Why do you see XXXXXXXA after EHLO and “500 #5.5.1 command not recognized” after STARTTLS?



This document describes why you see “XXXXXXXA” in mailserver communication and TLS failures associated with the Cisco Email Security Appliance (ESA).

Why do you see XXXXXXXA after EHLO and “500 #5.5.1 command not recognized” after STARTTLS?

TLS fails for inbound or outbound messages.

After the EHLO command, the ESA responds to an external mailserver with:

250-SIZE 14680064

After command “STARTTLS” in the SMTP conversation, the ESA responds to an external mailserver with:

500 #5.5.1 command not recognized

Internal tests for STARTTLS are successful. That means when bypassing the firewall, STARTTLS works fine, such as STARTTLS connections with the local mail servers or telnet injection tests.

The problem is typically seen when you use a Cisco Pix or Cisco ASA firewall when SMTP Packet Inspection (SMTP and ESMTP Inspection, SMTP Fixup Protocol) and the STARTTLS command is not allowed in the firewall.

Cisco PIX firewall versions earlier than 7.2(3) that use the various ESMTP security protocols incorrectly terminate connections because of a bug in interpreting duplicate headers. The ESMTP security protocols include “fixup,” “ESMTP inspect,” and others.

Turn off all ESMTP security features in PIX, or upgrade PIX to 7.2(3) or later, or both. Since this problem occurs with remote email destinations that run PIX, it might not be practical to turn this off or recommend turning it off. If you have the opportunity to make a recommendation, a firewall upgrade should solve this issue.

Some, not all, of the issues are due to the inclusion of message headers within other headers, notably the signature headers for Domain Keys and Domain Keys Identified Mail. While there are still other circumstances under which PIX incorrectly terminates an SMTP session and causes delivery failures, DK and DKIM signing is one known cause. Temporarily disabling DK or DKIM might solve this issue for the time being, but the best solution is for all PIX users to upgrade or disable these security features.

Cisco recommends that all customers continue to sign messages with DKIM and to consider using this feature if not already doing so.

For SMTP and ESMTP Inspection (PIX/ASA 7.x and above) please see:


ESMTP TLS Configuration:

pix(config)#policy-map global_policy
pix(config-pmap)#class inspection_default
pix(config-pmap-c)#no inspect esmtp

For SMTP Fixup Protocol please see:


You can view the explicit (configurable) fixup protocol settings with the show fixup command. The default settings for configurable protocols are as follows:

show fixup
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060

Source : https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118550-qa-esa-00.html

Bài trướcCisco Bug: CSCsh33982 – (E)SMTP Multiple Content-Type headers check is wrong
Bài tiếp theoMail Routing Issue ‘451 5.7.3 Cannot achieve Exchange Server authentication’
Hi, Nguyen Van Phuong is the owner of the website viettechgroup.vn. I 've been working in the IT sector since 2008. With nearly 11 years experience in the fields of design development, Governance, operating system enterprise network infrastructure.. I'm now a senior Infrastructure Administrator for the Enterprise network. Achivements: IT Project management IT management System and Network IT Security and data protection. Plan and bugged for Infrastructure and Security Deployment system Server (HP, IBM, Lenovo, Dell..), Network (Cisco, Juniper, Enterasys,..), PABX system, Firewall (Cisco ASA 5525-x, Juniper SSG520,..) Network system administration and maintenance: +Management all network configure IT system: AD, DNS, DHCP, Cores switch, Access switch, Router, Firewall, etc. Design & implement IT system, project management and manage IT operation, I also have extensive experience of ERP System base SQL , HRM, etc. Vendor/external system integrator management: support other department in terms of technical specifications for cost optimize, business process efficiency, procurement spend compliance. Virtualization System Deployment on Microsoft Windows Server 2016 (Hyper-V) and VMware ( Vmware vSphere 5.5, 6.5,6.7 vCenter) Backup and restore management on Symantec backup products (Veritas Backup 16, 20, 20.1, 20.2 ), Veeam Backup & Replication 9.0, 9.5U1, 9.5U2 U3, U4


Vui lòng nhập bình luận của bạn
Vui lòng nhập tên của bạn ở đây