[SOLVED] enabling PIX workarounds: disable_esmtp for receiver server?

poetry

Been noticing this in the logs for some senders, receivers. Any idea how it works and if it's good or bad?

Example from logs:
Code:
Nov 21 15:54:35 server postfix/smtpd[8412]: connect from mail-yw1-f171.google.com[209.85.128.171]
Nov 21 15:54:35 server postfix/smtpd[8412]: Anonymous TLS connection established from mail-yw1-f171.google.com[209.85.128.171]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Nov 21 15:54:36 server postfix/smtpd[8412]: NOQUEUE: client=mail-yw1-f171.google.com[209.85.128.171]
Nov 21 15:54:36 server pmg-smtp-filter[9111]: 12158A637B912C1E446: new mail message-id=<CAAC-M+EhSyP6L0iZy=dUhpcaG8K_tw9m_xR-7Q=wZ2A1o2XRrQ@mail.gmail.com>#012
Nov 21 15:54:36 server pmg-smtp-filter[9111]: 12158A637B912C1E446: SA score=0/5 time=0.435 bayes=undefined autolearn=disabled hits=DKIM_SIGNED(0.1),DKIM_VALID(-0.25),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),FREEMAIL_FROM(0.25),HTML_MESSAGE(0.001),KAM_BLANKSUBJECT(0.25),RCVD_IN_DNSWL_NONE(-0.0001),RCVD_IN_MSPIKE_H2(-0.001),SPF_HELO_NONE(0.001),SPF_PASS(-0.25)
Nov 21 15:54:36 server postfix/smtpd[8093]: connect from localhost.localdomain[127.0.0.1]
Nov 21 15:54:36 server postfix/smtpd[8093]: A52691217D7: client=localhost.localdomain[127.0.0.1], orig_client=mail-yw1-f171.google.com[209.85.128.171]
Nov 21 15:54:36 server postfix/cleanup[8094]: A52691217D7: message-id=<CAAC-M+EhSyP6L0iZy=dUhpcaG8K_tw9m_xR-7Q=wZ2A1o2XRrQ@mail.gmail.com>
Nov 21 15:54:36 server postfix/qmgr[944]: A52691217D7: from=<sender>, size=4281, nrcpt=1 (queue active)
Nov 21 15:54:36 server postfix/smtpd[8093]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Nov 21 15:54:36 server pmg-smtp-filter[9111]: 12158A637B912C1E446: accept mail to <receiver> (A52691217D7) (rule: default-accept)
Nov 21 15:54:36 server postfix/smtp[9132]: A52691217D7: enabling PIX workarounds: disable_esmtp for 1.2.3.4[1.2.3.4]:25
Nov 21 15:54:36 server pmg-smtp-filter[9111]: 12158A637B912C1E446: processing time: 0.601 seconds (0.435, 0.059, 0.03)
Nov 21 15:54:36 server postfix/smtpd[8412]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (12158A637B912C1E446); from=<sender> to=<receiver> proto=ESMTP helo=<mail-yw1-f171.google.com>
Nov 21 15:54:36 server postfix/smtp[9132]: A52691217D7: to=<receiver>, relay=1.2.3.4[1.2.3.4]:25, delay=0.19, delays=0.05/0/0.01/0.13, dsn=2.6.0, status=sent (250 2.6.0 <CAAC-M+EhSyP6L0iZy=dUhpcaG8K_tw9m_xR-7Q=wZ2A1o2XRrQ@mail.gmail.com> [InternalId=67521180860442, Hostname=receiver.server.local] 5563 bytes in 0.102, 53,056 KB/sec Queued mail for delivery)
Nov 21 15:54:36 server postfix/qmgr[944]: A52691217D7: removed

This looks bad: https://www.mail-archive.com/postfix-users@postfix.org/msg95392.html So why is it not using TLS? Should we check on the receiving server that TLS is enabled?
 

dcsapak

Proxmox Staff Member
AFAICS from the linked thread, this is a workaround for middleboxes between your mailserver and the receiving one. Do you have any firewall/proxy in between?
 

poetry

> AFAICS from the linked thread, this is a workaround for middleboxes between your mailserver and the receiving one. Do you have any firewall/proxy in between?

Of course we have firewalls between locations. We filter mail for many domains: for some domains we pass email to the internal network, others will pass email to external servers that are always behind some firewall.
I just quickly searched this warning message; if anyone has more information about this, it would be welcome.
 

dcsapak

Proxmox Staff Member
AFAIK Postfix enables these workarounds when it encounters a 'buggy' Cisco SMTP firewall, so it seems it's working as intended? Or what exactly do you want to know?
 

poetry

> AFAIK Postfix enables these workarounds when it encounters a 'buggy' Cisco SMTP firewall, so it seems it's working as intended? Or what exactly do you want to know?

I am guessing we need to disable SMTP inspection on firewalls where this is happening; I see three mail servers that are triggering these errors.
Will report if this fixes the issue. Enabling workarounds seems to also increase processing time on messages.

These links seem more useful and related to this issue:
https://www.linuxquestions.org/ques...oing-emails-4175626523/page2.html#post5840323
https://community.sophos.com/email-...e-used-for-outbound-mail-proxy-postfix/295223

Tested telnet from our PMG and on servers where this is happening, and TLS is enabled, so I am guessing SMTP inspection is the problem.
250-STARTTLS

EDIT: I am confirming that disabling SMTP inspection on firewalls fixes this issue. Now working fine.
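
A way to find every relay that triggers the workaround discussed in this thread, by summarizing the outbound `postfix/smtp` log lines per relay (added example, not part of the original posts). The relay 192.0.2.10 and the second and third queue IDs are constructed sample data, and outbound TLS lines are assumed to be logged (`smtp_tls_loglevel` of 1 or higher).

```python
import re
from collections import defaultdict

# Constructed sample: the postfix/smtp lines from the first post (shortened),
# a repeat delivery, and a made-up relay 192.0.2.10 that negotiates TLS.
# Outbound TLS lines are only logged when smtp_tls_loglevel >= 1 (assumed here).
SAMPLE_LOG = """\
Nov 21 15:54:36 server postfix/smtp[9132]: A52691217D7: enabling PIX workarounds: disable_esmtp for 1.2.3.4[1.2.3.4]:25
Nov 21 15:54:36 server postfix/smtp[9132]: A52691217D7: to=<receiver>, relay=1.2.3.4[1.2.3.4]:25, delay=0.19, dsn=2.6.0, status=sent (250 2.6.0 Queued mail for delivery)
Nov 21 15:55:02 server postfix/smtp[9140]: Untrusted TLS connection established to 192.0.2.10[192.0.2.10]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Nov 21 15:55:02 server postfix/smtp[9140]: B7C3E1217D9: to=<receiver2>, relay=192.0.2.10[192.0.2.10]:25, delay=0.21, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Nov 21 15:55:40 server postfix/smtp[9132]: C01AA1217E2: enabling PIX workarounds: disable_esmtp for 1.2.3.4[1.2.3.4]:25
Nov 21 15:55:40 server postfix/smtp[9132]: C01AA1217E2: to=<receiver>, relay=1.2.3.4[1.2.3.4]:25, delay=0.17, dsn=2.6.0, status=sent (250 2.6.0 Queued mail for delivery)
"""

SMTP_CLIENT = re.compile(r"postfix/smtp\[\d+\]: (.*)$")  # outbound client only, not smtpd
PIX = re.compile(r"^\w+: enabling PIX workarounds: (.+) for (\S+)$")
TLS = re.compile(r"TLS connection established to (\S+?): ")
SENT = re.compile(r"^\w+: to=<[^>]*>, relay=([^,]+),.* status=sent")

def summarize(log_text):
    """Per outbound relay: deliveries, PIX workaround events, TLS sessions."""
    stats = defaultdict(lambda: {"sent": 0, "pix": 0, "tls": 0, "workarounds": set()})
    for line in log_text.splitlines():
        m = SMTP_CLIENT.search(line)
        if not m:
            continue
        msg = m.group(1)
        if (p := PIX.match(msg)):
            relay = stats[p.group(2)]
            relay["pix"] += 1
            relay["workarounds"].update(re.split(r"[,\s]+", p.group(1).strip()))
        elif (t := TLS.search(msg)):
            stats[t.group(1)]["tls"] += 1
        elif (s := SENT.match(msg)):
            stats[s.group(1)]["sent"] += 1
    return dict(stats)

def plaintext_relays(stats):
    """Relays where disable_esmtp was applied and no TLS session was logged."""
    # disable_esmtp makes the client greet with HELO instead of EHLO, so the
    # STARTTLS extension is never negotiated with that relay.
    return sorted(r for r, s in stats.items()
                  if "disable_esmtp" in s["workarounds"] and s["tls"] == 0)

if __name__ == "__main__":
    for relay in plaintext_relays(summarize(SAMPLE_LOG)):
        print("check SMTP inspection on the path to", relay)
```

Running it against the real mail log after a firewall change shows whether the relay has dropped out of the list.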
 