There are two reasons here:
First, there is an ASA/PIX firewall with ESMTP inspection turned on within the communication path. This will disallow SMTP Authentication as well as TLS communication. The "250 STARTTLS" banner advertisement is changed to "250 XXXA" hence the sender (in this case - your appliance) will never attempt TLS. If the ASA/PIX is within your network perimeter, please consider to disable the ESMTP inspection or SMTP fixup option here.
Second: The TCP retransmission as well as your domain debug log confirms that ICMP traffic is blocked here. A TCP packet with 1368 bytes is not receiving an ACK from the desitination end and requires a retransmission that will never reach it's destination. The EHLO, MAIL FROM, RCPT TO and DATA commands pass through, as the resulting TCP packet size is way below 1368 bytes. The issue starts when the destination requires a lower MTU size than 1368 bytes (this is why some domains work while others do not). The first TCP packet with the mail data after the DATA command will use the manimum MTU size (unless you send a mail with much lower datat content in it
You can solve this in two ways: the correct fix would be to allow ICMP traffic across the network path (at least ICMP type 3 code 4), so that Path MTU discovery can negotiate the correct MTU size for each communicaton path. A "dirty" fix would be to set the ESA appliance to a way lower MTU size under CLI:etherconfig -> mtu and try again if this enables communication to the destination servers.Please do not forget to commit your changes in the CLI with the command "commit".
Best regards,
Martin
