[pfx] Re: Postscreen STARTTLS bug?

Wed, 18 Jun 2025 07:54:21 -0700 

On Wed, Jun 18, 2025 at 10:13:21AM -0400, Wietse Venema via Postfix-users wrote:

> > After setting "postscreen_tls_security_level = none", when I now send a 
> > STARTTLS, I get a "502 5.5.1 Error: command not implemented", and then 
> > /the SMTP session/ stops responding to any subsequent commands, /until 
> > the client disconnects or the postscreen_command_time_limit is reached/. 
> > /(Postscreen itself remains operational for processing other connections.)/
> 
> Does not reproduce. Here is evidence.
> 
> $ postconf -n|grep '^postscreen'
> postscreen_bare_newline_enable = yes
> ...
> postscreen_tls_security_level = none
> 
> $ telnet wzv smtp
> Trying 168.100.3.7...
> Connected to wzv.
> Escape character is '^]'.
> 220-wzv.porcupine.org ESMTP Postfix
> ...delay...
> 220 wzv.porcupine.org ESMTP Postfix
> ehlo wzv.porcupine.org
> 250-wzv.porcupine.org
> 250-SIZE 10240000
> 250-VRFY
> 250-ETRN
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250-DSN
> 250-SMTPUTF8
> 250 CHUNKING
> starttls
> 502 5.5.1 Error: command not implemented
> quit
> 221 2.0.0 Bye

Ditto for me:

    $ (sleep 7; printf "EHLO foo.local\r\n"; sleep 2; printf "STARTTLS\r\n"; 
sleep 2; printf "QUIT\r\n") | nc -C 127.0.0.1 24
    220-amnesiac.example ESMTP Postfix
    <...6s pause...>
    220 amnesiac.example ESMTP Postfix
    250-amnesiac.example
    250-SIZE 157286400
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250-SMTPUTF8
    250 CHUNKING
    502 5.5.1 Error: command not implemented
    221 2.0.0 Bye

The relevant master.cf entries are:

    127.0.0.1:24 inet n      -       n       -       1       postscreen
            -o myhostname=amnesiac.example
            -o postscreen_bare_newline_enable=yes
            -o postscreen_greet_action=enforce
            -o postscreen_pipelining_enable=yes
            -o postscreen_access_list=
            -o postscreen_allowlist_interfaces=
            -o smtpd_tls_security_level=none
    smtpd      pass  -       -       n       -       -       smtpd
            -o smtpd_tls_security_level=none
    dnsblog    unix  -       -       n       -       0       dnsblog
    #tlsproxy  unix  -       -       n       -       0       tlsproxy

I doubt it matters, but I'm running 3.11-20250606, not 3.9.

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to