Apelin, Eulogio:
> This looks like the case.  Some networks on prem going through the
> ASA encounter banner with *****, will error out, while other
> networks on prem get the nicely formatted Banner (not through ASA)
> will work (helo servername).  I am getting a list of vlans from
> network team that identify all the networks that go through the
> ASA and validate with tests.

After the Postfix SMTP client sees the "220 ***..." greeting
it logs a warning (you DID look in the logs?) and will by
default disable ESMTP and send HELO instead of EHLO.

This default setting is:

    smtp_pix_workarounds = disable_esmtp,delay_dotcrlf

You can configure that to not disable ESMTP, so that Postfix will
send EHLO instead:

    smtp_pix_workarounds = delay_dotcrlf

That might get you past the HELO problem.

        Wietse

> Was there a workaround, or the only resolution/option was to turn
> off ESMTP inspection (whatever it's called) on the ASA?
>
> -----Original Message-----
> From: owner-postfix-us...@postfix.org <owner-postfix-us...@postfix.org> On 
> Behalf Of Viktor Dukhovni
> Sent: Wednesday, June 9, 2021 6:15 PM
> To: postfix-users@postfix.org
> Subject: [NON-HA] Re: Need help with response to HELO, 502 5.5.2 Error
> 
> On Thu, Jun 10, 2021 at 02:59:02AM +0000, Apelin, Eulogio wrote:
> 
> > I am testing my mail server setup, when telnetting to port 25, I receive 
> > this interaction when I type 'helo myserver.com'
> >
> > 220 
> > *******************************************************************
> 
> This banner typically results from a Cisco ESA firewall with SMTP inspection 
> enabled that is located between client and server.
> 
> The Cisco ESA adds no value in front of Postfix, just breaks SMTP.
> Disable SMTP inspection on that device.
> 
> --
>     Viktor.
> 
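
Added example, not part of the original thread and not Postfix code: a Python check for the per-network validation discussed above, classifying recorded port-25 greetings as masked by an inspecting device or clean. The vantage-point names and sample banners are constructed, and the masking heuristic (only asterisks, the digits 2 and 0, and whitespace after the reply code) is an assumption.

```python
import re

# Constructed sample greetings, as a test client might record per source network.
SAMPLES = {
    "vlan-a": "220 *******************************************",
    "vlan-b": "220 mail.example.com ESMTP Postfix",
    "vlan-c": "220-**********\r\n220 ****2******0*********",
    "vlan-d": "554 mail.example.com no service",
}

_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_greeting(raw):
    """Return (code, [text lines]) for a possibly multi-line SMTP reply."""
    code, texts = None, []
    for line in raw.splitlines():
        m = _LINE.match(line.rstrip("\r"))
        if not m:
            raise ValueError(f"not an SMTP reply line: {line!r}")
        if code is not None and m.group(1) != code:
            raise ValueError("reply code changes inside one reply")
        code = m.group(1)
        texts.append(m.group(3))
        if m.group(2) == " ":      # a space after the code marks the last line
            break
    if code is None:
        raise ValueError("empty reply")
    return code, texts

def classify(raw):
    """'masked' = 220 greeting rewritten to asterisks, 'clean' = readable 220,
    'refused' = any other reply code."""
    code, texts = parse_greeting(raw)
    if code != "220":
        return "refused"
    body = "".join(texts)
    # Assumption: a masked banner holds only '*', '2', '0' and whitespace.
    if "*" in body and not body.strip("*20 \t"):
        return "masked"
    return "clean"

def paths_through_inspection(samples):
    """Names of the vantage points whose greeting arrived masked."""
    return sorted(n for n, raw in samples.items() if classify(raw) == "masked")

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw))
```

Networks reported as masked are the ones where a Postfix SMTP client with the default smtp_pix_workarounds would fall back to HELO.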
