Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-15 Thread Ralf Hildebrandt
* Benny Pedersen m...@junc.org:

 fail2ban could be one's friend if Postfix has this
 
 fail2ban then just greps the logs for outgoing mails that failed per IP,
 and adds this header-ignore per CIDR map

Yeah, that's a great idea!

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-15 Thread Benny Pedersen

On Wed, 15 Jun 2011 08:39:11 +0200, Ralf Hildebrandt wrote:

* Benny Pedersen m...@junc.org:


fail2ban could be one's friend if Postfix has this

fail2ban then just greps the logs for outgoing mails that failed per IP,
and adds this header-ignore per CIDR map


Yeah, that's a great idea!


It is? Oh, thanks :-)


Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-15 Thread Robert Schetterer
On 15.06.2011 08:39, Ralf Hildebrandt wrote:
 * Benny Pedersen m...@junc.org:
 
 fail2ban could be one's friend if Postfix has this

 fail2ban then just greps the logs for outgoing mails that failed per IP,
 and adds this header-ignore per CIDR map
 
 Yeah, that's a great idea!
 
But what if there are other reasons? OK, it doesn't hurt too much
to remove DKIM sigs, but the admin should be informed
of this, or maybe it should expire; as far as I remember this can be done
with fail2ban too (but I may fail here).

-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-15 Thread Mark Martinec
On Wednesday June 15 2011 05:42:36 Noel Jones wrote:
 At this time I'm inclined to set this aside.  The DKIM bug
 doesn't seem to be widespread; there is no compelling case to
 add a new workaround right now.

Indeed the situation has much improved in the past year or two.

Many sites have turned off smtp fixups or upgraded their ASA
firmware or both. It also helps to send mail to postmasters of
affected sites with a pointer to Ralf's web page and the Heise
article, and suggest turning off the (mis)feature.

Perhaps the incentive was when they started missing some of the
mail from gmail.com and the like.

  Mark



Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-15 Thread Wietse Venema
Victor Duchovni:
 On Tue, Jun 14, 2011 at 08:05:24PM -0500, Noel Jones wrote:
 
  I was thinking a setting integrated with smtp_pix_workarounds would be more 
  automatic, with little maintenance once configured.
 
 Given that the banner detection is incomplete (some pixen are not
 obviously such) one still needs manual configuration for some cases,
 so I am not convinced that any new feature is warranted, the receiving
 systems need to be incented to fix their bug.

If enough big mailers sign their email (gmail, yahoo, etc.)
then that will provide the incentive.

Wietse


Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Noel Jones

On 6/14/2011 8:34 AM, Ralf Hildebrandt wrote:

Today I found that some sites behind a PIX/ASA firewall with smtp
protocol fixup would not accept DKIM signed mails.

Solution:
=========

master.cf:
nodkim    unix  -       -       -       -       -       smtp
    -o smtp_header_checks=pcre:/etc/postfix/no_dkim.pcre

main.cf:
transport_maps = cdb:/etc/postfix/transport

and in /etc/postfix/transport:
mrnaz.com   nodkim:

/etc/postfix/no_dkim.pcre contains:
/^DKIM-Signature:/  IGNORE
# this strips a DKIM Signature





I think I posted something almost exactly like this a while 
ago (year+?).  Anyway, I can confirm that I've had this same 
problem and came up with the same workaround, still in place.



  -- Noel Jones


Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Ralf Hildebrandt
* Noel Jones njo...@megan.vbhcs.org:

 I think I posted something almost exactly like this a while ago
 (year+?).  Anyway, I can confirm that I've had this same problem and
 came up with the same workaround, still in place.

Yeah. Maybe it would make a cool addition to smtp_pix_workarounds!




Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Victor Duchovni
On Tue, Jun 14, 2011 at 07:48:54PM +0200, Ralf Hildebrandt wrote:

 * Noel Jones njo...@megan.vbhcs.org:
 
  I think I posted something almost exactly like this a while ago
  (year+?).  Anyway, I can confirm that I've had this same problem and
  came up with the same workaround, still in place.
 
 Yeah. Maybe it would make a cool addition to smtp_pix_workarounds!

I guess you'd like:

smtp_pix_header_checks = ...

this feature would be rather a large concession to a problem that needs
to be fixed at the receiving system...

-- 
Viktor.


Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Wietse Venema
Ralf Hildebrandt:
 * Noel Jones njo...@megan.vbhcs.org:
 
  I think I posted something almost exactly like this a while ago
  (year+?).  Anyway, I can confirm that I've had this same problem and
  came up with the same workaround, still in place.
 
 Yeah. Maybe it would make a cool addition to smtp_pix_workarounds!

How does an SMTP client recognize an ASA box before it breaks email? 

Wietse


Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Ralf Hildebrandt
* Wietse Venema wie...@porcupine.org:

  Yeah. Maybe it would make a cool addition to smtp_pix_workarounds!
 
 How does an SMTP client recognize an ASA box before it breaks email? 

Only from the /^[02 *]+$/ banner.

# telnet mx.interfree.it 25
Trying 213.158.72.46...
Connected to mx.interfree.it.
Escape character is '^]'.
220 **

# telnet mailamir.com 25
Trying 114.31.73.44...
Connected to mailamir.com.
Escape character is '^]'.
220 **




Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Wietse Venema
Ralf Hildebrandt:
 * Wietse Venema wie...@porcupine.org:
 
   Yeah. Maybe it would make a cool addition to smtp_pix_workarounds!
  
  How does an SMTP client recognize an ASA box before it breaks email? 
 
 Only from the /^[02 *]+$/ banner.
 
 # telnet mx.interfree.it 25
 Trying 213.158.72.46...
 Connected to mx.interfree.it.
 Escape character is '^]'.
 220 **
 
 # telnet mailamir.com 25
 Trying 114.31.73.44...
 Connected to mailamir.com.
 Escape character is '^]'.
 220 **

Hmm...

% telnet mailamir.com 25
Trying 114.31.73.44...
Connected to mailamir.com.
Escape character is '^]'.
220 **
help
502 5.5.2 Error: command not recognized

Wietse


Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Victor Duchovni
On Tue, Jun 14, 2011 at 02:18:43PM -0400, Wietse Venema wrote:

  # telnet mailamir.com 25
  Trying 114.31.73.44...
  Connected to mailamir.com.
  Escape character is '^]'.
  220 **
 
 Hmm...
 
 % telnet mailamir.com 25
 Trying 114.31.73.44...
 Connected to mailamir.com.
 Escape character is '^]'.
 220 **
 help
 502 5.5.2 Error: command not recognized

A Postfix system with a PIX in front of it and STARTTLS censored as
XXXA (same length).

Connected to mailamir.com[114.31.73.44]:25
 220 **
 EHLO amnesiac.example.com
 250-mailamir.com
 250-PIPELINING
 250-SIZE 2048
 250-VRFY
 250-ETRN
 250-XXXA
 250-ENHANCEDSTATUSCODES
 250-8BITMIME
 250 DSN

-- 
Viktor.


Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Mark Martinec
Ralf wrote:
 Today I found that some sites behind a PIX/ASA firewall with smtp
 protocol fixup would not accept DKIM signed mails.

But you already knew that!  :)

ASA bug CSCsy28792 and a couple of related header-parsing bugs,
triggered by encountering a content-type or content-transfer-encoding
in a header field body of some unrelated header field, such as an 'h' tag
of a DKIM signature:

  http://www.arschkrebs.de/postfix/postfix_cisco_pix_bugs.shtml


Mark


Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Ralf Hildebrandt
* Victor Duchovni victor.ducho...@morganstanley.com:

 A Postfix system with a PIX in front of it and STARTTLS censored as
 XXXA (same length).

Yes, thought so too.




Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Ralf Hildebrandt
* Mark Martinec mark.martinec+post...@ijs.si:
 Ralf wrote:
  Today I found that some sites behind a PIX/ASA firewall with smtp
  protocol fixup would not accept DKIM signed mails.
 
 But you already knew that!  :)

Yes I know.

 ASA bug CSCsy28792 and a couple of related header-parsing bugs,
 triggered by encountering a content-type or content-transfer-encoding
 in a header field body of some unrelated header field, such as an 'h' tag
 of a DKIM signature:
 
   http://www.arschkrebs.de/postfix/postfix_cisco_pix_bugs.shtml

Back then I didn't know the workaround!




Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Mark Martinec
  How does an SMTP client recognize an ASA box before it breaks email? 
 
 Only from the /^[02 *]+$/ banner.
 # telnet mx.interfree.it 25
 220 **

I think the newer versions of ASA can be configured to let ESMTP pass through
without censoring the greeting, while still exhibiting one of the header
parsing bugs - which can lead to dropping the TCP session without
a RST (but with a message in the log ... which no one reads).

  Mark


Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Ralf Hildebrandt
* Mark Martinec mark.martinec+post...@ijs.si:

 I think the newer versions of ASA can be configured to let ESMTP pass
 through without censoring the greeting, while still exhibiting one of
 the header parsing bugs - which can lead to dropping the TCP session
 without a RST (but with a message in the log ... which no one reads).

:(




Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Robert Schetterer
On 14.06.2011 15:34, Ralf Hildebrandt wrote:
 Today I found that some sites behind a PIX/ASA firewall with smtp
 protocol fixup would not accept DKIM signed mails.
 
 Solution:
 =========
 
 master.cf:
 nodkim    unix  -       -       -       -       -       smtp
     -o smtp_header_checks=pcre:/etc/postfix/no_dkim.pcre
 
 main.cf:
 transport_maps = cdb:/etc/postfix/transport
 
 and in /etc/postfix/transport:
 mrnaz.com   nodkim:
 
 /etc/postfix/no_dkim.pcre contains:
 /^DKIM-Signature:/  IGNORE
 # this strips a DKIM Signature
 
 
Yes, there are a few of them out there.



Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Robert Schetterer
On 14.06.2011 20:48, Ralf Hildebrandt wrote:
 * Mark Martinec mark.martinec+post...@ijs.si:
 
 I think the newer versions of ASA can be configured to let ESMTP pass
 through without censoring the greeting, while still exhibiting one of
 the header parsing bugs - which can lead to dropping the TCP session
 without a RST (but with a message in the log ... which no one reads).
 
 :(
 
Make it more public, firewall admins may wake up; in Germany, Heise
postings help sometimes *g*




Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Wietse Venema
Wietse Venema:
 Hmm...
 
 % telnet mailamir.com 25
 Trying 114.31.73.44...
 Connected to mailamir.com.
 Escape character is '^]'.
 220 **
 help
 502 5.5.2 Error: command not recognized

FYI, this is how I quickly identify Postfix MTAs.

Wietse


Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Ralf Hildebrandt
* Robert Schetterer rob...@schetterer.org:

 Make it more public, firewall admins may wake up; in Germany, Heise
 postings help sometimes *g*

For that one would need large scale statistics.




Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Benny Pedersen

On Tue, 14 Jun 2011 19:48:54 +0200, Ralf Hildebrandt wrote:

* Noel Jones njo...@megan.vbhcs.org:


I think I posted something almost exactly like this a while ago
(year+?).  Anyway, I can confirm that I've had this same problem and
came up with the same workaround, still in place.


Yeah. Maybe it would make a cool addition to smtp_pix_workarounds!


Or list bad domains as rfc-ignorant, if there is an RFC for this.



Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Noel Jones

On 6/14/2011 5:49 PM, Benny Pedersen wrote:

On Tue, 14 Jun 2011 19:48:54 +0200, Ralf Hildebrandt wrote:

* Noel Jones njo...@megan.vbhcs.org:


I think I posted something almost exactly like this a while ago
(year+?). Anyway, I can confirm that I've had this same problem and
came up with the same workaround, still in place.


Yeah. Maybe it would make a cool addition to smtp_pix_workarounds!


Or list bad domains as rfc-ignorant, if there is an RFC for this.



No, there is no RFC that says you must receive my properly 
formatted email even if your software chokes on it.


I was thinking along the lines of a smtp_pix_workarounds 
keyword like removeDKIM or, more general and more complex, 
removeheaders with a matching smtp_pix_removeheaders list of 
header names to remove.


the choices I see are

A) single-purpose workaround:
smtp_pix_workarounds = removeDKIM ...

B) general anti-choke workaround
smtp_pix_workarounds = removeheaders
smtp_pix_removeheaders = DKIM, X-foo, Bar

(proposed docs available if there is any interest)

C) use existing smtp_header_checks solution.


For me, the existing workaround (master.cf dumbpix transport 
with -o smtp_header_checks) is sufficient.  I currently have 
only two domains on the dumbpix transport -- apparently 
unrelated government agencies, a school system in one city, 
police in another.




  -- Noel Jones


Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Benny Pedersen

On Tue, 14 Jun 2011 19:32:39 -0500, Noel Jones wrote:


C) use existing smtp_header_checks solution.


Extend to smtp_header_checks_maps, and then use any maps Postfix
supports.


Is smtp_header_checks already per recipient server?



Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Noel Jones

On 6/14/2011 7:42 PM, Benny Pedersen wrote:

On Tue, 14 Jun 2011 19:32:39 -0500, Noel Jones wrote:


C) use existing smtp_header_checks solution.


Extend to smtp_header_checks_maps, and then use any maps
Postfix supports.


That's an interesting idea in itself, but in the scope of pix 
workarounds it's not a huge improvement since it still 
requires manual intervention per server/domain.


anyway, don't think it's possible.  I think all possible 
tables would need to be loaded before postfix knew which one 
to use, or postfix would need to wastefully launch a new smtp 
for each delivery.





Is smtp_header_checks already per recipient server?



No, currently either a global setting or custom transports 
with -o smtp_header_checks option.


I was thinking a setting integrated with smtp_pix_workarounds 
would be more automatic, with little maintenance once configured.



  -- Noel Jones


Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Victor Duchovni
On Tue, Jun 14, 2011 at 08:05:24PM -0500, Noel Jones wrote:

 I was thinking a setting integrated with smtp_pix_workarounds would be more 
 automatic, with little maintenance once configured.

Given that the banner detection is incomplete (some pixen are not
obviously such) one still needs manual configuration for some cases,
so I am not convinced that any new feature is warranted, the receiving
systems need to be incented to fix their bug.

-- 
Viktor.


Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Benny Pedersen

On Tue, 14 Jun 2011 20:05:24 -0500, Noel Jones wrote:


That's an interesting idea in itself, but in the scope of pix
workarounds it's not a huge improvement since it still requires manual
intervention per server/domain.


fail2ban could be one's friend if Postfix has this

fail2ban then just greps the logs for outgoing mails that failed per IP, and
adds this header-ignore per CIDR map



anyway, don't think it's possible.  I think all possible tables would
need to be loaded before postfix knew which one to use, or postfix
would need to wastefully launch a new smtp for each delivery.


As it is now it's not, but I think it could be solved :-)


Is smtp_header_checks already per recipient server?



No, currently either a global setting or custom transports with -o
smtp_header_checks option.


okay


I was thinking a setting integrated with smtp_pix_workarounds would
be more automatic, with little maintenance once configured.


Suggest pfSense is out of the question for hosts that run Cisco
hardware.
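Benny's fail2ban-style idea above, as an added example that is not code from the thread, from Postfix or from fail2ban: it scans postfix/smtp log lines for the "timed out while sending end of data" deferral, counts them per recipient domain, and emits transport(5) entries in the form of Ralf's `mrnaz.com nodkim:` line, alongside Ralf's `/^[02 *]+$/` banner check. The log lines are constructed, and the `nodkim` transport name, the threshold and the function names are assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample postfix/smtp log lines (not from the thread). The deferral
# text is the one in the thread's subject line; domains are RFC 2606 examples.
SAMPLE_LOG = """\
Jun 14 10:01:02 mx postfix/smtp[2101]: 1A2B3C4D5E: to=<a@example.com>, relay=mx.example.com[192.0.2.10]:25, delay=310, delays=0.1/0.01/0.3/309, dsn=4.4.2, status=deferred (conversation with mx.example.com[192.0.2.10] timed out while sending end of data -- message may be sent more than once)
Jun 14 10:06:12 mx postfix/smtp[2102]: 1A2B3C4D5E: to=<a@example.com>, relay=mx.example.com[192.0.2.10]:25, delay=620, delays=0.1/0.01/0.3/309, dsn=4.4.2, status=deferred (conversation with mx.example.com[192.0.2.10] timed out while sending end of data -- message may be sent more than once)
Jun 14 10:07:44 mx postfix/smtp[2103]: 6F7A8B9C0D: to=<b@example.org>, relay=mail.example.org[198.51.100.7]:25, delay=1.2, delays=0.1/0.01/0.3/0.8, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4C2E1)
Jun 14 10:09:30 mx postfix/smtp[2104]: 0E1F2A3B4C: to=<c@example.net>, relay=mx.example.net[203.0.113.5]:25, delay=305, delays=0.1/0.01/0.2/304, dsn=4.4.2, status=deferred (conversation with mx.example.net[203.0.113.5] timed out while sending end of data -- message may be sent more than once)
"""

# The deferral the thread is about: the PIX/ASA smtp fixup drops the session
# after end-of-data, so Postfix defers with exactly this wording.
EOD_TIMEOUT = re.compile(
    r"(?P<queue_id>[0-9A-Za-z]+): to=<[^@>]+@(?P<domain>[^>]+)>, "
    r"relay=(?P<relay>[^\[\s]+)\[(?P<ip>[^\]]+)\]"
    r".*status=deferred \(conversation with .* timed out while sending end of data"
)

# Ralf's banner pattern: a PIX/ASA with smtp fixup replaces the greeting text
# with asterisks, so "220 ****..." is the only visible hint before DATA.
CENSORED_BANNER = re.compile(r"^[02 *]+$")


@dataclass(frozen=True)
class Timeout:
    queue_id: str
    domain: str
    relay: str
    ip: str


def banner_looks_censored(banner: str) -> bool:
    """True for a greeting matching /^[02 *]+$/ (star-censored banner)."""
    return CENSORED_BANNER.match(banner.rstrip("\r\n")) is not None


def parse_timeouts(lines):
    """Return one Timeout per end-of-data deferral found in the log lines."""
    return [Timeout(**m.groupdict()) for m in map(EOD_TIMEOUT.search, lines) if m]


def timeouts_by_domain(lines) -> Counter:
    """Count deferrals per recipient domain (transport_maps keys on the domain)."""
    return Counter(t.domain for t in parse_timeouts(lines))


def transport_entries(lines, threshold=2, transport="nodkim"):
    """Emit transport(5) lines, e.g. 'example.com<TAB>nodkim:', for domains at or
    above the threshold; 'nodkim' is the assumed transport name from Ralf's post.
    A threshold above 1 keeps one stray timeout from silently stripping DKIM."""
    counts = timeouts_by_domain(lines)
    return [f"{dom}\t{transport}:" for dom, n in sorted(counts.items()) if n >= threshold]


if __name__ == "__main__":
    for entry in transport_entries(SAMPLE_LOG.splitlines()):
        print(entry)
```

Entries emitted this way still need an admin to review them and, as Robert notes in the thread, a way to expire them once the receiving site fixes its firewall.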


Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Noel Jones

On 6/14/2011 8:22 PM, Victor Duchovni wrote:

On Tue, Jun 14, 2011 at 08:05:24PM -0500, Noel Jones wrote:


I was thinking a setting integrated with smtp_pix_workarounds would be more
automatic, with little maintenance once configured.


Given that the banner detection is incomplete (some pixen are not
obviously such) one still needs manual configuration for some cases,
so I am not convinced that any new feature is warranted, the receiving
systems need to be incented to fix their bug.



OTOH, the current pix detection and workarounds are not 
useless, so extending/improving them is worth discussing -- 
even if not necessarily worth doing.


At this time I'm inclined to set this aside.  The DKIM bug 
doesn't seem to be widespread; there is no compelling case to 
add a new workaround right now.


Maybe an example of the current smtp_header_checks workaround 
(Ralf's was fine) could be added to the docs somewhere rather 
than a feature change.



  -- Noel Jones