The Application Inspection for SMTP feature provides an intense provisioning mechanism that can be configured to inspect packets on a granular level so that malicious network activity, related to the transfer of e-mail at the application level, can be identified and controlled. This feature qualifies the Cisco IOS firewall extended Simple Mail Transfer Protocol (ESMTP) module as an "SMTP application firewall," which protects in a similar way to that of an HTTP application firewall.
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see
Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to
www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for Application Inspection and Control for SMTP
Follow the appropriate configuration tasks outlined in the Zone-Based Policy Firewall module before configuring the Application Inspection and Control for SMTP feature. This module contains important information about class-maps and policy-maps and their associated "match" statements necessary for configuring an SMTP policy.
SMTP Policy Requirements
Both SMTP and ESMTP inspection provide a basic method for exchanging e-mail messages between the client and server to negotiate capabilities and use these capabilities in an e-mail transaction. An ESMTP session is similar to an SMTP session, except for one difference--the Extended HELO (EHLO) command. The EHLO command is sent by a client to initiate the capability dialogue. After the client receives a successful response to the EHLO command, the client works the same way as SMTP, except that the client may issue new extended commands, and it may add a few parameters to the MAIL FROM and REPT TO commands.
Previously, if the Cisco IOS software was configured to inspect SMTP session only, inspection was configured by entering the
matchprotocolsmtp command. This action would "mask" the EHLO command to prevent capability negotiation and cause the client to go back to the HELO command and basic SMTP.
To have a workable policy for both ESMTP and SMTP inspection, the
matchprotocolsmtp command must be configured in the top-level policy before the Application Inspection and Control for SMTP features are implemented. See the Configuring a Default Policy for Application Inspection task for more information.
The SMTP policy (which specifies the particular SMTP configuration) is included as a child-policy in the top-level "inspect" policy-map. See the "Top-level Class Maps and Policy Maps" section in the Zone-Based Policy Firewall module for more information.
Restrictions for Application Inspection and Control for SMTP
The Application Inspection and Control for SMTP feature has the following restrictions:
The
matchcmd-linelengthgt command filter can co-exist only with a
matchcmdverb command filter in the SMTP match-all class -map (class-maptypeinspectsmtp). Any attempt to pair the
matchcmd-linelengthgt command filter with any other filter is not allowed by the CLI.
The alternative data transfer SMTP command extension BDAT is not supported. This command is substituted for the DATA command while the SMTP body is transferred. The BDAT command extension is used by the Cisco IOS firewall to mask the CHUNKING keyword in the EHLO response to the Application Inspection and Control for SMTP feature, preventing a client from using it.
The "mask" action can be configured only with a class having either or both of the
matchcmdverb or
matchehloreply commands. This action cannot be configured with a class having any other filter.
Information About Application Inspection and Control for SMTP
The Application Inspection and Control for SMTP feature inspects SMTP in a granular way and is complemented by an intensive provisioning system to help filter e-mail.
Benefits of Application Inspection and Control for SMTP
The Application Inspection and Control for SMTP feature provides the following benefits:
E-mail senders and user accounts are restricted to filter spam e-mail from suspected domains.
An action can be specified, which occurs when a number of invalid recipients appears on an SMTP connection. This action helps identify spammers who are looking for valid user accounts.
The number of invalid SMTP recipients can be restricted by specifying a maximum number for invalid recipients on an SMTP connection.
A pattern can be specified that identifies e-mail addressed to a particular recipient or domain in cases where a server is functioning as a relay.
A provisioning mechanism that provides masks specified verbs in an SMTP connection to block potentially dangerous SMTP commands.
The maximum length value for the SMTP e-mail header can be specified to prevent a Denial of Service (DoS) attack (also called a buffer overflow attack). A DoS attack occurs when the attacker continuously sends a large number of incomplete IP fragments, causing the firewall to lose time and memory while trying to reassemble the fake packets.
The maximum length of an SMTP command line can be specified to prevent a DoS attack.
Multipurpose Internet Mail Extension (MIME) content file-types (text, HTML, images, applications, documents,and so on) can be restricted in the body of the e-mail from being transmitted over SMTP.
Unknown content-encoding types can be restricted from being transmitted over SMTP.
Specified content-types and content encoding types can be restricted in the SMTP e-mail body.
Monitor arbitrary patterns (text strings) in the SMTP e-mail message header (subject field) or body.
A parameter in an EHLO server reply and mask can be specified to prevent a sender (client) from using the service extension in the server reply.
An SMTP connection can be dropped with an SMTP sender (client) if the SMTP connection violates the specified policy.
SMTP commands or the parameters returned by the server in response to an EHLO command can be explicitly masked by specifying these SMTP commands.
An action can be logged for a class type in an SMTP policy-map.
Cisco Common Classification Policy Language
The Cisco Common Classification Policy Language (C3PL) CLI structure is used to provision ESMTP inspection. ESMTP is provisioned by defining a match criterion on an SMTP class-map and associate actions to the match criterion defined in the SMTP policy-map. The Application Inspection and Control for SMTP feature adds new match criteria and actions to the existing SMTP policy maps that are discussed in the Zone-Based Policy Firewall module, which describes the Cisco IOS unidirectional firewall policy between groups of interfaces known as zones.
Figure 1
ESMTP Communication Between a Sender and Receiver
Common Classification Engine SMTP Database and Action Module
The Common Classification Engine (CCE) SMTP database is the site at which manually configured policy information is processed and converted into signatures. The information in these signatures is put into regular expression tables, which are then used to parse packets as they are switched by a router.
The SMTP database has two interfaces. One interface has the control plane, which is used to accept user configured policies, and the other interface has the CCE data-plane engine, which is used to classify a packet.
An action module is used as a part of the Context-Based Access Control (CBAC) SMTP inspection module to organize and trigger SMTP inspection. CBAC is used to detect and block SMTP attacks (illegal SMTP commands) and sends notifications when SMTP attacks occur.
How to Configure Application Inspection and Control for SMTP
Configuring a Default Policy for Application Inspection
If no policy is configured for SMTP, then there is no application inspection for SMTP. The firewall creates a TCP session and only performs "pinholing," which allows an application to have access to the protected network. Having an open gap in a firewall can expose the protected system to malicious abuse. The steps below are used to provide minimum application inspection protections for SMTP by enforcing the EHLO and HELO SMTP commands.
SUMMARY STEPS
1.enable
2.configureterminal
3.class-maptypeinspectsmtpclass-map-name
4.matchprotocolsmtp
DETAILED STEPS
Command or Action
Purpose
Step 1
enable
Example:
Router> enable
Enables privileged EXEC mode.
Enter your password if prompted.
Step 2
configureterminal
Example:
Router# configure terminal
Enters global configuration mode.
Step 3
class-maptypeinspectsmtpclass-map-name
Example:
Router(config)# class-map type inspect smtp c1
Creates a class map for the SMTP protocol and enters class-map configuration mode.
Step 4
matchprotocolsmtp
Example:
Router(config-cmap)# match protocol smtp
Enables inspection for ESMTP and SMTP.
Restricting Spam from a Suspicious E-Mail Sender Address or Domain
An e-mail sender and user accounts can be restricted to filter spam e-mail from suspected domains. Spam is restricted by using the matchsenderaddressregex command to match the parameter-map name of a specific traffic pattern that specifies a sender domain or e-mail address in the SMTP traffic. The specified pattern is scanned in the parameter for the SMTP MAILFROM: command.
SUMMARY STEPS
1.enable
2.configureterminal
3.parameter-maptyperegexparameter-map-name
4.patterntraffic-pattern
5.
exit
6.class-maptypeinspectsmtpmatch-anyclass-map-name
7.matchsenderaddressregexparameter-map-name
8.
exit
9.policy-maptypeinspectsmtppolicy-map-name
10.classtypeinspectsmtpclass-map-name
11.log
12.reset
DETAILED STEPS
Command or Action
Purpose
Step 1
enable
Example:
Router> enable
Enables privileged EXEC mode.
Enter your password if prompted.
Step 2
configureterminal
Example:
Router# configure terminal
Enters global configuration mode.
Step 3
parameter-maptyperegexparameter-map-name
Example:
Router(config)# parameter-map type regex bad-guys
Enter the parameter-map name of a specific traffic pattern. Once the parameter-map name is specified, parameter-map profile configuration mode is entered.
Specifies the Cisco IOS regular expression (regex) pattern that matches the traffic pattern for the e-mail sender or user accounts from suspected domains that are causing the spam e-mail.
Step 5
exit
Exits parameter-map profile configuration mode.
Step 6
class-maptypeinspectsmtpmatch-anyclass-map-name
Example:
Router(config)# class-map type inspect smtp match-any c1
Creates a class map for the SMTP protocol so the match criteria is set to match any criteria for this class map and enters class-map configuration mode.
Step 7
matchsenderaddressregexparameter-map-name
Example:
Router(config-cmap)# match sender address regex bad-guys
Enters the parameter-map name class, which was defined in Step 3, to specify the Cisco IOS regular expression (regex) patterns for the class-map.
Step 8
exit
Exits class-map configuration mode.
Step 9
policy-maptypeinspectsmtppolicy-map-name
Example:
Router(config)# policy-map type inspect smtp p1
Creates a Layer 7 SMTP policy map and enters policy-map configuration mode.
Step 10
classtypeinspectsmtpclass-map-name
Example:
Router(config-pmap)# class type inspect smtp c1
Configures SMTP inspection parameters for this class map.
Step 11
log
Example:
Router(config-pmap)# log
Logs an action related to this class-type in the SMTP policy map.
Step 12
reset
Example:
Router(config-pmap)# reset
(Optional) Drops an SMTP connection with an SMTP sender (client) if it violates the specified policy. This action sends an error code to the sender and closes the connection gracefully.
Identifying and Restricting Spammers Searching for User Accounts in a Domain
Spammers who search for a large number of user accounts in a domain typically send the same e-mail to all the user accounts they find in this domain. Spammers can be identified and restricted from searching for user accounts in a domain by using the matchrecipientcountgt command to specify an action that occurs when a number of invalid recipients appear on an SMTP connection.
Note
The matchrecipientcountgt command does not count the number of recipients specified in the To or Cc fields in the e-mail header.
SUMMARY STEPS
1.enable
2.configureterminal
3.class-maptypeinspectsmtpclass-map-name
4.matchrecipientcountgtvalue
5.
exit
6.policy-maptypeinspectsmtppolicy-map-name
7.classtypeinspectsmtpclass-map-name
8.reset
DETAILED STEPS
Command or Action
Purpose
Step 1
enable
Example:
Router> enable
Enables privileged EXEC mode.
Enter your password if prompted.
Step 2
configureterminal
Example:
Router# configure terminal
Enters global configuration mode.
Step 3
class-maptypeinspectsmtpclass-map-name
Example:
Router(config)# class-map type inspect smtp c1
Creates a class map for the SMTP protocol and enters class-map configuration mode.
Step 4
matchrecipientcountgtvalue
Example:
Router(config-cmap)# match recipient count gt 25
Sets a limit on the number of RCPT SMTP commands sent by the sender (client) to recipients who are specified in a single SMTP transaction.
This command determines the number of RCPT lines and invalid recipients (for which the server has replied "500 No such address") in the SMTP transaction.
Step 5
exit
Exits class-map configuration mode.
Step 6
policy-maptypeinspectsmtppolicy-map-name
Example:
Router(config)# policy-map type inspect smtp p1
Creates a Layer 7 SMTP policy map and enters policy-map configuration mode.
The policy-map-name argument is the name of the policy map.
Step 7
classtypeinspectsmtpclass-map-name
Example:
Router(config-pmap)# class type inspect smtp c1
Configures SMTP inspection parameters for this class map.
Step 8
reset
Example:
Router(config-pmap)# reset
(Optional) Drops an SMTP connection with an SMTP sender (client) if it violates the specified policy. This action sends an error code to the sender and closes the connection gracefully.
Restricting the Number of Invalid SMTP Recipients
If a sender specifies in an invalid e-mail recipient and SMTP encounters this invalid recipient on the SMTP connection, then SMTP sends an error code reply to the e-mail sender (client) to specify another recipient. In this case, the event did not violate the SMTP protocol or indicate that this particular SMTP connection is bad. However, if a pattern of invalid recipients appears, then a reasonable threshold can be set to restrict these nuisance SMTP connections. The matchrecipientinvalidcountgt command is used to help identify and restrict the number of invalid SMTP recipients that can appear in an e-mail from senders who try common names on a domain in the hope that they discover a valid username to whom they can send spam.
SUMMARY STEPS
1.enable
2.configureterminal
3.class-maptypeinspectsmtpclass-map-name
4.matchrecipientinvalidcountgtvalue
5.
exit
6.policy-maptypeinspectsmtppolicy-map-name
7.classtypeinspectsmtpclass-map-name
8.reset
DETAILED STEPS
Command or Action
Purpose
Step 1
enable
Example:
Router> enable
Enables privileged EXEC mode.
Enter your password if prompted.
Step 2
configureterminal
Example:
Router# configure terminal
Enters global configuration mode.
Step 3
class-maptypeinspectsmtpclass-map-name
Example:
Router(config)# class-map type inspect smtp c1
Creates a class map for the SMTP protocol and enters class-map configuration mode.
Step 4
matchrecipientinvalidcountgtvalue
Example:
Router(config-cmap)# match recipient invalid count gt 5
Specifies a maximum number of invalid e-mail recipients on this SMTP connection.
Step 5
exit
Exits class-map configuration mode.
Step 6
policy-maptypeinspectsmtppolicy-map-name
Example:
Router(config)# policy-map type inspect smtp p1
Creates a Layer 7 SMTP policy map and enters policy-map configuration mode.
Step 7
classtypeinspectsmtpclass-map-name
Example:
Router(config-pmap)# class type inspect smtp c1
Configures SMTP inspection parameters for this class map.
Step 8
reset
Example:
Router(config-pmap)# reset
(Optional) Drops an SMTP connection with an SMTP sender (client) if it violates the specified policy. This action sends an error code to the sender and closes the connection gracefully.
Specifying a Recipient Pattern to Learn Spam Senders and Domain Information
A nonexistent e-mail recipient pattern can be specified to learn about spam senders and their domain information by luring them to use this nonexistent e-mail recipient pattern. This pattern is a regular-expression (regex) that can be specified to identify an e-mail addressed to a particular recipient or domain when a server is functioning as a relay. The specified pattern is checked in the SMTP RCPT command (SMTP envelope) parameter to identify if the recipient is either used as an argument or a source-list to forward mail in the route specified in the list.
Note
The matchrecipientaddressregex command does not operate on the To or Cc fields in the e-mail header.
SUMMARY STEPS
1.enable
2.configureterminal
3.parameter-maptyperegexparameter-map-name
4.patterntraffic-pattern
5.
exit
6.class-maptypeinspectsmtpclass-map-name
7.matchrecipientaddressregexparameter-map-name
8.
exit
9.policy-maptypeinspectsmtppolicy-map-name
10.classtypeinspectsmtpclass-map-name
11.log
12.reset
DETAILED STEPS
Command or Action
Purpose
Step 1
enable
Example:
Router> enable
Enables privileged EXEC mode.
Enter your password if prompted.
Step 2
configureterminal
Example:
Router# configure terminal
Enters global configuration mode.
Step 3
parameter-maptyperegexparameter-map-name
Example:
Router(config)# parameter-map type regex known-unknown-users
Enter the parameter-map name of a specific traffic pattern. Once the parameter-map name is specified, parameter-map profile configuration mode is entered.
Specifies a Cisco IOS regular expression (regex) pattern that matches the traffic pattern for the e-mail sender or user accounts from suspected domains that are causing the spam e-mail. In the example, "username" is configured as the name for a fake e-mail account used to discover senders (and their domain) when they try to send spam e-mail to this fake account.
Step 5
exit
Exits parameter-map profile configuration mode.
Step 6
class-maptypeinspectsmtpclass-map-name
Example:
Router(config)# class-map type inspect smtp c1
Creates a class map for the SMTP protocol and enters class-map configuration mode.
Step 7
matchrecipientaddressregexparameter-map-name
Example:
Router(config-cmap)# match recipient address regex known-unknown-users
Specifies the nonexistent e-mail recipient pattern in order to learn spam senders and their domain information by luring them to use this contrived e-mail recipient.
Step 8
exit
Exits class-map configuration mode.
Step 9
policy-maptypeinspectsmtppolicy-map-name
Example:
Router(config)# policy-map type inspect smtp p1
Creates a Layer 7 SMTP policy map and enters policy-map configuration mode.
Step 10
classtypeinspectsmtpclass-map-name
Example:
Router(config-pmap)# class type inspect smtp c1
Configures SMTP inspection parameters for this class map.
Step 11
log
Example:
Router(config-pmap)# log
Logs an action related to this class-type in the SMTP policy map.
Step 12
reset
Example:
Router(config-pmap)# reset
(Optional) Drops an SMTP connection with an SMTP sender (client) if it violates the specified policy. This action sends an error code to the sender and closes the connection gracefully.
Hiding Specified Private SMTP Commands on an SMTP Connection
Use this task to hide or "mask" commonly encountered SMTP verbs (SMTP commands) or specified private SMTP verbs used to provision an SMTP connection.
Specified verbs, such as the ATRN, ETRN, BDAT verbs may be considered vulnerable to exploitation if seen by a sender (client). The most commonly encountered SMTP verbs are listed along with the facility to specify a private verb as a string (using the WORD option).
Note
The BDAT verb (used as an alternative to DATA) is not used, so in its place, the CHUNKING keyword is masked in the EHLO response. However, if the sender (client) continues to send the BDAT command, it is masked.
Note
Using the mask command applies to certain match command filters like matchcmdverb. Validations are performed to make this check and the configuration is not be accepted in case of invalid combinations.
SUMMARY STEPS
1.enable
2.configureterminal
3.class-maptypeinspectsmtpclass-map-name
4.matchcmdverb {verb-name | WORD}
5.
exit
6.policy-maptypeinspectsmtppolicy-map-name
7.classtypeinspectsmtpclass-map-name
8.mask
DETAILED STEPS
Command or Action
Purpose
Step 1
enable
Example:
Router> enable
Enables privileged EXEC mode.
Enter your password if prompted.
Step 2
configureterminal
Example:
Router# configure terminal
Enters global configuration mode.
Step 3
class-maptypeinspectsmtpclass-map-name
Example:
Router(config)# class-map type inspect smtp c1
Creates a class map for the SMTP protocol and enters class-map configuration mode.
Step 4
matchcmdverb {verb-name | WORD}
Example:
Router(config-cmap)# match cmd verb ATRN
Specifies either the private verb name to "mask" that is used to provision an SMTP connection.
The verb-name argument is the name of an SNMP command verb.
The WORD argument is the name of a user-specified SMTP command verb, which is treated as an unknown verb and is masked regardless of whether the 'mask action is configured for the class or not.
Step 5
exit
Exits class-map configuration mode.
Step 6
policy-maptypeinspectsmtppolicy-map-name
Example:
Router(config)# policy-map type inspect smtp p1
Creates a Layer 7 SMTP policy map and enters policy-map configuration mode.
Step 7
classtypeinspectsmtpclass-map-name
Example:
Router(config-pmap)# class type inspect smtp c1
Configures SMTP inspection parameters for this class map.
Step 8
mask
Example:
Router(config-pmap)# mask
Explicitly masks the specified SMTP commands or the parameters returned by the server in response to an EHLO command.
Preventing a DoS Attack by Limiting the Length of the SMTP Header
A DoS attack (also called a buffer overflow attack) by a malicious sender (client) can cause the SMTP application firewall to lose time and memory while trying to reassemble the fake packets (large e-mail headers) associated with the e-mail. In an SMTP transaction, the header portion of an e-mail is considered part of the DATA area, which contains fields like Subject, From, To, Cc, Date, and proprietary information, which is used by a recipient's e-mail agent to process the e-mail. A DoS attack can be prevented by using the matchheaderlengthgt command to limit the length of the SMTP header that can be received. If a match is found, possible actions that can be specified within the policy are as follows: allow, reset, or log (the log action triggers a syslog message when a match is found).
SUMMARY STEPS
1.enable
2.configureterminal
3.class-maptypeinspectsmtpclass-map-name
4.matchheaderlengthgtbytes
5.
exit
6.policy-maptypeinspectsmtppolicy-map-name
7.classtypeinspectsmtpclass-map-name
8.reset
DETAILED STEPS
Command or Action
Purpose
Step 1
enable
Example:
Router> enable
Enables privileged EXEC mode.
Enter your password if prompted.
Step 2
configureterminal
Example:
Router# configure terminal
Enters global configuration mode.
Step 3
class-maptypeinspectsmtpclass-map-name
Example:
Router(config)# class-map type inspect smtp c1
Creates a class map for the SMTP protocol and enters class-map configuration mode.
Step 4
matchheaderlengthgtbytes
Example:
Router(config-cmap)# match header length gt 16000
Specifies a value from 1 to 65535 that limits the maximum length of the SMTP header in bytes to thwart DoS attacks.
Step 5
exit
Exits class-map configuration mode.
Step 6
policy-maptypeinspectsmtppolicy-map-name
Example:
Router(config)# policy-map type inspect smtp p1
Creates a Layer 7 SMTP policy map and enters policy-map configuration mode.
Step 7
classtypeinspectsmtpclass-map-name
Example:
Router(config-pmap)# class type inspect smtp c1
Configures SMTP inspection parameters for this class map.
Step 8
reset
Example:
Router(config-pmap)# reset
(Optional) Drops an SMTP connection with an SMTP sender (client) if it violates the specified policy. This action sends an error code to the sender and closes the connection gracefully.
Preventing a DoS Attack by Limiting the Length or TYPE of SMTP Command Line
The following task is used to limit the length of an SMTP command line to prevent a DoS attack, which occurs when a malicious sender (client) specifies large command lines in an e-mail to perform DoS attacks on SMTP servers.
Enters class-map configuration mode and creates a class map for the SMTP protocol.
The
class-map-name argument by itself specifies a single class-map.
The
match-all keyword and
class-map-name argument places logical and all matching statements under this class map.
The
match-any keyword and
class-map-name argument places logical or all matching statements under this class map.
Note
If no
matchcmdverb command statement is specified in aclass-maptypeinspectsmtpmatch-all command statement for a class-map, which contains the
matchcmdlinelengthgt command statement, then the class-map applies to all SMTP commands.
Specifies a value that limits the length of the ESMTP command line or ESMTP command line verb used to thwart DoS attacks.
The
length argument specifies the ESMTP command line greater than the length of a number of characters from 1 to 65535.
Step 5
exit
Exits class-map configuration mode.
Step 6
policy-maptypeinspectsmtppolicy-map-name
Example:
Router(config)# policy-map type inspect smtp p1
Creates a Layer 7 SMTP policy map and enters policy-map configuration mode.
Step 7
classtypeinspectsmtpclass-map-name
Example:
Router(config-pmap)# class type inspect smtp c1
Configures an SMTP class-map firewall for SMTP inspection parameters.
Step 8
reset
Example:
Router(config-pmap)# reset
(Optional) Drops an SMTP connection with an SMTP sender (client) if it violates the specified policy. This action sends an error code to the sender and closes the connection gracefully.
Examples
The following configuration has class-map c2 match when the length of the e-mail (MAIL) command exceeds 256 bytes.
When the
class-maptypeinspectsmtpmatch-all command statement is configured with the
matchcmdverb command statement, only the
matchcmdlinelengthgt command statement can coexist.
class-map type inspect smtp match-all c2
match cmd line length gt 256
match cmd verb MAIL
There are no match restrictions in case of a
class-maptypeinspectsmtpmatch-any command statement for a class map because the class-map applies to all SMTP commands.
Restricting Content File Types in the Body of the E-Mail
The
matchmimecontent-typeregex command is used to specify MIME content file types, which are restricted in attachments in the body of the e-mail being sent over SMTP. See the Example: MIME E-Mail Format section for more information.
Enter the parameter-map name of a specific traffic pattern. Once the parameter-map name is specified, parameter-map profile configuration mode is entered.
Step 4
patterntraffic-pattern
Example:
Router(config-profile)# pattern "*image//*"
Specifies a Cisco IOS regular expression (regex) pattern that matches the traffic pattern for the e-mail sender or user accounts from suspected domains that are causing the spam e-mail.
Enters class-map configuration mode and creates a class map for the SMTP protocol.
The
class-map-name argument by itself specifies a single class-map.
The
match-all keyword and
class-map-name argument places logical and all matching statements under this class map.
The
match-any keyword and
class-map-name argument places logical or all matching statements under this class map.
Step 7
matchmimecontent-typeregexcontent-type-regex
Example:
Router(config-cmap)# match mime content-type regex jpeg
Specifies the MIME content file type, which are restricted in attachments in the body of the e-mail being sent over SMTP.
The
content-type-regex argument is the type of content in the MIME header in regular expression form.
This example lets the user specify any form of JPEG image content to be restricted.
Note
The actual content of the MIME part is not checked to see if it matches with the declared content-type in the MIME header.
Step 8
exit
Exits class-map configuration mode.
Step 9
policy-maptypeinspectsmtppolicy-map-name
Example:
Router(config)# policy-map type inspect smtp p1
Creates a Layer 7 SMTP policy map and enters policy-map configuration mode.
Step 10
classtypeinspectsmtpclass-map-name
Example:
Router(config-pmap)# class type inspect smtp c1
Configures an SMTP class-map firewall for SMTP inspection parameters.
Step 11
log
Example:
Router(config-pmap)# log
Logs an action related to this class-type in the SMTP policy map.
Restricting Unknown Content Encoding Types from Being Transmitted
Unknown MIME content-encoding types or values can be restricted from being transmitted over SMTP by using one of the following parameters with the matchmimeencodingcommand.
These preconfigured content-transfer-encoding types act as a filter on the content-transfer-encoding field in the MIME header within the SMTP body. The uuencode encoding type is not recognized as a standard type by the MIME RFCs because many subtle differences exist in its various implementations. However, since it is used by some mail systems, the x-uuencode type is included in the preconfigured list.
Enters class-map configuration mode and creates a class map for the SMTP protocol.
The class-map-name argument by itself specifies a single class-map.
The match-all keyword and class-map-name argument places logical and all matching statements under this class map.
The match-any keyword and class-map-name argument places logical or all matching statements under this class map.
Step 4
matchmimeencoding {unknown | WORD | encoding-type}
Example:
Router (config-cmap)# match mime encoding quoted-printable
Restricts unknown MIME content-encoding types or values.
The unknown keyword is used if content-transfer-encoding value in the e-mail does not match any of the ones in the list to restrict unknown and potentially dangerous encodings.
The WORD argument is a user-defined content-transfer encoding type, which must begin with "X-" (for example, "X-myencoding-scheme").
The encoding-type argument specifies one of the following preconfigured content-transfer-encoding types:
7-bit-ASCII characters
8-bit-Facilitates the exchange of e-mail messages containing octets outside the 7-bit ASCII range.
base64-Any similar encoding scheme that encodes binary data by treating it numerically and translating it into a base 64 representation.
quoted-printable-Encoding using printable characters (that is alphanumeric and the equals sign "=") to transmit 8-bit data over a 7-bit data path. It is defined as a MIME content transfer encoding for use in Internet e-mail.
binary-Representation for numbers using only two digits (usually, 0 and 1).
x-uuencode-Nonstandard encoding.
Note
The quoted-printable and base64 encoding types tell the e-mail client that a binary-to-text encoding scheme was used and that appropriate initial decoding is necessary before the message can be read with its original encoding.
Step 5
exit
Exits class-map configuration mode.
Step 6
policy-maptypeinspectsmtppolicy-map-name
Example:
Router(config)# policy-map type inspect smtp p1
Creates a Layer 7 SMTP policy map and enters policy-map configuration mode.
Step 7
classtypeinspectsmtpclass-map-name
Example:
Router(config-pmap)# class type inspect smtp c1
Configures an SMTP class-map firewall for SMTP inspection parameters.
Step 8
log
Example:
Router(config-pmap)# log
Logs an action related to this class-type in the SMTP policy map.
Specifying a Text String to Be Matched and Restricted in the Body of an E-Mail
The matchbodyregex command can be used to specify an arbitrary text expression to restrict specified content-types and content encoding types for text and HTML in the body of the e-mail. The text or HTML pattern is scanned only if the encoding is 7-bit or 8-bit and the encoding is checked before attempting to match the pattern. If the pattern is of another encoding type (for example, base64, zip files, and so on), then the pattern cannot be scanned.
Note
Using this command can impact performance because the complete SMTP connection has to be scanned.
Enter the parameter-map name of a specific traffic pattern. Once the parameter-map name is specified, parameter-map profile configuration mode is entered.
Step 4
patterntraffic-pattern
Example:
Router(config-profile)# pattern "*UD-421590*"
Specifies a Cisco IOS regular expression (regex) pattern that matches the traffic pattern for the e-mail sender or user accounts from suspected domains that are causing the spam e-mail.
Enters class-map configuration mode and creates a class map for the SMTP protocol.
The class-map-name argument by itself specifies a single class-map.
The match-all keyword and class-map-name argument places logical and all matching statements under this class map.
The match-any keyword and class-map-name argument places logical or all matching statements under this class map.
Step 7
matchbodyregexparameter-map-name
Example:
Router(config-cmap)# match body regex doc-data
Specifies an arbitrary text expression to restrict specified content-types and content encoding types for text and HTML in the "body" of the e-mail.
Step 8
exit
Exits class-map configuration mode.
Step 9
policy-maptypeinspectsmtppolicy-map-name
Example:
Router(config)# policy-map type inspect smtp p1
Creates a Layer 7 SMTP policy map and enters policy-map configuration mode.
Step 10
classtypeinspectsmtpclass-map-name
Example:
Router(config-pmap)# class type inspect smtp c1
Configures an SMTP class-map firewall for SMTP inspection parameters.
Step 11
log
Example:
Router(config-pmap)# log
Logs an action related to this class-type in the SMTP policy map.
Configuring the Monitoring of Text Patterns in an SMTP E-Mail Subject Field
The matchheaderregex command can be used specify an arbitrary text expression in the SMTP e-mail message header (Subject field) or e-mail body such as Subject, Received, To, or other private header fields to monitor text patterns.
Router(config)# parameter-map type regex lottery-spam
Enter the parameter-map name of a specific traffic pattern. Once the parameter-map name is specified, parameter-map profile configuration mode is entered.
Specifies a Cisco IOS regular expression (regex) pattern that matches the traffic pattern for the e-mail sender or user accounts from suspected domains that are causing the spam e-mail.
Enters class-map configuration mode and creates a class map for the SMTP protocol.
The class-map-name argument by itself specifies a single class-map.
The match-all keyword and class-map-name argument places logical and all matching statements under this class map.
The match-any keyword and class-map-name argument places logical or all matching statements under this class map.
Step 7
matchheaderregexparameter-map-name
Example:
Router(config-cmap)# match header regex lottery-spam
Specifies an arbitrary text expression in the SMTP e-mail message header to monitor text patterns.
Step 8
exit
Exits class-map configuration mode.
Step 9
policy-maptypeinspectsmtppolicy-map-name
Example:
Router(config)# policy-map type inspect smtp p1
Creates a Layer 7 SMTP policy map and enters policy-map configuration mode.
Step 10
classtypeinspectsmtpclass-map-name
Example:
Router(config-pmap)# class type inspect smtp c1
Configures an SMTP class-map firewall for SMTP inspection parameters.
Step 11
reset
Example:
Router(config-pmap)# reset
(Optional) Drops an SMTP connection with an SMTP sender (client) if it violates the specified policy. This action sends an error code to the sender and closes the connection gracefully.
Configuring a Parameter to Be Identified and Masked in the EHLO Server Reply
The matchreplyehlo command is used to identify and mask a service extension parameter in the EHLO server reply (for example, 8BITMIME and ETRN) to prevent a sender (client) from using that particular service extension.
Enters class-map configuration mode and creates a class map for the SMTP protocol.
The class-map-name argument by itself specifies a single class-map.
The match-all keyword and class-map-name argument places logical and all matching statements under this class map.
The match-any keyword and class-map-name argument places logical or all matching statements under this class map.
Step 4
matchreplyehlo {parameter | WORD}
Example:
Router(config-cmap)# match reply ehlo ETRN
Identifies and masks a service extension parameter in the EHLO server reply.
The parameter argument specifies a parameter from the well-known EHLO keywords.
The WORD argument specifies an extension which is not on the EHLO list.
Step 5
exit
Exits class-map configuration mode.
Step 6
policy-maptypeinspectsmtppolicy-map-name
Example:
Router(config)# policy-map type inspect smtp p1
Creates a Layer 7 SMTP policy map and enters policy-map configuration mode.
Step 7
classtypeinspectsmtpclass-map-name
Example:
Router(config-pmap)# class type inspect smtp c1
Configures an SMTP class-map firewall for SMTP inspection parameters.
Step 8
log
Example:
Router(config-pmap)# log
Logs an action related to this class-type in the SMTP policy map.
Step 9
mask
Example:
Router(config-pmap)# mask
Explicitly masks the specified SMTP commands or the parameters returned by the server in response to an EHLO command.
Configuring a Logging Action for a Class Type in an SMTP Policy-Map
A logging action can be configured for a class type in an SMTP policy-map when conditions specified by the traffic class are met. The logging action results in a LOG_WARNING syslog message followed by the specific log message. The log message format is similar to other application firewall modules (for example, HTTP, IM, Peer-to-Peer (P2P)); session initiator/responder information, and zone-pair and class names.
Note
The log action currently exists for other types of policy-maps (http, pop3).
The following example shows a configuration without any Layer 7 SMTP policy that creates a pinhole only for the SMTP port. Any command sent to the server, including the EHLO command is accepted.
class-map type inspect smtp c1
match protocol smtp
policy-map type inspect smtp c1
class type inspect smtp c1
inspect
Note
No SMTP policy is configured by default. If an SMTP policy is not configured, then no SMTP inspection is done by default.
Example Preventing ESMTP Inspection
If a user decides to create a workable policy that is configured for SMTP inspection only, then it now needs to be explicitly specified in the policy.
The following example can be used to prevent ESMTP inspection:
class-map type inspect smtp c1
match cmd verb EHLO
policy-map type inspect smtp c1
class type inspect smtp c1
mask
Example MIME E-Mail Format
The format of data being transmitted through SMTP is specified by using the MIME standard, which uses headers to specify the content-type, encoding, and the filenames of data being sent (text, html, images, applications, documents and so on). The following is an example of an e-mail using the MIME format:
In the above example, the "name='picture.jpg'" is optional. Even without the definition, the image is sent to the recipient. The e-mail client of the recipient may display the image as "part-1" or "attach-1" or it may render the image in-line. Also, attachments are not 'stripped' from the e-mail. If a content-type for which reset action was configured is detected, an 5XX error code is sent and the connection is closed, in order to prevent the whole e-mail from being delivered. However, the remainder of the e-mail message is sent.
RFC 1869 and other SMTP RFC extensions apart from RFC 821.
SMTP Service Extensions
Technical Assistance
Description
Link
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.
Feature Information for Application Inspection and Control for SMTP
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to
www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1
Feature Information for Application Inspection and Control for SMTP
Feature Name
Releases
Feature Information
Application Inspection and Control for SMTP
12.4(20)T
The Application Inspection and Control for SMTP feature provides an intense provisioning mechanism that can be configured to inspect packets on a granular level so that malicious network activity, related to the transfer of e-mail at the application level, can be identified and controlled. This feature qualifies the Cisco IOS firewall extended SMTP (ESMTP) module as an "SMTP application firewall," which protects in a similar way to that of an HTTP application firewall.
The following commands were introduced or modified by this feature:
log(policy-mapandclass-map),mask(policy-map),
matchbodyregex,
matchcmd,
matchheaderlengthgt,
matchheaderregex,
matchmimecontent-typeregex,
matchmimeencoding,
matchsenderaddressregex,
matchrecipientaddressregex,
matchrecipientcountgt,
matchrecipientinvalidcountgt,
matchreplyehlo,
reset(policy-map).
Glossary
C3PL--Cisco Common Classification Policy Language. Structured, feature-specific configuration commands that use policy maps and class maps to create traffic policies based on events, conditions, and actions.
EHLO--Extended HELO substitute command for starting the capability negotiation. This command identifies the sender (client) connecting to the remote SMTP server by using the ESMTP protocol.
ESMTP--Extended Simple Mail Transfer Protocol. Extended version of the Simple Mail Transfer Protocol (SMTP), which includes additional functionality, such as delivery notification and session delivery. ESMTP is described in RFC 1869, SMTP Service Extensions.
HELO--Command that starts the SMTP capability negotiation. This command identifies the sender (client) connecting to the remote SMTP server by its fully qualified DNS hostname.
MAILFROM --Start of an e-mail message that identifies the sender e-mail address (and name, if used), which appears in the From: field of the message.
MIME--Multipurpose Internet Mail Extension. Standard for transmitting nontext data (or data that cannot be represented in plain ASCII code) in e-mail, such as binary, foreign language text (such as Russian or Chinese), audio, or video data. MIME is defined in RFC 2045.
RCPTTO--Recipient e-mail address (and name, if used) that can be repeated multiple times for a likely message to deliver a single message to multiple recipients.
SMTP--Simple Mail Transfer Protocol. Internet protocol providing e-mail services.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL:
www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.