  • Cisco ASA 5520 blocks SMTP when using TLS

    Hi,

    We have a Cisco ASA 5520 in our setup and in the dmz we have a postfix server, where we have applied a certificate and configured postfix to use that certificate.

    When connecting from outlook 2007 using TLS from the inside and to the postfix server in the dmz it works, but when connecting from the outside to the postfix server it does not work.

    When going from outside to the postfix traffic is passing through the asa 5520, but when going from the inside to the postfix server traffic is passing through a PIX501.

    The ASA is running:
    Cisco Adaptive Security Appliance Software Version 7.0(7)
    Device Manager Version 5.0(7)

    This is our inspection policy:

    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map global_policy
    class inspection_default
    inspect dns maximum-length 512
    inspect ftp
    inspect rsh
    inspect sqlnet
    inspect xdmcp
    inspect netbios
    inspect tftp
    policy-map policy_global
    policy-map type
    !
    service-policy global_policy global
    smtp-server <ip1> <ip2>
    Cryptochecksum xxxxxxxxxxxxxxxxxxxxxxxxxxxxx


    We have also allowed traffic on port 25 and that works for non-TLS traffic.


    We really need TLS to be allowed through the ASA.

    Can somebody help with an answer?

    Thanks.

  • #2
    Re: Cisco ASA 5520 blocks SMTP when using TLS

    Have a read here: http://www.cisco.com/en/US/products/...806745b8.shtml
    CCNA, Network+



    • #3
      Re: Cisco ASA 5520 blocks SMTP when using TLS

      Hi,

      Thanks for your reply.

      I have seen that document and tried what it says.

      I have tried both with and without inspection of esmtp. Neither works.

      Attached is my config.



      • #4
        Re: Cisco ASA 5520 blocks SMTP when using TLS

        Originally posted by Nikolaj7
        Hi,

        Thanks for your reply.

        I have seen that document and tried what it says.

        I have tried both with and without inspection of esmtp. Neither works.

        Attached is my config.

        When you disabled the esmtp inspection policy, did you do a clear conn?



        • #5
          Re: Cisco ASA 5520 blocks SMTP when using TLS

          Hi,

          No I did not, but I just tried with no result.

          BTW this is what I get from outlook when trying sending a test mail by using TLS:

          Send test e-mail message: Your server does not support the connection encryption type you have specified. Try changing the encryption method. Contact your mail server administrator or Internet service provider (ISP) for additional assistance.



          • #6
            Re: Cisco ASA 5520 blocks SMTP when using TLS

            Originally posted by Nikolaj7
            Hi,

            No I did not, but I just tried with no result.

            BTW this is what I get from outlook when trying sending a test mail by using TLS:

            Send test e-mail message: Your server does not support the connection encryption type you have specified. Try changing the encryption method. Contact your mail server administrator or Internet service provider (ISP) for additional assistance.

            I was looking at your config again and realized that you are running version 7.0(7). Version 7.2(3) and above support esmtp over tls.



            • #7
              Re: Cisco ASA 5520 blocks SMTP when using TLS

              Hi,

              thanks for the reply.

              I just upgraded the ASA to version 8.0(4) for the same reason, but unfortunately it still does not work.

              Thanks for your attention to this important detail. Well spotted.



              • #8
                Re: Cisco ASA 5520 blocks SMTP when using TLS

                In post #3 you will find my current running config



                • #9
                  Re: Cisco ASA 5520 blocks SMTP when using TLS

                  In your policy map to inspect esmtp traffic, do you have the allow-tls parameter configured?

                  For example:

                  policy-map type inspect esmtp esmtp_map
                  parameters
                  allow-tls

                  If you are still having issues I would open a tac case and see what they say.



                  • #10
                    Re: Cisco ASA 5520 blocks SMTP when using TLS

                    You won't believe it. But the error was not in the ASA, it was in my Cisco 1811 which is in my office and through which I connect to the internet from the office.

                    The C1811 also had an inspection policy enabled for esmtp, and it was that policy that stripped out the TLS from the smtp traffic.

                    When I disabled the esmtp inspection in my C1811 it worked.

                    Thank you VERY MUCH.

                    It is very good to have somebody like you to try out different things.

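The symptom in this thread, an inline esmtp inspector (ASA without allow-tls, or the IOS inspect on the Cisco 1811) hiding the STARTTLS capability from the client, can be confirmed from both sides of the firewall before touching any config. The following is an added example, not code from the thread or from Cisco: it parses an EHLO reply, lists the advertised extensions, and compares what a client sees on two paths to the same server. The two EHLO replies are constructed; the "XXXXXXXX" masking form is an assumption about how an inspector hides the keyword, not something the thread shows.

```python
"""Added example: check whether STARTTLS survives the path to a mail server."""
import re
import smtplib
from typing import List

# Constructed EHLO reply as a Postfix server would send it on a path with
# no inspection (inside -> DMZ in the thread).
CLEAN_EHLO = (
    "250-mail.example.test\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 10240000\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)

# Constructed reply as seen through an inspector that masks STARTTLS
# (the masking form is assumed, not taken from the thread).
MASKED_EHLO = (
    "250-mail.example.test\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 10240000\r\n"
    "250-XXXXXXXX\r\n"
    "250 8BITMIME\r\n"
)

EHLO_LINE = re.compile(r"^250([ -])(.*)$")


def parse_ehlo(reply: str) -> List[str]:
    """Return the extension keywords from a multi-line 250 EHLO reply.

    RFC 5321 section 4.1.1.1: the first line carries the server's domain and
    greeting, each following line one extension; "250-" continues, "250 " ends.
    """
    keywords: List[str] = []
    for index, line in enumerate(reply.splitlines()):
        match = EHLO_LINE.match(line)
        if match is None:
            raise ValueError(f"not a 250 EHLO line: {line!r}")
        separator, text = match.groups()
        if index > 0:
            # The keyword is the first token; parameters (e.g. SIZE 10240000) follow.
            keywords.append(text.split()[0].upper() if text.strip() else "")
        if separator == " ":
            break  # final line of the reply
    else:
        raise ValueError("EHLO reply has no terminating '250 ' line")
    return keywords


def starttls_advertised(reply: str) -> bool:
    """True if the server (as seen on this path) offers STARTTLS."""
    return "STARTTLS" in parse_ehlo(reply)


def diagnose(inside_reply: str, outside_reply: str) -> str:
    """Compare EHLO replies captured on two paths to the same server.

    Returns a verdict string: "stripped" points at a device on the outside
    path, "server" at the mail server itself, "ok" at neither.
    """
    inside = starttls_advertised(inside_reply)
    outside = starttls_advertised(outside_reply)
    if inside and not outside:
        return "stripped: STARTTLS offered on the direct path but missing on the outside path"
    if not inside:
        return "server: STARTTLS is not offered even on the direct path; check the postfix TLS setup"
    return "ok: STARTTLS offered on both paths"


def live_starttls_check(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Live version of the same check against a real server (not exercised offline).

    smtplib.SMTP.ehlo() records the advertised extensions and has_extn() looks
    one up. Run this once from each side of the firewall and compare the results.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        conn.ehlo()
        return conn.has_extn("starttls")


if __name__ == "__main__":
    print(parse_ehlo(CLEAN_EHLO))
    print(diagnose(CLEAN_EHLO, MASKED_EHLO))
```

If the direct path shows STARTTLS and the outside path does not, the extension is being removed in transit, which is exactly what post #10 found on the 1811; if it is missing on both, the problem is the server's own TLS configuration rather than any firewall.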


                    • #11
                      Re: Cisco ASA 5520 blocks SMTP when using TLS

                      Nice catch!!! I am glad I could be of some service. Plus I like trying to help others troubleshoot weird anomalies. It helps us all learn something new when an issue gets resolved.
