Pix workaround should be (partially?) disabled when DANE is in use

Bug #1826534 reported by Lars Kollstedt
Affects: postfix (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

Hi,

Postfix by default enables the PIX workaround for a server after a message has been queued for more than 500s.

http://www.postfix.org/postconf.5.html#smtp_pix_workaround_threshold_time

If the server with a downtime of more than 500s has DANE enabled, and we're respecting DANE, this leads to the following messages when the server becomes reachable again:

Apr 26 09:39:46 <MyServer> postfix/smtp[22908]: E7CD35F79E: enabling PIX workarounds: disable_esmtp delay_dotcrlf for <ServerFQHN>[<ServerIP>]:25
Apr 26 09:39:46 <MyServer> postfix/smtp[22908]: E7CD35F79E: TLS is required, but was not offered by host <ServerFQHN>[<ServerIP>]

And the mail won't be delivered any more, and it seems that any further mail to this server is also affected.

My workaround is to set

smtp_pix_workarounds = delay_dotcrlf

in main.cf and leave ESMTP enabled this way, hoping nobody is using Cisco PIXes without ESMTP today anymore. Disabling ESMTP breaks the STARTTLS support, which is necessary for DANE.

If it's really necessary there are also ways to configure exceptions, but this is OT.

My suggestion for a real fix is to disable the PIX workaround detection if DANE or TLS enforcement is enabled, or not to disable ESMTP in that case.

This is Postfix-specific, not Ubuntu-specific, and in my case occurred with postfix 3.1.0-3ubuntu0.3, but from the documented behavior I would expect this to happen with all versions.

Kind regards,
   Lars
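
As an added example (not from the bug report or from Postfix itself): a small Python check that, first, scans mail log lines for the failure pattern described above (a queue id for which Postfix enabled disable_esmtp and then reported that required TLS was not offered) and, second, inspects a main.cf fragment for the risky combination of disable_esmtp with a DANE or mandatory TLS security level. The log lines and hostnames are constructed placeholders.

```python
import re

# Constructed sample log lines modelled on the report; hosts and IPs are placeholders.
SAMPLE_LOG = """\
Apr 26 09:39:46 mx1 postfix/smtp[22908]: E7CD35F79E: enabling PIX workarounds: disable_esmtp delay_dotcrlf for mail.example.org[192.0.2.10]:25
Apr 26 09:39:46 mx1 postfix/smtp[22908]: E7CD35F79E: TLS is required, but was not offered by host mail.example.org[192.0.2.10]
Apr 26 09:40:01 mx1 postfix/smtp[22910]: A1B2C3D4E5: enabling PIX workarounds: delay_dotcrlf for relay.example.net[198.51.100.7]:25
Apr 26 09:40:02 mx1 postfix/smtp[22910]: A1B2C3D4E5: to=<u@example.net>, relay=relay.example.net[198.51.100.7]:25, status=sent (250 2.0.0 Ok)
"""

PIX_RE = re.compile(r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): enabling PIX workarounds: "
                    r"(?P<flags>[\w ]+?) for (?P<host>\S+?)\[(?P<ip>[^\]]+)\]:\d+")
TLS_RE = re.compile(r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): TLS is required, but was not offered by host (?P<host>\S+?)\[")

def find_pix_tls_conflicts(log_text):
    """Return {queue_id: host} for deliveries where disable_esmtp was switched on
    and the TLS requirement (DANE/encrypt) subsequently failed for the same queue id."""
    disabled_esmtp = {}  # queue id -> host that had disable_esmtp applied
    conflicts = {}
    for line in log_text.splitlines():
        m = PIX_RE.search(line)
        if m:
            if "disable_esmtp" in m.group("flags").split():
                disabled_esmtp[m.group("qid")] = m.group("host")
            continue
        m = TLS_RE.search(line)
        if m and m.group("qid") in disabled_esmtp:
            conflicts[m.group("qid")] = disabled_esmtp[m.group("qid")]
    return conflicts

# Postfix defaults when the key is absent from main.cf.
DEFAULTS = {"smtp_pix_workarounds": "disable_esmtp, delay_dotcrlf", "smtp_tls_security_level": ""}
TLS_ENFORCING_LEVELS = {"dane", "dane-only", "encrypt", "fingerprint", "verify", "secure"}

def pix_config_conflicts_with_tls(main_cf_text):
    """True if main.cf still allows disable_esmtp while a DANE or mandatory-TLS
    security level is configured, i.e. the combination the report warns about."""
    conf = dict(DEFAULTS)
    for line in main_cf_text.splitlines():
        line = line.split("#", 1)[0]
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    workarounds = set(re.split(r"[,\s]+", conf["smtp_pix_workarounds"].strip()))
    return "disable_esmtp" in workarounds and conf["smtp_tls_security_level"] in TLS_ENFORCING_LEVELS
```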

Lars Kollstedt (lk-x)
description: updated
Revision history for this message
Lars Kollstedt (lk-x) wrote :

Hi again,

the 500-second threshold is probably only triggered when the server greeting is replaced by stars, which is still done (by default) by newer Cisco ASAs, which at least support ESMTP and, in the case we ran into, also let the STARTTLS pass properly.

Combining PIXes which are not ESMTP-ready with DANE or other ways to enforce STARTTLS would be deadly for SMTP anyway. So leaving ESMTP activated if STARTTLS is enforced would fix this in any case.

Kind regards,
    Lars

Scott Kitterman (kitterman) wrote : Re: [Bug 1826534] [NEW] Pix workaround should be (partially?) disabled when DANE is in use

This is something that you should address with upstream (postfix-users mailing
list is the best venue).

Scott K

Lars Kollstedt (lk-x) wrote :

Andreas Hasenack (ahasenack) wrote :

Thanks for doing this, Lars.
