For weeks I have been experiencing a very strange problem with SMTP and TLS. My Postfix mail server allows TLS-encrypted connections; unfortunately this does not seem to work as soon as I'm at home, while at work everything is fine. Today I found some time to investigate. I tested the TLS SMTP connection using openssl from various systems I have access to by issuing:


openssl s_client -starttls smtp -host my.mail.server -port 25

Only from my home LAN did I get the following error:


root@linkstation:/home/nd# openssl s_client -starttls smtp -host my.mail.server -port 25
CONNECTED(00000003)
2933:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO: unknown protocol:s23_clnt.c:567:

Now I began to suspect my Cisco 851W router, and I was right! The router logged:


179041: Jan 13 14:51:15.969 CET: %FW-3-SMTP_INVALID_COMMAND: Invalid SMTP command (STARTTLS\r\n)(total 10 chars) from initiator (192.168.1.100:47797)

After searching the net I found out that this is also a known problem on Cisco PIX firewalls. I disabled SMTP inspection using:


c851w-nd(config)#no ip inspect name DEFAULT100 smtp

Now the SSL handshake is successful. It looks like the deep inspection inside Cisco IOS does not know about TLS. BTW: my Cisco runs IOS version 12.3(8r)YI2.
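A small probe, added here as an example and not part of the original post, that reproduces the EHLO/STARTTLS exchange above without openssl and tells apart the failure modes an inspecting middlebox can cause: STARTTLS missing from the EHLO reply, the STARTTLS command refused or the session cut off before any reply, or a 220 followed by a handshake that never sees a TLS record. The client name `probe.example` and the host name are assumptions; `my.mail.server` is the placeholder from the post.

```python
import socket
import ssl

def read_reply(sock_file):
    """Read one (possibly multi-line) SMTP reply; return (code, text lines)."""
    lines = []
    while True:
        line = sock_file.readline().decode("utf-8", "replace").rstrip("\r\n")
        if not line:
            raise ConnectionError("connection closed by peer or middlebox")
        lines.append(line[4:])
        if len(line) < 4 or line[3] != "-":   # "250 " ends the reply, "250-" continues it
            return int(line[:3]), lines

def diagnose(ehlo_code, ehlo_lines, starttls_code, handshake_ok):
    """Classify the exchange from the two replies and the handshake result."""
    if ehlo_code != 250:
        return "ehlo-rejected"
    keywords = {l.split()[0].upper() for l in ehlo_lines[1:] if l.strip()}
    if "STARTTLS" not in keywords:
        return "starttls-not-advertised"      # stripped on the path or disabled on the server
    if starttls_code != 220:
        return "starttls-refused"             # refused, or session reset before any reply
    return "tls-ok" if handshake_ok else "tls-handshake-failed"

def probe(host, port=25, timeout=10):
    """Run EHLO / STARTTLS against host:port and return the diagnosis string."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reply = sock.makefile("rb")
        read_reply(reply)                                  # 220 banner
        sock.sendall(b"EHLO probe.example\r\n")            # probe.example: assumed client name
        ehlo_code, ehlo_lines = read_reply(reply)
        sock.sendall(b"STARTTLS\r\n")
        try:
            starttls_code, _ = read_reply(reply)
        except ConnectionError:
            starttls_code = None              # covers ConnectionResetError from a firewall RST
        handshake_ok = False
        if starttls_code == 220:
            try:
                ssl.create_default_context().wrap_socket(sock, server_hostname=host)
                handshake_ok = True
            except ssl.SSLCertVerificationError:
                handshake_ok = True           # TLS was negotiated; certificate trust is separate
            except (ssl.SSLError, OSError):
                handshake_ok = False          # e.g. "unknown protocol": no TLS record came back
        return diagnose(ehlo_code, ehlo_lines, starttls_code, handshake_ok)

if __name__ == "__main__":
    print(probe("my.mail.server"))    # placeholder host name from the post; use your own
```

Run it from inside and outside the suspect network; a result that differs by location while the server configuration is unchanged points at the path, not at Postfix.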