How can a firewall or SMTP proxy affect ESMTP services?
In conjunction with mail processing through a Cisco Email Security Appliance (ESA), there are a number of firewalls and SMTP proxy services available that provide features meant to protect mail servers from exploit.
Some of these methods of protection can impede ESMTP services such as TLS and SMTP Authentication.
Services, such as TLS and SMTP Authentication, use ESMTP (Extended SMTP) commands. In order to access the ESMTP command set, the EHLO command must reach the receiving server. Some firewall and proxy security features will block or modify the EHLO command in transit. When the security device does not allow EHLO, no ESMTP services will be available. In this case, only the SMTP commands specified in RFC 821 section 4.5.1 are allowed on a mail server. These are: HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT. No ESMTP commands are available.
Another security feature used by these devices is SMTP banner modification. In order to hide the type and version of the protected mail server, some devices will obscure all but the 220 portion of the banner that is required for communication.
The banner will often appear similar to:
Part of the information being hidden is the ESMTP advertisement in the banner. When this advertisement is removed, a sending server will not be aware that ESMTP commands are accepted.
In summary, firewalls and SMTP proxy servers may block EHLO commands and hide ESMTP banner advertisements. When these security measures are in place, ESMTP commands may not be accessible. To ensure that other hosts can communicate with your ESA using ESMTP, you may need to disable these security features on your security device