On Monday, 29 April 2019 13:07:32 CEST Wietse Venema wrote:
> /etc/postfix/main.cf:
>     smtp_pix_workarounds = delay_dotcrlf
> 
> I.e. turn off 'disable_esmtp'.
 
Lars Kollstedt:
> I already mentioned this as my workaround in my previous mail. Perhaps a bit
> too much in the floating text. ;-)

Yep, when people start ranting about 20th versus 21st century then
it is my right to tune out.

You just contributed one data point that we may have to update some
defaults or make them context-dependent. Great. Thanks. For PIX bug
workarounds, I have to rely on Postfix users to inform me of what
no longer works and what new fixes may become necessary.

To really fix this requires some research and field testing.

According to CISCO documentation, the ASA can be configured with
"allow-tls" to "allow ESMTP over TLS (encrypted connections) without
inspection". Keeping the "delay_dotcrlf" workaround would not hurt,
and it might even be needed if a future ASA software version adds
support to terminate TLS sessions before the MTA, so that the ASA
can inspect those sessions.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/firewall/asa-firewall-cli/inspect-basic.html

A problem with turning off Postfix's "disable_esmtp" is that the
ASA will expose the "CHUNKING" feature in the server's EHLO response,
but it will mangle the SMTP client's BDAT commands into XXXX, causing
mail delivery to fail. There is some ASA configuration to pass BDAT,
but I suspect that also means the BDAT content won't be inspected.
Microsoft outbound servers want to use CHUNKING, so CISCO might
actually have to do something about this.

https://community.cisco.com/t5/firewalls/asa-and-inspect-esmtp/td-p/1263349

On the Postfix SMTP client side, this can be kludged around
by using smtp_discard_ehlo_keyword_address_maps.

        Wietse
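As an added configuration example (not part of the thread, and not Postfix's own documentation), the two client-side settings discussed above combined: the delay_dotcrlf workaround plus a per-destination table that makes the Postfix SMTP client ignore the CHUNKING keyword that an ASA injects. The table path and the 192.0.2.x server addresses are assumptions; the table is indexed by the remote SMTP server's IP address.

```text
# /etc/postfix/main.cf fragment (added example; path and addresses are assumed)

# Keep ESMTP enabled; only delay the final ".<CR><LF>" for the ASA fixup.
smtp_pix_workarounds = delay_dotcrlf

# Per-server list of EHLO keywords the Postfix SMTP client pretends the
# remote server never announced. Indexed by the remote server's IP address;
# the value is a case-insensitive, comma-separated keyword list.
smtp_discard_ehlo_keyword_address_maps = hash:/etc/postfix/discard_ehlo

# If every outbound connection passes through the same ASA, the global
# setting below does the same for all destinations instead of the map:
# smtp_discard_ehlo_keywords = chunking


# /etc/postfix/discard_ehlo (run "postmap /etc/postfix/discard_ehlo" afterwards)
#
# These servers sit behind an ASA that advertises CHUNKING in the EHLO
# response but mangles the BDAT command. Ignoring the keyword makes the
# Postfix client use DATA for these destinations instead of BDAT.
192.0.2.25      chunking
192.0.2.26      chunking
```

Check the effect with "postconf -n" and, for a given destination, by watching the delivery log for DATA rather than BDAT; reverting to disable_esmtp is no longer necessary.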
