On Mon, Apr 01, 2024 at 01:45:11PM -0400, David Mehler via Postfix-users wrote:

> I've tried configuring with both the automatic configuration and the
> manual configuration, in both cases I am getting an error in my
> maillog from submission/smtpd service stating error improper command
> pipelining after helo. 

Instead of reinterpreting/summarising the log message, you should post
it verbatim, and in full.

> # postconf -n
> 
> compatibility_level = 9999

This is not a good idea.  Set it to 3.6, if you've resolved all the
compatibility issues through that release level.

> maximal_backoff_time = 15m

This is too short IMHO, I'd like to recommend 2 hours.

> maximal_queue_lifetime = 1h

This is absurdly short, make it at least 2 days, the recommended value
is 5 days.

> smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

You don't typically need this, unless you use "secure" or "verify" in
your policy table for some destinations.

> smtp_tls_policy_maps = proxy:mysql:/etc/postfix/sql/tls-policy.cf

> smtpd_tls_eecdh_grade = strong

This should be "auto", the "strong" setting is outdated.

> smtpd_tls_mandatory_exclude_ciphers = aNULL

This is not useful.

> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

Make that:

    smtpd_tls_mandatory_protocols = >=TLSv1.2

> tls_high_cipherlist = 
> ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:
>  
> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

Not a good idea.  Use the defaults.

> #cat /etc/postfix/master.cf

$ postconf -Mf submission/inet

> submission inet n       -       n       -       -       smtpd
>   -o syslog_name=postfix/submission
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>     -o smtpd_sasl_type=dovecot
>     -o smtpd_sasl_path=private/auth
>   -o smtpd_tls_auth_only=yes
>   -o smtpd_reject_unlisted_recipient=no
>   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
>   -o smtpd_client_auth_rate_limit=0
>   -o smtpd_client_connection_rate_limit=0
>   -o cleanup_service_name=submission-header-cleanup
>   -o milter_macro_daemon_name=ORIGINATING

No obvious issues.

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
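
The review in the message above can be repeated mechanically against `postconf -n` output. The following is an added example, not part of the original message or of Postfix; the function names (parse_postconf, seconds, audit) are hypothetical and the sample input is constructed from the values quoted in the thread.

```python
import re

# Constructed sample in `postconf -n` form, using the values quoted in the message.
SAMPLE = """\
compatibility_level = 9999
maximal_backoff_time = 15m
maximal_queue_lifetime = 1h
smtpd_tls_eecdh_grade = strong
smtpd_tls_mandatory_exclude_ciphers = aNULL
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
tls_high_cipherlist =
    ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
"""
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse_postconf(text):
    """Parse name = value lines; indented lines continue the previous value."""
    params, name = {}, None
    for line in text.splitlines():
        if line[:1].isspace() and name:
            params[name] = (params[name] + " " + line.strip()).strip()
        elif "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            params[name] = value
    return params

def seconds(value, default_unit):
    """Convert a Postfix time value (15m, 1h, 5d, or a bare number) to seconds."""
    number, unit = re.fullmatch(r"(\d+)([smhdw]?)", value.strip()).groups()
    return int(number) * UNITS[unit or default_unit]

def audit(params):
    """Return {parameter: advice} for settings the reply above objects to."""
    out = {}
    def flag(name, bad, advice):
        if name in params and bad(params[name]):
            out[name] = advice
    flag("compatibility_level", lambda v: v == "9999", "set to 3.6")
    flag("maximal_backoff_time", lambda v: seconds(v, "s") < 2 * 3600, "use 2h")
    flag("maximal_queue_lifetime", lambda v: seconds(v, "d") < 2 * 86400,
         "at least 2d, 5d recommended")
    flag("smtpd_tls_eecdh_grade", lambda v: v == "strong", "use auto")
    flag("smtpd_tls_mandatory_exclude_ciphers", lambda v: v == "aNULL", "not useful")
    flag("smtpd_tls_mandatory_protocols", lambda v: "!" in v, "use >=TLSv1.2")
    # `postconf -n` lists only non-default settings, so presence means an override.
    flag("tls_high_cipherlist", lambda v: True, "use the defaults")
    return out

if __name__ == "__main__":
    for name, advice in audit(parse_postconf(SAMPLE)).items():
        print(f"{name}: {advice}")
```

On a live system, pass the captured output of `postconf -n` to parse_postconf in place of SAMPLE.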
