Cisco PIX/ASA Causes SMTP Banner Corruption

Traffic inspection rules on a Cisco PIX or ASA firewall will sometimes cause the SMTP banner to appear corrupted. When testing access to your mail server through an ASA, you may notice that the SMTP banner looks like this:

220 *************

This is just a symptom of the problem, which is that the SMTP traffic inspection rule is interfering with the SMTP data stream. Another symptom is email destined for this server appearing stuck in the SMTP queue of a server outside the network. This can ultimately cause delayed and undeliverable mail, especially for larger messages, such as those with attachments. You will find the following message in your mail.log:

enabling PIX workarounds: disable_esmtp delay_dotcrlf for *.*.*.*[*.*.*.*]:25
(delivery temporarily suspended: lost connection with *.*.*.*[*.*.*.*] while sending end of data -- message may be sent more than once)

The resolution for this problem is to disable the traffic inspection rule for SMTP/ESMTP on the Cisco PIX or ASA firewall.

On a PIX, this can be done from the command-line using the “no fixup protocol SMTP 25” command. It can also be disabled from the PIX Device Manager (PDM).

On an ASA, it’s a little different. From the command line (assuming your policy map is named “global_policy” and your class is named “inspection_default”):

CiscoASA(config)#policy-map global_policy
CiscoASA(config-pmap)#class inspection_default
CiscoASA(config-pmap-c)#no inspect esmtp

From the Adaptive Security Device Manager (ASDM):

1. Go to Security Policy –> Open the inspection rule:

2. Go to the Rule Actions tab and uncheck the box next to ‘ESMTP’

3. Test from outside the PIX/ASA again by telnetting to port 25; your SMTP banner should now look like this (I have masked the name of the server for privacy).
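To make the test in step 3 repeatable, here is an added Python check (not from the original post) that reads a server's SMTP greeting and flags the asterisk-masked banner that PIX/ASA ESMTP inspection produces. The host name, port and sample banners are assumptions or constructed values.

```python
import re
import socket

# Constructed sample greetings (not captured from any real server).
MASKED_BANNER = "220 *************\r\n"
NORMAL_BANNER = "220 mail.example.test ESMTP Postfix\r\n"


def banner_is_masked(banner: str) -> bool:
    """True when the 220 greeting text has been replaced by asterisks,
    the pattern a PIX/ASA 'inspect esmtp' / 'fixup protocol smtp' rule leaves."""
    line = banner.splitlines()[0] if banner else ""
    m = re.match(r"^220[ -](.*)$", line)
    if not m:
        return False  # not a greeting at all; nothing to judge
    text = m.group(1).strip()
    return bool(text) and set(text) == {"*"}


def parse_greeting(banner: str) -> dict:
    """Split a (possibly multi-line '220-') greeting into code, text and masked flag."""
    lines = [l for l in banner.splitlines() if l]
    if not lines or not re.match(r"^\d{3}[ -]", lines[0]):
        raise ValueError("not an SMTP greeting: %r" % banner)
    return {"code": int(lines[0][:3]),
            "text": [l[4:] for l in lines],
            "masked": banner_is_masked(banner)}


def fetch_banner(host: str, port: int = 25, timeout: float = 5.0) -> str:
    """Connect, read the full greeting (until a '220 ' final line), then QUIT."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = b""
        while True:
            chunk = s.recv(512)
            if not chunk:
                break
            data += chunk
            last = data.rstrip(b"\r\n").split(b"\r\n")[-1]
            if data.endswith(b"\r\n") and len(last) >= 4 and last[3:4] == b" ":
                break
        try:
            s.sendall(b"QUIT\r\n")
        except OSError:
            pass
    return data.decode("ascii", "replace")


if __name__ == "__main__":
    import sys
    # With no host argument the constructed masked sample is used (hypothetical host otherwise).
    banner = fetch_banner(sys.argv[1]) if len(sys.argv) > 1 else MASKED_BANNER
    info = parse_greeting(banner)
    print(info)
    if info["masked"]:
        print("masked banner: check for ESMTP inspection on the firewall path")
```

Run it against your own mail server from outside the firewall before and after removing the inspection rule; the `masked` flag should flip to `False`.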

That’s it. I have made it standard practice to just disable this inspection rule on all Cisco ASA firewalls that I deploy to avoid problems.

This behavior is also described here: