Public bug reported: Hi,
Postfix by default enables the pix workarround for an server after a message has been queued for more than 500s. http://www.postfix.org/postconf.5.html#smtp_pix_workaround_threshold_time If the server with an downtime of more than 500s has DANE enabled. And we're respecting DANE this leads tho the messages, when the server gets reachable again: Apr 26 09:39:46 <MyServer> postfix/smtp[22908]: E7CD35F79E: enabling PIX workarounds: disable_esmtp delay_dotcrlf for <ServerFQHN>[<ServerIP>]:25 Apr 26 09:39:46 <MyServer> postfix/smtp[22908]: E7CD35F79E: TLS is required, but was not offered by host <ServerFQHN>[<ServerIP>] And the mail won't be delivered any more, and it seems like also any further mail to this server is affected. My workarround is to set smtp_pix_workarounds = delay_dotcrlf in the main.cf and leave ESMTP enabled this way. And hoping nobody is using Cisco PIXes without ESMTP today anymore. Disabling ESMTP breaks the STARTTLS support, which is necessary for DANE. If it's really neccessary there are also ways to configure exceptions, but this is OT. My suggestion for a real fix is to disable the pix workaround detection if DANE or TLS enforcement is enabled, or not to disable ESMTP in that case. This is Postfix not Ubuntu specific, and in my case occured with a postfix 3.1.0-3ubuntu0.3, but I would expect this to happen with all versions, from the documented behavior. Kind regards, Lars ** Affects: postfix (Ubuntu) Importance: Undecided Status: New ** Description changed: Hi, Postfix by default enables the pix workarround for an server after a message has been queued for more than 500s. http://www.postfix.org/postconf.5.html#smtp_pix_workaround_threshold_time If the server with an downtime of more than 500s has DANE enabled. And - we're respecting dane this leads tho the messages, when the server gets + we're respecting DANE this leads tho the messages, when the server gets reachable again: - - Apr 26 09:39:46 <MyServer> postfix/smtp[22908]: E7CD35F79E: enabling PIX + Apr 26 09:39:46 <MyServer> postfix/smtp[22908]: E7CD35F79E: enabling PIX workarounds: disable_esmtp delay_dotcrlf for <ServerFQHN>[<ServerIP>]:25 - Apr 26 09:39:46 <MyServer> postfix/smtp[22908]: E7CD35F79E: TLS is required, but + Apr 26 09:39:46 <MyServer> postfix/smtp[22908]: E7CD35F79E: TLS is required, but was not offered by host <ServerFQHN>[<ServerIP>] And the mail won't be delivered any more, and it seems like also any further mail to this server is affected. - My workarround is to set + My workarround is to set smtp_pix_workarounds = delay_dotcrlf in the main.cf and leave ESMTP enabled this way. And hoping nobody is using Cisco PIXes without ESMTP today anymore. Disabling ESMTP breaks the STARTTLS support, which is necessary for DANE. If it's really neccessary there are also ways to configure exceptions, but this is OT. + My suggestion for a real fix is to disable the pix workaround detection + if DANE or TLS enforcement is enabled, or not to disable ESMTP in that + case. - My suggestion for a real fix is to disable the pix workaround detection if DANE or TLS enforcement is enabled, or not to disable ESMTP in that case. - - - This is Postfix not Ubuntu specific, and in my case occured with a postfix 3.1.0-3ubuntu0.3, but I would expect this to happen with all versions, from the documented behavior. + This is Postfix not Ubuntu specific, and in my case occured with a + postfix 3.1.0-3ubuntu0.3, but I would expect this to happen with all + versions, from the documented behavior. Kind regards, - Lars + Lars -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1826534 Title: Pix workaround should be (partially?) disabled when DANE is in use To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/postfix/+bug/1826534/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
