An SMTP or ESMTP server responds to client requests with numeric reply codes and
optional human-readable strings. SMTP application inspection controls and reduces the
commands that the client can use, as well as the messages the server returns. SMTP inspection
performs three primary tasks:
■ It restricts SMTP requests to the seven basic commands (HELO, MAIL, RCPT, DATA,
RSET, NOOP, and QUIT) and to eight extended SMTP commands (AUTH, DATA, EHLO,
ETRN, SAML, SEND, SOML, and VRFY).
■ It monitors the SMTP command-response sequence.
■ It generates an audit trail: audit record 108002 is logged when an invalid character
embedded in a mail address is replaced. For more information, see RFC 821.
NOTE A pointer record is also called a reverse record. A PTR record associates an IP
address with a canonical name.
NOTE If the Security Appliance is protecting hosts that connect to Microsoft Windows
2003 DNS servers, the following inspect dns command must be used:
inspect dns maximum-length 1280
Windows 2003 DNS servers use EDNS (extension mechanisms for DNS, RFC 2671), which
permits DNS messages larger than the 512-byte maximum that DNS inspection enforces by
default. The inspect dns maximum-length 1280 command overrides that limit.
By default, the Cisco Security Appliance inspects port 25 connections for SMTP and ESMTP
traffic. ESMTP inspection monitors the command-response sequence for the following
anomalous signatures:
■ Truncated commands.
■ Incorrect command termination (commands not terminated with <CR><LF>).
■ Disallowed characters. The MAIL and RCPT commands specify the sender and recipient
of the mail. Mail addresses are scanned for invalid characters. The pipe character (|) is
deleted (changed to a blank space), and < and > are allowed only if they are used to define
a mail address (> must be preceded by <).
■ An unexpected transition by the SMTP server.
■ Unknown commands, for which the Security Appliance changes all the characters in the
packet to X. The server then returns an error code to the client. Because the packet
contents change, the TCP checksum has to be recalculated or adjusted.
The inspect smtp command enables the mail inspection feature. It restricts mail servers to
receiving only the seven commands defined in RFC 821 section 4.5.1 (HELO, MAIL, RCPT,
DATA, RSET, NOOP, and QUIT). Support for eight extended SMTP commands (AUTH, DATA,
EHLO, ETRN, SAML, SEND, SOML, and VRFY) can additionally be enabled through ESMTP
inspection. All other commands are rejected.
The strict implementation of RFC 821 section 4.5.1 sometimes causes problems for mail
servers that do not adhere to the standard. For example, Microsoft Exchange Server does not
strictly comply with RFC 821 section 4.5.1 and uses extended SMTP commands such as
EHLO. With only basic SMTP inspection in place, the Security Appliance converts any such
command into a NOOP, which, as the RFC specifies, forces the SMTP peers to fall back to the
minimal SMTP command set. This can cause Microsoft Outlook clients and Exchange servers to
behave unpredictably when their connection passes through the Security Appliance.
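The following Python model is an added example, not Cisco code, that applies the rules described above (the seven basic and eight extended commands, the X rewrite of unknown or truncated commands, the address-character checks on MAIL and RCPT, the <CR><LF> termination check, and a simplified command-sequence check) to a constructed client command stream. The stream, the Inspector and scan_address names and the sequence model are assumptions made for illustration; the model applies the X rewrite from the list above to any command outside the enabled set, which is what happens to EHLO when only the seven basic commands are allowed.

```python
"""Model of the SMTP/ESMTP inspection rules described above.

Constructed illustration, not Cisco code: it applies the command whitelist,
the MAIL/RCPT address-character rules, the <CR><LF> termination check and a
simplified command-sequence check to one client command stream.
"""
from __future__ import annotations

# RFC 821 section 4.5.1 minimum command set and the eight ESMTP additions
BASIC_CMDS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
EXTENDED_CMDS = {"AUTH", "DATA", "EHLO", "ETRN", "SAML", "SEND", "SOML", "VRFY"}

# Simplified sequence model (an assumption of this example): which verbs a
# client may send in each state, and the state each accepted verb leads to.
_ALLOWED_IN_STATE = {
    "start": {"HELO", "EHLO", "NOOP", "RSET", "QUIT"},
    "ready": {"HELO", "EHLO", "MAIL", "SEND", "SAML", "SOML", "AUTH", "VRFY",
              "ETRN", "NOOP", "RSET", "QUIT"},
    "mail": {"RCPT", "NOOP", "RSET", "QUIT"},
    "rcpt": {"RCPT", "DATA", "NOOP", "RSET", "QUIT"},
}
_NEXT_STATE = {"HELO": "ready", "EHLO": "ready", "MAIL": "mail", "SEND": "mail",
               "SAML": "mail", "SOML": "mail", "RCPT": "rcpt", "DATA": "ready",
               "RSET": "ready"}


def scan_address(arg: bytes) -> tuple[bytes, list[str]]:
    """Apply the MAIL/RCPT address rules: '|' becomes a space (audit record
    108002) and '>' is legal only when a '<' preceded it."""
    out, findings, open_bracket = bytearray(), [], False
    for ch in arg:
        if ch == ord("|"):
            findings.append("108002: invalid character '|' replaced with a space")
            ch = ord(" ")
        elif ch == ord("<"):
            open_bracket = True
        elif ch == ord(">"):
            if not open_bracket:
                findings.append("'>' not preceded by '<' in mail address")
            open_bracket = False
        out.append(ch)
    return bytes(out), findings


class Inspector:
    """State for one client connection, so the command sequence can be checked."""

    def __init__(self, esmtp: bool = True) -> None:
        self.allowed = BASIC_CMDS | (EXTENDED_CMDS if esmtp else set())
        self.state = "start"

    def inspect(self, line: bytes) -> tuple[bytes, list[str]]:
        """Return (line as forwarded to the server, findings).  Every rewrite
        keeps the byte count unchanged, so only the TCP checksum needs
        recomputing."""
        findings: list[str] = []
        body = line.rstrip(b"\r\n")
        term = line[len(body):]
        if term != b"\r\n":
            findings.append("incorrect termination: not <CR><LF>")
        verb, sep, arg = body.partition(b" ")
        name = verb.upper().decode("ascii", "replace")
        if name not in self.allowed:
            # Unknown (or cut-off) command: blank the command with X so the
            # server answers with an error; the length is unchanged.
            kind = "truncated" if len(name) < 4 else "unknown"
            findings.append(f"{kind} command {name!r}: rewritten to X")
            return b"X" * len(body) + term, findings
        if name not in _ALLOWED_IN_STATE[self.state]:
            findings.append(f"unexpected {name} in state {self.state}")
        if name in ("MAIL", "RCPT"):
            arg, addr_findings = scan_address(arg)
            findings.extend(addr_findings)
        self.state = _NEXT_STATE.get(name, self.state)
        return verb + sep + arg + term, findings


def inspect_stream(lines: list[bytes], esmtp: bool = True) -> list[tuple[bytes, list[str]]]:
    """Run one connection's client commands through a fresh Inspector."""
    inspector = Inspector(esmtp)
    return [inspector.inspect(line) for line in lines]


# Constructed client command stream (not a real capture)
SAMPLE = [
    b"EHLO mail.example.net\r\n",
    b"MAIL FROM:<alice@example.net>\r\n",
    b"RCPT TO:<bob@example.com|cat /etc/passwd>\r\n",   # pipe in address
    b"RCPT TO:carol@example.com>\r\n",                  # '>' without '<'
    b"EXPN staff\r\n",                                  # command outside the set
    b"DATA\n",                                          # missing <CR>
]

if __name__ == "__main__":
    for original, (forwarded, findings) in zip(SAMPLE, inspect_stream(SAMPLE)):
        print(original, b"->", forwarded, findings or "ok")
    # Under basic SMTP inspection only, EHLO is outside the set and is blanked
    print(Inspector(esmtp=False).inspect(b"EHLO mail.example.net\r\n"))
```

Both substitutions the page describes (X for an unknown command, a space for a pipe) keep the line the same length, and the model preserves that: only the TCP checksum changes, so the sequence numbers already exchanged by client and server stay valid. The sequence table is deliberately coarse (it does not track the 354 reply or the end of the DATA phase), which is enough to flag a RCPT or DATA that arrives before MAIL.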
Mail inspection, however, is not a magic bullet for all mail server-related attacks. It
protects your mail server only from the known attack patterns it is built to recognize.