[pfx] Re: "Must issue a STARTTLS command first" is fixed text

Sat, 13 Sep 2025 01:31:05 -0700 


Am 10.09.25 um 18:58 schrieb Wietse Venema via Postfix-users:

The attached backport is just code, not documentation.


Thanks, Wietse!

I confirm, a slightly updated version (attached) works at a first test with 
postfix-3.10.4

master.cf
  12345 inet n - - - - smtpd
    -o smtpd_tls_security_level=encrypt
    -o 
smtpd_reject_filter_maps=pcre:${config_directory}/smtpd_reject_filter.pcre

smtpd_reject_filter.pcre
  # https://www.postfix.org/postconf.5.html#smtpd_reject_filter_maps
  /^(5.+[^.])\.*$/ $1. See you later.

$ swaks --from '<>' --to root --port 12345
=== Trying localhost:12345...
=== Connected to localhost.
<-  220 localhost ESMTP
 -> EHLO localhost
<-  250-localhost
<-  250-MUMBLE
<-  250 STARTTLS
 -> MAIL FROM:<>
<** 530 5.7.0 Must issue a STARTTLS command first. See you later.
 -> QUIT
<-  221 2.0.0 Bye
=== Connection closed with remote host.


  


Andreas

diff -Naur postfix-3.10.4.orig/src/global/mail_params.h postfix-3.10.4/src/global/mail_params.h
--- postfix-3.10.4.orig/src/global/mail_params.h	2025-08-18 22:06:41.000000000 +0200
+++ postfix-3.10.4/src/global/mail_params.h	2025-09-10 22:34:18.259190123 +0200
@@ -2548,7 +2548,8 @@
 				" $" VAR_SMTP_BODY_CHKS \
 				" $" VAR_SMTP_HEAD_CHKS \
 				" $" VAR_SMTP_MIME_CHKS \
-				" $" VAR_SMTP_NEST_CHKS
+				" $" VAR_SMTP_NEST_CHKS \
+				" $" VAR_SMTPD_REJECT_FILTER_MAPS
 extern char *var_proxy_read_maps;
 
 #define VAR_PROXY_WRITE_MAPS	"proxy_write_maps"
@@ -4513,6 +4514,13 @@
 #define DEF_SMTPD_HIDE_CLIENT_SESSION	"no"
 extern int var_smtpd_hide_client_session;
 
+ /*
+  * SMTP server reject response filter.
+  */
+#define VAR_SMTPD_REJECT_FILTER_MAPS	"smtpd_reject_filter_maps"
+#define DEF_SMTPD_REJECT_FILTER_MAPS	""
+extern char *var_smtpd_reject_filter_maps;
+
 /* LICENSE
 /* .ad
 /* .fi
diff -Naur postfix-3.10.4.orig/src/smtpd/smtpd.c postfix-3.10.4/src/smtpd/smtpd.c
--- postfix-3.10.4.orig/src/smtpd/smtpd.c	2025-02-05 23:04:14.000000000 +0100
+++ postfix-3.10.4/src/smtpd/smtpd.c	2025-09-10 22:34:18.259190123 +0200
@@ -1478,6 +1478,7 @@
 char   *var_smtpd_cmd_filter;
 char   *var_smtpd_rej_footer;
 char   *var_smtpd_rej_ftr_maps;
+char   *var_smtpd_reject_filter_maps;
 char   *var_smtpd_acl_perm_log;
 char   *var_smtpd_dns_re_filter;
 
@@ -6635,9 +6636,9 @@
 			      var_smtpd_dns_re_filter);
 
     /*
-     * Reject footer.
+     * Reject filter and footer.
      */
-    if (*var_smtpd_rej_ftr_maps)
+    if (*var_smtpd_rej_ftr_maps || *var_smtpd_reject_filter_maps)
 	smtpd_chat_pre_jail_init();
 }
 
@@ -6911,6 +6912,7 @@
 	VAR_SMTPD_POLICY_CONTEXT, DEF_SMTPD_POLICY_CONTEXT, &var_smtpd_policy_context, 0, 0,
 	VAR_SMTPD_DNS_RE_FILTER, DEF_SMTPD_DNS_RE_FILTER, &var_smtpd_dns_re_filter, 0, 0,
 	VAR_SMTPD_REJ_FTR_MAPS, DEF_SMTPD_REJ_FTR_MAPS, &var_smtpd_rej_ftr_maps, 0, 0,
+	VAR_SMTPD_REJECT_FILTER_MAPS, DEF_SMTPD_REJECT_FILTER_MAPS, &var_smtpd_reject_filter_maps, 0, 0,
 	VAR_HFROM_FORMAT, DEF_HFROM_FORMAT, &var_hfrom_format, 1, 0,
 	VAR_SMTPD_FORBID_BARE_LF_EXCL, DEF_SMTPD_FORBID_BARE_LF_EXCL, &var_smtpd_forbid_bare_lf_excl, 0, 0,
 	VAR_SMTPD_FORBID_BARE_LF, DEF_SMTPD_FORBID_BARE_LF, &var_smtpd_forbid_bare_lf, 1, 0,
diff -Naur postfix-3.10.4.orig/src/smtpd/smtpd_chat.c postfix-3.10.4/src/smtpd/smtpd_chat.c
--- postfix-3.10.4.orig/src/smtpd/smtpd_chat.c	2021-10-02 16:46:46.000000000 +0200
+++ postfix-3.10.4/src/smtpd/smtpd_chat.c	2025-09-10 22:34:18.259190123 +0200
@@ -112,8 +112,9 @@
 #include "smtpd_chat.h"
 
  /*
-  * Reject footer.
+  * Reject filter and footer maps.
   */
+static MAPS *smtpd_reject_filter_maps;
 static MAPS *smtpd_rej_ftr_maps;
 
 #define STR	vstring_str
@@ -129,6 +130,14 @@
 	msg_panic("smtpd_chat_pre_jail_init: multiple calls");
 
     /*
+     * SMTP server reject filter.
+     */
+    if (*var_smtpd_reject_filter_maps)
+	smtpd_reject_filter_maps = maps_create(VAR_SMTPD_REJECT_FILTER_MAPS,
+					 var_smtpd_reject_filter_maps,
+					 DICT_FLAG_LOCK);
+
+    /*
      * SMTP server reject footer.
      */
     if (*var_smtpd_rej_ftr_maps)
@@ -206,6 +215,7 @@
     char   *cp;
     char   *next;
     char   *end;
+    const char *alt_reply;
     const char *footer;
 
     /*
@@ -215,8 +225,30 @@
     if (state->error_count >= var_smtpd_soft_erlim)
 	sleep(delay = var_smtpd_err_sleep);
 
+    /*
+     * Postfix generates single-line reject responses, but Milters may
+     * generate multi-line rejects with the SMFIR_REPLYCODE request.
+     */
     vstring_vsprintf(state->buffer, format, ap);
-
+    cp = STR(state->buffer);
+    if ((*cp == '4' || *cp == '5')
+	&& smtpd_reject_filter_maps != 0
+	&& (alt_reply = maps_find(smtpd_reject_filter_maps, cp, 0)) != 0) {
+	const char *queue_id = state->queue_id ? state->queue_id : "NOQUEUE";
+
+	/* XXX Enforce this for each line of a multi-line reply. */
+	if ((alt_reply[0] != '4' && alt_reply[0] != '5')
+	    || !ISDIGIT(alt_reply[1]) || !ISDIGIT(alt_reply[2])
+	    || (alt_reply[3] != ' ' && alt_reply[3] != '-')
+	    || (ISDIGIT(alt_reply[4]) && (alt_reply[4] != alt_reply[0]))) {
+	    msg_warn("%s: ignoring invalid reject filter result: %s",
+		     queue_id, alt_reply);
+	} else {
+	    msg_info("%s: reply filter in: %s", queue_id, cp);
+	    msg_info("%s: reply filter out: %s", queue_id, alt_reply);
+	    vstring_strcpy(state->buffer, alt_reply);
+	}
+    }
     if ((*(cp = STR(state->buffer)) == '4' || *cp == '5')
 	&& ((smtpd_rej_ftr_maps != 0
 	     && (footer = maps_find(smtpd_rej_ftr_maps, cp, 0)) != 0)

_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]






















					Reply via email to