On 2019-10-13 13:29:27 (-0700), Wietse Venema wrote:
Philip Paeps:
I've started noticing messages like these in my logs and the logs on mx1.FreeBSD.org in recent months:

Oct 13 00:58:21 rincewind postfix/postscreen[76460]: COMMAND PIPELINING from [46.101.147.153]:59818 after BDAT: DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=masozm.com;\r\n\t s=mail; h=Content-
...

There are two problems: one is big and one is small.

The big problem: it is a PROTOCOL ERROR when the remote SMTP client sends a BDAT (or DATA) command, because postscreen rejects all RCPT TO commands, and does not announce PIPELINING support.

So no matter what, this client should not pass strict postscreen protocol enforcement.

I'll see if I can find an appropriate Exim mailing list to post this on. Or is there an Exim lurker on postfix-users who can pick this up? ;-)

The small problem: the 20180903 patch incorrectly fixes a misleading warning message; it tests the right flag, but in the wrong variable. If I fix this, then postscreen in strict protocol mode should still flag Exim's behavior as a protocol error.

Better error/warning messages are always appreciated. :) Even if they don't make the real problem go away, they might make it slightly easier to identify.

I've turned postscreen_pipelining_enable off on mx1.FreeBSD.org for the time being because it was getting a lot of legitimate email deferred (and timed out).

Another reason to turn off all 'after-220' tests is that turning on one will turn on the others, too. That may be OK when a client has already failed the 'before-220' tests, but should probably not happen otherwise.

Thanks for the suggestion and the additional context. I've grepped through my mailserver logs and the mx1.FreeBSD.org logs for the past week or so and it doesn't look like the 'after-220' checks are catching much spam. Most spammers get killed by the RBL checks.

I've now turned all the 'after-220' checks off again.

```
postscreen_bare_newline_enable = no
postscreen_pipelining_enable = no
postscreen_non_smtp_command_enable = no
```

Perhaps the wording of the "Important note" in POSTSCREEN_README should be a little more strongly worded?

Philip

--
Philip Paeps
Senior Reality Engineer
Alternative Enterprises
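
The comparison discussed in this thread (how much the 'after-220' tests catch compared with the DNSBL checks) can be run over a log file as below. This is an added example, not part of the original messages; the event names follow POSTSCREEN_README, and the log lines, host name and addresses in `SAMPLE` are constructed.

```python
import re
from collections import Counter

# postscreen event names as documented in POSTSCREEN_README.
AFTER_220 = {"COMMAND PIPELINING", "BARE NEWLINE", "NON-SMTP COMMAND"}
EVENT_RE = re.compile(
    r"postfix/postscreen\[\d+\]: "
    r"(?P<event>COMMAND PIPELINING|BARE NEWLINE|NON-SMTP COMMAND|PREGREET|DNSBL rank)"
    r".*?\[(?P<ip>[0-9A-Fa-f:.]+)\]:\d+"
)

# Constructed sample log lines (documentation address ranges only).
SAMPLE = r"""
Oct 13 00:58:21 mx postfix/postscreen[101]: COMMAND PIPELINING from [192.0.2.10]:59818 after BDAT: DKIM-Signature: v=1;
Oct 13 01:02:03 mx postfix/postscreen[101]: DNSBL rank 3 for [198.51.100.7]:40112
Oct 13 01:02:09 mx postfix/postscreen[101]: PREGREET 11 after 0.2 from [198.51.100.7]:40112: EHLO spam\r\n
Oct 13 01:05:44 mx postfix/postscreen[101]: DNSBL rank 2 for [203.0.113.5]:51000
Oct 13 01:05:50 mx postfix/postscreen[101]: BARE NEWLINE from [203.0.113.5]:51000 after DATA
Oct 13 01:09:12 mx postfix/postscreen[101]: CONNECT from [192.0.2.10]:60001 to [192.0.2.1]:25
"""

def tally(lines):
    """Count postscreen test failures and list clients that failed
    only 'after-220' tests (no DNSBL or PREGREET hit)."""
    events = Counter()
    per_client = {}
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue  # CONNECT, PASS, etc. are not test failures
        events[m["event"]] += 1
        per_client.setdefault(m["ip"], set()).add(m["event"])
    # Clients for which the after-220 tests were the sole signal: either
    # spam the earlier tests missed, or legitimate mail being deferred.
    only_after_220 = {ip for ip, seen in per_client.items() if seen <= AFTER_220}
    return events, only_after_220

if __name__ == "__main__":
    events, only = tally(SAMPLE.splitlines())
    for name, count in events.most_common():
        print(f"{count:5d}  {name}")
    print("flagged only by after-220 tests:", sorted(only))
```

Clients that appear in the second result are the ones to review by hand before deciding whether the after-220 tests are worth keeping on.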
