SMTP Response "220-"

qbercik

Mar 17, 2021
Hi,

I deployed Proxmox Mail Gateway 6.3 and so far it's working well in my test environment. I want to monitor this SMTP service using a Zabbix simple check, but there is a problem. The Zabbix simple check expects a "Service Ready" response from the server in the format "220 ", but when I connect to the Proxmox gateway its response is "220-" the 1st time, and afterwards "220 " for another 24 hours.

I was looking on the internet for what this hyphen (-) after the "220" service ready code means, but I can't find any information :(

Can someone please tell me what it means and if this can be switched off?
I have other SMTP Postfix servers, and their response is always "220 "

Thanks
Qbercik
 
Cannot quite follow you/reproduce this issue here.
When running on my test-instance:
Code:
nc -v pmg-test 25
Connection to pmg-test 25 port [tcp/smtp] succeeded!
220 pmg-test.proxmox.com ESMTP Proxmox

What's the output when you run the netcat command in your environment?

I hope this helps!
 
This is how it looks in my situation:

Code:
$ nc -v -w1 10.56.68.12 25
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to 10.56.68.12:25.
220-smtp1.example.com ESMTP
220 smtp1.example.coml ESMTP
^C

and from now on, for another 24 hours, I will only get responses with the "220 " code:

Code:
$ nc -v -w1 10.56.68.12 25
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to 10.56.68.12:25.
220  smtp1.example.coml ESMTP
^C
 
Could you run the same command while logged in via ssh on pmg?
(Additionally, please also run `nc -v 127.0.0.1 25`.)
 
netcat against localhost is fine:

Code:
$ nc -v 127.0.0.1 25
localhost [127.0.0.1] 25 (smtp) open
220 smtp1.example.com ESMTP
^C

This deployment is done in AWS on Debian 10. I made another deployment and the situation is the same. The 1st connection from a new host gets this "220-" and afterwards "220 ".
After this, any connections from this host to the SMTP servers for another 24 hours get a response with "220 ".
 
This deployment is done in AWS on Debian 10. I made another deployment and the situation is the same. The 1st connection from a new host gets this "220-" and afterwards "220 ".
Could the reason for the 220- response maybe be the AWS environment? (Else I can't quite understand where this would come from.)
 
Probably not the AWS environment, as there is no load balancer in front. I run a few Postfix servers as well and none of them have this issue.

I did another very basic deployment on Debian 10 in AWS N. Virginia (AMI ID: ami-0b493722cea9f95f6), EC2 instance t3.medium (2 vCPU, 4 GB RAM).

Very dirty installation:
Code:
# cat /etc/hosts
10.0.0.69 ip-10-0-0-69.ec2.internal ip-10-0-0-69

and after preparing script:
Code:
#! /bin/bash
systemctl stop apparmor
systemctl disable apparmor
apt remove --assume-yes --purge apparmor
rm -rf /var/cache/apparmor
rm -rf /etc/apparmor.d/local


echo "deb http://cdn-aws.deb.debian.org/debian buster main non-free
deb-src http://cdn-aws.deb.debian.org/debian buster main
deb http://security.debian.org/debian-security buster/updates main contrib non-free
deb-src http://security.debian.org/debian-security buster/updates main
deb http://cdn-aws.deb.debian.org/debian buster-updates main non-free
deb-src http://cdn-aws.deb.debian.org/debian buster-updates main
deb http://cdn-aws.deb.debian.org/debian buster-backports main
deb-src http://cdn-aws.deb.debian.org/debian buster-backports main


# PMG pmg-no-subscription repository provided by proxmox.com,
# NOT recommended for production use
deb http://download.proxmox.com/debian/pmg buster pmg-no-subscription" > /etc/apt/sources.list


wget http://download.proxmox.com/debian/proxmox-ve-release-6.x.gpg -O /etc/apt/trusted.gpg.d/proxmox-ve-release-6.x.gpg
apt update
apt upgrade -y


apt install -y libclamunrar p7zip-rar locales-all netcat

After that I installed only postfix:
Code:
apt install -y postfix

Then I ran nc from home:
Code:
$ nc -v -w1 3.238.134.126 25
Connection to 3.238.134.126 25 port [tcp/smtp] succeeded!
220 ip-10-0-0-69.ec2.internal ESMTP Postfix (Debian/GNU)

1st connection and no issue.
So now I installed Proxmox:
Code:
apt install -y proxmox-mailgateway-container

And right after apt stopped running I ran the same nc:
Code:
$ nc -v -w1 3.238.134.126 25
Connection to 3.238.134.126 25 port [tcp/smtp] succeeded!
220-ip-10-0-0-69.ec2.internal ESMTP Proxmox


$ nc -v -w5 3.238.134.126 25
Connection to 3.238.134.126 25 port [tcp/smtp] succeeded!
220-ip-10-0-0-69.ec2.internal ESMTP Proxmox


$ telnet 3.238.134.126 25
Trying 3.238.134.126...
Connected to 3.238.134.126.
Escape character is '^]'.
220-ip-10-0-0-69.ec2.internal ESMTP Proxmox
220 ip-10-0-0-69.ec2.internal ESMTP Proxmox
421 4.4.2 ip-10-0-0-69.ec2.internal Error: timeout exceeded
Connection closed by foreign host.

So straight away after installing the "proxmox-mailgateway-container" package, "220 " becomes "220-".
 
I ran the smtp daemon in verbose mode (smtp -v in master.cf) and the logs pointed me to `postfix/postscreen`.

I made a connection from one of the new hosts (new in the sense that I hadn't connected to this smtp server from it before):
1st connection:
Code:
$ nc -v 3.238.134.126 25
Connection to 3.238.134.126 25 port [tcp/smtp] succeeded!
220-ip-10-0-0-69.ec2.internal ESMTP Proxmox
220 ip-10-0-0-69.ec2.internal ESMTP Proxmox
^C

Code:
Mar 17 22:04:05 ip-10-0-0-69 postfix/postscreen[15710]: CONNECT from [52.x.x.x]:49724 to [10.0.0.69]:25
Mar 17 22:04:11 ip-10-0-0-69 postfix/postscreen[15710]: PASS NEW [52.x.x.x]:49724
Mar 17 22:04:11 ip-10-0-0-69 postfix/smtpd[15712]: connect from ec2-xxxx.eu-west-1.compute.amazonaws.com[52.x.x.x]

Postscreen qualified my connection as new `postfix/postscreen[15710]: PASS NEW [52.x.x.x]:49724`
2nd connection:
Code:
$ nc -v 3.238.134.126 25
Connection to 3.238.134.126 25 port [tcp/smtp] succeeded!
220 ip-10-0-0-69.ec2.internal ESMTP Proxmox

and
Code:
Mar 17 22:05:09 ip-10-0-0-69 postfix/postscreen[15710]: CONNECT from [52.x.x.x]:49740 to [10.0.0.69]:25
Mar 17 22:05:09 ip-10-0-0-69 postfix/postscreen[15710]: PASS OLD [52.x.x.x]:49740
Mar 17 22:05:09 ip-10-0-0-69 postfix/smtpd[15712]: connect from ec2-xxxx.eu-west-1.compute.amazonaws.com[52.x.x.x]

This time the connection has been qualified as OLD "Mar 17 22:05:09 ip-10-0-0-69 postfix/postscreen[15710]: PASS OLD [52.x.x.x]:49740" and I got the "220 " Server ready code.

So to get this fixed, I have to whitelist the IPs of the monitoring servers under "Configuration -> Mail Proxy -> Whitelisting" to make the Zabbix simple check work, and this will look like this in the logs:

Code:
Mar 17 22:20:10 ip-10-0-0-69 postfix/postscreen[15803]: CONNECT from [64.x.x.x]:57400 to [10.0.0.69]:25
Mar 17 22:20:10 ip-10-0-0-69 postfix/postscreen[15803]: WHITELISTED [64.x.x.x]:57400
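
The log reading done in this post can be automated. The following is an added example, not part of the original post or of Proxmox code: it pairs each postscreen CONNECT line with its verdict and reports how long the client was held. The function names, the `year` parameter and the sample lines (documentation addresses, host name `mx`) are assumptions.

```python
import re
from datetime import datetime

# postscreen verdict strings as they appear in the logs quoted in this thread.
LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/postscreen\[\d+\]: "
    r"(?P<event>CONNECT from|PASS NEW|PASS OLD|WHITELISTED) "
    r"\[(?P<ip>[^\]]+)\]:(?P<port>\d+)"
)

def verdicts(lines, year=2021):
    """Pair each CONNECT with its verdict: {ip: [(verdict, seconds_held), ...]}.

    Syslog timestamps carry no year, so `year` is an assumption from the caller.
    """
    pending, result = {}, {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # smtpd lines and anything else are not postscreen verdicts
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["ip"], m["port"])
        if m["event"] == "CONNECT from":
            pending[key] = ts
        elif key in pending:
            held = (ts - pending.pop(key)).total_seconds()
            result.setdefault(m["ip"], []).append((m["event"], held))
    return result

def held_clients(result):
    """Clients screened as new (PASS NEW); in this thread those saw "220-"."""
    return sorted(ip for ip, seen in result.items()
                  if any(verdict == "PASS NEW" for verdict, _ in seen))

# Constructed sample modelled on the thread's log lines.
SAMPLE = """\
Mar 17 22:04:05 mx postfix/postscreen[15710]: CONNECT from [192.0.2.10]:49724 to [10.0.0.69]:25
Mar 17 22:04:11 mx postfix/postscreen[15710]: PASS NEW [192.0.2.10]:49724
Mar 17 22:04:11 mx postfix/smtpd[15712]: connect from unknown[192.0.2.10]
Mar 17 22:05:09 mx postfix/postscreen[15710]: CONNECT from [192.0.2.10]:49740 to [10.0.0.69]:25
Mar 17 22:05:09 mx postfix/postscreen[15710]: PASS OLD [192.0.2.10]:49740
Mar 17 22:20:10 mx postfix/postscreen[15803]: CONNECT from [198.51.100.7]:57400 to [10.0.0.69]:25
Mar 17 22:20:10 mx postfix/postscreen[15803]: WHITELISTED [198.51.100.7]:57400
""".splitlines()

if __name__ == "__main__":
    for ip, seen in verdicts(SAMPLE).items():
        print(ip, seen)
    print("screened as new:", held_clients(verdicts(SAMPLE)))
```

A monitoring address that keeps reappearing under PASS NEW with a hold of several seconds is the one whose banner check will fail.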
 
I just stumbled upon this by chance and realized that this is possibly postscreen's doing - see postscreen(8):
postscreen_greet_banner ($smtpd_banner)
The text in the optional "220-text..." server response that postscreen(8) sends ahead of the real Postfix SMTP server's "220 text..." response, in an attempt to confuse bad SMTP clients so that they speak before their turn (pre-greet).

Glad you found a workaround in any case - else you could maybe configure postscreen to skip the fake greeting (at the expense of not catching problematic senders which don't honor the SMTP protocol)

I hope this helps!
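
A banner check that accepts the two-line greeting shown in this thread, as an added example that is not part of the original posts and is not Proxmox or Zabbix code. In SMTP a hyphen after the reply code marks a continuation line and the reply ends at the line with a space after the code, so the reader below waits for that line and sends nothing before it. The function names, the 15-second timeout and the sample greeting are assumptions.

```python
import io
import re
import socket

# code, then "-" (more lines follow) or " " (final line), then free text
REPLY_LINE = re.compile(r"([0-9]{3})(?:([ -])(.*))?")

def read_reply(stream):
    """Read one complete SMTP reply from a text stream of lines.

    Returns (code, [text, ...]) once the final line ("220 text") has arrived.
    """
    code, texts = None, []
    for raw in stream:
        line = raw.rstrip("\r\n")
        m = REPLY_LINE.fullmatch(line)
        if not m:
            raise ValueError(f"malformed reply line: {line!r}")
        if code is None:
            code = int(m[1])
        elif int(m[1]) != code:
            raise ValueError(f"reply code changed mid-reply: {line!r}")
        texts.append(m[3] or "")
        if m[2] != "-":          # space or bare code: this was the last line
            return code, texts
    raise ConnectionError("connection closed before the final reply line")

def smtp_ready(host, port=25, timeout=15.0):
    """Connect, stay silent until the greeting is complete, then QUIT.

    `timeout` is an assumed value; it has to exceed the server's greet wait
    (about six seconds in the PASS NEW log lines earlier in this thread).
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("r", encoding="ascii", errors="replace") as stream:
            code, texts = read_reply(stream)
        sock.sendall(b"QUIT\r\n")
    return code == 220, texts

if __name__ == "__main__":
    # Constructed greeting in the shape a first-time client sees in this thread.
    sample = io.StringIO("220-smtp1.example.com ESMTP\r\n"
                         "220 smtp1.example.com ESMTP\r\n")
    print(read_reply(sample))
```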
 
I can acknowledge that this "problem" still happens in the latest PMG installation.

The conditions are almost the same: I run net.tcp.service checks from the Zabbix server and catch the 220- greeting; the cloud provider is not AWS. The host that performs monitoring and the PMG installations haven't changed for months, but the problem shows up from time to time.
I will try whitelisting and see if this helps.
Thanks

UPD: Whitelisting in "Configuration -> Mail Proxy -> Whitelisting" didn't help. For no reason it goes "220-" again. So I had to whitelist the IP address in "Configuration -> Mail Proxy -> Networks". Works so far.
 