Various problems with incoming email while using a Cisco firewall with PIX/ASA Mailguard enabled

Problem description

You have a Cisco PIX/ASA firewall with Mailguard enabled and are experiencing problems with incoming email.

Known problems include:
- No email is delivered to your ESMTP server
- Incoming messages may be duplicated


To check for the presence of Mailguard, follow these steps:

  1. From a workstation on the Internet, open a Telnet session to the IP address of the MX record on port 25. You should see text that resembles the following:
    220 *********0***************************************************************** ************2*************
  2. Issue the EHLO command. You may receive one of the following messages:
    • OK
    • 500 Unrecognized command

Note If you have an ESMTP server behind the PIX firewall, you may have to turn off the Mailguard feature to allow mail to flow correctly. Also, you may be unable to establish a Telnet session to port 25 while the fixup protocol smtp command is in effect. This is especially true with a Telnet client that uses character mode.

Note On Cisco PIX firewalls with firmware version 5.1 and with later versions, the fixup protocol smtp command changes most characters in the SMTP banner to asterisks. The exceptions to this are the "2" character, the "0" character, and the "0 " character. The carriage return (CR) character and the linefeed (LF) character are ignored. In version 4.4, all characters in the SMTP banner are converted to asterisks.
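The check above can also be scripted against a mail host you operate. The following Python code is an added example, not part of the original article: the function names and the EHLO name check.example are assumptions, and the EHLO test is a heuristic built only from the two replies listed in step 2.

```python
import re
import socket

ALLOWED_MASKED = set("*20")  # per the note above: only '2', '0' and '*' survive

def banner_is_masked(banner: str) -> bool:
    """True when a greeting holds only asterisks (plus optional '2'/'0')."""
    chars = set(banner.strip().replace(" ", ""))
    return "*" in chars and chars <= ALLOWED_MASKED

def ehlo_is_filtered(reply: str) -> bool:
    """Heuristic: EHLO answered with a 500 error or a bare OK, no extension list."""
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip()]
    if not lines:
        return False
    if lines[0].startswith("500"):
        return True
    text = re.sub(r"^\d{3}[ -]?", "", lines[0])  # drop an optional reply code
    return len(lines) == 1 and text.upper() == "OK"

def mailguard_indicators(banner: str, ehlo_reply: str) -> list:
    """Return the Mailguard symptoms seen in one greeting/EHLO exchange."""
    found = []
    if banner_is_masked(banner):
        found.append("masked banner")
    if ehlo_is_filtered(ehlo_reply):
        found.append("EHLO rejected or stripped")
    return found

def probe(host: str, port: int = 25, timeout: float = 10.0):
    """Fetch the greeting and the EHLO reply from a mail host you operate."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(1024).decode("ascii", "replace")
        s.sendall(b"EHLO check.example\r\n")
        reply = s.recv(4096).decode("ascii", "replace")
        s.sendall(b"QUIT\r\n")
    return banner, reply

if __name__ == "__main__":
    # Constructed sample exchange; replace with probe("<your MX host>") for a live check.
    sample_banner = "220 *********0******** ****2*****\r\n"
    sample_reply = "500 Unrecognized command\r\n"
    print(mailguard_indicators(sample_banner, sample_reply))
```

An empty result from mailguard_indicators means neither symptom was seen; it does not by itself prove that no SMTP inspection is in the path.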

To work around these issues, turn off the Mailguard feature of the PIX firewall. To do this, follow these steps:

  1. Establish a Telnet session to log on to the Cisco PIX firewall. Alternatively, use the console to log on to the Cisco PIX firewall.
  2. Type enable, and then press ENTER.
  3. When you are prompted for your password, type your password, and then press ENTER.
  4. Type configure terminal, and then press ENTER.
  5. Type no fixup protocol smtp 25, and then press ENTER.
  6. Type write memory, and then press ENTER.
  7. Restart or reload the Cisco PIX firewall.

Note For more information about how to turn off the Mailguard feature of the Cisco PIX firewall, visit the following Cisco Web site:

Date Published: 2012.06.05   Date Updated: 2012.11.14