On Tue, Apr 02, 2024 at 12:11:03PM -0400, David Mehler wrote: > Here is the complete log of the connections, IPS x-d out, but I tried > twice, once on 587, once with smtps enabled. Any help appreciated.
As noted by Wietse, debug (verbose) logging is not useful here. Just normal logging is quite sufficient. > 2024-04-02T09:48:08.293161-04:00 hostname postfix/submission/smtpd[1529]: > improper command pipelining after EHLO from > xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]: QUIT\r\n As noted by Wietse, Postfix is reporting actual improper pipelining by the client, prior to the EHLO reply. > This is the port 465 atempt. > > 2024-04-02T09:49:02.419571-04:00 hostname postfix/smtps/smtpd[1575]: > SSL_accept error from xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]: -1 > 2024-04-02T09:49:02.419716-04:00 hostname postfix/smtps/smtpd[1575]: > warning: TLS library problem: error:0A000412:SSL routines::sslv3 alert bad > certificate:../ssl/record/rec_layer_s3.c:1590:SSL alert number 42: This is also something to attend to, since Thunderbird is unable to verify your certificate chain, and is sending a "bad certificate" TLS alert. Your certificate chain may be incomplete (missing intermediate CAs) or expired, or not issued by a trusted CA, ... On Tue, Apr 02, 2024 at 02:24:35PM -0400, Wietse Venema wrote: > > Here is the complete log of the connections, IPS x-d out, but I tried > > twice, once on 587, once with smtps enabled. Any help appreciated. > > We DID NOT ask for verbose logs. > > All we asked for is this: > > > postfix/submission/smtpd[1529]: improper command pipelining after EHLO > > from xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]: QUIT\r\n > > and that is logged without verbose logging. > > I found on-line reports from 2018 where Thunderbird sends > > EHLO we-guess.mozilla.org\r\nQUIT\r\n > > I suppose that is an autoconf feature that hopefully can be turned > off in Thunderbird, otherwise someone on the mozilla needs to learn > how SMTP works. > > https://bugzilla.mozilla.org/show_bug.cgi?id=1681946 > https://bugzilla.mozilla.org/show_bug.cgi?id=538809 This covers the port 587 illegal pipelining, but perhaps the bad certificate on port 465 is part of the story. -- Viktor. _______________________________________________ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org