11 Apr 2010
SMTP Proxy Firewalls and TLS
I found the following issue while implementing Transport Layer Security for a customer. We installed an SSL certificate on the Exchange server. However, emails sent to the Internet or received from the Internet were not secured with TLS. If we used telnet on the Exchange server to connect to port 25 on localhost, we saw the extended commands of the SMTP server, including STARTTLS. If we connected from the Internet to port 25 on the external interface of the firewall, some of the extended SMTP commands were not visible.
The firewall was a WatchGuard FireBox. I found the following articles that describe the reason for this phenomenon:
- Encryption: Issues with TLS and Encryption caused by Watchguard Firebox Firewall
- What is the difference between the SMTP proxy and Filtered-SMTP? [WFS]
- Troubleshoot failed TLS connections between the XCS and a remote mail server. [XCS v9.x]
The SMTP proxy module of the firewall stripped certain commands. After the firewall was reconfigured to use the SMTP packet filter module for incoming and outgoing traffic, TLS was working fine.
According to Microsoft Knowledge Base Article 948803 you can have the same problem with a Cisco ASA firewall.
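The telnet comparison above (EHLO on localhost versus EHLO on the firewall's external interface) is the check that reveals a proxy stripping STARTTLS, and it is also the check to repeat after switching the firewall to the packet filter. The script below automates it. It is an added example, not code from the original post, WatchGuard or Microsoft; the host names are placeholders supplied by the operator, and the two sample EHLO replies are constructed to model an Exchange server seen directly and the same server seen through a proxy that drops extensions it does not understand.

```python
"""Compare the ESMTP extensions an SMTP server advertises directly with
what is still visible through a firewall's external interface.
Example code added here; not part of the original post or any vendor tool."""
from __future__ import annotations
import socket
import sys

# Constructed sample replies (not captured from any real server). The first
# models the EHLO reply seen with telnet on the Exchange server itself; the
# second models the same reply as it arrives through an SMTP proxy that
# strips extensions it does not understand, STARTTLS among them.
INTERNAL_REPLY = (
    "250-mail.example.com Hello [192.0.2.10]\r\n"
    "250-SIZE 10485760\r\n"
    "250-PIPELINING\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH NTLM LOGIN\r\n"
    "250-8BITMIME\r\n"
    "250 CHUNKING\r\n"
)
EXTERNAL_REPLY = (
    "250-mail.example.com Hello [203.0.113.5]\r\n"
    "250-SIZE 10485760\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo_response(reply: str) -> set[str]:
    """Return the ESMTP keywords advertised in a raw EHLO reply.

    Per RFC 5321 section 4.1.1.1 the reply is '250-<greeting>' followed by
    one '250-KEYWORD [params]' line per extension and a final '250 KEYWORD'
    line. The greeting line carries no extension and is skipped.
    """
    keywords: set[str] = set()
    lines = [ln for ln in reply.replace("\r\n", "\n").split("\n") if ln.strip()]
    for line in lines[1:]:
        if not line.startswith("250") or len(line) < 5:
            continue
        body = line[4:].strip()          # drop the "250-" / "250 " prefix
        if body:
            keywords.add(body.split()[0].upper())
    return keywords


def missing_externally(internal_reply: str, external_reply: str) -> set[str]:
    """Extensions advertised directly that do not survive the firewall."""
    return parse_ehlo_response(internal_reply) - parse_ehlo_response(external_reply)


def _read_reply(reader) -> str:
    """Read one SMTP reply; its last line has a space after the 3-digit code."""
    lines = []
    while True:
        raw = reader.readline()
        if not raw:
            break
        line = raw.decode("ascii", errors="replace")
        lines.append(line)
        if len(line) < 4 or line[3] == " ":
            break
    return "".join(lines)


def fetch_ehlo(host: str, port: int = 25, helo_name: str = "probe.example",
               timeout: float = 10.0) -> str:
    """Connect to host:port, consume the 220 banner, send EHLO, return the raw reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        _read_reply(reader)                      # 220 greeting banner
        sock.sendall(f"EHLO {helo_name}\r\n".encode("ascii"))
        reply = _read_reply(reader)
        sock.sendall(b"QUIT\r\n")
        return reply


if __name__ == "__main__":
    # Usage: python ehlo_compare.py <internal-host> <external-host>
    # Both host names are placeholders chosen by the operator.
    if len(sys.argv) == 3:
        internal, external = fetch_ehlo(sys.argv[1]), fetch_ehlo(sys.argv[2])
    else:
        internal, external = INTERNAL_REPLY, EXTERNAL_REPLY   # offline demo
    lost = missing_externally(internal, external)
    print("stripped by the firewall:", sorted(lost) or "none")
    if "STARTTLS" in lost:
        print("remote MTAs cannot negotiate TLS; mail falls back to cleartext")
```

Run it once against the Exchange server's own address and once against the public address of the firewall; an empty "stripped" set after the reconfiguration confirms that STARTTLS (and the other extensions) now pass through unchanged.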