cannot pass smtp - 25

Unanswered Question
Jul 23rd, 2008


I am in the process of setting up an in-house mail server. In doing so I have set up SMTP, POP3, and IMAP to pass to my mail server.

For some reason, when I do the telnet test for 25 from an outside location, the 515E returns the 220 and not my mail server. POP3 and IMAP seem to work fine.

Any ideas what could be blocking my 25?



a.alekseev Wed, 07/23/2008 - 11:56

What software version of the PIX do you have?

husycisco Wed, 07/23/2008 - 12:07

Hello Mark,

"the 515E returns the 220 and not my mail server"

I don't know a reply type of "220" from PIX firewall. If you telnet 25 to the IP and get any kind of screen (either blank or some output) other than "Could not open connection to the host" Connect failed or timeout, that means the port is open.

By the way, exchange server reply to a telnet to port 25 starts with 220. Here is one of them

"220 Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at Wed, 23 Jul 2008 23:09:19 +0300 "

Or sometimes just 220 and some ASCII chars like ######## or so.

If you post your sanitized config, we would help better.

Also make sure that you configured your SMTP Connector in Exchange server.

Regards

Wed, 07/23/2008 - 12:31

You probably also want to turn off fixup for smtp. We run a 515e and E2K and have it off. It's my understanding that MS has a problem with that.

mjackson@lewisa... Wed, 07/23/2008 - 12:43

When I do the telnet 25 from an outside location I get one of 2 returns:

220 ####### - I am told this is the 515e responding

or nothing

mjackson@lewisa... Wed, 07/23/2008 - 12:39

Guessing old, I inherited this when I started this job.

Version 6.3(5), does that sound right?

a.alekseev Wed, 07/23/2008 - 12:48

In this case I advise you to turn off smtp fixup.

husycisco Wed, 07/23/2008 - 17:04


"220 ####### - I am told this is the 515e responding"

Inspection is replacing the starttls echo-reply with ##, sometimes **. Most mail servers work in this case, but your mail server may not be able to establish connection with some mail servers.

Following are the necessary commands to correct that:

policy-map type inspect esmtp esmtp_map
 parameters
  no mask-banner
policy-map global_policy
 class inspection_default
  inspect esmtp esmtp_map

But this is available in code 7.2 or higher. I don't know an equivalent for 6.3 code and I assume it does not exist.

Better upgrade your IOS or remove the fixup as suggested.
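A scripted version of the telnet test discussed in this thread, added here as an example and not code from any of the posters: it separates a greeting rewritten by the firewall's SMTP inspection (220 followed by # or *) from a real server banner, and checks whether an EHLO reply still advertises STARTTLS. The function names, the 0.8 masking threshold and the sample replies are assumptions made for the illustration.

```python
import re
import socket

MASK_CHARS = set("#*")   # masking characters reported in the thread
MASK_RATIO = 0.8         # assumed threshold: share of masked characters

def parse_reply(raw):
    """Return (code, [text per line]) for a possibly multi-line SMTP reply."""
    lines = [l for l in raw.replace("\r", "").split("\n") if l]
    parts = [re.match(r"(\d{3})[ -]?(.*)$", l) for l in lines]
    if not lines or not all(parts):
        raise ValueError("not an SMTP reply: %r" % raw)
    return int(parts[0].group(1)), [p.group(2) for p in parts]

def is_masked(text):
    """True when most non-space characters are masking characters."""
    body = text.replace(" ", "")
    hits = sum(c in MASK_CHARS for c in body)
    return bool(body) and hits / len(body) >= MASK_RATIO

def classify_banner(raw):
    """Label the greeting seen on TCP/25 from outside the firewall."""
    if not raw.strip():
        return "no-banner"              # connected, but nothing was sent
    code, texts = parse_reply(raw)
    if code != 220:
        return "not-ready"
    return "masked-by-inspection" if is_masked(" ".join(texts)) else "server-banner"

def check_ehlo(raw):
    """Return (starttls_advertised, masked_line_count) for an EHLO reply."""
    _, texts = parse_reply(raw)
    starttls = any(t.upper().split()[:1] == ["STARTTLS"] for t in texts)
    return starttls, sum(is_masked(t) for t in texts)

def probe(host, port=25, timeout=10):
    """Live check: read the greeting from host:port and classify it."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            raw = s.recv(1024).decode("ascii", "replace")
        except socket.timeout:
            raw = ""
    return classify_banner(raw)

# Constructed samples (not captured traffic)
MASKED = "220 ########\r\n"
REAL = "220 mail.example.test ESMTP ready\r\n"
EHLO_MASKED = "250-mail.example.test\r\n250-SIZE 10240000\r\n250-########\r\n250 HELP\r\n"
```

Run `probe()` against your own public address from an outside host; a "masked-by-inspection" result together with `check_ehlo()` returning no STARTTLS means the inspection engine, not the mail server, is shaping what remote senders see.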


