ESMTP TLS + Cisco ASA = Problems!

Do you have ESMTP messages stuck in a queue?  Do you have a Cisco ASA firewall?  If you answered yes to both, this article may help!

The Problem

You have a system that sends email using ESMTP, and this traffic is routed through a Cisco ASA firewall.  The email is not delivered, and errors similar to “421 4.4.1 Connection timed out” (Microsoft Exchange) are being reported.  By default the Cisco firewall inspects ESMTP traffic and replaces certain commands and reply lines with “***”, which produces errors while the message is being sent.  The image below shows an example of this behaviour (“500 5.3.3 Unrecognised Command”):
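As an added troubleshooting aid (not code from the original post), the Python below parses an EHLO reply and reports whether STARTTLS was advertised, was replaced by asterisks as described above, or was never offered. The two sample replies are constructed, and `probe()` is an assumed convenience for fetching a live reply from your own mail server on port 25.

```python
import re
import socket

# Constructed sample EHLO replies (not captured from the original post):
# an unmodified reply and one with the STARTTLS line overwritten.
EHLO_CLEAN = (
    "250-mail.example.test Hello [192.0.2.10]\r\n"
    "250-SIZE 37748736\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH LOGIN PLAIN\r\n"
    "250 CHUNKING\r\n"
)
EHLO_MASKED = EHLO_CLEAN.replace("250-STARTTLS", "250-***")

def parse_ehlo(response: str):
    """Return (capability keywords, number of lines that were only asterisks).
    The greeting line is skipped; each other line loses its '250-'/'250 ' prefix."""
    capabilities, masked = [], 0
    for line in response.strip().splitlines()[1:]:
        body = line[4:].strip()
        if not body:
            continue
        if re.fullmatch(r"\*+", body):
            masked += 1  # what ESMTP inspection leaves behind
        else:
            capabilities.append(body.split()[0].upper())
    return capabilities, masked

def diagnose(response: str) -> str:
    """Troubleshooter verdict: 'ok', 'masked' or 'no-starttls'."""
    capabilities, masked = parse_ehlo(response)
    if "STARTTLS" in capabilities:
        return "ok"
    return "masked" if masked else "no-starttls"

def probe(host: str, port: int = 25, timeout: float = 10.0) -> str:
    """Fetch a live EHLO reply from your own mail server to feed diagnose()."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.recv(4096)  # discard the server greeting
        s.sendall(b"EHLO probe.example.test\r\n")
        data = b""
        while not re.search(rb"^\d{3} ", data, re.M):  # 'NNN ' ends the reply
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
        s.sendall(b"QUIT\r\n")
    return data.decode("ascii", "replace")
```

Run `diagnose(probe("your.mail.server"))` from a host on each side of the firewall: "ok" on one side and "masked" on the other points straight at the inspection policy.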

The Solution

To fix the issue, the default ESMTP inspection must be disabled on the Cisco ASA. Note that this turns off all of the ASA's ESMTP protocol checks for that traffic, not only the masking of the TLS command. This can be done with the commands below on the ASA:

enable
configure terminal
policy-map global_policy
class inspection_default
no inspect esmtp
exit
exit
write memory

You can read more on this issue on the Cisco website.
