Cisco ASA rewriting SMTP traffic to prevent mail sending

Solution 1:

When we first set our 5510 up, we had a similar problem and I figured out it was easiest just to disable SMTP packet inspection entirely.

Take a look at what you have for:

yourfirewall# show running-config policy-map

If there's anything about esmtp in there, you can disable it with:

yourfirewall# configure terminal
yourfirewall(config)# policy-map global_policy
yourfirewall(config-pmap)# class inspection_default
yourfirewall(config-pmap-c)# no inspect esmtp

I believe you can do the same in ASDM, by looking in Firewall -> Objects -> Inspect Maps -> ESMTP

Solution 2:

I'm wondering if you could also fix this issue without globally disabling ESMTP inspection. When configuring your own inspection map, there is a parameter called "no mask-banner"; this will prevent the ASA from rewriting the banner with ****

  ! the inspect map name must match the one referenced under the class below
  policy-map type inspect esmtp new_esmtp_inspect_map
    parameters
      no mask-banner

  policy-map global-policy
    class class-default
      inspect esmtp new_esmtp_inspect_map
  service-policy global-policy global

The advantage over deactivating it is that you are still able to inspect other criteria like:

    match sender-address length ..
    match mime filename length ..
    match cmd line length ..
    match cmd rcpt count ..
    match body line length ..

Solution 3:

The ASA 5506X not only masks the SMTP banner by default, but also scrambles EHLO replies, as shown below, where XXXX are ASA inventions. Those who implemented this "feature" must have a fancy idea about security.

Anyway. I had no clue that the default filtering was on for ESMTP, as the graphical interface shows no rule and the lowest security.

ehlo example.com
250-email.example.net Hello [hidden IP] 
250-SIZE 
250-PIPELINING 
250-DSN 
250-ENHANCEDSTATUSCODES 
250-XXXXXXXA 
250-AUTH 
250-8BITMIME 
250-BINARYMIME
250 XXXXXXXB
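Whichever of the three approaches above you apply, it helps to have a quick way to tell whether a server's greeting and EHLO reply are reaching the client unmodified. The script below is an added example, not code from any of the answers. It parses an SMTP reply sequence and flags the two symptoms described on this page: a 220 banner replaced by asterisks (the mask-banner behaviour) and EHLO keywords rewritten to runs of X as in the capture in solution 3. The sample sessions are constructed for the example, and the "run of X" rule is a heuristic assumed from that capture, not documented ASA behaviour.

```python
import re
from typing import Dict, List

# Constructed sample data (not captured from a real host). The first session
# mimics what a client sees through an ASA with "inspect esmtp" at defaults;
# the second is what an unmodified server would send.
MASKED_SESSION = [
    "220 ****************************************",
    "250-email.example.net Hello [203.0.113.10]",
    "250-SIZE 52428800",
    "250-PIPELINING",
    "250-DSN",
    "250-ENHANCEDSTATUSCODES",
    "250-XXXXXXXA",
    "250-AUTH LOGIN PLAIN",
    "250-8BITMIME",
    "250-BINARYMIME",
    "250 XXXXXXXB",
]

CLEAN_SESSION = [
    "220 email.example.net ESMTP ready",
    "250-email.example.net Hello [203.0.113.10]",
    "250-SIZE 52428800",
    "250-PIPELINING",
    "250-STARTTLS",
    "250-AUTH LOGIN PLAIN",
    "250 8BITMIME",
]

# RFC 5321 reply lines: "CODE-TEXT" when more lines follow, "CODE TEXT" for the last.
REPLY_RE = re.compile(r"^(?P<code>\d{3})(?P<sep>[ -])(?P<text>.*)$")

# Heuristic assumed from the capture on this page: a keyword that is a run of
# four or more X optionally followed by one letter or digit.
SCRAMBLED_RE = re.compile(r"^X{4,}[A-Z0-9]?$")


def parse_replies(lines: List[str]) -> List[Dict[str, str]]:
    """Split raw reply lines into code / separator / text."""
    parsed = []
    for line in lines:
        m = REPLY_RE.match(line.rstrip("\r\n"))
        if not m:
            raise ValueError(f"not an SMTP reply line: {line!r}")
        parsed.append(m.groupdict())
    return parsed


def banner_is_masked(replies: List[Dict[str, str]]) -> bool:
    """True when the 220 greeting text consists only of asterisks."""
    for r in replies:
        if r["code"] == "220":
            text = r["text"].strip()
            return bool(text) and set(text) == {"*"}
    return False


def scrambled_ehlo_keywords(replies: List[Dict[str, str]]) -> List[str]:
    """Return EHLO keywords that look rewritten to runs of X."""
    ehlo_lines = [r for r in replies if r["code"] == "250"]
    # The first 250 line is the greeting ("hostname Hello ..."), not a keyword.
    found = []
    for r in ehlo_lines[1:]:
        keyword = r["text"].split()[0] if r["text"].split() else ""
        if SCRAMBLED_RE.match(keyword):
            found.append(keyword)
    return found


def check_session(lines: List[str]) -> Dict[str, object]:
    """Summarise both symptoms for one captured session."""
    replies = parse_replies(lines)
    return {
        "masked_banner": banner_is_masked(replies),
        "scrambled_keywords": scrambled_ehlo_keywords(replies),
    }


if __name__ == "__main__":
    for name, session in (("masked", MASKED_SESSION), ("clean", CLEAN_SESSION)):
        print(name, check_session(session))
```

To use it against a live mail server, read the greeting and the reply to your EHLO from the socket and pass those lines to `check_session`; the embedded sessions are only there so the check runs offline. A masked banner or any scrambled keyword means an `inspect esmtp` policy is still active on the path.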