[SOLVED] enabling PIX workarounds: disable_esmtp for receiver server?

P

poetry

Active Member
May 28, 2020
206
63
33
Been noticing this in the logs for some senders, receivers. Any idea how it works and if it's good or bad?

Example from logs:
Code: 
Nov 21 15:54:35 server postfix/smtpd[8412]: connect from mail-yw1-f171.google.com[209.85.128.171]
Nov 21 15:54:35 server postfix/smtpd[8412]: Anonymous TLS connection established from mail-yw1-f171.google.com[209.85.128.171]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Nov 21 15:54:36 server postfix/smtpd[8412]: NOQUEUE: client=mail-yw1-f171.google.com[209.85.128.171]
Nov 21 15:54:36 server pmg-smtp-filter[9111]: 12158A637B912C1E446: new mail message-id=<CAAC-M+EhSyP6L0iZy=dUhpcaG8K_tw9m_xR-7Q=wZ2A1o2XRrQ@mail.gmail.com>#012
Nov 21 15:54:36 server pmg-smtp-filter[9111]: 12158A637B912C1E446: SA score=0/5 time=0.435 bayes=undefined autolearn=disabled hits=DKIM_SIGNED(0.1),DKIM_VALID(-0.25),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),FREEMAIL_FROM(0.25),HTML_MESSAGE(0.001),KAM_BLANKSUBJECT(0.25),RCVD_IN_DNSWL_NONE(-0.0001),RCVD_IN_MSPIKE_H2(-0.001),SPF_HELO_NONE(0.001),SPF_PASS(-0.25)
Nov 21 15:54:36 server postfix/smtpd[8093]: connect from localhost.localdomain[127.0.0.1]
Nov 21 15:54:36 server postfix/smtpd[8093]: A52691217D7: client=localhost.localdomain[127.0.0.1], orig_client=mail-yw1-f171.google.com[209.85.128.171]
Nov 21 15:54:36 server postfix/cleanup[8094]: A52691217D7: message-id=<CAAC-M+EhSyP6L0iZy=dUhpcaG8K_tw9m_xR-7Q=wZ2A1o2XRrQ@mail.gmail.com>
Nov 21 15:54:36 server postfix/qmgr[944]: A52691217D7: from=<sender>, size=4281, nrcpt=1 (queue active)
Nov 21 15:54:36 server postfix/smtpd[8093]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Nov 21 15:54:36 server pmg-smtp-filter[9111]: 12158A637B912C1E446: accept mail to <receiver> (A52691217D7) (rule: default-accept)
Nov 21 15:54:36 server postfix/smtp[9132]: A52691217D7: enabling PIX workarounds: disable_esmtp for 1.2.3.4[1.2.3.4]:25
Nov 21 15:54:36 server pmg-smtp-filter[9111]: 12158A637B912C1E446: processing time: 0.601 seconds (0.435, 0.059, 0.03)
Nov 21 15:54:36 server postfix/smtpd[8412]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (12158A637B912C1E446); from=<sender> to=<receiver> proto=ESMTP helo=<mail-yw1-f171.google.com>
Nov 21 15:54:36 server postfix/smtp[9132]: A52691217D7: to=<receiver>, relay=1.2.3.4[1.2.3.4]:25, delay=0.19, delays=0.05/0/0.01/0.13, dsn=2.6.0, status=sent (250 2.6.0 <CAAC-M+EhSyP6L0iZy=dUhpcaG8K_tw9m_xR-7Q=wZ2A1o2XRrQ@mail.gmail.com> [InternalId=67521180860442, Hostname=receiver.server.local] 5563 bytes in 0.102, 53,056 KB/sec Queued mail for delivery)
Nov 21 15:54:36 server postfix/qmgr[944]: A52691217D7: removed

This looks bad https://www.mail-archive.com/postfix-users@postfix.org/msg95392.html so why it's not using TLS should we check on the receiving server that TLS is enabled?
 
Last edited:
AFAICS from the linked thread, this is a workaround for middleboxes between your mailserver and the receiving one. do you have any firewall/proxy in between?
 
dcsapak said:
AFAICS from the linked thread, this is a workaround for middleboxes between your mailserver and the receiving one. do you have any firewall/proxy in between?
Click to expand...

Of course we have firewalls between locations. We filter mail for many domains for some domains we pass email to internal network others will pass email to external servers that are always behind some firewall.
I just quickly searched this warning message if anyone has more information about this it would be welcome.
 
AFAIK postfix enables these workarounds when it encounters a 'buggy' cisco smtp firewall, so it seems it's working as intended? or what exactly do you want to know?
 
dcsapak said:
AFAIK postfix enables these workarounds when it encounters a 'buggy' cisco smtp firewall, so it seems it's working as intended? or what exactly do you want to know?
Click to expand...
I am guessing we need to disable SMTP inspection on firewalls where this is happening I see three mail servers that are triggering this errors.
Will report if this fixes the issue. enabling workarounds seems to also increase processing time on massages.

This links seems more useful and related to this issue:
https://www.linuxquestions.org/ques...oing-emails-4175626523/page2.html#post5840323
https://community.sophos.com/email-...e-used-for-outbound-mail-proxy-postfix/295223

Tested telnet from our pmg and on servers where this is happening and TLS is enabled so I am guessing SMTP inspection is the problem.
250-STARTTLS
1669224344404.png

EDIT: I am confirming that disabling SMTP inspection on firewalls fixes this issue. Now working fine.
 
Last edited:
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back