Disable ESMTP Inspection on FTD/ASA running FTD code from FMC/CLI
When ESMTP inspection in enabled on ASA/FTD device and you try to telnet to exchange server, you see rows of Asterisks and cause failure with sending email to exchange server. As these devices are you gateway, when you try to connect your on-prem exchange with cloud-based solutions like O365 or Mimecast, you have this issue.
ESMTP is enabled by default on ASA and ASA running FTD code, whereas it is disabled by default on FTD appliances.
You can go to verification section to identify if ESMTP is enabled on your firewall.
Verification of ESMTP inspection from CLI
- Connect to ASA/FTD CLI via SSH
- Enter command ‘system support diagnostic-cli’ to enter ASA CLI
- Enter command ‘enable’ to gain admin access, enable password is blank (just press Enter)
- Enter command ‘show running-configuration’
- Scroll down to the end section “policy-map global_policy”
- If you see ‘inspect esmtp’, this means ESMTP inspection is enabled, else means it is disabled.
Disable ESMTP Inspection via FMC GUI
- Login to FMC GUI
- Navigate to Object à FlexConfig à TextObject
- Open ‘disableInspectProtocolList’
- Add ‘esmtp’ to the list and Save
- Navigate to Devices à FlexConfig
- Create ‘New Policy’ or ‘Edit’ existing policy you have and is applied to the device you want to push this setting
- Select ‘Default_Inspection_Protocol_Disable’ from left tab and click right-arrow add button to add it to “Selected Prepend FlexConfigs”
- You can click on magnifying lens button to see the configuration it will push and verify it has ESMTP in the list
- Click on ‘Policy Assignment’ and add the device from the list you want to deploy this configuration to device.
- Save and Deploy the configuration
Once deployed, use the Verification step to verify that ‘inspect esmtp’ is now removed
Disable ESMTP via FTD/ASA running FTD code Command Line Interface (CLI)
- Login to FTD/ASA via CLI
- Enter command ‘configure inspection esmtp disable’
- Note – This will disable ESMTP inspection only on this device, if you are running FTD in HA or Cluster, please push the configuration thru FMC/FDM interface instead of CLI.
- You can verify as mentioned above in verification section