On 2019-10-13 16:05:07 (-0700), Wietse Venema wrote:
Philip Paeps:
On 2019-10-13 13:29:27 (-0700), Wietse Venema wrote:
Philip Paeps:
I've started noticing messages like these in my logs and the logs
on mx1.FreeBSD.org in recent months:
Oct 13 00:58:21 rincewind postfix/postscreen[76460]: COMMAND
PIPELINING from [46.101.147.153]:59818 after BDAT: DKIM-Signature:
v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=masozm.com;\r\n\t s=mail; h=Content- ...
There are two problems: one is big and one is small.
The big problem: it is a PROTOCOL ERROR when the remote SMTP client
sends a BDAT (or DATA) command, because postscreen rejects all RCPT
TO commands, and does not announce PIPELINING support.
So no matter what, this client should not pass strict postscreen
protocol enforcement.
I'll see if I can find an appropriate Exim mailing list to post this
on. Or is there an Exim lurker on postfix-users who can pick this
up? ;-)
I have filed a bug, and forgot to write down the number.
The small problem: the 20180903 patch incorrectly fixes a misleading
warning message; it tests the right flag, but in the wrong variable.
If I fix this, then postscreen in strict protocol mode should still
flag Exim's behavior as a protocol error.
Better error/warning messages are always appreciated. :) Even if
they don't make the real problem go away, they might make it slightly
easier to identify.
I have a fix (attached) that no longer flags this as a PIPELINING
error (because it isn't). It just logs "BDAT without valid RCPT"
without blocking mail.
That was quick, thank you! :-)
I'll rebuild with this patch this week.
Is there a way to remove individual entries from the postscreen cache
for easy testing? If I delete the whole cache, mail from senders who've
already passed the 'after-220' checks will get delayed.
Many thanks.
Philip
--
Philip Paeps
Senior Reality Engineer
Alternative Enterprises
