ESMTP TLS + Cisco ASA = Problems!
Do you have ESMTP messages stuck in a queue? Do you have a Cisco ASA firewall? If you answered yes to both of these questions then this article may help!
The Problem
You have a system that sends email using ESMTP, and this traffic is routed through a Cisco ASA firewall. The email is not delivered, and errors similar to “421 4.4.1 Connection timed out” (Microsoft Exchange) are reported. The Cisco ASA inspects ESMTP traffic by default and replaces certain commands with “***”, which causes errors while the email message is being sent. The image below shows an example of this behaviour (“500 5.3.3 Unrecognised Command”):
The Solution
To fix the issue, the default ESMTP inspection must be disabled on the Cisco ASA. This can be done with the commands below on the ASA:
enable
policy-map global_policy
class inspection_default
no inspect esmtp
exit
exit
You can read more on this issue from the Cisco Website!
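To confirm from the sending host, before and after the change, whether an inspecting device is rewriting the session, here is an added Python check (not from the original post and not a Cisco tool) that runs the banner/EHLO/STARTTLS exchange and flags replies overwritten with “*”; the two sample transcripts and the hostnames in it are constructed.

```python
import re
import socket

# Constructed server replies as an SMTP client would see them. MASKED imitates a
# session crossing an ASA with ESMTP inspection on: the banner and the STARTTLS
# capability are overwritten with "*" and STARTTLS itself is answered with 500 5.3.3.
MASKED = [
    "220 ********************************",
    "250-mx.example.test Hello client.example.test",
    "250-SIZE 52428800",
    "250-***",
    "250 OK",
    "500 5.3.3 Unrecognized command",
]
# CLEAN is the same session without inspection in the path.
CLEAN = [
    "220 mx.example.test ESMTP ready",
    "250-mx.example.test Hello client.example.test",
    "250-SIZE 52428800",
    "250-STARTTLS",
    "250 OK",
    "220 2.0.0 Ready to start TLS",
]

REPLY = re.compile(r"^(\d{3})([ -])(.*)$")

def diagnose(replies):
    """Classify the replies of one banner/EHLO/STARTTLS exchange."""
    parsed = [m.groups() for m in map(REPLY.match, replies) if m]
    texts = [t for _, _, t in parsed]
    masked = any(t and t.strip("*") == "" for t in texts)  # body is only "*"
    offered = any(t.upper().startswith("STARTTLS") for t in texts)
    last_code = parsed[-1][0] if parsed else ""  # the reply to STARTTLS
    rejected = last_code.startswith("5")
    # A bare 5xx to STARTTLS is ambiguous (the server may simply lack TLS);
    # the "*" masking, or an offered STARTTLS that is then refused, is the tell.
    if masked or (offered and rejected):
        verdict = "esmtp-inspection-likely"
    elif offered and last_code == "220":
        verdict = "starttls-ok"
    else:
        verdict = "no-starttls-advertised"
    return {"masked": masked, "starttls_offered": offered,
            "starttls_rejected": rejected, "verdict": verdict}

def probe(host, port=25, helo="client.example.test", timeout=10):
    """Run the exchange against a live server (hostnames are placeholders)."""
    replies = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        rd = s.makefile("r", encoding="ascii", errors="replace")
        def read_reply():  # collect one possibly multi-line reply
            while True:
                raw = rd.readline()
                if not raw:
                    raise ConnectionError("server closed the connection")
                replies.append(raw.rstrip("\r\n"))
                if raw[3:4] == " ":
                    return
        read_reply()
        s.sendall(f"EHLO {helo}\r\n".encode())
        read_reply()
        s.sendall(b"STARTTLS\r\n")
        read_reply()
        s.sendall(b"QUIT\r\n")
    return diagnose(replies)
```

Run `probe("mx.example.test")` from the host behind the ASA; a verdict of esmtp-inspection-likely before the change and starttls-ok after it confirms the inspection was the cause.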