ESMTP TLS and Cisco ASA don’t play nice

By | February 26, 2010

We had a nice little problem the other day. We had already gone through our Exchange 2003 to Exchange 2010 migration a couple weeks ago, last weekend was the firewall upgrade from Pix 515 to ASA5510. For the most part, all went well. On Tuesday I overheard someone mention that external email was coming in in bursts. Then later that day, my wife called me because I wasn’t answering my emails. Well that was because I hadn’t received them. At the time, being as busy as I was, I just wrote it off as people being impatient. Well then I actually received a help desk request for it, so it now had to be researched.

After looking into it a little bit, I decided to place the blame on the firewall upgrade. I headed over the my firewall guy’s desk and told him what I had found and what it was doing. After a bit of research he came back with an answer.

You need to enable esmtp inspection if you intend on running TLS on your SMTP server. This is because the ASA’s have an “enhancement” which provides a configuration parameter allow-tls in the esmtp policymap. When esmtp inspection is enabled, it will not mask the 250-STARTTLS echo reply from the server or the client. When the server replies with the 220 response, esmtp inspection turns off by itself.

Here is how you configure it.

Log into your ASA


CiscoASA# config t
CiscoASA(config)# policy-map global_policy
CiscoASA(config-pmap)# class inspection_default
CiscoASA(config-pmap-c)# no inspect esmtp
CiscoASA(config-pmap-c)# exit
CiscoASA(config-pmap)# exit
CiscoASA(config)# exit
CiscoASA# wr me

End of story. Simple, quick, silly little thing

Leave a Reply

Your email address will not be published. Required fields are marked *