violating 822.bis section 2.3?

[keeka]

I've configured PMG to use a single relay (smarthost). I recently saw a rejected mail with the response:

552 Message contains bare CR and is violating 822.bis section 2.3 (in reply to end of DATA command)

I changed my mail client to use plaintext and the mail was accepted.

I guess this is a mail client issue. But I was wondering if rejecting mail based on the above is the norm.

 

[fabian]

it's the mitigation recently introduced for the SMTP-Smuggling issue:

https://forum.proxmox.com/threads/smtp-smuggling-mitigation.138576/

edit: sorry, read too fast - that would have been a bare LF, not CR. your message is still broken did the message get rejected by PMG or got bounced back to the PMG with that error?

 

[Stoiko Ivanov]

552 Message contains bare CR and is violating 822.bis section 2.3 (in reply to end of DATA command)

hm - could you please share the logs where this line comes from?
smtp-smuggling was more related to bare LF and not bare CR (correct separator is CR LF).
bare CR seems disallowed for quite a longer period.

I don't think that this is a serious issue (or an issue at all) - but am curious.

Thanks!

 

[keeka]

The email concerned was an html quoted reply to an html email, to which I attached 2 PDFs. I tried several times to get it accepted. I am guessing it was something in the quoted html message or the way the mail client quoted that meesage? PMG accepted the message on each occassion, but the remote server only accepted it once I changed the mail client (kopano webclient) to plaintext. I understand it is not an issue with PMG but would like to understand.

2024-01-17T13:40:35.356307+00:00 smtp postfix/smtpd[44184]: connect from mail.local.lan[192.168.0.31]
2024-01-17T13:40:35.361539+00:00 smtp postfix/smtpd[44184]: Anonymous TLS connection established from mail.local.lan[192.168.0.31]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
2024-01-17T13:40:35.377367+00:00 smtp postfix/smtpd[44184]: 5C17161371: client=mail.local.lan[192.168.0.31]
2024-01-17T13:40:35.379126+00:00 smtp postfix/cleanup[44188]: 5C17161371: message-id=<kcEE.+EefRUcgQJyO6C4N6u/xYQ.gIt+v0pJ2gE@mail.local.lan>
2024-01-17T13:40:35.400029+00:00 smtp postfix/qmgr[374]: 5C17161371: from=<keeka@mydomain.com>, size=1095741, nrcpt=1 (queue active)
2024-01-17T13:40:35.400299+00:00 smtp postfix/smtpd[44184]: disconnect from mail.local.lan[192.168.0.31] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
2024-01-17T13:40:35.533500+00:00 smtp pmg-smtp-filter[39712]: 611FE65A7D8D378ABF: new mail message-id=<kcEE.+EefRUcgQJyO6C4N6u/xYQ.gIt+v0pJ2gE@mail.local.lan>#012
2024-01-17T13:40:40.102802+00:00 smtp postfix/smtpd[44193]: connect from localhost[127.0.0.1]
2024-01-17T13:40:40.104351+00:00 smtp postfix/smtpd[44193]: 19718612C6: client=localhost[127.0.0.1], orig_client=mail.local.lan[192.168.0.31]
2024-01-17T13:40:40.108042+00:00 smtp postfix/cleanup[44188]: 19718612C6: message-id=<kcEE.+EefRUcgQJyO6C4N6u/xYQ.gIt+v0pJ2gE@mail.local.lan>
2024-01-17T13:40:40.176257+00:00 smtp postfix/qmgr[374]: 19718612C6: from=<keeka@mydomain.com>, size=1095892, nrcpt=1 (queue active)
2024-01-17T13:40:40.176572+00:00 smtp pmg-smtp-filter[39712]: 611FE65A7D8D378ABF: accept mail to <user@external.com> (19718612C6) (rule: default-accept)
2024-01-17T13:40:40.178555+00:00 smtp postfix/smtpd[44193]: disconnect from localhost[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
2024-01-17T13:40:40.179293+00:00 smtp pmg-smtp-filter[39712]: 611FE65A7D8D378ABF: processing time: 4.665 seconds (0, 4.536, 0)
2024-01-17T13:40:40.179704+00:00 smtp postfix/lmtp[44189]: 5C17161371: to=<user@external.com>, relay=127.0.0.1[127.0.0.1]:10023, delay=4.8, delays=0.03/0.05/0.05/4.7, dsn=2.5.0, status=sent (250 2.5.0 OK (611FE65A7D8D378ABF))
2024-01-17T13:40:40.180291+00:00 smtp postfix/qmgr[374]: 5C17161371: removed
2024-01-17T13:40:41.266815+00:00 smtp postfix/smtp[44194]: Trusted TLS connection established to relay.isp.net[123.123.123.123]:587: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
2024-01-17T13:40:42.386793+00:00 smtp postfix/smtp[44194]: 19718612C6: to=<user@external.com>, relay=relay.isp.net[123.123.123.123]:587, delay=2.3, delays=0.07/0.05/1.1/1.1, dsn=5.0.0, status=bounced (host relay.isp.net[123.123.123.123] said: 552 Message contains bare CR and is violating 822.bis section 2.3 (in reply to end of DATA command))
2024-01-17T13:40:42.389268+00:00 smtp postfix/qmgr[374]: 19718612C6: removed

 

[keeka]

did the message get rejected by PMG or got bounced back to the PMG with that error?

It was accepted by PMG on the local smtpd port, then rejected by third party server.

 

[fabian]

then you'll likely have to take this up with the receiver's postmaster - maybe their server has a (potentially overly) strict policy in place..

 

[keeka]

then you'll likely have to take this up with the receiver's postmaster - maybe their server has a (potentially overly) strict policy in place..

I was not sure if it was related to the recent locking down of postfix (in PMG and third party servers).
The mail was accepted by PMG presumably because the same restriction aren't applied to the local smtpd port. Or at least not in my config!

I suspect it is caused by the way the mailclient quoted the message. I will have to work around that.