Yes and confirmed. Thank you.

Setting smtp_pix_workarounds = delay_dotcrlf (so that the default setting
disable_esmtp has no effect) delivers mail correctly with STARTTLS.

95EB580805: enabling PIX workarounds: delay_dotcrlf for mx1.esb.de
[194.77.230.139]:25
Untrusted TLS connection established to mx1.esb.de[194.77.230.139]:25:
TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
95EB580805: to=<serv...@esb.de>, relay=mx1.esb.de[194.77.230.139]:25,
delay=0.9, delays=0.08/0.01/0.55/0.26, dsn=2.0.0, status=sent (250 ok:
Message 5896742 accepted)

There are surely good reasons why 'disable_esmtp' is set by default.

On Mon, 26 Nov 2018 at 11:21, Stefan Bauer <
cubew...@googlemail.com> wrote:

> Hi,
>
> log shows:
>
> enabling PIX workarounds: disable_esmtp delay_dotcrlf for mx0.esb.de
>
> But the specific workaround 'disable_esmtp' looks like the reason
> for downgrading to plain SMTP and disallowing any STARTTLS, right?
>
> On Mon, 26 Nov 2018 at 10:20, Patrick Ben Koetter <p...@sys4.de
> > wrote:
>
>> * Stefan Bauer <cubew...@googlemail.com>:
>> > Dear Users,
>> >
>> > we are trying to deliver mail to a remote party with enforced encryption.
>> >
>> > 63FFB80805: TLS is required, but was not offered by host mx0.esb.de
>> > [194.77.230.138]
>> >
>> > But it looks like the remote device is announcing TLS and can handle it:
>> >
>> > # telnet mx0.esb.de 25
>> > Trying 194.77.230.138...
>> > Connected to mx0.esb.de.
>> > Escape character is '^]'.
>> > 220 ****************
>> > ehlo test
>> > 250-mx0.esb.de
>> > 250-8BITMIME
>> > 250-SIZE 52428800
>> > 250 STARTTLS
>> > starttls
>> > 220 Go ahead with TLS
>> >
>> > But the minus "-" is missing in STARTTLS, correct?
>>
>> Look into your log and you will very likely find something that says:
>>
>>     Cisco PIX enabled?
>>
>>
>> > Is there a known workaround available?
>> >
>> > Maybe some rewrite-voodoo?
>>
>> Something – quite likely a Cisco ASA/PIX – manipulates the SMTP server
>> banner and the STARTTLS capability announcement. This is what it should
>> look like:
>>
>> 220 mail.sys4.de ESMTP Submission
>> EHLO foo.sys4.de
>> 250-mail.sys4.de
>> 250-PIPELINING
>> 250-SIZE 40960000
>> 250-ETRN
>> 250-STARTTLS
>> 250-ENHANCEDSTATUSCODES
>> 250-8BITMIME
>> 250-DSN
>> 250 SMTPUTF8
>> QUIT
>>
>> The $something removes the "ESMTP" in the server banner. Without the
>> string "ESMTP" the mail client (read: your Postfix smtp client) cannot know
>> the remote server supports any of the Enhanced SMTP features, which
>> include STARTTLS. It *must* assume the server speaks rudimentary SMTP only.
>>
>> Thus it uses rudimentary SMTP only, which excludes STARTTLS. And that's
>> why it fails in the first place. The missing minus "-" just adds to the
>> dilemma.
>>
>> p@rick
>>
>> --
>> [*] sys4 AG
>>
>> https://sys4.de, +49 (89) 30 90 46 64
>> Schleißheimer Straße 26/MG,80333 München
>>
>> Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
>> Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
>> Aufsichtsratsvorsitzender: Florian Kirstein
>>
>>
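
The following Python script is an added illustration of the failure mode discussed in this thread; it is not code from the thread, from Postfix, or from sys4. It takes a captured server-side transcript (220 greeting plus the EHLO reply), reports the symptoms Patrick describes (the masked banner without "ESMTP", the reply-continuation syntax, whether STARTTLS is advertised), and then predicts what the Postfix smtp client does under a given smtp_pix_workarounds setting. The two transcripts are constructed after the dialogues quoted above, not captures from those hosts, and the detection rule (a run of asterisks in the greeting marks a PIX-masked banner) is an assumption that approximates the behaviour behind the "enabling PIX workarounds" log line.

```python
"""Diagnose Cisco PIX/ASA "fixup smtp" mangling from a captured SMTP greeting
plus EHLO reply, and predict what a Postfix smtp client will do with it."""
import re
from typing import Dict, List, Tuple

# Postfix's default value of smtp_pix_workarounds.
DEFAULT_WORKAROUNDS: Tuple[str, ...] = ("disable_esmtp", "delay_dotcrlf")

# Constructed sample transcripts (server replies only), modelled on the two
# dialogues quoted in the thread; they are not captures from those hosts.
MANGLED = """220 ****************
250-mx0.esb.de
250-8BITMIME
250-SIZE 52428800
250 STARTTLS
"""

CLEAN = """220 mail.sys4.de ESMTP Submission
250-mail.sys4.de
250-PIPELINING
250-SIZE 40960000
250-STARTTLS
250 SMTPUTF8
"""

# Assumption: a run of asterisks in the greeting is what marks a PIX-masked
# banner. This approximates the detection behind "enabling PIX workarounds".
_MASKED_BANNER = re.compile(r"\*{4,}")


def split_dialogue(text: str) -> Tuple[str, List[str]]:
    """Return (220 greeting, 250 reply lines) from a server-side transcript."""
    lines = [line.rstrip("\r") for line in text.splitlines() if line.strip()]
    if not lines or not lines[0].startswith("220"):
        raise ValueError("transcript must start with a 220 greeting")
    return lines[0], [line for line in lines[1:] if line.startswith("250")]


def diagnose(text: str) -> Dict[str, object]:
    """Check the greeting and the EHLO reply for the symptoms seen in the thread."""
    banner, reply = split_dialogue(text)
    # RFC 5321 multi-line replies: "250-" on every line except the last,
    # which uses "250 " (code, then a space).
    continuation_ok = (
        bool(reply)
        and all(line.startswith("250-") for line in reply[:-1])
        and reply[-1].startswith("250 ")
    )
    # The EHLO keyword is the first token after the 4-character reply prefix.
    keywords = [line[4:].split()[0].upper() for line in reply if line[4:].split()]
    return {
        "banner_masked": bool(_MASKED_BANNER.search(banner)),
        "esmtp_in_banner": "ESMTP" in banner.upper(),
        "continuation_ok": continuation_ok,
        "starttls_offered": "STARTTLS" in keywords,
        "keywords": keywords,
    }


def effective_workarounds(diag: Dict[str, object],
                          configured: Tuple[str, ...] = DEFAULT_WORKAROUNDS) -> List[str]:
    """Workarounds the client applies: all configured ones once a PIX is
    suspected, none otherwise (assumption: detection is the masked banner alone)."""
    return list(configured) if diag["banner_masked"] else []


def starttls_usable(diag: Dict[str, object],
                    configured: Tuple[str, ...] = DEFAULT_WORKAROUNDS) -> bool:
    """With disable_esmtp in effect the client sends HELO, never EHLO, so the
    server's STARTTLS advertisement is never seen and "TLS is required, but
    was not offered" follows. Dropping disable_esmtp keeps the EHLO path."""
    applied = effective_workarounds(diag, configured)
    return bool(diag["starttls_offered"]) and "disable_esmtp" not in applied


def report(text: str, configured: Tuple[str, ...] = DEFAULT_WORKAROUNDS) -> str:
    """One-line human-readable summary for a transcript under a given setting."""
    d = diagnose(text)
    applied = ", ".join(effective_workarounds(d, configured)) or "none"
    verdict = "STARTTLS usable" if starttls_usable(d, configured) else "plain SMTP only"
    return (f"masked banner: {d['banner_masked']}, ESMTP in banner: {d['esmtp_in_banner']}, "
            f"continuation ok: {d['continuation_ok']}, STARTTLS offered: {d['starttls_offered']}; "
            f"workarounds applied: {applied} -> {verdict}")


if __name__ == "__main__":
    for name, transcript in (("mangled", MANGLED), ("clean", CLEAN)):
        print(f"{name} (default config): {report(transcript)}")
        print(f"{name} (delay_dotcrlf):  {report(transcript, ('delay_dotcrlf',))}")
```

Two things the output makes visible. First, the continuation check passes for the mx0.esb.de reply: "250 STARTTLS" with a space is the correct form for the final line of a multi-line reply, so the advertisement itself is intact; what breaks delivery is the masked greeting triggering disable_esmtp, after which the client never sends EHLO and never sees STARTTLS. Second, rather than changing the global default as in the fix reported at the top of this message, the same effect can be limited to the affected destination with Postfix's smtp_pix_workaround_maps (a lookup table from remote hostname or address to a workaround list), which keeps disable_esmtp for everyone else.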
