This document describes the best way to troubleshoot connectivity
problems with SMTP and ESMTP traffic through an ASA.
There are no specific requirements for this document.
The information in this document is based on the Cisco 5500 Series
Adaptive Security Appliance (ASA).
The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.
Refer to Cisco Technical Tips Conventions for more information on document
conventions.
When you test an email server through Telnet on the ASA and ESMTP or
SMTP inspection is enabled, certain commands, such as
HELO or EHLO, return a
550 error that indicates the command is not understood. When ESMTP or SMTP
inspection is disabled, the commands are understood.
ESMTP and SMTP inspection enforce a policy that allows only certain
commands through the ASA. If a mail command is sent that is not allowed, it is
replaced by Xs, which makes the command invalid to the client and the server.
Commands that are normally allowed are listed in the
esmtp section of the Cisco ASA Series Command
Reference. HELO and
EHLO are normally allowed; however, whether the
command is recognized depends on the method by which you test.
For example, Telnet sends each character individually in a different
packet on the wire, but actual email clients and servers send the entire
command in one packet. If you use Telnet and you type H, the
Telnet client sends an H to the email server. Since ESMTP and SMTP inspection
do not recognize H as a valid command, the ASA replaces the H with an X and
passes it along. If you proceed to type ELO, each character is sent
individually, and the ASA turns each character into an X. The server receives
the final command as XXXX and errors out as expected.
If you use Telnet to test connectivity, you must configure the
application to send the entire command in one packet. (The Microsoft Windows
Telnet program can send a line at a time instead of character by character.)
Press CTRL+] to escape to the Telnet command prompt, and type
send HELO. This action sends the entire command in one packet
instead of as individual characters.
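The following is an added model of the behaviour described above (it is not Cisco code and does not reproduce the ASA inspection engine). It treats each TCP segment's payload independently: the leading run of letters is taken as the command verb, verbs on an allowlist pass, and anything else is overwritten with Xs. The allowlist is a constructed subset standing in for the commands listed in the esmtp section of the command reference; the mock server reply is likewise constructed. Feeding HELO through the model one character per segment (interactive Telnet) versus as one segment (Telnet send, Netcat, or a real mail client) shows why the same command is rejected in one case and accepted in the other.

```python
import re

# Constructed allowlist standing in for the commands the ASA normally permits;
# the authoritative list is in the esmtp section of the ASA command reference.
ALLOWED_COMMANDS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}

_VERB = re.compile(r"^[A-Za-z]+")


def inspect_segment(payload: str) -> str:
    """Model of ESMTP inspection applied to one TCP segment's payload.

    The leading run of letters is treated as the command verb. A verb on the
    allowlist passes unchanged; any other verb is overwritten with Xs so that
    neither client nor server can interpret it. A segment with no leading verb
    (a bare CR, LF or space) is passed through untouched.
    """
    m = _VERB.match(payload)
    if m is None:
        return payload
    verb = m.group(0)
    if verb.upper() in ALLOWED_COMMANDS:
        return payload
    return "X" * len(verb) + payload[len(verb):]


def inspect_stream(segments) -> str:
    """Inspect each segment in turn and return what the mail server receives."""
    return "".join(inspect_segment(s) for s in segments)


def telnet_segments(line: str):
    """Interactive Telnet: every keystroke travels in its own segment."""
    return list(line)


def line_mode_segments(line: str):
    """Telnet 'send', Netcat, or a real mail client: the whole line in one segment."""
    return [line]


def mock_server_reply(received: str) -> str:
    """Constructed server reaction: a recognised verb gets 250, anything else 550."""
    m = _VERB.match(received)
    if m and m.group(0).upper() in ALLOWED_COMMANDS:
        return "250 OK"
    return "550 Command not understood"


if __name__ == "__main__":
    cmd = "HELO\r\n"
    for label, segs in (("Telnet char-by-char", telnet_segments(cmd)),
                        ("one packet", line_mode_segments(cmd))):
        seen = inspect_stream(segs)
        print(f"{label:20s} server receives {seen!r} -> {mock_server_reply(seen)}")
```

Running the block shows the server receiving XXXX (and answering 550) for the keystroke-at-a-time case and HELO (answering 250) when the line arrives in a single segment, which is exactly the difference between the failing Telnet test and a working mail client.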
As an alternative, you can use another program, such as Netcat. Netcat
sends commands line by line and is a very powerful tool for testing network
sockets and data transfers. However, the best solution is to test the
connectivity with an actual email program and capture the traffic on the ASA
for further analysis.