length gt 320 
  drop-connection log
 match MIME filename length gt 255 
  drop-connection log
 match ehlo-reply-parameter others 
  mask

Bookmark to follow my CCIE Security v4 journey -> https://networkology.net/tag/ccie
