Cisco PIX/ASA Mailguard

The Cisco PIX firewall device uses an SMTP protocol filtering feature that is named Mailguard. When the Mailguard feature is turned on, it blocks all Extended Simple Mail Transfer Protocol (ESMTP) commands. Mailguard allows only seven basic Simple Mail Transfer Protocol (SMTP) commands to pass. Therefore, the PIX firewall does not forward the ESMTP commands to the mail server. The ESMTP commands include commands such as X-LINK2STATE, Auth, Auth login, KILL, and WIZ.

Additionally, there is a known issue with Mailguard that causes duplicate incoming messages. Cisco has corrected this issue in later software releases. For more information about this known issue, see the "Duplicate incoming SMTP messages" section later in this article.

To check for the presence of Mailguard, follow these steps:

1. From a workstation on the Internet, open a Telnet session to the IP address of the MX record on port 25. You should see text that resembles the following:

220 *********0***************************************************************** ************2*************

2. Issue the EHLO command. You may receive one of the following messages:

500 Unrecognized command

Note If you have an ESMTP server behind the PIX firewall, you may have to turn off the Mailguard feature to allow mail to flow correctly. Also, you may be unable to establish a Telnet session to port 25 with the fixup protocol smtp command. This is especially true with a Telnet client that uses character mode.

Note On Cisco PIX firewalls with firmware version 5.1 and with later versions, the fixup protocol smtp command changes most characters in the SMTP banner to asterisks. The exceptions to this are the "2" character, the "0" character, and the "0 " character. The carriage return (CR) character and the linefeed (LF) character are ignored. In version 4.4, all characters in the SMTP banner are converted to asterisks.
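The two-step check above, as an added example that is not part of the original article: it classifies a 220 banner and an EHLO reply using the asterisk masking and the "500 Unrecognized command" indicators described here, and probe() runs the same two steps against a host and port you supply. The sample banner and replies are constructed, and the host name probe.example.test used in EHLO is an assumed placeholder.

```python
import socket
import sys

# Constructed sample responses (not captured from a real host); they follow the
# shapes the article describes: a masked 220 banner and a rejected EHLO.
SAMPLE_MASKED_BANNER = ("220 *********0*****************************************"
                        "******************** ************2*************")
SAMPLE_CLEAR_BANNER = "220 mail.example.test ESMTP ready"
SAMPLE_EHLO_REJECTED = "500 Unrecognized command"
SAMPLE_EHLO_ACCEPTED = "250-mail.example.test"


def banner_is_masked(banner):
    """True when the 220 greeting shows only asterisks plus the characters
    fixup protocol smtp leaves visible ('2', '0' and space); a banner that is
    entirely asterisks (PIX 4.4 behaviour) also matches."""
    if not banner.startswith("220"):
        return False
    rest = banner[3:].strip()
    return bool(rest) and all(ch in "*20 " for ch in rest)


def ehlo_is_rejected(reply):
    """Mailguard passes only basic SMTP commands, so EHLO comes back as a 500."""
    return reply.startswith("500")


def assess(banner, ehlo_reply):
    """Combine both indicators into a verdict string."""
    hits = int(banner_is_masked(banner)) + int(ehlo_is_rejected(ehlo_reply))
    return {2: "mailguard-likely", 1: "mailguard-possible"}.get(hits, "no-mailguard-indicators")


def probe(host, port=25, timeout=10.0):
    """Run the two steps live against your own MX: read the greeting, send EHLO,
    return (banner, first reply line). The caller supplies host and port."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rwb")
        banner = f.readline().decode("ascii", "replace").rstrip("\r\n")
        f.write(b"EHLO probe.example.test\r\n")  # assumed placeholder host name
        f.flush()
        reply = f.readline().decode("ascii", "replace").rstrip("\r\n")
        f.write(b"QUIT\r\n")
        f.flush()
    return banner, reply


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else None
    banner, reply = probe(host) if host else (SAMPLE_MASKED_BANNER, SAMPLE_EHLO_REJECTED)
    print(banner)
    print(reply)
    print("verdict:", assess(banner, reply))
```

Run it with no arguments to see the verdict on the constructed samples, or pass the MX host name to repeat the check live.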


To work around these issues, turn off the Mailguard feature of the PIX firewall. To do this, follow these steps:

1. Establish a Telnet session to log on to the Cisco PIX firewall. Alternatively, use the console to log on to the Cisco PIX firewall.

2. Type enable, and then press ENTER.

3. When you are prompted for your password, type your password, and then press ENTER.

4. Type configure terminal, and then press ENTER.

5. Type no fixup protocol smtp 25, and then press ENTER.

6. Type write memory, and then press ENTER.

7. Restart or reload the Cisco PIX firewall.

Note For more information about how to turn off the Mailguard feature of the Cisco PIX firewall, visit the following Cisco Web site: (