Alex via Postfix-users:
> Hi,
> 
> > Aug 22 01:36:33 iceman postfix-199/smtpd[584336]: connect from
> > > mail-dm6nam04on2133.outbound.protection.outlook.com[40.107.102.133]
> > > Aug 22 01:36:34 iceman postfix-199/smtpd[584336]: A5C98100002D6:
> > > client=mail-dm6nam04on2133.outbound.protection.outlook.com
> > [40.107.102.133]
> > > Aug 22 01:51:36 iceman postfix-199/smtpd[584336]: timeout after BDAT
> > > (3293244 bytes) from
> > > mail-dm6nam04on2133.outbound.protection.outlook.com[40.107.102.133]
> > > Aug 22 01:51:36 iceman postfix-199/smtpd[584336]: disconnect from
> > > mail-dm6nam04on2133.outbound.protection.outlook.com[40.107.102.133]
> > > ehlo=2 starttls=1 mail=1 rcpt=1 bdat=0/1 rset=1 commands=6/7
> > >
> > > I'm seeing quite a large number of those "timeout after BDAT" entries
> > > in my logs, all of which are from different
> > > outbound.protection.outlook.com servers.
> > >
> > > Given the instructions in https://www.postfix.org/BDAT_README.html
> > > I've disabled BDAT support for now, hoping this will alleviate the
> > > problem until I can identify the cause.
> >
> > Questions:
> >
> > - Is there a "firewall-in-the-middle" that "secures" your inbound
> > email streams? That could invalidate the byte count that was sent
> > by outlook.com versus the byte count that was received by Postfix.
> >
> 
> No, but this comment and your comment about not generally seeing these
> messages did make me think of a possible local network problem, and after
> updating the kernel and apparently some other packages, the problem appears
> to have resolved itself. Curious that it really only revealed itself with
> Microsoft 365 systems.

BDAT is different than other SMTP commands: the client sends a byte
count for the amount of data that follows the command, and Postfix
will not reply until it has received the number of bytes in the
BDAT command.  If that number is somehow made larger in transit,
or if some data bytes are lost in transit, then the BDAT command
will time out.

This session was using TLS, therefore it is unlikely that the bits
were changed after encryption in the SMTP client and before decryption
in the SMTP server (TLS has stronger integrity guarantees than TCP
checksums). It could however be a problem in data compression before
encryption or decompression after decryption. One could work around
that with "tls_ssl_options = NO_COMPRESSION".

        Wietse

> For completeness, I thought it might be helpful to still also answer your
> questions:
> 
> - How is SPF integrated into Postfix? Hint: provide output from
> > "postconf -nf" and "postconf -Mf". See also
> > https://www.postfix.org/DEBUG_README.html#mail.
> >
> 
> /etc/postfix-199/main.cf:
> policy-spf_time_limit = 3600s
> smtpd_recipient_restrictions =
>    ...
>    check_policy_service unix:private/policy-spf,
> 
> /etc/postfix-199/master.cf:
> policy-spf  unix  -       n       n       -       -      spawn
>      user=nobody argv=/usr/libexec/postfix/policyd-spf
> 
> - It's also good to know the output from "postconf mail_version",
> > and the OS version if you did not build postfix yourself.
> >
> 
> postfix-3.8.5, fedora40 and pypolicyd-spf-3.0.4. I always include this info
> with every post at the top of my message.
> 
> Thanks so much, as usual.

> _______________________________________________
> Postfix-users mailing list -- postfix-users@postfix.org
> To unsubscribe send an email to postfix-users-le...@postfix.org
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org

Reply via email to