Tuesday, February 4, 2014

Cisco ASA: Can Not Send Secure Email From Behind Firewall

I got a call from a customer that said that they could not send out secure emails from their Exchange server from within their company to an outside email address.  So me and the engineer that was with me went onsite, since we were close already, and almost immediately the guy that was with me mentioned that he had recently seen this and that he thought that the ASA inspection was blocking this outbound secure email.  Well, that jogged my memory as well, and it seems like I have run into that a few times in the past as well.  What was the solution?
Console into the Cisco ASA, then do the following:
ciscoasa#     config t
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# no inspect esmtp

I dont recall having to do this for any other firewall except the Cisco ASA.  I know I have not for Check Point and Palo Alto.  As for any other, Im not sure.


  1. Another option:

    # In ASA version 8.0.3 and later, the allow-tls command is available to allow TLS email with inspect esmtp enabled as shown:
    # http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113336-asa83-mailserver-inside.html#esmtp

    policy-map type inspect esmtp tls-esmtp

    policy-map global_policy
    class inspection_default
    inspect esmtp tls-esmtp

    service-policy global_policy global


Your comment will be reviewed for approval. Thank you for submitting your comments.