03-08-2017 11:37 AM - edited 03-12-2019 02:01 AM
Community,
I recently ran into a situation where the ESMTP inspection in the default global service policy was not allowing TLS to take place between my mail relay (relay03) and the outside world. When I disabled it, it allowed relay03 to do TLS, but it broke my other mail relays, which were for whatever reason now trying to do TLS but couldn't; when I re-enabled ESMTP inspection it corrected the issue with the first two mail relays, but the original mail relay (relay03) now can't do TLS again. I'll post the article here:
http://www.cisco.com/c/en/us/about/security-center/intelligence/asa-esmtp-starttls.html
I was thinking about creating an interface service policy that used an ACL to define only traffic coming from relay03, that didn't do ESMTP inspection, but still allowed the ESMTP inspection for the other two relays. This way relay03 can do TLS while the ESMTP inspection prevents the other two relays from doing so. All relays are in the same subnet. My question is this: can I create an interface policy, defining only the relay03 address, where the policy has ESMTP inspection disabled, while allowing the other two relays to be deferred to the global policy that has ESMTP inspection enabled? I'm assuming that if I create the interface service policy and apply an ACL to it that defines only the relay03 address, and the other two relays don't match that ACL, they will then be funneled through the global policy. Is that correct?
Any help you can provide is appreciated. Thanks.
03-08-2017 02:24 PM
Your assumption is correct. If the interface policy you create is matched by relay03 and not the other "relays" then the other relays will move on to the Global Policy and look for a match there.
--
Please remember to select a correct answer and rate helpful posts
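The configuration below is an added example of the interface-policy approach discussed above; it is not from the thread, from Cisco, or from the linked article, and relay03's address 192.0.2.13, the interface name "inside" and every object, ACL, class-map and policy-map name are assumptions. One caveat a practitioner should keep in mind when building it: on the ASA an interface service policy overrides the global service policy per feature, so a flow that matches an interface class with no inspection action at all would still receive the global policy's esmtp inspection. The interface class therefore carries its own esmtp inspection, using an inspection policy that permits STARTTLS (the `allow-tls` parameter), which takes precedence over the global esmtp inspection for relay03's flows only. The other two relays never match the class and continue to fall through to the global policy, where the default esmtp inspection still blocks STARTTLS for them, which is the behaviour the question wants.

```cisco
! Constructed example (not from the thread or the linked article). The host
! address, interface name and all object/ACL/class/policy names are assumptions.

! 1. Identify relay03's outbound SMTP only; the other relays do not match.
object network RELAY03
 host 192.0.2.13
access-list RELAY03_SMTP extended permit tcp object RELAY03 any eq smtp

class-map RELAY03_SMTP_CLASS
 match access-list RELAY03_SMTP

! 2. An ESMTP inspection profile that leaves STARTTLS intact instead of
!    stripping it from the EHLO response (logs each occurrence).
policy-map type inspect esmtp ESMTP_ALLOW_TLS
 parameters
  allow-tls action log

! 3. Interface policy for the inside interface. relay03's flows match here and
!    get the TLS-permitting esmtp inspection, which overrides the global esmtp
!    inspection for this feature. Flows from the other relays do not match any
!    class in this policy and are handled by the global policy as before.
policy-map INSIDE_POLICY
 class RELAY03_SMTP_CLASS
  inspect esmtp ESMTP_ALLOW_TLS

service-policy INSIDE_POLICY interface inside

! 4. Verification: confirm relay03's flow hits the interface policy and that
!    the global policy still inspects the remaining relays.
! show service-policy interface inside inspect esmtp
! show service-policy global inspect esmtp
```

After applying it, send a test message from relay03 and from one of the other relays and compare the two `show service-policy` counters: the interface policy's esmtp inspection count should rise only for relay03's flow, while the global policy's count rises for the others.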
03-15-2017 01:45 PM
Thank you Marius!