
Cisco ASA ESMTP Inspection of STARTTLS Sessions

Contents

Description of STARTTLS
ESMTP Inspection on the Cisco Adaptive Security Appliance
Interaction Between ASA ESMTP Inspection and STARTTLS
Disabling ESMTP Inspection on the Cisco ASA
Conclusion
References

Description of STARTTLS

STARTTLS is an extension to the Simple Mail Transfer Protocol (SMTP) service that allows an SMTP server and client to use Transport Layer Security (TLS) to provide private, authenticated communication over the Internet. This allows SMTP agents to protect some or all of their communications from eavesdroppers and attackers.

For more information on STARTTLS, see RFC 3207: SMTP Service Extension for Secure SMTP over Transport Layer Security.

ESMTP Inspection on the Cisco Adaptive Security Appliance

Extended SMTP (ESMTP) application inspection provides improved protection against SMTP-based attacks by restricting the types of SMTP commands that can pass through the Cisco Adaptive Security Appliance (ASA) and by adding monitoring capabilities. It also provides support for application security and protocol conformance, which enforce the sanity of SMTP messages, detect several attacks, block senders and receivers, and block mail relay.

ESMTP application inspection adds support for extended SMTP commands, including AUTH, EHLO, ETRN, HELP, SAML, SEND, SOML, STARTTLS, and VRFY. Along with the support for seven RFC 821 commands (DATA, HELO, MAIL, NOOP, QUIT, RCPT, and RSET), the ASA supports a total of 15 SMTP commands. Other extended SMTP commands, such as ATRN, ONEX, VERB, and CHUNKING, and private extensions are not supported. Unsupported commands are translated into Xs, which are rejected by the internal server. This results in a message such as "500 Command unknown: 'XXX'." Incomplete commands are discarded.

An SMTP server responds to client requests with numeric reply codes and optional human-readable strings. SMTP application inspection controls and reduces the commands that the user can use as well as the messages that the server returns. SMTP inspection performs three primary tasks:

  • Restricts SMTP requests to seven basic SMTP commands and eight extended commands.
  • Monitors the SMTP command-response sequence.
  • Generates an audit trail. Audit record 108002 is generated when an invalid character embedded in the mail address is replaced. For more information, see RFC 821.

SMTP inspection monitors the command and response sequence for the following anomalous signatures:

  • Truncated commands.
  • Incorrect command termination (not terminated with <CR><LF>).
  • The MAIL and RCPT commands. These commands specify the sender and receiver of the mail. Mail addresses are scanned for strange characters. The pipeline character (|) is replaced with a blank space, and less-than and greater-than characters (< >) are allowed only if they are used to define a mail address (> must be preceded by <).
  • Unexpected transition by the SMTP server.
  • Unknown commands. For these, Cisco ASA changes all the characters in the packet to X. In this case, the server generates an error code to the client. Because of the change in the packet, the TCP checksum has to be recalculated or adjusted.
  • TCP stream editing.
  • Command pipelining.
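
The rules above can be modeled in a few lines. This is an added example, not Cisco's implementation or code from the original document: the function names and verdict strings are hypothetical, and it assumes that the trailing <CR><LF> is left intact when a command is masked and that STARTTLS is passed only when allow-tls is configured.

```python
# Toy model of the inspection rules listed above; not Cisco's implementation.
BASIC = {"DATA", "HELO", "MAIL", "NOOP", "QUIT", "RCPT", "RSET"}
EXTENDED = {"AUTH", "EHLO", "ETRN", "HELP", "SAML", "SEND", "SOML", "VRFY"}


def brackets_ok(arg: bytes) -> bool:
    """Every '>' must be preceded by an unmatched '<'."""
    open_count = 0
    for ch in arg:
        if ch == ord("<"):
            open_count += 1
        elif ch == ord(">"):
            if open_count == 0:
                return False
            open_count -= 1
    return True


def inspect(line: bytes, allow_tls: bool = False):
    """Return (verdict, bytes_forwarded) for one client command line."""
    if not line.endswith(b"\r\n"):
        return "discard", b""  # truncated or not terminated with <CR><LF>
    body = line[:-2]
    verb = body.split(b" ", 1)[0].upper().decode("latin-1")
    # Assumption: STARTTLS is passed only when allow-tls is configured.
    allowed = BASIC | EXTENDED | ({"STARTTLS"} if allow_tls else set())
    if verb not in allowed:
        # Same-length masking: each character becomes X (assumption: CRLF kept).
        return "mask", b"X" * len(body) + b"\r\n"
    if verb in ("MAIL", "RCPT"):
        body = body.replace(b"|", b" ")  # pipeline character -> blank space
        if not brackets_ok(body):
            return "flag", body + b"\r\n"
    return "pass", body + b"\r\n"


# Constructed sample commands, as a client might send them.
SAMPLES = [
    b"EHLO client.example.com\r\n",
    b"VERB\r\n",
    b"STARTTLS\r\n",
    b"MAIL FROM:<a|b@example.com>\r\n",
    b"RCPT TO:bob>@example.com\r\n",
    b"NOOP",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", inspect(s), inspect(s, allow_tls=True))
```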

To specify actions when a message violates a parameter, create an ESMTP inspection policy map. You can then apply the inspection policy map when you enable ESMTP inspection. See Configuring an ESMTP Inspection Policy Map for Additional Inspection Control for detailed information about configuring inspection policy maps for ESMTP inspection.

Interaction Between ASA ESMTP Inspection and STARTTLS

When Cisco ASA is configured for ESMTP inspection, the ASA is not able to examine the TLS session because it is encrypted. Therefore the ASA will prevent the establishment of the STARTTLS session and allow the SMTP endpoints to determine whether the SMTP session should continue in clear text (that is, with no privacy).

RFC 3207 notes the following:

"Both the SMTP client and server must check the result of the TLS negotiation to see whether an acceptable degree of authentication and privacy was achieved. Ignoring this step completely invalidates using TLS for security. The decision about whether acceptable authentication or privacy was achieved is made locally, is implementation-dependent, and is beyond the scope of RFC 3207. The SMTP client and server should note carefully the result of the TLS negotiation. If the negotiation results in no privacy, or if it results in privacy using algorithms or key lengths that are deemed not strong enough, or if the authentication is not good enough for either party, the client may choose to end the SMTP session with an immediate QUIT command, or the server may choose to not accept any more SMTP commands."

See "Security Considerations" in RFC 3207 for more information.
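
The local decision that RFC 3207 leaves to the endpoints can be sketched as a client-side policy check. This is an added example, not code from the original document or from Cisco: the function names, action strings, and sample replies are constructed, and the pattern for a masked keyword assumes that a rewritten extension appears as a run of X characters, in line with the X masking described earlier.

```python
import re

# Assumption: a masked EHLO keyword shows up as a run of X characters.
MASKED = re.compile(r"X{4,}[A-Z]?")


def parse_reply(reply: str):
    """Split a (possibly multi-line) SMTP reply into (code, [text lines])."""
    lines = [l for l in reply.split("\r\n") if l]
    return int(lines[0][:3]), [l[4:] for l in lines]


def ehlo_keywords(reply: str):
    """Extension keywords from an EHLO reply (the first line is the greeting)."""
    code, texts = parse_reply(reply)
    if code != 250:
        return set()
    return {t.split()[0].upper() for t in texts[1:] if t.strip()}


def next_step(ehlo_reply: str, require_tls: bool) -> str:
    """Decide what the client does after EHLO, before any mail is sent."""
    kws = ehlo_keywords(ehlo_reply)
    if "STARTTLS" in kws:
        return "SEND_STARTTLS"
    rewritten = any(MASKED.fullmatch(k) for k in kws)
    if require_tls:
        # End the session with QUIT rather than fall back to clear text.
        return "QUIT_TLS_STRIPPED" if rewritten else "QUIT_NO_TLS"
    return "CONTINUE_CLEARTEXT"


def after_starttls(reply: str, require_tls: bool) -> str:
    """Only a 220 reply to STARTTLS means the TLS handshake may begin."""
    code, _ = parse_reply(reply)
    if code == 220:
        return "START_TLS_HANDSHAKE"
    return "QUIT_NO_TLS" if require_tls else "CONTINUE_CLEARTEXT"


# Constructed EHLO replies: one seen directly, one seen through inspection.
DIRECT = "250-mail.example.com\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
INSPECTED = "250-mail.example.com\r\n250-PIPELINING\r\n250-XXXXXXXA\r\n250 8BITMIME\r\n"

if __name__ == "__main__":
    for name, reply in (("direct", DIRECT), ("inspected", INSPECTED)):
        print(name, next_step(reply, require_tls=True))
```

A client that is configured to require TLS ends the session with QUIT in both failure cases; the separate QUIT_TLS_STRIPPED result only gives operators a log signal that a device in the path may be rewriting the capability list.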

Disabling ESMTP Inspection on the Cisco ASA

If SMTP sessions need to use the STARTTLS extension to provide privacy through TLS encryption, TLS must be allowed in the ESMTP inspection policy map. The behavior described in the Interaction Between ASA ESMTP Inspection and STARTTLS section can be avoided by using the allow-tls option that is supported in Cisco ASA Software Releases 8.0.3 and later as shown here:

policy-map type inspect esmtp esmtp_map
  parameters
    allow-tls action log

Conclusion

STARTTLS is an extension to SMTP that allows SMTP clients and servers to negotiate the use of TLS encryption to provide privacy for SMTP sessions. When Cisco ASA performs ESMTP inspection, it does not allow the establishment of TLS sessions for SMTP by default, although they can be allowed with the allow-tls command. When TLS sessions are not established, Cisco ASA signals to the SMTP client and server that the requested TLS session will result in clear text SMTP traffic. In this case, it is up to the SMTP client and server to decide whether the lack of privacy (that is, no TLS encryption) should cause the SMTP session to be terminated. Finally, if ESMTP inspection is required, TLS can be allowed in Cisco ASA Releases 8.0.3 and later by making a configuration change in the ESMTP policy map.

References

Cisco ASA Series Firewall CLI Configuration Guide, 9.3: Inspection of Basic Internet Protocols
https://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/firewall/asa-firewall-cli/inspect-basic.html

RFC 3207 - SMTP Service Extension for Secure SMTP over Transport Layer Security
https://tools.ietf.org/html/rfc3207

This document is part of Cisco Security Research & Operations.

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
