I have a mailserver with opportunistic TLS enabled (Postfix smtpd_tls_security_level = may), however the SMTP banner is being masked by SMTP fixup on our FWSM. Before I disable this masking, is the SMTP banner required for other mailservers configured for opportunistic TLS to negotiate a TLS session for incoming mail? I read somewhere that Postfix may not use ESMTP if that term isn't in the banner.
The banner is masked by asterisks:
220 *************************************
Best Answer
I think there are two different questions being asked here so I'll address them separately.
Question 1: Is the SMTP Banner required to display unmasked for other mail servers to use TLS?
Answer: No, the SMTP greeting banner itself does not determine eligibility for TLS. So if that's the ONLY thing that is masked, it shouldn't cause an issue.
Question 2 (Paraphrased): Is the firewall interfering with incoming TLS connections?
Answer: Most likely. In addition to masking the greeting banner, the fixup/esmtp inspection service on Cisco Firewalls typically only accepts specific commands.
I'm not sure what version/model firewall you're using but as per this tech note:
When external servers connect and issue the ehlo SMTP command, they'll see a list of SMTP services/options supported. Assuming they see 250-STARTTLS, the sending server will issue a STARTTLS command to begin the attempt to use TLS. You'll notice that this command isn't included in the list of commands above.

So in summary, I suspect that your firewall IS interfering, but not because of the banner greeting. I think it's blocking/masking the STARTTLS command from the remote mail server.
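The check the answer points at is easy to script. The following is an added example (not part of the question or the answer above): it parses the banner plus EHLO reply a sending MTA receives, reports whether the banner is asterisk-masked, whether the word ESMTP appears in it, and whether 250-STARTTLS is actually advertised, and it can run the same analysis against a live server over port 25 using only the standard-library smtplib. The two transcripts and the hostname mail.example.com are constructed for the example, not captured from the poster's server. For the question's last point, Postfix's smtp_always_send_ehlo parameter defaults to yes, so a sending Postfix issues EHLO whether or not the greeting mentions ESMTP; the field is reported only so you can see what remote servers observe.

```python
import smtplib

# Constructed sample transcripts (not from the poster's server): what a
# sending MTA sees when the firewall masks the greeting banner but passes
# the EHLO response through untouched ...
MASKED_BANNER_ONLY = [
    "220 *************************************",
    "250-mail.example.com",
    "250-PIPELINING",
    "250-SIZE 10240000",
    "250-STARTTLS",
    "250-8BITMIME",
    "250 DSN",
]

# ... and the case the answer suspects: STARTTLS has been removed from
# the EHLO response as well, so the sender never attempts TLS.
STARTTLS_STRIPPED = [
    "220 *************************************",
    "250-mail.example.com",
    "250-PIPELINING",
    "250-SIZE 10240000",
    "250-8BITMIME",
    "250 DSN",
]


def banner_is_masked(banner):
    """True if the text after the 220 code is nothing but asterisks."""
    code, _, text = banner.partition(" ")
    return code == "220" and text != "" and set(text) == {"*"}


def ehlo_extensions(lines):
    """Return {KEYWORD: params} for every 250 line after the first.

    Lines look like "250-STARTTLS" or "250 SIZE 10240000"; the first 250
    line carries the server hostname and is not an extension.
    """
    reply = [l[4:] for l in lines if l.startswith(("250-", "250 "))]
    exts = {}
    for line in reply[1:]:
        keyword, _, params = line.partition(" ")
        exts[keyword.upper()] = params
    return exts


def analyze(lines):
    """Summarise a banner + EHLO transcript from the sending MTA's view."""
    banner = lines[0]
    exts = ehlo_extensions(lines)
    return {
        "banner_masked": banner_is_masked(banner),
        "esmtp_in_banner": "ESMTP" in banner.upper(),
        "ehlo_accepted": any(l.startswith("250") for l in lines[1:]),
        "starttls": "STARTTLS" in exts,
        "extensions": sorted(exts),
    }


def probe(host, port=25, timeout=15):
    """Live check: connect to a real server and run the same analysis.

    Run it from outside the firewall to see what remote MTAs receive;
    smtplib strips the numeric codes, so the lines are rebuilt here.
    """
    s = smtplib.SMTP(timeout=timeout)
    code, banner = s.connect(host, port)
    lines = ["%d %s" % (code, banner.decode("latin-1"))]
    code, msg = s.ehlo()
    reply = msg.decode("latin-1").split("\n")
    for i, text in enumerate(reply):
        sep = " " if i == len(reply) - 1 else "-"
        lines.append("%d%s%s" % (code, sep, text))
    try:
        s.quit()
    except smtplib.SMTPException:
        pass
    return analyze(lines)


if __name__ == "__main__":
    for name, transcript in (("banner only masked", MASKED_BANNER_ONLY),
                             ("STARTTLS stripped", STARTTLS_STRIPPED)):
        print(name, analyze(transcript))
```

If probe() against your public MX shows banner_masked True but starttls True, the fixup is only cosmetic and opportunistic TLS will negotiate; if starttls comes back False while Postfix itself has STARTTLS enabled, the inspection engine is altering the EHLO reply and that, not the banner, is what needs to be turned off.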