3

Have a question towards the 998 bytes limitation on the esmtp header line length. We have noticed the asa is dropping emails coming from various external mail servers with the header line length greater than 998.

Have googled a bit on this issue and found there are various suggestions to remove the rule on the asa or modify the rules to allow these headers through. For example:- http://packetsneverlie.blogspot.com.au/2010/09/how-to-bypass-smtp-inspection.html

Question is; will removing or modifying the rule in any way create a security risk that malicious parties can exploit against our mail server?

I have been googling for cases where this has already happened nd documentation as to why this could be a bad idea but found nothing yet. Perhaps a mail security expert could assist?

Thanks in advance,

Jean

user4565
  • 151
  • 3
  • How about increasing the limit instead of removing it? I could imagine that a multi-gigabyte header might crash things, so setting a reasonable limit (at least for the moment) might be a good idea. – Luc Oct 20 '14 at 21:13
  • Yes, increasing the limit is also an option but will this modification also create a security risk that can be exploited somehow? There are a lot of smart but malicious guys and gals out on the net that could do some real damage... – user4565 Oct 20 '14 at 21:18
  • Well, if I was sure about an answer I would post it :). But if you test with longer headers to make sure it doesn't crash anything, it is probably okay, at least until you find out more. – Luc Oct 20 '14 at 21:32
  • @Luc - Thanks :-). We have temporarily tried removing the rule by allowing bigger headers. The big question is: are we creating a security risk that crackers could take advantage of? Still looking for some documentation on this scenario. Perhaps an experienced mail security admin could assist. – user4565 Oct 22 '14 at 19:42

1 Answers1

1

This link below could be the answer I'm looking for, please review and comment:-

http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Mail-server-related-injections-Whose-problem/ba-p/6640176

It suggests compliance to rfc2822 (superseded by rfc5822) may save the proverbial: "Although not mandatory, complying with this guidance may help prevent SMTP header injection."

I could be barking up the wrong tree and would appreciate some opinions on this :-)

user4565
  • 151
  • 3