Cisco Email Security Appliance X1050 Troubleshooting Guide

Question:
Why does the ESA issue EHLO twice when TLS is enabled?
You may wonder why the ESA issues more than one EHLO when making a TLS connection to a remote host. 
According to RFC 3207, Section 4.2:
"The server MUST discard any knowledge obtained from the client, such as the argument to the EHLO
command, which was not obtained from the TLS negotiation itself. The client SHOULD send an EHLO
command as the first command after a successful TLS negotiation."
Therefore a second EHLO, after the TLS negotiation, is perfectly normal behavior. Anything exchanged before the TLS
session is established cannot be considered part of the TLS-encrypted conversation. The list of SMTP service
extensions returned in response to an EHLO command received after the TLS handshake may differ from the list
returned before the TLS handshake; in the example below, STARTTLS is advertised in the first response and is
absent from the second. Below is an example of the log entries you might see in your mail logs when TLS is enabled:
Mon May 16 18:34:30 2005 Info: 5165207 Sent: 'EHLO mx4.example.com'
Mon May 16 18:34:30 2005 Info: 5165207 Rcvd: '250-eq-c601.example.com'
Mon May 16 18:34:30 2005 Info: 5165207 Rcvd: '250−8BITMIME'
Mon May 16 18:34:30 2005 Info: 5165207 Rcvd: '250−SIZE 10485760'
Mon May 16 18:34:30 2005 Info: 5165207 Rcvd: '250 STARTTLS'
Mon May 16 18:34:30 2005 Info: 5165207 Sent: 'STARTTLS'
Mon May 16 18:34:30 2005 Info: 5165207 Rcvd: '220 Go ahead with TLS'
Mon May 16 18:34:30 2005 Info: 5165207 Sent: 'EHLO mx4.example.com'
Mon May 16 18:34:30 2005 Info: 5165207 Rcvd: '250-eq-c601.example.com'
Mon May 16 18:34:30 2005 Info: 5165207 Rcvd: '250−8BITMIME'
Mon May 16 18:34:30 2005 Info: 5165207 Rcvd: '250 SIZE 10485760'
Mon May 16 18:34:30 2005 Info: 5165207 Sent: 'MAIL
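The following script is an added example, not part of this Cisco document and not ESA code. It reads the Sent:/Rcvd: conversation lines in the format shown above and checks the two RFC 3207 Section 4.2 rules the answer relies on: the client must re-issue EHLO after a successful STARTTLS, and the server must not advertise STARTTLS inside the TLS session. It also flags a connection that was offered STARTTLS but went on to MAIL in cleartext. The log text is constructed for the example (the MAIL FROM line is completed with a made-up sender, and the two connections in BAD_LOG are invented to show the findings); the line layout is assumed to match the excerpt above.

```python
"""Check ESA-style mail_logs SMTP conversation lines for correct STARTTLS behaviour.

Added example, not Cisco code. Verifies the RFC 3207 section 4.2 rules:
  * the client re-issues EHLO after a successful STARTTLS,
  * the server does not advertise STARTTLS once the session is inside TLS,
and flags a connection that had STARTTLS offered but proceeded in cleartext.
"""
import re
from dataclasses import dataclass, field

# Matches the tail of a conversation line: '<ts> Info: <icid> Sent|Rcvd: '<text>''
LINE_RE = re.compile(r" Info: (?P<icid>\d+) (?P<dir>Sent|Rcvd): '(?P<msg>.*)'$")

# Constructed sample: the excerpt above, with the MAIL line completed (made-up sender).
SAMPLE_LOG = """\
Mon May 16 18:34:30 2005 Info: 5165207 Sent: 'EHLO mx4.example.com'
Mon May 16 18:34:30 2005 Info: 5165207 Rcvd: '250-eq-c601.example.com'
Mon May 16 18:34:30 2005 Info: 5165207 Rcvd: '250-8BITMIME'
Mon May 16 18:34:30 2005 Info: 5165207 Rcvd: '250-SIZE 10485760'
Mon May 16 18:34:30 2005 Info: 5165207 Rcvd: '250 STARTTLS'
Mon May 16 18:34:30 2005 Info: 5165207 Sent: 'STARTTLS'
Mon May 16 18:34:30 2005 Info: 5165207 Rcvd: '220 Go ahead with TLS'
Mon May 16 18:34:30 2005 Info: 5165207 Sent: 'EHLO mx4.example.com'
Mon May 16 18:34:30 2005 Info: 5165207 Rcvd: '250-eq-c601.example.com'
Mon May 16 18:34:30 2005 Info: 5165207 Rcvd: '250-8BITMIME'
Mon May 16 18:34:30 2005 Info: 5165207 Rcvd: '250 SIZE 10485760'
Mon May 16 18:34:30 2005 Info: 5165207 Sent: 'MAIL FROM:<sender@example.com>'
"""

# Constructed sample of two misbehaving connections (invented ids and hosts):
# 7000001: client never re-issues EHLO after TLS; 7000002: server still offers STARTTLS inside TLS.
BAD_LOG = """\
Mon May 16 18:40:00 2005 Info: 7000001 Sent: 'EHLO mx4.example.com'
Mon May 16 18:40:00 2005 Info: 7000001 Rcvd: '250-relay.example.net'
Mon May 16 18:40:00 2005 Info: 7000001 Rcvd: '250 STARTTLS'
Mon May 16 18:40:00 2005 Info: 7000001 Sent: 'STARTTLS'
Mon May 16 18:40:00 2005 Info: 7000001 Rcvd: '220 Ready to start TLS'
Mon May 16 18:40:00 2005 Info: 7000001 Sent: 'MAIL FROM:<sender@example.com>'
Mon May 16 18:41:00 2005 Info: 7000002 Sent: 'EHLO mx4.example.com'
Mon May 16 18:41:00 2005 Info: 7000002 Rcvd: '250-relay2.example.net'
Mon May 16 18:41:00 2005 Info: 7000002 Rcvd: '250 STARTTLS'
Mon May 16 18:41:00 2005 Info: 7000002 Sent: 'STARTTLS'
Mon May 16 18:41:00 2005 Info: 7000002 Rcvd: '220 Ready to start TLS'
Mon May 16 18:41:00 2005 Info: 7000002 Sent: 'EHLO mx4.example.com'
Mon May 16 18:41:00 2005 Info: 7000002 Rcvd: '250-relay2.example.net'
Mon May 16 18:41:00 2005 Info: 7000002 Rcvd: '250 STARTTLS'
Mon May 16 18:41:00 2005 Info: 7000002 Sent: 'MAIL FROM:<sender@example.com>'
"""


@dataclass
class Conversation:
    """State of one SMTP connection, keyed by the connection id in the log."""
    tls: bool = False                  # True once the 220 reply to STARTTLS is seen
    starttls_sent: bool = False
    ehlo_before: int = 0               # EHLOs issued in cleartext
    ehlo_after: int = 0                # EHLOs issued inside the TLS session
    ext_before: set = field(default_factory=set)
    ext_after: set = field(default_factory=set)
    collecting: str = ""               # "greeting" / "ext" while reading a 250 reply to EHLO
    findings: list = field(default_factory=list)

    def note(self, msg):
        if msg not in self.findings:
            self.findings.append(msg)


def analyse(log_text):
    """Return {icid: Conversation} for every connection found in the log text."""
    convs = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                   # not an SMTP conversation line
        c = convs.setdefault(m["icid"], Conversation())
        msg = m["msg"]
        if m["dir"] == "Sent":
            verb = msg.split(" ", 1)[0].upper()
            if verb == "EHLO":
                c.collecting = "greeting"
                if c.tls:
                    c.ehlo_after += 1
                else:
                    c.ehlo_before += 1
            elif verb == "STARTTLS":
                c.starttls_sent = True
            elif verb == "MAIL":
                if c.tls and c.ehlo_after == 0:
                    c.note("client did not re-issue EHLO after STARTTLS (RFC 3207 s.4.2)")
                if not c.tls and "STARTTLS" in c.ext_before:
                    c.note("STARTTLS offered but session continued in cleartext")
            continue
        # Rcvd: server replies
        if c.starttls_sent and msg.startswith("220") and not c.tls:
            c.tls = True               # handshake follows; later lines are inside TLS
            c.starttls_sent = False
        elif c.collecting and msg.startswith("250"):
            if c.collecting == "greeting":
                c.collecting = "ext"   # first 250 line carries the server name, not an extension
            else:
                ext = msg[4:].split(" ", 1)[0].upper()
                if ext:
                    (c.ext_after if c.tls else c.ext_before).add(ext)
            if msg[3:4] == " ":        # '250 ' ends the multi-line reply; '250-' continues it
                c.collecting = ""
                if c.tls and "STARTTLS" in c.ext_after:
                    c.note("server advertised STARTTLS inside the TLS session (RFC 3207 s.4.2)")
    return convs


if __name__ == "__main__":
    for name, text in (("SAMPLE_LOG", SAMPLE_LOG), ("BAD_LOG", BAD_LOG)):
        for icid, c in analyse(text).items():
            print(f"{name} {icid}: tls={c.tls} ehlo_before={c.ehlo_before} "
                  f"ehlo_after={c.ehlo_after} findings={c.findings or 'none'}")
```

Run against the excerpt above, the connection shows one EHLO before and one after the handshake and no findings, which is the normal behaviour the answer describes. The two constructed connections in BAD_LOG each produce one finding, which is the kind of check worth running over real mail logs when a remote host's TLS behaviour looks off.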
Updated: Aug 12, 2014
Document ID: 118211