The following is an excerpt from the Cisco Knowledge Base:
Note
If you use Transport Layer Security (TLS) encryption for e-mail communication then the ESMTP inspection feature (enabled by default) in the PIX drops the packets. In order to allow the e-mails with TLS enabled, disable the ESMTP inspection feature as this output shows.
CiscoASA# config t
CiscoASA(config)# policy-map global_policy
CiscoASA(config-pmap)# class inspection_default
CiscoASA(config-pmap-c)# no inspect esmtp
CiscoASA(config-pmap-c)# exit
CiscoASA(config-pmap)# exit
CiscoASA(config)# exit
CiscoASA# wr me
Note
In ASA version 8.0.3 and later, the allow-tls command is available to allow TLS email with inspect esmtp enabled as shown:
config t
policy-map type inspect esmtp tls-esmtp
parameters
allow-tls action log
exit
policy-map global_policy
class inspection_default
no inspect esmtp
inspect esmtp tls-esmtp
Exit
