CISCO Mailguard

CISCO has a feature on some of their firewalls called Mailguard.

The Mailguard runs on a firewall and is supposed to sanitize SMTP traffic by restricting which SMTP commands can be used when sending mail.

Sounds good, right?

Wrong.

It does not work reliably. You will get most of your email, but some mail will just not be able to get past the Mailguard.

It is actually well documented by CISCO themselves that the feature does not work. It is currently Sept. 2015 as I write this. If you do a Google search for CISCO Mailguard, the first three matches are results from Microsoft and CISCO on how you must disable the CISCO Mailguard service if you want your email to work?!?!

Yep, you heard correctly. CISCO themselves actually state you must disable their product if you have problems with your email and are using their Mailguard feature on your firewall.

Here is what they wrote in an article published on their website in September 2008.

If you have an ESMTP server behind the PIX, such as a Microsoft Exchange Server, you might need to turn off the Mailguard feature to allow mail to flow properly.

Microsoft provides similar warnings.

To resolve this issue, turn off the Mailguard feature of the PIX or ASA firewall. 

We have also seen several cases ourselves where some email simply can't be delivered. Then we see that the server we are trying to deliver to is using Mailguard. Once the Mailguard feature is disabled, all mail is able to flow correctly.
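
As an added example (not from the original post, Cisco or Microsoft), this Python check scans a captured SMTP session for two signs that a command-restricting filter such as Mailguard sits in the path: a 220 banner masked with asterisks, and a 5xx reply to a command outside the RFC 821 minimum set. It assumes the filter passes only that minimum set and masks the banner; the transcripts, hostnames and function name are constructed for illustration.

```python
import re

# Assumption: the filter passes only the RFC 821 minimum command set.
RFC821_MINIMUM = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}

# Constructed, abbreviated sample sessions ("S:" = server, "C:" = client).
MASKED_SESSION = """\
S: 220 **************************2******0*****
C: EHLO mail.example.org
S: 500 Command unrecognized
C: HELO mail.example.org
S: 250 mx.example.net
C: DATA
S: 354 Start mail input
C: EHLO inside the message body is not a command
C: .
S: 250 Queued
"""
CLEAN_SESSION = """\
S: 220 mx.example.net ESMTP ready
C: EHLO mail.example.org
S: 250-mx.example.net
S: 250 SIZE 10240000
"""

def mailguard_indicators(transcript):
    """Return findings that suggest an SMTP-filtering firewall is in the path."""
    findings, last_cmd, in_data, seen_banner = [], None, False, False
    for raw in transcript.strip().splitlines():
        side, _, line = raw.strip().partition(": ")
        if side == "C":
            if in_data:                      # message content, not commands
                in_data = line != "."        # a lone dot ends the DATA phase
            else:
                last_cmd = line.split(" ", 1)[0].upper()
        elif side == "S":
            m = re.match(r"(\d{3})([ -]?)(.*)", line)
            if not m or m.group(2) == "-":   # skip continuation lines of a reply
                continue
            code, text = m.group(1), m.group(3)
            if not seen_banner:              # first complete reply is the banner
                seen_banner = True
                if code == "220" and text.count("*") > len(text) / 2:
                    findings.append("masked-banner")
            elif code == "354":
                in_data = True
            elif code[0] == "5" and last_cmd and last_cmd not in RFC821_MINIMUM:
                findings.append(f"rejected:{last_cmd}")
    return findings
```

Feed it a transcript saved from a manual session against port 25 or from the sending server's SMTP protocol log, rewritten into the `S:`/`C:` form shown.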