KB Article #70401

Incoming or outgoing TLS fails to / from specific remote domain

Problem

Incoming or outgoing TLS fails permanently to and/or from a specific remote domain.


Resolution

Permanent TLS failure can occur if either MailGate / Email Firewall or the remote end's SMTP relay is behind a Cisco PIX or Cisco ASA firewall with Fixup inspection enabled for the SMTP protocol (see the fixup command reference for the PIX firewall: http://www.cisco.com/en/US/docs/security/pix/pix50/configuration/guide/commands.html#wp5788).


Since this is a network (firewall) issue, it is up to the network (firewall) administrators to resolve it. It does not only affect MailGate / Email Firewall TLS operations: no SMTP relay on either side will be able to negotiate ESMTP (and therefore TLS), because the Cisco PIX or Cisco ASA firewall disallows the ESMTP commands.


Below is a typical example of an external relay trying to connect to MailGate behind a Fixup-enabled firewall:


==========

$ telnet mailgate.sampledomain.com 25
Trying 1.1.1.1...
Connected to mailgate.sampledomain.com.
Escape character is '^]'.
220 *********************************************************************
ehlo external.domain.com
502 5.5.2 Error: command not recognized
quit
221 2.0.0 Bye
Connection closed by foreign host.

==========

Note how the initial greeting is replaced by asterisks (**********) and how the EHLO command, which starts every ESMTP (and thus TLS) negotiation, is rejected with "502 5.5.2 Error: command not recognized". The same symptoms apply to both incoming and outgoing SMTP connections.
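The following script is an added example (not part of this KB article or of the MailGate product) that reproduces the check shown in the telnet session above and classifies the result automatically: it reads the SMTP greeting, sends EHLO, and reports whether the banner is masked with asterisks, whether EHLO was rejected, and whether STARTTLS is advertised. The sample transcripts and the probe host name are constructed for illustration; the live probe() helper is only used when a host name is passed on the command line.

```python
import re
import socket
import sys

# Constructed sample transcript reproducing the symptom from the article:
# masked greeting, then EHLO rejected with a 5xx reply.
SAMPLE_FIXUP_SESSION = [
    "220 *********************************************************************",
    "502 5.5.2 Error: command not recognized",
]

# Constructed healthy transcript for comparison (hypothetical host name).
SAMPLE_HEALTHY_SESSION = [
    "220 mailgate.sampledomain.com ESMTP ready",
    "250-mailgate.sampledomain.com",
    "250-STARTTLS",
    "250 8BITMIME",
]

# A greeting consisting of "220" followed only by asterisks is the Fixup signature.
MASKED_BANNER = re.compile(r"^220[ -]\*+\s*$")


def diagnose(lines):
    """Classify an SMTP greeting followed by the full reply to EHLO.

    `lines[0]` is the server greeting; `lines[1:]` are the reply lines to EHLO.
    Returns a dict of findings; `fixup_suspected` is True when both the masked
    banner and the EHLO rejection are present.
    """
    banner = lines[0] if lines else ""
    ehlo = lines[1:]
    ehlo_code = ehlo[0][:3] if ehlo else ""
    # Keywords from a multi-line 250 reply ("250-STARTTLS", "250 SIZE 10240000").
    caps = set()
    for line in ehlo:
        if line.startswith("250") and len(line) > 4 and line[4:].split():
            caps.add(line[4:].split()[0].upper())
    findings = {
        "banner_masked": bool(MASKED_BANNER.match(banner)),
        "ehlo_rejected": ehlo_code.startswith("5"),
        "starttls_offered": "STARTTLS" in caps,
    }
    findings["fixup_suspected"] = findings["banner_masked"] and findings["ehlo_rejected"]
    return findings


def _read_reply(rfile):
    """Read one SMTP reply; the last line carries "NNN " rather than "NNN-"."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            break
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            break
    return lines


def probe(host, port=25, helo_name="probe.example.invalid", timeout=10):
    """Open a plain SMTP session against `host`, send EHLO and QUIT, and return
    the greeting plus the EHLO reply lines for diagnose(). Not used offline."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        lines = _read_reply(rfile)                       # greeting (220 ...)
        sock.sendall(f"EHLO {helo_name}\r\n".encode("ascii"))
        lines += _read_reply(rfile)                      # 250 capabilities or 502
        sock.sendall(b"QUIT\r\n")
        _read_reply(rfile)
    return lines


if __name__ == "__main__":
    # With a host argument, probe it live; otherwise show the constructed samples.
    if len(sys.argv) > 1:
        print(diagnose(probe(sys.argv[1])))
    else:
        print("fixup sample:  ", diagnose(SAMPLE_FIXUP_SESSION))
        print("healthy sample:", diagnose(SAMPLE_HEALTHY_SESSION))
```

Run it against your own relay from an external network (e.g. `python probe_smtp.py mailgate.sampledomain.com`): a result with `fixup_suspected` set to True points at SMTP inspection on a firewall in the path rather than at the mail software, which is the case to raise with the network administrators.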


Cisco PIX: The OS commands to enable/disable Fixup inspection for SMTP are:

    fixup protocol smtp 25                -- enable

    no fixup protocol smtp 25             -- disable (allow TLS)

Cisco ASA: The equivalent "Inspect ESMTP" option can also cause the behaviour described above.