ASA 5505 force SMTP TLS connection to Office 365 relay

By default Cisco ASA devices have disallowed SMTP TLS traffic on ASA firewalls. Reason is the possibility to inspect the traffic and the ability for traffic classification. When using TLS over SMTP encryption the MTA to MTA connection is encrypted from host to host. So basicly it isn’t possible to inspect the data anymore. That’s the theory to block the TLS connections

Since the GDPR was finally approved by the EU Parliament, secured email connections has become a discussed item in much organisations. When setting up the ‘emailserver of your organisation’ relay in the mailflow connector of the O365 Exchange management both connections SMTP plain and SMTP TLS are allowed.

So my goal is to force a SMTP with TLS connection when setting up local devices and applications by using the Office 365 relay. That worked on the ASA 5505 with this configuration:


policy-map type inspect esmtp esmtp_map
parameters
allow-tls
match body line length gt 1
drop-connection
policy-map global_policy
class inspection_default
inspect esmtp esmtp_map

First set the allow-tls parameter to allow the TLS connection.
Second the match body line lenght will drop a unsecured connection that basicly can get inspected (cool!)
The second match rule will not be applied to the TLS connections cause the encryption…

Just a workaround to turn the Cisco philosophy around and only force outgoing TLS connections.

Leave a Comment

Your email address will not be published. Required fields are marked *

*