Cisco ASA Disable ESMTP Inspection

00001s 1 1


Yesterday my colleague Ben called me over to the help-desk and asked “Have you ever seen this before?” This was what was on his screen.

220 ***************************************************


Usually when you Telnet to an Exchange server it gives you a 220 message followed by the “Banner” of the Exchange server, a little like:

220 Microsoft ESMTP Mail service ready at (Date/Time)

The reason why you see this happening is, there is something in between you and the Exchange server that’s stopping/filtering ESMTP traffic.

In this clients case I knew straight away what that was, (because I’d seen it before,) Cisco firewalls (PIX and ASA) that have SMTP/ESMTP inspection enabled cause this to happen.

Disable ESMTP Inspection on Cisco ASA Via command line

Note: If you send mail via TLS DO NOT do this. (see here).

1. Connect to the the Cisco ASA, either by serial cable, Telnet or SSH.

2. Usually you will find ESMTP inspection enabled on the “global_policy” in the class called “inspection_default”, below are the commands to disable this feature.

Disable ESMTP Inspection on Cisco ASA via ASDM

1. Connect to the the Cisco ASA, via ASDM.

2. Navigate to Configuration > Firewall > Service Policy Rules > Global Policy > Inspection_Default > Rule Actions > untick ESMTP > OK > Apply > File > Save Running Configuration to flash.

Enable the Banner and Keep ESMTP Inspection on

You need to create a policy map that will not mask the banner and add that to the default inspection map, like so;

PetesASA> en
PetesASA#configure terminal
PetesASA(config)#policy-map type inspect esmtp tls-allow 
PetesASA(config-pmap-p)#no mask-banner
PetesASA(config)#policy-map global_policy 
PetesASA(config-pmap)#class inspection_default 
PetesASA(config-pmap-c)#no inspect esmtp
PetesASA(config-pmap-c)#inspect esmtp tls-allow 
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: b984ffbc dd77cdbf f2cd8d86 0b8f3f96
3965 bytes copied in 1.490 secs (3965 bytes/sec)


Previous articleMail Routing Issue ‘451 5.7.3 Cannot achieve Exchange Server authentication’
Next articleRemove Internal Exchange Server Names and IP Addresses from Message Headers
Phuong Nguyen
Hi, Nguyen Van Phuong is the owner of the website I 've been working in the IT sector since 2008. With nearly 12 years experience in the fields of design development, Governance, operating system enterprise network infrastructure.. I'm now a senior Infrastructure Administrator for the Enterprise network. Achivements: IT Project management IT management System and Network IT Security and data protection. Plan and bugged for Infrastructure and Security Deployment system Server (HP, IBM, Lenovo, Dell..), Network (Cisco, Juniper, Enterasys,..), PABX system, Firewall (Cisco ASA 5525-x, Juniper SSG520,..) Network system administration and maintenance: +Management all network configure IT system: AD, DNS, DHCP, Cores switch, Access switch, Router, Firewall, etc. Design & implement IT system, project management and manage IT operation, I also have extensive experience of ERP System base SQL , HRM, etc. Vendor/external system integrator management: support other department in terms of technical specifications for cost optimize, business process efficiency, procurement spend compliance. Virtualization System Deployment on Microsoft Windows Server 2016 (Hyper-V) and VMware ( Vmware vSphere 5.5, 6.5,6.7 vCenter) Backup and restore management on Symantec backup products (Veritas Backup 16, 20, 20.1, 20.2 ), Veeam Backup & Replication 9.0, 9.5U1, 9.5U2 U3, U4


Please enter your comment!
Please enter your name here