chris...@astron.com (Christos Zoulas) wrote:
> In article <55da8d55.Vwp89GtYfOZ+zHh/%j...@sdf.org>, <j...@sdf.org> wrote:
> >Up until yesterday the following was providing Postfix SMTP client SASL
> >TLS authentication with my email provider's outgoing email
> >server (configs have been sanitized for public posting):
> >
> >   #/etc/postfix/main.cf
> >   myhostname = beasty.sleepy.cat
> >   mydomain = sleepy.cat
> >   smtp_generic_maps = hash:/etc/postfix/generic
> >   mynetworks_style = host
> >   alias_maps = hash:/etc/mail/aliases
> >   relayhost = [smtp.acme.com]:submission
> >   smtp_sasl_auth_enable = yes
> >   smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> >   smtp_sasl_security_options = noplaintext, noanonymous
> >   smtp_sasl_tls_security_options = noanonymous
> >   smtp_tls_security_level = may
> >   smtp_sasl_type = saslc
> >
> >   #../generic
> >   m...@beasty.sleepy.cat m...@acme.com
> >
> >   #../sasl_passwd
> >   [smtp.acme.com]:submission m...@acme.com:secret_passwd
> >
> >Did chmod 600 for the sasl_passwd file and ran postmap(8) on generic
> >and sasl_passwd for DB file generation, then checked with 'postfix check',
> >then reloaded configs with '/etc/rc.d/postfix reload'.
> >
> >Anyway, something has changed sometime since my previous -current update
> >dated ~May 2015; after upgrading to -current dated Aug 22, 2015 the above
> >configuration no longer works.
> >
> >Below appears to be the pertinent bits from /var/log/maillog; date prefix
> >removed for clarity:
> >
> >   ..
> >   beasty postfix/qmgr[7099]: 1AFE11F1FA9: \
> >     from=<m...@beasty.sleepy.cat>, size=290, nrcpt=1 (queue active)
> >   beasty postfix/qmgr[7099]: warning: \
> >     private/smtp socket: malformed response
> >   beasty postfix/master[5621]: warning: \
> >     process /usr/libexec/postfix/smtp pid 7139 killed by signal 4
> >   ..
> >   beasty postfix/master[5621]: warning: \
> >     /usr/libexec/postfix/smtp:bad command startup -- throttling
> >   beasty postfix/error[5878]: 1AFE11F1FA9: \
> >     to=<some...@somewhere.com>, relay=none, \
> >     delay=1.4, delays=0.16/1.2/0/0.07, dsn=4.3.0, \
> >     status=undeliverable (unknown mail transport error)
> >
> >I'm hoping someone can point me towards a solution or work-around
> >so I can go back to using the native tools for mail relaying.
>
> I don't see what could do it in the saslc code. Perhaps something changed
> in openssl? Can you try to use the previous openssl libraries and see if
> that fixes it?
>
Switching to previous openssl libraries will take some doing but I think
I've uncovered more clues using the posttls-finger(1) tool:

  % posttls-finger -a ipv4 -L verbose -l encrypt -cS '[smtp.acme.com]:submission'
  posttls-finger: initializing the client-side TLS engine
  posttls-finger: LHLO rejected: 502 unimplemented (#5.5.1)
                  ^^^^

Should be "EHLO" right? Looks like a simple typo in the code somewhere.
Hunting around with strings(1) I found this:

  % strings /usr/libexec/postfix/smtp | grep LHLO
  performing the LHLO handshake
  LHLO %s

Does that look like the likely suspect?

Jeff

This email has a PGP signature attached; verify using PGP public key at
http://jgw.sdf.org/pgp/
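
A small triage script for the maillog excerpt quoted in this thread, added here as an example and not part of any poster's message: it extracts daemon crashes, throttled daemons and the queue IDs that failed. The function names, the regular expressions and the joined sample lines are assumptions constructed from that excerpt.

```python
import re
import signal

# Constructed sample: the maillog excerpt quoted in the thread, with the
# backslash-continued lines joined (date prefix was already removed there).
SAMPLE_LOG = """\
beasty postfix/qmgr[7099]: 1AFE11F1FA9: from=<m...@beasty.sleepy.cat>, size=290, nrcpt=1 (queue active)
beasty postfix/qmgr[7099]: warning: private/smtp socket: malformed response
beasty postfix/master[5621]: warning: process /usr/libexec/postfix/smtp pid 7139 killed by signal 4
beasty postfix/master[5621]: warning: /usr/libexec/postfix/smtp:bad command startup -- throttling
beasty postfix/error[5878]: 1AFE11F1FA9: to=<some...@somewhere.com>, relay=none, delay=1.4, delays=0.16/1.2/0/0.07, dsn=4.3.0, status=undeliverable (unknown mail transport error)
"""

# Patterns are assumptions derived from the message shapes in the excerpt.
KILLED = re.compile(r"postfix/master\[\d+\]: warning: process (\S+) pid (\d+) killed by signal (\d+)")
THROTTLED = re.compile(r"postfix/master\[\d+\]: warning: (\S+?):\s*bad command startup -- throttling")
FAILED = re.compile(r"postfix/error\[\d+\]: ([0-9A-F]+): to=<[^>]*>.*dsn=([\d.]+), status=\S+ \((.*)\)")


def signal_name(number):
    """Translate a signal number into its symbolic name on this platform."""
    try:
        return signal.Signals(number).name
    except ValueError:
        return f"signal {number}"


def triage(log_text):
    """Collect crashed daemons, throttled daemons and failed queue IDs."""
    report = {"crashes": [], "throttled": [], "failed": []}
    for line in log_text.splitlines():
        if m := KILLED.search(line):
            report["crashes"].append((m.group(1), int(m.group(2)), signal_name(int(m.group(3)))))
        elif m := THROTTLED.search(line):
            report["throttled"].append(m.group(1))
        elif m := FAILED.search(line):
            report["failed"].append((m.group(1), m.group(2), m.group(3)))
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for daemon, pid, sig in result["crashes"]:
        print(f"{daemon} (pid {pid}) died with {sig}")
    for daemon in result["throttled"]:
        print(f"master is throttling restarts of {daemon}")
    for queue_id, dsn, reason in result["failed"]:
        print(f"{queue_id}: dsn={dsn} ({reason})")
```

Signal 4 is SIGILL (illegal instruction) on both NetBSD and Linux, so the name printed matches the host in the thread when the script is run on either.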