On 28 Apr 2015, at 8:45, Kristjan Nii wrote:
Thank you for your response!
I viewed the some emails in the queue and did not see DKIM signatures
in
them. Also, our network guys confirmed, that ASA version is 7.3, which
should be bug-free.
Perhaps it "should be" (a slippery English idiom that might mean a few
different things...) but your logging indicates otherwise. The "enabling
PIX workarounds" warnings are not random accidents.
The Cisco implementation of semi-transparent SMTP proxying that
interferes with what extensions a server is allowed to advertise to a
client is one big bug in design: a functional mode that should not have
ever been offered. It is impossible to operate a sound modern mail
server behind that filter. Historically it has also had a series of
implementation bugs as well (i.e. malfunctions that were not part of the
intentional design) and it would be unwise to assume that series has
ended, but ultimately any MTA behind an ASA with that switched on will
have chronic insoluble problems even if Cisco's code is finally doing
precisely all that they intend and nothing more.
Any other ideas or things I should/could check and test?
Note that by obliterating all of the domain name and IP address details
from your log excerpt you protect nothing and assure that no one else is
able to examine the problem directly or inform your troubleshooting with
specific useful information. The relationship between these two machines
is unclear and made more so by your obfuscation. So my recommendations
are necessarily vague...
Examine the behavior of any other devices and software besides the
supposedly "bug-free" ASA that might be interfering with the
conversation. This could include other networking devices or local
packet filtering software with an unusual configuration. If this
connection is not using TLS, you might also benefit from an examination
of packet captures of a session on both ends.
Also, you may need to figure out exactly what this log line means:
Apr 22 16:32:12 mailhost amavis[22879]: (22879-15-3) Passed BAD-HEADER-8
{RelayedInbound,Quarantined}, [xxx.xxx.xxx.xxx]:55925 [xx.xx.xx.xx]
<noreply.supp...@isp.zz> -> <u...@example.zz>, quarantine:
k/badh-kptbg9M-W8dx, Queue-ID: 04F22C848E, mail_id: kptbg9M-W8dx, Hits:
-0.041, size: 6451, queued_as: E2A36C84B2, 2886 ms
I don't run Amavis so I don't know exactly what that signifies, but it
looks a bit ominous. I suppose it might be possible that Amavis is doing
something unobvious to the messages that is somehow causing the inside
machine to take a very long time to analyze them and so causing the
timeouts at end of data.
Correlating the log entries of the internal and external machines for a
more complete picture may also help.
Kristjan
On Mon, Apr 27, 2015 at 5:09 PM, Wietse Venema <wie...@porcupine.org>
wrote:
Kristjan Nii:
Apr 22 16:55:01 mailhost postfix/qmgr[30648]: E2A36C84B2:
from=<noreply.supp...@isp.zz>, size=7385, nrcpt=1 (queue active)
Apr 22 16:55:22 mailhost postfix/smtp[23649]: E2A36C84B2: enabling
PIX
workarounds: disable_esmtp delay_dotcrlf for x.x.x.x[x.x.x.x]:25
Apr 22 17:05:32 mailhost postfix/smtp[23649]: E2A36C84B2:
to=<u...@example.zz>, relay=x.x.x.x[x.x.x.x]:25, delay=1999,
delays=1369/20/0.02/610, dsn=4.4.2, status=deferred (conversation
with
x.x.x.x[x.x.x.x] timed out while sending end of data -- message may
be
sent
more than once)
The Cisco PIX (ASA) has a history of bugs that break email. As the
logging shows, Postfix can work around some bugs but but it cannot
work around other bugs, such as bugs in their handling of DKIM-signed
email.
Wietse
