Cisco Cisco Email Security Appliance X1050 Information Guide

Why do you see XXXXXXXA after EHLO and "500 #5.5.1 command not recognized" after STARTTLS?
Document ID: 118550
Contributed by Timo Steinlein and Robert Sherwin, Cisco TAC Engineers.
Oct 10, 2014
Contents
Introduction
Why do you see XXXXXXXA after EHLO and "500 #5.5.1 command not recognized" after STARTTLS?
Related Information
Introduction
This document describes why you see "XXXXXXXA" in mailserver communication and TLS failures
associated with the Cisco Email Security Appliance (ESA).
Why do you see XXXXXXXA after EHLO and "500 #5.5.1 command not recognized" after STARTTLS?
TLS fails for inbound or outbound messages.
After the EHLO command, the ESA responds to an external mailserver with:
250-8BITMIME
250-SIZE 14680064
250 XXXXXXXA
After command "STARTTLS" in the SMTP conversation, the ESA responds to an external mailserver with:
500 #5.5.1 command not recognized
Internal tests of STARTTLS succeed: when the firewall is bypassed, for example with STARTTLS connections to the local mail servers or with telnet injection tests, STARTTLS works fine.
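The two symptoms above can be checked mechanically. The following Python script is an added example written for this note; it is not part of the Cisco document and not ESA or PIX code. It parses an EHLO reply, flags an extension keyword that has been masked to a run of X characters, combines that with the reply code to STARTTLS, and reports whether the pattern matches the firewall-inspection case. The sample EHLO replies and the host name `probe.example.invalid` are constructed for the example; `probe()` is an optional live check for a mail path you administer and is not needed to run the offline diagnosis.

```python
import re
import smtplib

# Constructed sample EHLO replies (not captured from a real system).
# EHLO_MASKED reproduces the symptom described in the document.
EHLO_MASKED = ["250-8BITMIME", "250-SIZE 14680064", "250 XXXXXXXA"]
EHLO_CLEAN = ["250-8BITMIME", "250-SIZE 14680064", "250-STARTTLS", "250 OK"]

# A keyword that has been overwritten with X's (optionally ending in one
# other letter, as in XXXXXXXA) is treated as a masked extension.
MASKED_RE = re.compile(r"^X{4,}[A-Z]?$")


def parse_ehlo(lines):
    """Return the extension keywords from EHLO reply lines.

    Accepts lines with the reply code ('250-KEYWORD params' / '250 KEYWORD')
    or without it ('KEYWORD params'), as smtplib returns them.
    """
    exts = []
    for line in lines:
        m = re.match(r"^(?:250[ -])?(\S+)", line.strip())
        if m:
            exts.append(m.group(1).upper())
    return exts


def diagnose(ehlo_lines, starttls_reply):
    """Classify one SMTP exchange.

    ehlo_lines     -- EHLO reply lines after the greeting line
    starttls_reply -- the full reply line to the STARTTLS command
    Returns a dict with the parsed facts and a 'verdict' string.
    """
    exts = parse_ehlo(ehlo_lines)
    masked = [e for e in exts if MASKED_RE.match(e)]
    starttls_advertised = "STARTTLS" in exts
    code = starttls_reply.split()[0] if starttls_reply.strip() else ""
    result = {
        "starttls_advertised": starttls_advertised,
        "masked_extensions": masked,
        "starttls_code": code,
    }
    if not starttls_advertised and masked and code == "500":
        # Keyword masked in EHLO plus "500 ... command not recognized" on
        # STARTTLS: the pattern produced by ESMTP inspection in the path.
        result["verdict"] = "esmtp_inspection_suspected"
    elif starttls_advertised and code == "220":
        result["verdict"] = "starttls_ok"
    else:
        result["verdict"] = "inconclusive"
    return result


def probe(host, port=25, timeout=10):
    """Live check against a mail server you administer (hypothetical helper).

    Sends EHLO, records the advertised extensions, sends STARTTLS and records
    the reply code. It does not complete the TLS handshake; the socket is
    simply closed afterwards.
    """
    s = smtplib.SMTP(host, port, timeout=timeout)
    try:
        _code, msg = s.ehlo("probe.example.invalid")
        # smtplib strips the reply codes; the first line is the greeting.
        lines = msg.decode("ascii", "replace").splitlines()[1:]
        tls_code, tls_msg = s.docmd("STARTTLS")
        reply = f"{tls_code} {tls_msg.decode('ascii', 'replace')}"
        return diagnose(lines, reply)
    finally:
        s.close()


if __name__ == "__main__":
    print(diagnose(EHLO_MASKED, "500 #5.5.1 command not recognized"))
    print(diagnose(EHLO_CLEAN, "220 Go ahead"))
```

Run the same `diagnose()` against captures taken from inside the firewall and from outside it: a verdict of `esmtp_inspection_suspected` only on the outside capture points at the device in between rather than at the ESA.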
The problem is typically seen when a Cisco PIX or Cisco ASA firewall sits in the mail path with SMTP packet inspection enabled (SMTP and ESMTP inspection, the SMTP fixup protocol) and the STARTTLS command is not allowed through the firewall.
Cisco PIX firewall versions earlier than 7.2(3) that use the various ESMTP security protocols incorrectly
terminate connections because of a bug in interpreting duplicate headers. The ESMTP security protocols
include "fixup," "ESMTP inspect," and others.
Turn off all ESMTP security features in PIX, or upgrade PIX to 7.2(3) or later, or both. Since this problem
occurs with remote email destinations that run PIX, it might not be practical to turn this off or recommend