On Fri, 23 Mar 2012 13:19:14 -0300 francis picabia <fpica...@gmail.com> wrote:
> On Fri, Mar 23, 2012 at 12:43 PM, Giles Coochey <gi...@coochey.net>
> wrote:
> > On 23/03/2012 15:37, francis picabia wrote:
> >>
> >> On Fri, Mar 23, 2012 at 11:33 AM, francis
> >> picabia<fpica...@gmail.com> wrote:
> >>>
> >>> We have a difficulty delivering to a site running a barracuda
> >>> appliance. I can email them from a gmail account, or via a telnet
> >>> session, but not via postfix on our SMTP gateway. I've contacted
> >>> the remote site from my gmail to discuss it but no progress so
> >>> far.
> >>>
> >>> I have the default pix conf settings and we are running postfix
> >>> 2.8.6
> >>>
> >>> In the logs we see it times out.
> >>>
> >>> Mar 21 15:01:30 thabit postfix-internal/smtpd[9296]: 6E7211F44DD:
> >>> client=localhost[127.0.0.1]
> >>> Mar 21 15:01:30 thabit postfix-internal/cleanup[9274]:
> >>> 6E7211F44DD: message-id=<moodlepost153...@acorn.mydomain.ca>
> >>> Mar 21 15:01:30 thabit postfix-internal/qmgr[28954]: 6E7211F44DD:
> >>> from=<lms.ad...@mydomain.ca>, size=6449, nrcpt=1 (queue active)
> >>> Mar 21 15:01:30 thabit postfix-internal/lmtp[9288]: 2A0561F44EE:
> >>> to=<usern...@theirdomain.ca>, relay=127.0.0.1[127.0.0.1]:10026,
> >>> delay=189085, delays=189084/0.03/0.01/0.3, dsn=2.0.0, status=sent
> >>> (250 2.0.0 Ok, id=09101-06, from MTA([127.0.0.1]:10027): 250
> >>> 2.0.0 Ok: queued as 6E7211F44DD)
> >>> Mar 21 15:01:30 thabit postfix-internal/smtp[9198]: 6E7211F44DD:
> >>> enabling PIX workarounds: disable_esmtp delay_dotcrlf for
> >>> barracuda1.theirdomain.ca[24.224.X.Y]:25
> >>> Mar 21 15:11:30 thabit postfix-internal/smtp[9198]: 6E7211F44DD:
> >>> conversation with barracuda1.theirdomain.ca[24.224.X.Y] timed out
> >>> while sending end of data -- message may be sent more than once
> >>>
> >>> I saw an older article about delivering to a barracuda gateway and
> >>> tried the solution with
> >>>
> >>> smtp_discard_ehlo_keyword_address_maps =
> >>> hash:/etc/postfix-internal/smtp_discard_ehlo
> >>>
> >>> and that file containing:
> >>>
> >>> 24.224.X.Y pipelining
> >>>
> >>> This setting made no difference in the result and error.
> >>>
> >>> I wonder if the pix settings are not the right fit for this case?
> >>>
> >>> Is there a method to not use the pix workarounds for a single
> >>> destination?
> >>
> >> I read another old thread about Cisco firewalls associated with the
> >> pix workaround.
> >>
> >> When I telnet to the remote site, the response shows:
> >>
> >> 220 ************************************************************
> >>
> >> Is this a sign of the Cisco firewall or could it be something else
> >> masked?
> >>
> >> Should I look at suppressing dkim headers?
> >>
> > It is a sign of the PIX firewall removing data.
> >
> > To disable:
> >
> > 1. Logon to firewall command line
> > 2. type enable
> > 3. enter enable password or secret
> > 4. type configure terminal
> > 5. use 'no fixup protocol smtp 25' to disable SMTP protocol mangling
> > 6. type 'write memory' to save config to device
> > 7. restart or reload the PIX firewall
> >
> Thanks, but this issue is on the remote site. Given they can receive
> email from gmail and other sites, I'm not sure I can convince
> them to make these changes on their firewall. There must
> be another solution so that I'm sending email to them
> they can digest.

http://blog.arschkrebs.de/blog/working-around-broken-cisco-pix-or-asa-installations/
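
The log pattern quoted in this thread (PIX workarounds enabled for a relay, then a timeout in the same delivery) can be picked out of a mail log automatically. The following is an added example, not part of the original thread or of Postfix; the function name `pix_timeouts` is hypothetical, the sample log is constructed from the lines quoted above plus one made-up successful delivery, and it assumes short hexadecimal queue IDs and one log record per line.

```python
import re

# Constructed sample: the first two records follow the log quoted in the thread
# (joined onto single lines); the last two are a made-up successful delivery.
SAMPLE_LOG = """\
Mar 21 15:01:30 thabit postfix-internal/smtp[9198]: 6E7211F44DD: enabling PIX workarounds: disable_esmtp delay_dotcrlf for barracuda1.theirdomain.ca[24.224.X.Y]:25
Mar 21 15:11:30 thabit postfix-internal/smtp[9198]: 6E7211F44DD: conversation with barracuda1.theirdomain.ca[24.224.X.Y] timed out while sending end of data -- message may be sent more than once
Mar 21 15:12:02 thabit postfix-internal/smtp[9301]: 7A1C02F4410: enabling PIX workarounds: disable_esmtp delay_dotcrlf for mx.example.net[192.0.2.10]:25
Mar 21 15:12:04 thabit postfix-internal/smtp[9301]: 7A1C02F4410: to=<user@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=2.1, dsn=2.0.0, status=sent (250 2.0.0 Ok)
"""

# "enabling PIX workarounds: <list> for <host>[<addr>]:<port>"
PIX_RE = re.compile(
    r"/smtp\[\d+\]: (?P<qid>[0-9A-F]+): enabling PIX workarounds: "
    r"(?P<w>.+?) for (?P<host>\S+?)\[(?P<addr>[^\]]+)\]:\d+"
)
# "conversation with <host>[<addr>] timed out while <stage>"
TIMEOUT_RE = re.compile(
    r"/smtp\[\d+\]: (?P<qid>[0-9A-F]+): conversation with "
    r"(?P<host>\S+?)\[(?P<addr>[^\]]+)\] timed out while (?P<stage>.+?)(?: --|$)"
)

def pix_timeouts(log_text):
    """Return one record per delivery that enabled PIX workarounds and then timed out."""
    enabled = {}  # (queue id, relay address) -> list of workarounds in effect
    hits = []
    for line in log_text.splitlines():
        m = PIX_RE.search(line)
        if m:
            enabled[(m["qid"], m["addr"])] = m["w"].split()
            continue
        m = TIMEOUT_RE.search(line)
        if m and (m["qid"], m["addr"]) in enabled:
            hits.append({
                "queue_id": m["qid"],
                "host": m["host"],
                "relay": m["addr"],
                "workarounds": enabled[(m["qid"], m["addr"])],
                "stage": m["stage"],
            })
    return hits

if __name__ == "__main__":
    for hit in pix_timeouts(SAMPLE_LOG):
        print(hit)
```

The relay address in each record is the key format that address-indexed tables such as the `smtp_discard_ehlo_keyword_address_maps` file mentioned above expect.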