Description of STARTTLS
ESMTP Inspection on the Cisco Adaptive Security Appliance
Interaction Between ASA ESMTP Inspection and STARTTLS
Disabling ESMTP Inspection on the Cisco ASA
Conclusion
References
STARTTLS is an extension to the Simple Mail Transfer Protocol (SMTP) service that allows an SMTP server and client to use Transport Layer Security (TLS) to provide private, authenticated communication over the Internet. This allows SMTP agents to protect some or all of their communications from eavesdroppers and attackers.
For more information on STARTTLS, see RFC 3207: SMTP Service Extension for Secure SMTP over Transport Layer Security.
Extended SMTP (ESMTP) application inspection provides improved protection against SMTP-based attacks by restricting the types of SMTP commands that can pass through the Cisco Adaptive Security Appliance (ASA) and by adding monitoring capabilities. It also provides application security and protocol conformance checks, which enforce the sanity of SMTP messages, detect several attacks, and block specific senders or receivers and mail relaying.
ESMTP application inspection adds support for the extended SMTP commands AUTH, EHLO, ETRN, HELP, SAML, SEND, SOML, STARTTLS, and VRFY. Together with the seven RFC 821 commands (DATA, HELO, MAIL, NOOP, QUIT, RCPT, and RSET), these are the SMTP commands the ASA supports. Other extended SMTP commands, such as ATRN, ONEX, VERB, and CHUNKING, and private extensions are not supported. The ASA rewrites unsupported commands into a string of Xs before forwarding them, so the internal server rejects them with a reply such as "500 Command unknown: 'XXX'." Incomplete commands are discarded.
An SMTP server responds to client requests with numeric reply codes and optional human-readable strings. SMTP application inspection controls and reduces the commands that the user can use as well as the messages that the server returns. SMTP inspection performs three primary tasks:
SMTP inspection monitors the command and response sequence for the following anomalous signatures:
To specify actions when a message violates a parameter, create an ESMTP inspection policy map. You can then apply the inspection policy map when you enable ESMTP inspection. See Configuring an ESMTP Inspection Policy Map for Additional Inspection Control for detailed information about configuring inspection policy maps for ESMTP inspection.
When the Cisco ASA is configured for ESMTP inspection, it cannot examine the contents of a TLS session because they are encrypted. Therefore, by default, the ASA prevents the STARTTLS negotiation from being established and leaves it to the SMTP endpoints to decide whether the session should continue in clear text (that is, with no privacy). Note that most SMTP implementations use TLS opportunistically: unless at least one endpoint is configured to require TLS, the session will typically continue in clear text without any error being reported to the operator.
RFC 3207 notes the following:
"Both the SMTP client and server must check the result of the TLS negotiation to see whether an acceptable degree of authentication and privacy was achieved. Ignoring this step completely invalidates using TLS for security. The decision about whether acceptable authentication or privacy was achieved is made locally, is implementation-dependent, and is beyond the scope of RFC 3207. The SMTP client and server should note carefully the result of the TLS negotiation. If the negotiation results in no privacy, or if it results in privacy using algorithms or key lengths that are deemed not strong enough, or if the authentication is not good enough for either party, the client may choose to end the SMTP session with an immediate QUIT command, or the server may choose to not accept any more SMTP commands."
See "Security Considerations" in RFC 3207 for more information.
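The following is an added example, not code from the Cisco document or the ASA. It implements, on the client side, the RFC 3207 step quoted above: parse the EHLO reply to see whether STARTTLS is advertised, then use the reply to the STARTTLS command to decide whether to proceed with TLS, continue in clear text, or QUIT. The sample EHLO replies are constructed; the function names (parse_ehlo_reply, looks_masked, starttls_decision, probe) and the heuristic that flags an EHLO keyword made only of Xs are this example's own and are not ASA behaviour documented on this page.

```python
"""Client-side STARTTLS check modelled on the RFC 3207 security considerations.

Added example; not code from the Cisco document.  Parses the EHLO reply,
checks whether STARTTLS is offered, and decides from the STARTTLS reply
whether to proceed, fall back to clear text, or QUIT.  Sample replies are
constructed; function names and the X-masking heuristic are this example's own.
"""
import re
import smtplib
import ssl
from dataclasses import dataclass
from typing import List, Optional

STARTTLS_READY = 220  # RFC 3207: "220 Ready to start TLS"

# Constructed sample EHLO replies (not captured from a real server).
EHLO_WITH_TLS = (b"250-mail.example.com Hello client.example.net\r\n"
                 b"250-SIZE 10240000\r\n"
                 b"250-STARTTLS\r\n"
                 b"250 ENHANCEDSTATUSCODES\r\n")
EHLO_WITHOUT_TLS = (b"250-mail.example.com Hello client.example.net\r\n"
                    b"250-SIZE 10240000\r\n"
                    b"250 ENHANCEDSTATUSCODES\r\n")
# Same server, but one extension line has been rewritten to Xs in transit.
EHLO_MASKED = (b"250-mail.example.com Hello client.example.net\r\n"
               b"250-SIZE 10240000\r\n"
               b"250-XXXXXXXX\r\n"
               b"250 ENHANCEDSTATUSCODES\r\n")


@dataclass
class EhloReply:
    code: int
    domain: str
    extensions: List[str]  # EHLO keywords only (parameters dropped), upper-cased


def parse_ehlo_reply(raw: bytes) -> EhloReply:
    """Parse a multi-line ESMTP reply (RFC 5321 section 4.2.1).

    Each line is 'NNN-text' (more follow) or 'NNN text' (final line), and all
    lines must carry the same code.  The first line's text begins with the
    server domain; the remaining lines are EHLO keywords.
    """
    lines = [ln for ln in raw.decode("ascii", errors="replace").split("\r\n") if ln]
    if not lines:
        raise ValueError("empty reply")
    codes, texts = set(), []
    for i, line in enumerate(lines):
        m = re.fullmatch(r"(\d{3})([ -])(.*)", line)
        if not m:
            raise ValueError(f"malformed reply line: {line!r}")
        codes.add(int(m.group(1)))
        is_final = m.group(2) == " "
        if is_final != (i == len(lines) - 1):
            raise ValueError("continuation marker does not match line position")
        texts.append(m.group(3))
    if len(codes) != 1:
        raise ValueError(f"inconsistent reply codes: {sorted(codes)}")
    domain = texts[0].split(" ", 1)[0]
    extensions = [t.split(" ", 1)[0].upper() for t in texts[1:]]
    return EhloReply(codes.pop(), domain, extensions)


def looks_masked(ehlo: EhloReply) -> bool:
    """Heuristic (this example's own): an EHLO keyword consisting only of Xs
    is not a valid extension name and suggests a middlebox rewrote the reply."""
    return any(re.fullmatch(r"X{4,}[A-Z]?", ext) for ext in ehlo.extensions)


def starttls_decision(ehlo: EhloReply, starttls_code: Optional[int],
                      require_tls: bool = True) -> str:
    """Return the client's next action after the STARTTLS exchange.

    starttls_code is the reply to the STARTTLS command, or None if the client
    never sent it because STARTTLS was not advertised.
      'proceed'   -> 220 received: wrap the socket in TLS, then send EHLO again.
      'quit'      -> TLS required but not offered or refused: send QUIT and do
                     not send MAIL/RCPT/DATA in clear text.
      'cleartext' -> opportunistic policy: continue unencrypted.  This is the
                     silent downgrade a firewall that blocks STARTTLS causes
                     when neither side requires TLS.
    """
    if ehlo.code != 250:
        return "quit"
    if "STARTTLS" in ehlo.extensions and starttls_code == STARTTLS_READY:
        return "proceed"
    return "quit" if require_tls else "cleartext"


def probe(host: str, port: int = 25, timeout: float = 10.0) -> str:
    """Live variant using the standard library (needs network; not run by the test).
    smtplib raises SMTPNotSupportedError when STARTTLS is not advertised and
    SMTPResponseException when the server does not answer 220."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, _ = smtp.ehlo()
        if code != 250:
            return "quit"
        try:
            smtp.starttls(context=ssl.create_default_context())
        except (smtplib.SMTPNotSupportedError, smtplib.SMTPResponseException):
            return "quit"
        return "proceed"


if __name__ == "__main__":
    for name, raw in [("advertised", EHLO_WITH_TLS), ("absent", EHLO_WITHOUT_TLS),
                      ("masked", EHLO_MASKED)]:
        reply = parse_ehlo_reply(raw)
        code = STARTTLS_READY if "STARTTLS" in reply.extensions else None
        print(f"{name:10s} strict={starttls_decision(reply, code):9s} "
              f"opportunistic={starttls_decision(reply, code, require_tls=False):9s} "
              f"masked={looks_masked(reply)}")
```

Run the module directly to see the three constructed cases side by side; the "absent" and "masked" replies yield quit under a strict policy but cleartext under an opportunistic one, which is exactly the downgrade the RFC 3207 check exists to catch. The probe function can be pointed at a mail server behind an inspecting firewall to confirm whether a STARTTLS negotiation actually completes end to end.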
If SMTP sessions need to use the STARTTLS extension to provide privacy through TLS encryption, TLS must be allowed in the ESMTP inspection policy map. The behavior described in the Interaction Between ASA ESMTP Inspection and STARTTLS section can be avoided with the allow-tls parameter, which is supported in Cisco ASA Software Releases 8.0.3 and later and is configured as shown here (the map is then referenced by the inspect esmtp command in the service policy, as noted above). Because the ASA cannot examine encrypted traffic, once TLS is allowed the ESMTP inspection checks apply only to the clear-text portion of the session that precedes the STARTTLS command.
policy-map type inspect esmtp esmtp_map
 parameters
  allow-tls action log
STARTTLS is an extension to SMTP that allows SMTP clients and servers to negotiate the use of TLS encryption to provide privacy for SMTP sessions. When the Cisco ASA performs ESMTP inspection, it does not allow TLS sessions for SMTP to be established by default, although they can be permitted with the allow-tls command. When the TLS session is not established, the Cisco ASA indicates to the SMTP client and server that the requested TLS session will not be set up, and the session continues as clear text SMTP traffic. In this case, it is up to the SMTP client and server to decide whether the lack of privacy (that is, no TLS encryption) should cause the SMTP session to be terminated. Finally, if both ESMTP inspection and TLS are required, TLS can be allowed in Cisco ASA Releases 8.0.3 and later by making a configuration change in the ESMTP inspection policy map.
Cisco ASA Series Firewall CLI Configuration Guide, 9.3: Inspection of Basic Internet Protocols
https://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/firewall/asa-firewall-cli/inspect-basic.html
RFC 3207 - SMTP Service Extension for Secure SMTP over Transport Layer Security
https://tools.ietf.org/html/rfc3207
This document is part of the Cisco Security portal. Cisco provides the official information contained on the Cisco Security portal in English only.
This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document without notice at any time.