-
- IP Access List Features Roadmap
- IP Access List Overview
- Creating an IP Access List and Applying It to an Interface
- Creating an IP Access List to Filter IP Options TCP Flags Noncontiguous Ports or TTL Values
- Refining an IP Access List
- Displaying and Clearing IP Access List Data Using ACL Manageability
- Controlling Access to a Virtual Terminal Line
- Access List-Based RBSCP
- ACL IP Options Selective Drop
- ACL Authentication of Incoming rsh and rcp Requests
- Configuring Lock-and-Key Security for Dynamic Access Lists
- Configuring IP Session Filtering of Reflexive Access Lists
- Configuring TCP Intercept and Preventing Denial-of-Service Attacks
-
- Configuring Context-based Access Control
- Application Firewall - Instant Message Traffic Enforcement
- Cisco IOS Firewall MIB
- Cisco IOS Firewall Performance Improvements
- Cisco IOS Firewall Stateful Failover
- Cisco IOS Firewall Support for TRP
- Email Inspection Engine
- ESMTP Support for Cisco IOS Firewall
- Firewall ACL Bypass
- Firewall N2H2 Support
- Firewall Stateful Inspection of ICMP
- Firewall Support for SIP
- Firewall Support of Skinny Client Control Protocol
- Firewall Websense URL Filtering
- Granular Protocol Inspection
- HTTP Inspection Engine
- Inspection of Router-Generated Traffic
- TCP Out-of-Order Packet Support for Cisco IOS Firewall and Cisco IOS IPS
- Transparent Cisco IOS Firewall
- Virtual Fragmentation Reassembly
- VRF Aware Cisco IOS Firewall
- Configuring Port to Application Mapping
- Configuring Cisco IOS Intrusion Prevention System (IPS)
- Configuring IP Security Options
- Finding Feature Information
- Contents
- Prerequisites for ESMTP Support for Cisco IOS Firewall
- Information About ESMTP Support for Cisco IOS Firewall
- How to Configure a Firewall to Support ESMTP
ESMTP Support for Cisco IOS Firewall
The ESMTP Support for Cisco IOS Firewall feature enhances the Cisco IOS Firewall to support Extended Simple Mail Transport Protocol (ESMTP), allowing customers who install mail servers behind Cisco IOS firewalls to install their servers on the basis of ESMTP (instead of Simple Mail Transport Protocol [SMTP]).
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for ESMTP Support for Cisco IOS Firewall" section.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•
Prerequisites for ESMTP Support for Cisco IOS Firewall
•Information About ESMTP Support for Cisco IOS Firewall
•How to Configure a Firewall to Support ESMTP
•Configuration Examples for Firewall ESMTP Support
•Feature Information for ESMTP Support for Cisco IOS Firewall
Prerequisites for ESMTP Support for Cisco IOS Firewall
To enable this feature, your Cisco IOS image must contain the Cisco IOS firewall.
Information About ESMTP Support for Cisco IOS Firewall
•SMTP Firewall and ESMTP Firewall Comparison
SMTP Functionality Overview
SMTP inspection provides a basic method for exchanging e-mail messages. Figure 1 and the following steps outline a basic SMTP session.
Figure 1 Sample SMTP Exchange Topology
After a user sends an e-mail request to the client (the "SMTP sender"), the client established a TCP channel with the server (the "SMTP receiver"). Thereafter, the client and the server exchange SMTP commands and responses until the mail transaction is complete. The steps of typical SMTP transaction are as follows:
4. The client establishes a TCP connection with the server.
5. The client sends a HELO command with its domain name. If the server can accept mail from that domain name, it responds with a 250 reply code, which allows the client to continue with the mail transaction. (If the server does not respond with a 250 reply code, the client will send a QUIT command and terminate the TCP session.)
6. The client sends the MAIL command, indicating who initiated the mail. If the server accepts the mail, it responds with an OK reply. Then, the client sends the RCPT command, identifying the recipient of the mail. If the server accepts mail for the specified recipient, it responds with an OK reply; if the server cannot accept mail for the specified recipient, it rejects the recipient but not the entire transaction. (Several recipients can be negotiated.)
7. After the list of recipients has been negotiated between the client and the server, the client sends a DATA command. If the server is ready to receive data, it responds with a 354 reply code. If the server is not ready to receive data, it responds with a error reply, and the client terminates the transaction.
8. The client sends mail data ending with a special sequence. When the server sees the end of the message, it sends a 250 code reply.
9. The client sends a QUIT command, waits for the server to respond, then terminates the session.
ESMTP Overview
Like SMTP, ESMTP inspection provides a basic method for exchanging e-mail messages. Although an ESMTP session is similar to SMTP, there is one difference—the EHLO command.
After the TCP connection has been established between the client (the ESMTP sender) and the server (the ESMTP receiver), the client sends the EHLO command (instead of the HELO command that is used for SMTP). If the server does not support ESMTP, it sends a failure reply to the client because it did not recognize the EHLO command. If it supports ESMTP, the server responds with the code 250 and a list of extensions that the server supports. (Refer to RFC 1869 for an explanation of the extensions that your server may support.)
The server may send any of the following error codes if it supports ESMTP but is unable to function as normal:
•Error code 501—The server recognizes the EHLO command but is unable to accept it.
•Error code 502—The server recognizes the EHLO command but does not implement it.
•Error code 554—The server is unable to list the service extensions it supports.
If the client receives any of these error codes, it should issue the HELO command to revert to SMTP mode or issue the QUIT command to end the session.
After the client receives a successful response to the EHLO command, it will work the same way as SMTP, except that the client may issue new extended commands, and it may add a few parameters to the MAIL FROM and REPT TO commands.
SMTP Firewall and ESMTP Firewall Comparison
Although a SMTP firewall and an ESMTP firewall support the same functionality—command inspection, session conversion, and Intrusion Detection System (IDS) detection—slight variations exist between the protocols. Table 1 explains the firewall functionality and protocol-specific differences.
How to Configure a Firewall to Support ESMTP
•Configuring a Firewall for ESMTP Inspection
Configuring a Firewall for ESMTP Inspection
Use this task to configure a Cisco IOS Firewall to inspect an ESMTP session and command sequence.
Restrictions
SMTP and ESMTP cannot exist simultaneously. If SMTP is already configured, an attempt to configure ESMTP will result in the error message, "%ESMTP cannot coexist with SMTP, please unconfigure SMTP and try again...." If ESMTP is already configured, an attempt to configure SMTP will result in the error message, "%SMTP cannot coexist with ESMTP, please unconfigure ESMTP and try again...."
The following example illustrates how the router will react if you attempt to configure both protocols:
Router(config)# ip inspect name mail-guard smtp
Router(config)# ip inspect name mail-guard esmtp
ESMTP cannot coexist with SMTP, please unconfigure SMTP and try again...
Router(config)# end
Router# show running-config
.
.
.
ip inspect name mail-guard smtp
.
.
.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip inspect name inspection-name {smtp | esmtp} [alert {on | off}] [audit-trail {on | off}] [max-data number] [timeout seconds]
4. interface type number
5. ip inspect inspection-name {in | out}
DETAILED STEPS
Troubleshooting Tips
To view and verify the inspection configuration, status, or session information, you can use any of the following EXEC commands:
•show ip inspect name inspection-name—Shows a particular configured inspection rule.
•show ip inspect session—Shows existing sessions that are currently being tracked and inspected by the firewall.
•show ip inspect all—Shows all inspection configuration and all existing sessions that are currently being tracked and inspected by the firewall.
Alert Messages
The existing SMTP-related alert message will not change. This message is logged every time the firewall detects an illegal or unsupported command. The message format is as follows:
FW-3-SMTP_INVALID_COMMAND: Invalid SMTP command (%s) (total %d chars) from initiator (%i:%d)
A new alert message is added. This message is logged whenever the firewall detects an illegal parameter in an SMTP command. The message includes the address and port of the sender as well as the illegal parameter. The message format is as follows:
FW-3-SMTP_INVALID_PARAMETER: Invalid SMTP parameter (%s) from initiator (%i:%d)
What to Do Next
To provide a record of network access through the firewall, including illegitimate access attempts, and inbound and outbound services, you should turn on logging and audit trail. For information on completing this task, refer to the section "Configuring Logging and Audit Trail" in the chapter "Configuring Context-Based Access Control" in the Cisco IOS Security Configuration Guide.
Configuration Examples for Firewall ESMTP Support
•Example: ESMTP Inspection Configuration
Example: ESMTP Inspection Configuration
The following example shows how to configure inspection of ESMTP traffic:
Router# configure terminal
Router(config)# ip inspect name mail-guard esmtp timeout 30
Additional References
Related Documents
|
|
|
|---|---|
Cisco IOS commands |
|
Security commands |
Standards
|
|
|
|---|---|
None |
— |
MIBs
|
|
|
|---|---|
None |
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: |
RFCs
Technical Assistance
Feature Information for ESMTP Support for Cisco IOS Firewall
Table 2 lists the features in this module and provides links to specific configuration information.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note Table 2 lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Feedback