E-mail Inspection Engine
First Published: March 29, 2005
Last Updated: March 29, 2005
The E-mail Inspection Engine feature allows the Cisco IOS Firewall to inspect Post Office Protocol 3 (POP3) and Internet Message Access Protocol (IMAP) e-mail, in addition to Simple Mail Transfer Protocol (SMTP) and Extended Simple Mail Transfer Protocol (ESMTP) e-mail which were previously supported.
The secure-login enhancement allows people to download external POP3 e-mail only if authentication methods are secure.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for E-mail Inspection Engine" section.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•Prerequisites for E-mail Inspection Engine
•Information About E-mail Inspection Engine
•How to Configure E-mail Inspection Engine
•Configuration Examples for E-mail Inspection Engine
•Additional References
•Feature Information for E-mail Inspection Engine
•Glossary
Prerequisites for E-mail Inspection Engine
•Configure CBAC.
•Enable SSL VPN tunnels.
Information About E-mail Inspection Engine
•E-mail Inspection Engine Operation
•Inspection
•POP3
•IMAP Protocol
•Client Command Validation
•SMTP
•SSL
E-mail Inspection Engine Operation
The client/server communication is validated from the time the TCP connection is initialized until the client is authenticated. The Cisco IOS Firewall uses a state router to track each stage of authentication. After the client is authenticated, the Cisco IOS Firewall allows all the client/server commands without further L7 inspection. TCP L4 inspection continues until the connection is closed. At the end of the e-mail session when the client host quits and before the TCP connection is closed, no further client/server interaction is allowed unless the client is reauthenticated.
During the authentication, any unrecognized command causes the Cisco IOS Firewall to drop the packet and close the connection.
If encryption is negotiated between the client and server control channel, no further validation occurs.
An e-mail client logging in from a nonsecure location may need to use encryption for authentication. For information about secure logins, see the description of the secure-login keyword of the ip inspect name command.
Inspection
Context Based Access Control (CBAC) inspects traffic that travels through the firewall to discover and manage state information for TCP and User Datagram Protocol (UDP) sessions. This state information is used to create temporary openings in the firewall's access lists to allow return traffic and additional data connections for permissible sessions.
Inspecting packets at the application layer and maintaining TCP and UDP session information provides CBAC with the ability to detect and prevent certain types of network attacks such as SYN-flooding. A SYN-flood attack occurs when a network attacker floods a server with a barrage of requests for connection and does not complete the connection. The resulting volume of half-open connections can overwhelm the server, causing it to deny service to valid requests. Network attacks that deny access to a network device are called denial-of-service (DoS) attacks.
POP3
The Post Office Protocol, Version 3 (POP3) is used to receive e-mail that is stored on a mail server. Unlike IMAP, POP only retrieves mail from a remote host.
POP3 works best when there is only one computer because it supports "offline" message access where messages are downloaded and then deleted from the mail server. This mode of access is not compatible with access from multiple computers because it tends to sprinkle messages across all the computers used for mail access.
With POP3-based e-mail clients, messages are downloaded to the user's local message store and can also be deleted from the mail server. Deletion is optional in most clients. When a new voice message arrives, the subscriber's only immediate notification is the activation of the MWI on the phone. New messages are displayed in the Inbox only after the client's local message store is updated with the Exchange message store. After the subscriber downloads new messages, the message state automatically changes from "new" to "read" on the server, even though the subscriber has not actually listened to the voice messages. MWIs on the subscriber's phone are extinguished, and the message state between the TUI and the subscriber's Inbox are not synchronized.
IMAP Protocol
The Internet Message Access Protocol (IMAP) is a method of accessing electronic mail or bulletin board messages that are kept on a mail server that may be shared. It permits a "client" e-mail program to access remote messages as though they were local. For example, e-mail stored on an IMAP server can be retrieved, sent, and managed from a desktop computer at home, from a workstation at the office, or from a laptop without transferring messages or files back and forth between the computers.
Only the message header and sender information are displayed in the Inbox until the user downloads the entire message, including attachments, from the server. When a new voice message arrives, the subscriber's only immediate notification is the activation of the Message Waiting Indication (MWI) on the phone. New messages are displayed in the Inbox only after the client's local message store is updated with the Exchange message store. When the subscriber listens to a new message by using the telephone user interface (TUI), the MWI is extinguished. In this case again, the message state is not updated in the Inbox until the client's message store is refreshed. However, if the subscriber uses an installed multimedia player to listen to the WaveForm Audio (WAV) attachment from the e-mail client's Inbox, message state changes are automatically synchronized with the TUI.
How message state changes are conveyed to the Cisco Unity subscriber, and how these changes are synchronized with the TUI, depend on whether the subscriber's e-mail client is configured to use POP3 or IMAP4 to access Exchange.
Client Command Validation
The Cisco IOS Firewall authenticates an e-mail client accessing an IMAP or POP3 server before allowing complete access into the server. The firewall searches the IMAP/POP3 TCP stream for valid protocol commands. If the client's commands are outside the protocol's definition, the Cisco IOS Firewall drops the packets and resets the connection.
Client command validation is typically needed in a DeMilitarized Zone (DMZ). Client access is allowed into the DMZ only if the e-mail server validates the user authentication. After the client is authenticated, the client becomes a trusted user and access is permitted.
SMTP
The Simple Mail Transfer Protocol (SMTP) is used to transfer e-mail between servers and clients on the Internet. E-mail clients and mail servers that use protocols other than Message Application Programming Interface (MAPI) can use the SMTP protocol to transfer a message from a client to the server, and then forward it to a message recipient's server. To retrieve, send, and manage these messages from the e-mail client use POP3 or IMAP4.
Cisco Unity uses SMTP to route voice messages via the Internet Voice Connector (IVC) gateway between other Exchange servers that are not connected by using a Site Message Connector. There is an IVC gateway on either end of the SMTP connection between Exchange servers. This ensures that MAPI message attributes survive the outbound transit between SMTP connections. It also ensures that the MIME-encoded attributes survive the inbound transit, and are included with the message stored in the Exchange message store.
SSL
The Secure Socket Layer (SSL) protocol is the standard protocol that delivers secure content over the Internet. It is a point-to-point security protocol that secures communication between a client and a server. SSL usually does not require a special client (that is, a Web browser often will suffice) and it does not require any additional operating system software.
SSL includes client and server authentication and data encryption for a limited set of applications (for example, the Web, e-mail, news, and file transfer). SSL is useful for securing e-commerce transactions over the Internet, and the protocol is well suited for extranets and remote access because it is relatively simple to deploy.
How to Configure E-mail Inspection Engine
•Configuring Firewall Inspection of POP3 or IMAP E-mail (required)
•Verifying the E-mail Inspection Engine Configuration (optional)
Configuring Firewall Inspection of POP3 or IMAP E-mail
To allow the Cisco IOS Firewall to inspect POP3 or IMAP e-mail, perform the following task.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip inspect name inspection-name protocol [alert {on | off}] [audit-trail {on | off}][reset] [secure-login] [timeout seconds]
4. interface type slot/port
5. ip inspect name inspection-name {in | out}
6. exit
DETAILED STEPS
|
|
|
Step 1 |
enable
Router> enable |
Enables privileged EXEC mode. •Enter your password if prompted. |
Step 2 |
configure terminal
Router# configure terminal |
Enters global configuration mode. |
Step 3 |
ip inspect name inspection-name protocol [alert {on | off}] [audit-trail {on | off}][reset] [secure-login] [timeout seconds]
Router(config)# ip inspect name mail-guard pop3 |
Defines a set of inspection rules. |
Step 4 |
interface type slot/port
Router(config-if)# interface 1/0 |
Configures an interface type. |
Step 5 |
ip inspect name inspection-name {in | out}
Router(config-if)# ip inspect name mail-guard in |
Enables the Cisco IOS Firewall on an interface. |
Step 6 |
exit
Router(config-if)# exit |
Exits interface configuration mode and returns to global configuration mode. |
Verifying the E-mail Inspection Engine Configuration
To verify the E-mail Inspection Engine configuration, perform the following task.
Note Effective with Cisco IOS Release 12.4(20)T, the debug ip inspect command is replaced by the debug policy-firewall command. See the Cisco IOS Debug Command Reference for more information.
SUMMARY STEPS
1. debug ip inspect imap
2. debug ip inspect pop3
3. show ip inspect {name inspection-name | config | interfaces | session [detail] | all}
DETAILED STEPS
Step 1 debug ip inspect imap
Use this command to display messages about Cisco IOS Firewall events related to IMAP protocol e-mail messages.
Router# debug ip inspect imap
Step 2 debug ip inspect pop3
Use this command to display messages about Cisco IOS Firewall events related to POP3 protocol e-mail messages.
Router# debug ip inspect pop3
Step 3 show ip inspect {name inspection-name | config | interfaces | session [detail] | all}
Use this command to view CBAC configuration and session information.
Session audit trail is disabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
Inspection Rule Configuration
Inspection name mail-guard
Configuration Examples for E-mail Inspection Engine
•Example: Configuring IMAP and POP3 Protocol E-mail
Example: Configuring IMAP and POP3 Protocol E-mail
The following example configures the Cisco IOS Firewall inspection of IMAP and POP3 protocol e-mail:
ip inspect name mail-guard pop3
ip inspect name mail-guard imap
The following commands enable this functionality on an interface:
ip inspect name mail-guard in
Additional References
Related Documents
Standards
|
|
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. |
— |
MIBs
|
|
No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature. |
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs |
RFCs
|
|
RFC 1939 |
J Myers and M. Rose, "Post Office Protocol, Version 3 (POP3)," May 1996. |
RFC 3501 |
M. Crispin, "Internet Message Access Protocol (IMAP4rev1," March 2003. |
Technical Assistance
|
|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
http://www.cisco.com/cisco/web/support/index.html |
Feature Information for E-mail Inspection Engine
Table 1 lists the features in this module and provides links to specific configuration information.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note Table 1 lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Table 1 Feature Information for E-mail Inspection Engine
|
|
|
E-mail Inspection Engine |
12.3(14)T |
The E-mail Inspection Engine feature allows the Cisco IOS Firewall to inspect Post Office Protocol 3 (POP3) and Internet Message Access Protocol (IMAP) e-mail, in addition to Simple Mail Transfer Protocol (SMTP) and Extended Simple Mail Transfer Protocol (ESMTP) e-mail which were previously supported. The secure-login enhancement allows people to download external POP3 e-mail only if authentication methods are secure. The following commands were introduced or modified: debug ip inspect, ip inspect name, show ip inspect. |
Glossary
authentication—Process during which any unrecognized command causes the Cisco IOS Firewall to drop the packet and close the connection.
CBAC—Context-Based Access Control. A Cisco IOS Firewall set feature that scrutinizes source and destination addresses to enhance security for TCP and UDP applications that use well-known ports, such as FTP and e-mail traffic.
ESMTP—Extended Simple Mail Transfer Protocol. An extended version of the Simple Mail Transfer Protocol (SMTP), which includes additional functionality, such as delivery notification and session delivery.
IMAP—Internet Message Access Protocol. A method of accessing e-mail or bulletin board messages kept on a mail server that can be shared. IMAP permits client e-mail applications to access remote message stores as if they were local without actually transferring the message.
POP—Post Office Protocol. A protocol that client e-mail applications use to retrieve mail from a mail server.
SMTP—Simple Mail Transfer Protocol. An Internet protocol providing e-mail services.
SSL—Secure Socket Layer Protocol. This protocol is used to deliver secure information over the Internet.
state router—A router that tracks the client/server commands until the client is authenticated.
TCP—Transmission Control Protocol. A connection-oriented transport layer protocol that provides reliable full-duplex data transmission. TCP is part of the TCP/IP protocol stack.
UDP—User Datagram Protocol. A connectionless transport-layer protocol for exchanging datagrams without acknowledgments or guaranteed delivery.
VPN—Virtual Private Network. A network that enables IP traffic to travel securely over a public TCP/IP network by encrypting all traffic from one network to another. A VPN network uses "tunneling" to encrypt all information at the IP level.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2005-2007 Cisco Systems, Inc. All rights reserved