-
- IP Access List Features Roadmap
- IP Access List Overview
- Creating an IP Access List and Applying It to an Interface
- Creating an IP Access List to Filter IP Options TCP Flags Noncontiguous Ports or TTL Values
- Refining an IP Access List
- Displaying and Clearing IP Access List Data Using ACL Manageability
- Controlling Access to a Virtual Terminal Line
- Access List-Based RBSCP
- ACL IP Options Selective Drop
- ACL Authentication of Incoming rsh and rcp Requests
- Configuring Lock-and-Key Security for Dynamic Access Lists
- Configuring IP Session Filtering of Reflexive Access Lists
- Configuring TCP Intercept and Preventing Denial-of-Service Attacks
-
- Configuring Context-based Access Control
- Application Firewall - Instant Message Traffic Enforcement
- Cisco IOS Firewall MIB
- Cisco IOS Firewall Performance Improvements
- Cisco IOS Firewall Stateful Failover
- Cisco IOS Firewall Support for TRP
- Email Inspection Engine
- ESMTP Support for Cisco IOS Firewall
- Firewall ACL Bypass
- Firewall N2H2 Support
- Firewall Stateful Inspection of ICMP
- Firewall Support for SIP
- Firewall Support of Skinny Client Control Protocol
- Firewall Websense URL Filtering
- Granular Protocol Inspection
- HTTP Inspection Engine
- Inspection of Router-Generated Traffic
- TCP Out-of-Order Packet Support for Cisco IOS Firewall and Cisco IOS IPS
- Transparent Cisco IOS Firewall
- Virtual Fragmentation Reassembly
- VRF Aware Cisco IOS Firewall
- Configuring Port to Application Mapping
- Configuring Cisco IOS Intrusion Prevention System (IPS)
- Configuring IP Security Options
E-mail Inspection Engine
The E-mail Inspection Engine feature allows the Cisco IOS Firewall to inspect Post Office Protocol 3 (POP3) and Internet Message Access Protocol (IMAP) e-mail, in addition to Simple Mail Transfer Protocol (SMTP) and Extended Simple Mail Transfer Protocol (ESMTP) e-mail which were previously supported.
The secure-login enhancement allows people to download external POP3 e-mail only if authentication methods are secure.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for E-mail Inspection Engine" section.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•
Prerequisites for E-mail Inspection Engine
•Information About E-mail Inspection Engine
•How to Configure E-mail Inspection Engine
•Configuration Examples for E-mail Inspection Engine
•Feature Information for E-mail Inspection Engine
Prerequisites for E-mail Inspection Engine
•Configure CBAC.
•Enable SSL VPN tunnels.
Information About E-mail Inspection Engine
•E-mail Inspection Engine Operation
•POP3
•SMTP
•SSL
E-mail Inspection Engine Operation
The client/server communication is validated from the time the TCP connection is initialized until the client is authenticated. The Cisco IOS Firewall uses a state router to track each stage of authentication. After the client is authenticated, the Cisco IOS Firewall allows all the client/server commands without further L7 inspection. TCP L4 inspection continues until the connection is closed. At the end of the e-mail session when the client host quits and before the TCP connection is closed, no further client/server interaction is allowed unless the client is reauthenticated.
During the authentication, any unrecognized command causes the Cisco IOS Firewall to drop the packet and close the connection.
If encryption is negotiated between the client and server control channel, no further validation occurs.
An e-mail client logging in from a nonsecure location may need to use encryption for authentication. For information about secure logins, see the description of the secure-login keyword of the ip inspect name command.
Inspection
Context Based Access Control (CBAC) inspects traffic that travels through the firewall to discover and manage state information for TCP and User Datagram Protocol (UDP) sessions. This state information is used to create temporary openings in the firewall's access lists to allow return traffic and additional data connections for permissible sessions.
Inspecting packets at the application layer and maintaining TCP and UDP session information provides CBAC with the ability to detect and prevent certain types of network attacks such as SYN-flooding. A SYN-flood attack occurs when a network attacker floods a server with a barrage of requests for connection and does not complete the connection. The resulting volume of half-open connections can overwhelm the server, causing it to deny service to valid requests. Network attacks that deny access to a network device are called denial-of-service (DoS) attacks.
POP3
The Post Office Protocol, Version 3 (POP3) is used to receive e-mail that is stored on a mail server. Unlike IMAP, POP only retrieves mail from a remote host.
POP3 works best when there is only one computer because it supports "offline" message access where messages are downloaded and then deleted from the mail server. This mode of access is not compatible with access from multiple computers because it tends to sprinkle messages across all the computers used for mail access.
With POP3-based e-mail clients, messages are downloaded to the user's local message store and can also be deleted from the mail server. Deletion is optional in most clients. When a new voice message arrives, the subscriber's only immediate notification is the activation of the MWI on the phone. New messages are displayed in the Inbox only after the client's local message store is updated with the Exchange message store. After the subscriber downloads new messages, the message state automatically changes from "new" to "read" on the server, even though the subscriber has not actually listened to the voice messages. MWIs on the subscriber's phone are extinguished, and the message state between the TUI and the subscriber's Inbox are not synchronized.
IMAP Protocol
The Internet Message Access Protocol (IMAP) is a method of accessing electronic mail or bulletin board messages that are kept on a mail server that may be shared. It permits a "client" e-mail program to access remote messages as though they were local. For example, e-mail stored on an IMAP server can be retrieved, sent, and managed from a desktop computer at home, from a workstation at the office, or from a laptop without transferring messages or files back and forth between the computers.
Only the message header and sender information are displayed in the Inbox until the user downloads the entire message, including attachments, from the server. When a new voice message arrives, the subscriber's only immediate notification is the activation of the Message Waiting Indication (MWI) on the phone. New messages are displayed in the Inbox only after the client's local message store is updated with the Exchange message store. When the subscriber listens to a new message by using the telephone user interface (TUI), the MWI is extinguished. In this case again, the message state is not updated in the Inbox until the client's message store is refreshed. However, if the subscriber uses an installed multimedia player to listen to the WaveForm Audio (WAV) attachment from the e-mail client's Inbox, message state changes are automatically synchronized with the TUI.
How message state changes are conveyed to the Cisco Unity subscriber, and how these changes are synchronized with the TUI, depend on whether the subscriber's e-mail client is configured to use POP3 or IMAP4 to access Exchange.
Client Command Validation
The Cisco IOS Firewall authenticates an e-mail client accessing an IMAP or POP3 server before allowing complete access into the server. The firewall searches the IMAP/POP3 TCP stream for valid protocol commands. If the client's commands are outside the protocol's definition, the Cisco IOS Firewall drops the packets and resets the connection.
Client command validation is typically needed in a DeMilitarized Zone (DMZ). Client access is allowed into the DMZ only if the e-mail server validates the user authentication. After the client is authenticated, the client becomes a trusted user and access is permitted.
SMTP
The Simple Mail Transfer Protocol (SMTP) is used to transfer e-mail between servers and clients on the Internet. E-mail clients and mail servers that use protocols other than Message Application Programming Interface (MAPI) can use the SMTP protocol to transfer a message from a client to the server, and then forward it to a message recipient's server. To retrieve, send, and manage these messages from the e-mail client use POP3 or IMAP4.
Cisco Unity uses SMTP to route voice messages via the Internet Voice Connector (IVC) gateway between other Exchange servers that are not connected by using a Site Message Connector. There is an IVC gateway on either end of the SMTP connection between Exchange servers. This ensures that MAPI message attributes survive the outbound transit between SMTP connections. It also ensures that the MIME-encoded attributes survive the inbound transit, and are included with the message stored in the Exchange message store.
SSL
The Secure Socket Layer (SSL) protocol is the standard protocol that delivers secure content over the Internet. It is a point-to-point security protocol that secures communication between a client and a server. SSL usually does not require a special client (that is, a Web browser often will suffice) and it does not require any additional operating system software.
SSL includes client and server authentication and data encryption for a limited set of applications (for example, the Web, e-mail, news, and file transfer). SSL is useful for securing e-commerce transactions over the Internet, and the protocol is well suited for extranets and remote access because it is relatively simple to deploy.
How to Configure E-mail Inspection Engine
•Configuring Firewall Inspection of POP3 or IMAP E-mail (required)
•Verifying the E-mail Inspection Engine Configuration (optional)
Configuring Firewall Inspection of POP3 or IMAP E-mail
To allow the Cisco IOS Firewall to inspect POP3 or IMAP e-mail, perform the following task.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip inspect name inspection-name protocol [alert {on | off}] [audit-trail {on | off}][reset] [secure-login] [timeout seconds]
4. interface type slot/port
5. ip inspect name inspection-name {in | out}
6. exit
DETAILED STEPS
Verifying the E-mail Inspection Engine Configuration
To verify the E-mail Inspection Engine configuration, perform the following task.
Note Effective with Cisco IOS Release 12.4(20)T, the debug ip inspect command is replaced by the debug policy-firewall command. See the Cisco IOS Debug Command Reference for more information.
SUMMARY STEPS
1. debug ip inspect imap
2. debug ip inspect pop3
3. show ip inspect {name inspection-name | config | interfaces | session [detail] | all}
DETAILED STEPS
Step 1 debug ip inspect imap
Use this command to display messages about Cisco IOS Firewall events related to IMAP protocol e-mail messages.
Router# debug ip inspect imap
Step 2 debug ip inspect pop3
Use this command to display messages about Cisco IOS Firewall events related to POP3 protocol e-mail messages.
Router# debug ip inspect pop3
Step 3 show ip inspect {name inspection-name | config | interfaces | session [detail] | all}
Use this command to view CBAC configuration and session information.
Router# show ip inspect
Session audit trail is disabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name mail-guard
tcp timeout 3600
tdp timeout 30
ftp timeout 3600
Configuration Examples for E-mail Inspection Engine
•Example: Configuring IMAP and POP3 Protocol E-mail
Example: Configuring IMAP and POP3 Protocol E-mail
The following example configures the Cisco IOS Firewall inspection of IMAP and POP3 protocol e-mail:
configure terminal
ip inspect name mail-guard pop3
ip inspect name mail-guard imap
exit
The following commands enable this functionality on an interface:
configure terminal
interface 1/0
ip inspect name mail-guard in
exit
Additional References
Related Documents
Standards
|
|
|
|---|---|
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. |
— |
MIBs
RFCs
|
|
|
|---|---|
RFC 1939 |
J Myers and M. Rose, "Post Office Protocol, Version 3 (POP3)," May 1996. |
RFC 3501 |
M. Crispin, "Internet Message Access Protocol (IMAP4rev1," March 2003. |
Technical Assistance
Feature Information for E-mail Inspection Engine
Table 1 lists the features in this module and provides links to specific configuration information.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note Table 1 lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Glossary
authentication—Process during which any unrecognized command causes the Cisco IOS Firewall to drop the packet and close the connection.
CBAC—Context-Based Access Control. A Cisco IOS Firewall set feature that scrutinizes source and destination addresses to enhance security for TCP and UDP applications that use well-known ports, such as FTP and e-mail traffic.
ESMTP—Extended Simple Mail Transfer Protocol. An extended version of the Simple Mail Transfer Protocol (SMTP), which includes additional functionality, such as delivery notification and session delivery.
IMAP—Internet Message Access Protocol. A method of accessing e-mail or bulletin board messages kept on a mail server that can be shared. IMAP permits client e-mail applications to access remote message stores as if they were local without actually transferring the message.
POP—Post Office Protocol. A protocol that client e-mail applications use to retrieve mail from a mail server.
SMTP—Simple Mail Transfer Protocol. An Internet protocol providing e-mail services.
SSL—Secure Socket Layer Protocol. This protocol is used to deliver secure information over the Internet.
state router—A router that tracks the client/server commands until the client is authenticated.
TCP—Transmission Control Protocol. A connection-oriented transport layer protocol that provides reliable full-duplex data transmission. TCP is part of the TCP/IP protocol stack.
UDP—User Datagram Protocol. A connectionless transport-layer protocol for exchanging datagrams without acknowledgments or guaranteed delivery.
VPN—Virtual Private Network. A network that enables IP traffic to travel securely over a public TCP/IP network by encrypting all traffic from one network to another. A VPN network uses "tunneling" to encrypt all information at the IP level.
Feedback