TLS connections fail with "500 5.5.2 unrecognized command"
Article ID: 222652

Products

Messaging Gateway

Issue/Introduction

Messaging Gateway (SMG) has been configured to use TLS when accepting mail from the internet, but every attempt to deliver TLS-secured email to SMG fails with "500 5.5.2 unrecognized command".

A telnet test against the SMG scanner shows that the expected 250-STARTTLS line in the EHLO response has been replaced with 250-XXXXXXXA:

telnet 192.0.2.25 25
Trying 192.0.2.25...
Connecting to 192.0.2.25 (smtp.example.com)
220 ************************************************************
EHLO example.net
250-smtp.example.com says EHLO to smg.example.net:45678
250-PIPELINING
250-XXXXXXXA
250-8BITMIME
250-ENHANCEDSTATUSCODES
250 SIZE 10485760
STARTTLS
500 5.5.2 Unrecognized command
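As an added example that is not part of the article, the following Python script automates the same check as the telnet test above: it parses the EHLO keyword list and reports whether STARTTLS is advertised, absent, or replaced by a masked token such as 250-XXXXXXXA. The masking heuristic (a keyword consisting almost entirely of X's) and the probe hostname probe.example.net are assumptions.

```python
import re
import smtplib

# Constructed sample, copied from the telnet transcript in the article.
SAMPLE_EHLO_RESPONSE = (
    "250-smtp.example.com says EHLO to smg.example.net:45678\r\n"
    "250-PIPELINING\r\n"
    "250-XXXXXXXA\r\n"
    "250-8BITMIME\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250 SIZE 10485760\r\n"
)

# Assumption: an advertised keyword made almost entirely of X's is an ESMTP
# extension that an inspecting firewall has masked, not a real extension.
MASKED_KEYWORD = re.compile(r"^X{4,}[A-Z0-9]?$")


def parse_ehlo(response: str) -> list[str]:
    """Return the ESMTP keywords advertised in a multi-line 250 EHLO response."""
    keywords = []
    for line in response.splitlines()[1:]:  # line 1 is the greeting, not a keyword
        if not line.startswith("250"):
            continue
        keyword = line[4:].split(" ", 1)[0].strip()  # drop "250-"/"250 " and params
        if keyword:
            keywords.append(keyword.upper())
    return keywords


def classify_ehlo(response: str) -> str:
    """Tell a normal server apart from one behind a firewall that masks STARTTLS."""
    keywords = parse_ehlo(response)
    if "STARTTLS" in keywords:
        return "starttls-advertised"
    if any(MASKED_KEYWORD.match(k) for k in keywords):
        return "starttls-masked"      # the failure shown in the article
    return "starttls-absent"          # server simply does not offer TLS


def check_live_server(host: str, port: int = 25, timeout: float = 10.0) -> str:
    """Probe a real MTA the way the article's telnet test does (needs network)."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, msg = smtp.ehlo("probe.example.net")  # assumed probe hostname
        if code != 250:
            return f"ehlo-failed-{code}"
        # smtplib strips the "250-" prefixes; put them back so one parser serves both.
        lines = msg.decode("ascii", "replace").split("\n")
        return classify_ehlo("\r\n".join(f"250-{line}" for line in lines))
```

Run `check_live_server("smtp.example.com")` against the SMG scanner from outside the firewall; a result of "starttls-masked" points at the intermediate inspection described in the Cause section.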

Environment

Messaging Gateway

Cause

A Cisco PIX firewall is intercepting and modifying the SMTP session.

Resolution

This issue is caused by an intermediate firewall, usually a Cisco PIX, performing SMTP packet inspection and blocking TLS sessions to the Messaging Gateway. SMTP packet inspection must be disabled, or modified so that the STARTTLS extension is passed through unchanged, on that firewall.

Please see "Why do you see XXXXXXXA after EHLO and "500 #5.5.1 command not recognized" after STARTTLS?" for details.