Cisco-PIX MailGuard problem with ZMailer SMTP ORCPT data

First of all: This is not ZMailer specific problem! This is a problem at the site receiving mail, not at the sending site.

This used to happen with certain series of Cisco firewall products, but has been seen a lot latter at some other firewall product as well... Possibly firewall makers do make the same mistakes over and over again...

ZMailer just happens to be a MTA that extensively uses ORCPT data in SMTP transactions.

People are seeing problems with error reports of following style

   This is a collection of reports about email delivery
   process concerning a message you originated:

<smtp 60001>: ...\
    <<- RCPT To:<> ORCPT=rfc822;
    ->> 501 <>... Syntax error in ORCPT parameter value (this is abnormal, investigate!)
This has been seen to occur with smtp recipient systems running MS Exchange 5.5, and sendmail 8.8.8. It would also occur with ZMailer at the receiving end.

The error occurs with all SMTP servers that declare DSN-capability in their responses to the EHLO-command, while the cisco PIX firewall is running MailGuard function.

Following is directed to email receiving site firewall manager

If the error is present in your current firewall configuration, you can test it easily by contacting your designated mailhost from OUTSIDE, and using TELNET to do following protocol transaction:

$ telnet 25
220 ...
EHLO fubar ...
250 DSN
250 ok
RCPT TO:<you@your.domain> ORCPT=rfc822;you@your.domain
... here appears either error report, or an ok
250 ok

If you get an error report, your fine Cisco PIX is one of those that have faulty software version.

We have no definite knowledge of when cisco will fix the bug, but apparently it has not happened in software versions that have been released before March 1998.

However, there is a work-around:
Disable MailGuard function and let your SMTP mailer receive email directly from the world.

News on fix:

MailGuard ESMTP bugfix will be in

Matti Aarnio <>, 9-Apr-1998, 16-Apr-1998, 18-Jan-2006