Cisco ASA 55xx and ESMTP inspection breaks TLS

It’s been few days when we discovered a problem with sending emails using TLS in our company.

We found out the problem with sending emails via TLS was the result given by the email server after “STARTTLS” command:
> 502 5.5.2 Error: command not recognized

First it seemed as the destined server didn’t implement TLS at all.

But when I tried to handle SMTP connection from my home PC, the “STARTTLS” command gave me different result:
> 220 2.0.0 Ready to start TLS

Because all corporate outgoing traffic flows via ASA 5520 appliance with 8.4.2 fw which has some basic protocol inspections enabled, we started to blame ASA.

The problem was solved after disabling esmtp inspections on ASA and all outgoing TLS connection worked like a charm since then.

Ok, but what was the problem ? We started looking for some more information about this issue as we believed we’re not the only ones having this problem and we found a workaround in few tech forums. After contacting our local Cisco partner about this issue we were given the very same workaround so we can also consider it as an official solution:

policy-map type inspect esmtp esmtp_no_TLS
allow-tls action log

policy-map global_policy
class inspection_default
no inspect esmtp
inspect esmtp esmtp_no_TLS

It’s strange this issue is described on official Cisco site pointing to this bug claiming it’s already resolved in 8.4.2 fw which apparently is not true.

After consulting it with local Cisco partner we decided to file this bug to Cisco bugzilla and see the official statement.

Posted in ASA 5000 series, Cisco devices configuration

Leave a Reply