http://www.cisco.com/c/en/us/about/security-center/intellige...
"When Cisco ASA is configured for ESMTP inspection, the ASA is not able to examine the TLS session because it is encrypted. Therefore the ASA will prevent the establishment of the STARTTLS session and allow the SMTP endpoints to determine whether the SMTP session should continue in clear text (that is, with no privacy)."
(I once billed a client just over $30k to investigate/diagnose/resolve that problem - there was a piece of Cisco gear on the edge of their network that nobody ever admitted to even knowing existed which was stripping out the STARTTLS instruction between a webapp running inside their own datacenter and their own 3rd party mail service - and everybody was pointing their fingers at _me_ for the mail not coming through encrypted... Twitch. Twitch. Twitch...)
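An added example, not part of the comment above or of Cisco's documentation: a Python sketch that compares the EHLO reply an application receives through the network path with the reply the mail service gives when queried directly, reports which extensions disappeared in transit, and fails closed instead of continuing in clear text. The host name, the sample replies and the masked keyword are constructed for illustration, and the function names are hypothetical.

```python
"""Spot an in-path device removing STARTTLS from an SMTP EHLO reply."""

# Constructed sample: reply captured when querying the mail service directly.
OUTSIDE = ("250-mail.example.net\r\n250-SIZE 35882577\r\n250-8BITMIME\r\n"
           "250-STARTTLS\r\n250 ENHANCEDSTATUSCODES\r\n")
# Constructed sample: same server as seen by the app behind an inspecting
# device; the STARTTLS keyword has been replaced by a stand-in masked token.
INSIDE = ("250-mail.example.net\r\n250-SIZE 35882577\r\n250-8BITMIME\r\n"
          "250-XXXXXXXA\r\n250 ENHANCEDSTATUSCODES\r\n")


class StartTLSUnavailable(Exception):
    """Raised when the peer (or the path to it) does not offer STARTTLS."""


def parse_ehlo(reply):
    """Return the upper-cased extension keywords of a multi-line 250 reply."""
    keywords = set()
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    for i, line in enumerate(lines):
        code, sep, text = line[:3], line[3:4], line[4:]
        if code != "250" or sep not in ("-", " "):
            raise ValueError("unexpected EHLO reply line: %r" % line)
        if i > 0 and text.strip():      # line 0 is the greeting, not an extension
            keywords.add(text.split()[0].upper())
        if sep == " ":                  # "250 " (space) marks the final line
            break
    return keywords


def stripped_in_path(inside_reply, outside_reply):
    """Extensions the server offers directly but that never reach the client."""
    return parse_ehlo(outside_reply) - parse_ehlo(inside_reply)


def enforce_tls(reply):
    """Fail closed: refuse to continue when STARTTLS is not advertised."""
    if "STARTTLS" not in parse_ehlo(reply):
        raise StartTLSUnavailable("STARTTLS not advertised; not sending in clear text")
    return True


if __name__ == "__main__":
    print("removed in path:", sorted(stripped_in_path(INSIDE, OUTSIDE)))
    try:
        enforce_tls(INSIDE)
    except StartTLSUnavailable as exc:
        print("send aborted:", exc)
```
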