SMTP inspection with policy-map in ASA


This is the first time I was disappointed by the cisco.com . I had a simple task at hand – configure SMTP inspection in ASA 8.0(3) and cisco.com documentation didn’t help me at all. But first the task:Secure internal mail server by preventing it from sending spam outbound. It comes to mind two very simple but largely effective measures – block mails with From: field set to any domain but ours, and block attempts to relay Through the internal mail server mails destined to any domain but ours. In Checkpoint I can do it quite simply with SMTP Resource. Unfortunately in ASA it is not the case. Let’s look at final SMTP inspection I configured in ASA. Input :

Internal server having outside IP address of 199.202.2.3 serves two domains apple.com and microsoft.com Task:
- block mails with From: field set to any domain but apple.com or microsoft.com
- block mail relying for any domain but microsoft.com or apple.com

NOTE. Here I did this config on the production ASA so had no room for experimenting with all “what ifs” Identify mails direction from inside server outbound. I did it as didn’t find reliable info about sender-address match condition – does it match in any direction if applied globally on all traffic ? I mean , if it just looks at Mail from: field and acts on mails in both directions then it would block mails coming in from any domain but client’s own.

To prevent even checking this on client I did this ACL that will apply this SMTP inspection to outgoing mails anyway.

BigInJapan(config)#access-list Mail-server permit tcp host 199.202.2.3 any eq 25

To block mails with From filed other than client’s domains I use regex that matches client’s domains and the use negation with NOT.

BigInJapan(config)# regex PermittedSenders "@microsoft.com|@apple.com "

Create policy-map where all the tweaked parameters are set (as of ASA 8.2 there is still no class-map type inspect esmtp) .

BigInJapan (config)# policy-map type inspect esmtp NoSpamOutside

Match all mails that Mail from field is anything but *@microsoft.com or *@apple.com. Action is reset and log. It is more secure I guess to drop instead of reset as in drop malware would have to wait until some timeout, but I didn’t care here anyway.

BigInJapan(config-pmap)# match not sender-address regex PermittedSenders  
BigInJapan(config-pmap-c)# reset log  
BigInJapan(config-pmap-c)# exit

Various parameters. Here you set internal domain the mail server is serving, so trying to deliver mails to any other domain would be seen as illegal relaying and dropped. But also I was surprised to know here that policy-map mail-relay parameter can be used only once, leaving you without this protection if you have multiple domains served from the same server. So below is theoretical configuration if my client had just one domain on his server.

BigInJapan(config-pmap)# parameters
BigInJapan(config-pmap-p)# mail-relay apple.com action drop-connection log  
BigInJapan(config-pmap-p)# exit  
BigInJapan(config-pmap)# exit

Now create general policy-map to tie it all together.

BigInJapan(config)# policy-map NoSpamFromUs  
BigInJapan(config-pmap)# class Mail-server  
BigInJapan(config-pmap-c)# inspect esmtp NoSpamOutside  
BigInJapan(config-pmap-c)# exit  
BigInJapan(config-pmap)# exit

And apply it on some interface.

Important: according to Hucaby’s ASA handbook application protocol inspection is applied AFTER the NAT rules are done, so you need to use in your class-map/ACL IPs that are after the translation. Internal IP of the mail server is 192.168.3.3 that is statically NATed to 199.202.2.3, so I used 199.202.2.3 in class-map’s ACL.

On which interface to apply the policy-map I guess doesn’t matter but to be sure I did it on the outside.

BigInJapan(config)# service-policy NoSpamFromUs interface outside 

Link to Inspection page in ASA 8.
Applying Application Layer Protocol Inspection

Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ not to miss what I publish on Linkedin, Github, blog, and more.