[pfx] Re: Thunderbird 91, Postfix 3.7.x, Debian 12, Virtual Mailbox Users, TLS with Letsencrypt, error improper command pipelining after helo

Tue, 02 Apr 2024 11:48:27 -0700 

On Tue, Apr 02, 2024 at 12:11:03PM -0400, David Mehler wrote:

> Here is the complete log of the connections, IPS x-d out, but I tried
> twice, once on 587, once with smtps enabled. Any help appreciated.

As noted by Wietse, debug (verbose) logging is not useful here.  Just
normal logging is quite sufficient.

> 2024-04-02T09:48:08.293161-04:00 hostname postfix/submission/smtpd[1529]:
> improper command pipelining after EHLO from
> xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]: QUIT\r\n

As noted by Wietse, Postfix is reporting actual improper pipelining by
the client, prior to the EHLO reply.

> This is the port 465 atempt.
> 
> 2024-04-02T09:49:02.419571-04:00 hostname postfix/smtps/smtpd[1575]:
> SSL_accept error from xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]: -1
> 2024-04-02T09:49:02.419716-04:00 hostname postfix/smtps/smtpd[1575]:
> warning: TLS library problem: error:0A000412:SSL routines::sslv3 alert bad
> certificate:../ssl/record/rec_layer_s3.c:1590:SSL alert number 42:

This is also something to attend to, since Thunderbird is unable to
verify your certificate chain, and is sending a "bad certificate" TLS
alert.  Your certificate chain may be incomplete (missing intermediate
CAs) or expired, or not issued by a trusted CA, ...

On Tue, Apr 02, 2024 at 02:24:35PM -0400, Wietse Venema wrote:

> > Here is the complete log of the connections, IPS x-d out, but I tried 
> > twice, once on 587, once with smtps enabled. Any help appreciated.
> 
> We DID NOT ask for verbose logs.
> 
> All we asked for is this:
> 
> > postfix/submission/smtpd[1529]: improper command pipelining after EHLO 
> > from xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]: QUIT\r\n
> 
> and that is logged without verbose logging.
> 
> I found on-line reports from 2018 where Thunderbird sends 
> 
>      EHLO we-guess.mozilla.org\r\nQUIT\r\n
> 
> I suppose that is an autoconf feature that hopefully can be turned
> off in Thunderbird, otherwise someone on the mozilla needs to learn
> how SMTP works.
> 
> https://bugzilla.mozilla.org/show_bug.cgi?id=1681946
> https://bugzilla.mozilla.org/show_bug.cgi?id=538809

This covers the port 587 illegal pipelining, but perhaps the bad
certificate on port 465 is part of the story.

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org

Reply via email to