
Thursday, September 26, 2024

Cisco ASA SMTP Inspection Guide for Versions 9.7 and Above

In Cisco ASA versions prior to 9.7, filtering SMTP traffic using regular expressions and L7 class maps was the typical approach. This method allowed you to inspect Layer 7 data to match specific string patterns within SMTP packets. You could use regular expressions to define string patterns, and the system would filter based on those.

However, starting with ASA 9.7, things have significantly changed, offering a more streamlined and efficient way to inspect and filter email traffic. Cisco introduced new features, simplifying the process, while also enhancing security, performance, and management. Below, we’ll walk through how SMTP inspection works post-9.7, including how to achieve the same results that were possible using class maps in older versions.

### What Changed in ASA 9.7?
With the release of ASA 9.7, Cisco brought in several major improvements:
- **More Advanced Application Layer Gateways (ALGs)** for better handling of protocols like SMTP.
- **Simplified Configuration** for inspecting application protocols, including SMTP, by removing the need for manual regular expressions for every inspection.
- **Unified Layer 7 Policies** for easier control over traffic inspection.

### SMTP Inspection in Post-9.7 ASA
SMTP (Simple Mail Transfer Protocol) is one of the most critical protocols for network security due to its role in email transfer. To protect your network from email-based threats (like spam, malware, and phishing), inspecting SMTP traffic is essential. Cisco ASA’s enhanced Application Inspection and Control (AIC) feature allows you to inspect and manage SMTP traffic more effectively.

#### The New SMTP Inspection Process
In ASA post-9.7, you no longer have to rely on class maps and regular expressions to inspect SMTP traffic. The system now provides **built-in SMTP inspection**, which simplifies the process. Here’s how SMTP inspection works and how you can configure it.

1. **Enable SMTP Inspection**: ASA includes an SMTP application layer gateway (ALG), which examines SMTP traffic at Layer 7, inspecting email messages and preventing malicious content from entering or leaving your network.

2. **Simplified Regular Expression Handling**: In pre-9.7 versions, you'd manually define regular expressions to match patterns in SMTP headers or body. Now, the inspection engine handles most of this automatically, filtering common threats like email-based exploits or malformed headers. However, you can still define custom regex patterns if necessary, but for most cases, the built-in inspection suffices.

3. **TLS Inspection Support**: In the past, inspecting encrypted email traffic required separate solutions. Post-9.7 ASA can handle encrypted traffic (like SMTPS) using **SSL/TLS inspection**, making it easier to secure mail servers.

### Steps to Enable and Configure SMTP Inspection in ASA Post-9.7

Here’s a practical example of configuring SMTP inspection in a modern ASA setup.

#### 1. Enable Basic SMTP Inspection
First, you need to enable SMTP inspection on your ASA. This can be done through the command line or via the ASDM (Adaptive Security Device Manager).

- **From the CLI** (on the ASA the inspection engine is named `esmtp`, so the keyword is `inspect esmtp`):

  ```
  policy-map global_policy
   class inspection_default
    inspect esmtp
  ```

This command enables SMTP inspection globally. The system will now inspect SMTP traffic for common threats and filter them out.

- **From ASDM**:
  - Go to **Configuration > Firewall > Service Policy Rules**.
  - Choose the global policy (or create a new one).
  - Under **Rule Actions**, enable **SMTP Inspection**.

#### 2. Fine-Tuning SMTP Inspection
While the default settings should work for most organizations, you can customize SMTP inspection to meet your needs. You can block specific email commands or inspect traffic in more detail by attaching an ESMTP inspection policy map (`policy-map type inspect esmtp`) to the `inspect esmtp` command.

For example, to disable certain SMTP commands that are often used in attacks, such as `EXPN` and `VRFY`, you can modify the inspection settings:


```
policy-map type inspect esmtp esmtp_policy
 match cmd verb EXPN
  drop-connection log
 match cmd verb VRFY
  drop-connection log
policy-map global_policy
 class inspection_default
  inspect esmtp esmtp_policy
```

This policy drops and logs any connection in which the client issues the `EXPN` or `VRFY` command, which helps prevent spammers from using those commands to verify email addresses.

#### 3. Handling TLS/SSL-encrypted SMTP (SMTPS)
To inspect encrypted email traffic, you’ll need to enable SSL inspection:

- **Create an SSL policy**:

  ```
  ssl policy ssl_policy
   inspect ftp
   inspect smtp
   inspect https
  ```

- **Apply the SSL policy to your traffic**:

  ```
  policy-map global_policy
   class inspection_default
    ssl policy ssl_policy
  ```

This allows the ASA to decrypt, inspect, and then re-encrypt SMTP traffic that is secured with SSL/TLS.

### Sender Address Filtering
In older versions, matching sender addresses involved setting up L7 class maps with regular expressions. With ASA 9.7 and later, this process has been streamlined, but you still have the option to customize filtering based on the sender.

For example, if you want to inspect emails based on the sender address, you can use custom regex filters or an external mail security appliance to block known spammers or filter suspicious domains.

Here’s an example of matching a specific sender domain using regex:

```
regex match_sender "@maliciousdomain\.com"
policy-map type inspect esmtp esmtp_policy
 match sender-address regex match_sender
  drop-connection log
policy-map global_policy
 class inspection_default
  inspect esmtp esmtp_policy
```

In this example, any connection whose `MAIL FROM` address matches "maliciousdomain.com" is dropped and logged. Note the escaped dot in the regex: an unescaped `.` would also match `maliciousdomainXcom`.
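The two customizations above (blocking `EXPN`/`VRFY` in step 2, and sender-address filtering here) are easy to get subtly wrong: the policy map exists but is never attached, or a `match sender-address regex` names a regex that was never defined. The following Python script is an added example, not code from the original post or from Cisco. It parses the text of an ASA running-config and reports whether an ESMTP inspection policy is attached under `class inspection_default` of `global_policy`, whether the `VRFY` and `EXPN` verbs are dropped or reset, and which sender-address regexes are actually defined. It assumes the one-space-per-level indentation that `show running-config` produces; both config samples are constructed for the example.

```python
"""Audit a Cisco ASA running-config for ESMTP inspection coverage.

Added example for this post, not Cisco's code. It parses the text form of an
ASA config, finds the esmtp inspect policy attached to global_policy /
inspection_default, and reports whether VRFY and EXPN are dropped and which
sender-address regexes are enforced. Both config samples are constructed."""
import re

# Constructed sample: custom esmtp inspect policy with verb and sender filtering.
HARDENED_CONFIG = """\
regex match_sender "@maliciousdomain\\.com"
!
policy-map type inspect esmtp esmtp_policy
 match cmd verb VRFY
  drop-connection log
 match cmd verb EXPN
  drop-connection log
 match sender-address regex match_sender
  drop-connection log
!
policy-map global_policy
 class inspection_default
  inspect esmtp esmtp_policy
"""

# Constructed sample: default inspection only, no custom policy map attached.
DEFAULT_ONLY_CONFIG = """\
policy-map global_policy
 class inspection_default
  inspect esmtp
"""


def parse_blocks(config):
    """Group indented lines under their unindented parent line (ASA config layout)."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # blank lines and '!' separators carry no configuration
        if not raw.startswith(" "):
            current = raw.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(raw.rstrip())
    return blocks


def indent_of(line):
    return len(line) - len(line.lstrip())


def attached_esmtp_policy(blocks):
    """Policy map name under inspection_default; '' = plain 'inspect esmtp', None = absent."""
    in_class = False
    for line in blocks.get("policy-map global_policy", []):
        text = line.strip()
        if indent_of(line) == 1:
            in_class = text == "class inspection_default"
        elif in_class and text.startswith("inspect esmtp"):
            parts = text.split()
            return parts[2] if len(parts) > 2 else ""
    return None


def match_actions(blocks, policy):
    """Map each 'match ...' clause of the esmtp inspect policy to its action line."""
    actions, clause = {}, None
    for line in blocks.get(f"policy-map type inspect esmtp {policy}", []):
        text = line.strip()
        if indent_of(line) == 1:
            clause = text if text.startswith("match ") else None
        elif indent_of(line) == 2 and clause:
            actions[clause] = text
    return actions


def audit(config, required_verbs=("VRFY", "EXPN")):
    """Return {'policy', 'blocked_verbs', 'sender_regexes', 'findings'} for the config."""
    blocks = parse_blocks(config)
    policy = attached_esmtp_policy(blocks)
    report = {"policy": policy, "blocked_verbs": set(), "sender_regexes": {}, "findings": []}
    if policy is None:
        report["findings"].append("inspect esmtp is not applied in global_policy/inspection_default")
        return report
    if policy == "":
        report["findings"].append("default esmtp inspection only: no verb or sender filtering")
        return report
    # Top-level 'regex NAME PATTERN' lines, with optional surrounding quotes removed.
    regexes = {m.group(1): m.group(2) for key in blocks
               if (m := re.match(r'regex (\S+) "?(.*?)"?$', key))}
    for clause, action in match_actions(blocks, policy).items():
        verb = re.match(r"match cmd verb (\S+)", clause)
        if verb and action.startswith(("drop-connection", "reset")):
            report["blocked_verbs"].add(verb.group(1).upper())
        sender = re.match(r"match sender-address regex (\S+)", clause)
        if sender and sender.group(1) in regexes:
            report["sender_regexes"][sender.group(1)] = regexes[sender.group(1)]
        elif sender:
            report["findings"].append(f"sender filter references undefined regex {sender.group(1)}")
    for verb in required_verbs:
        if verb not in report["blocked_verbs"]:
            report["findings"].append(f"{verb} is not dropped by policy {policy}")
    return report
```

Run `audit()` over the output of `show running-config` saved to a file; an empty `findings` list means the policy is attached and both verbs are blocked. A `log`-only action is deliberately not counted as blocking, because logging a `VRFY` still lets the command reach the mail server.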

### Conclusion
Cisco ASA post-9.7 greatly simplifies SMTP inspection, making it easier to secure your network while still providing flexibility for custom configurations when needed. The built-in SMTP inspection handles most threats automatically, but you can still fine-tune settings for advanced filtering, including sender address matching and SSL/TLS traffic inspection.

If you’re migrating from an older ASA version, you’ll find that the new approach requires less manual intervention, freeing up resources and reducing the chances of configuration errors. It’s a more powerful, yet simpler, solution to keep your email traffic secure.
