Hi Bill

Thanks for your reply.

>>>>> On April 17, 2025 Bill Cole via Postfix-users <postfix-users@postfix.org> 
>>>>> wrote:

> On 2025-04-17 at 16:15:20 UTC-0400 (Thu, 17 Apr 2025 16:15:20 -0400)
> Greg Klanderman via Postfix-users <g...@klanderman.net>
> is rumored to have said:

>> Hi,
>> 
>> Am I correct that the after greeting tests are turned off by default?

> Yes. You can trust the documentation. It may require careful reading and
> logical deduction.

>> I believe they are controlled with the variables
>> 
>> postscreen_pipelining_enable,
>> postscreen_non_smtp_command_enable, and
>> postscreen_bare_newline_enable
>> 
>> which are all set to no on my mail server, but I am seeing the logging
>> lines for these tests nevertheless.

> Hard evidence of that would be helpful to show exactly what is logged and
> exactly what configuration postscreen is
> using. https://www.postfix.org/DEBUG_README.html#mail gives details.

OK:

% postconf | grep 'postscreen_.*_\(enable\|action\)'
[output order rearranged]
# pre-greet parameters:
postscreen_blacklist_action = enforce
postscreen_dnsbl_action = ignore
postscreen_greet_action = enforce
# post-greet parameters:
postscreen_bare_newline_action = ignore
postscreen_bare_newline_enable = no
postscreen_non_smtp_command_action = drop
postscreen_non_smtp_command_enable = no
postscreen_pipelining_action = enforce
postscreen_pipelining_enable = no

I have a hash: access list in postscreen_access_list, no dnsbls.

Here are two example log snippets:

Apr 17 07:20:50 smtp2 postfix/postscreen[12005]: CONNECT from [3.139.99.213]:32858 to [10.10.0.5]:25
Apr 17 07:20:50 smtp2 postfix/postscreen[12005]: PREGREET 128 after 0 from [3.139.99.213]:32858: \026\003\001\000{\001\000\000w\003\003\321\t\237\327G\336\205\220t\\\261!\351\237P\323\020Lh\330\237
Apr 17 07:20:50 smtp2 postfix/postscreen[12005]: BARE NEWLINE from [3.139.99.213]:32858 after \026\003\001\000{\001\000\000w\003\003\321\t\237\327G\336\205\220t\\\261!\351\237P\323\020Lh\330\237\376\332\373T\035\310o\217\233k6\000\000\032\300/\300+\300\021\300\a\300\023\300\t\300\024\300
Apr 17 07:20:50 smtp2 postfix/postscreen[12005]: COMMAND PIPELINING from [3.139.99.213]:32858 after ???: \000\005\000/\0005\300\022\000\n\001\000\0004\000\005\000\005\001\000\000\000\000\000\n\000\b\000\006\000\027\000\030\000\031\000\v\000\002\001\000\000\r\000\020\000\016\004\001\004\003\002\001\002\003\004\001\005\001\006\001\377\001\000\001\000
Apr 17 07:20:50 smtp2 postfix/postscreen[12005]: HANGUP after 0.02 from [3.139.99.213]:32858 in tests after SMTP handshake

and

Apr 17 07:13:08 smtp2 postfix/postscreen[11985]: CONNECT from [3.139.99.213]:60458 to [10.10.0.5]:25
Apr 17 07:13:08 smtp2 postfix/postscreen[11985]: PREGREET 170 after 0 from [3.139.99.213]:60458: GET / HTTP/1.1\r\nHost: 161.35.254.93:25\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15
Apr 17 07:13:08 smtp2 postfix/postscreen[11985]: NON-SMTP COMMAND from [3.139.99.213]:60458 after CONNECT: GET / HTTP/1.1
Apr 17 07:13:08 smtp2 postfix/postscreen[11985]: DISCONNECT [3.139.99.213]:60458


>> I guess that is because of pre-greet commands that have been sent, and
>> postscreen is trying to parse?

> I can attest to the fact that this does not happen if you set
> "postscreen_greet_action=drop." Looking at the docs to refresh my recall, it
> appears that it may happen if you have 'enforce' or 'ignore' set for either
> "before 220" test action, to allow postscreen to log the offered SMTP args.

OK, I do have postscreen_greet_action = enforce.

Is drop preferred?  The README didn't seem to suggest a preference.

> I don't recall it ever coming up here, which seems odd.

>> The POSTSCREEN_README states:
>> 
>> | This test is opportunistically enabled when postscreen(8) has to use
>> | the built-in SMTP engine anyway. This is to make postscreen(8) logging
>> | more informative.
>> 
>> for these settings, but it is not entirely clear what 'has to use'
>> means here.

> Usually it means that one of the "after 220" tests is enabled,

That's how I'd originally read it, before noticing that I thought I
had all the post-greet tests turned off but was seeing logging to the
contrary.

> but as I say
> above, a careful re-reading of the docs makes me believe that unless you drop
> the connection in postscreen, it continues into the stub SMTP engine and
> eventually says '550' to avoid actually accepting mail.

OK, do you read it to mean it always proceeds to the SMTP engine, even
if all post-greet tests are disabled?  Or would you think only if the
client spoke before its turn?

I expected it to return 550 after the pre-greet phase if no post-greet
tests are enabled.

It is interesting that under the heading 'When tests fail before the
220 SMTP server greeting', for the action 'enforce', it states 'and
log the helo/sender/recipient information', which isn't expected to be
available if the 550 response is sent before proceeding to post-greet
tests when no post-greet tests are enabled.

>> Are the action variables for these tests still applicable in the
>> case where the tests are 'turned on opportunistically'?

> That's what the docs say. Not explicitly, but logically.

I could imagine that when turning on those tests 'opportunistically' for
'logging purposes', that you would use an action of ignore.  It would
seem highly unexpected to apply

postscreen_non_smtp_command_action = drop

when that test is not even enabled.

cheers,
Greg
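
One way to check your own logs for the behaviour discussed in this message, as an added example that is not part of the original post or of Postfix: it groups postscreen log lines by process and client, then reports every after-220 test that was logged while its `*_enable` parameter is `no`, and whether that session also logged PREGREET. The function names, the sample log and the sample configuration are constructed for illustration; the keyword-to-parameter mapping uses the names quoted in the thread.

```python
import re
from collections import defaultdict

# Log keyword of each after-220 test -> its enable parameter (names from the thread).
TEST_PARAM = {
    "BARE NEWLINE": "postscreen_bare_newline_enable",
    "COMMAND PIPELINING": "postscreen_pipelining_enable",
    "NON-SMTP COMMAND": "postscreen_non_smtp_command_enable",
}
EVENT = re.compile(
    r"postfix/postscreen\[(\d+)\]: (PREGREET|" + "|".join(map(re.escape, TEST_PARAM))
    + r")\b.*?(\[[0-9A-Fa-f.:]+\]:\d+)"   # first [addr]:port on the line is the client
)

def parse_postconf(text):
    """Turn 'name = value' lines (postconf output) into a dict; other lines are skipped."""
    pairs = (line.split("=", 1) for line in text.splitlines() if "=" in line)
    return {k.strip(): v.strip() for k, v in pairs}

def opportunistic_hits(log_text, postconf_text):
    """Return (client, test, had_pregreet) for tests logged while their *_enable is 'no'."""
    conf = parse_postconf(postconf_text)
    sessions = defaultdict(list)          # (pid, client) -> keywords in log order
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if m:
            sessions[(m.group(1), m.group(3))].append(m.group(2))
    return [
        (client, ev, "PREGREET" in events)
        for (_pid, client), events in sessions.items()
        for ev in events
        if ev in TEST_PARAM and conf.get(TEST_PARAM[ev], "no") == "no"
    ]

# Constructed sample data in the format shown in the message (documentation IPs).
SAMPLE_CONF = """postscreen_bare_newline_enable = no
postscreen_non_smtp_command_enable = no
postscreen_pipelining_enable = no"""
SAMPLE_LOG = r"""Apr 17 07:20:50 mx postfix/postscreen[100]: PREGREET 128 after 0 from [192.0.2.10]:32858: \026\003\001
Apr 17 07:20:50 mx postfix/postscreen[100]: BARE NEWLINE from [192.0.2.10]:32858 after \026\003\001
Apr 17 07:20:50 mx postfix/postscreen[100]: COMMAND PIPELINING from [192.0.2.10]:32858 after ???: \000\005
Apr 17 07:13:08 mx postfix/postscreen[101]: PREGREET 170 after 0 from [192.0.2.10]:60458: GET / HTTP/1.1\r\n
Apr 17 07:13:08 mx postfix/postscreen[101]: NON-SMTP COMMAND from [192.0.2.10]:60458 after CONNECT: GET / HTTP/1.1
Apr 17 07:30:00 mx postfix/postscreen[102]: CONNECT from [198.51.100.7]:40000 to [10.10.0.5]:25
Apr 17 07:30:06 mx postfix/postscreen[102]: PASS NEW [198.51.100.7]:40000
"""

if __name__ == "__main__":
    for hit in opportunistic_hits(SAMPLE_LOG, SAMPLE_CONF):
        print(hit)
```

If every reported hit has `had_pregreet` set, the after-greeting lines are coming only from sessions where the client spoke before its turn.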