On Sat, Apr 19, 2025 at 05:12:06PM +0200, Florian Piekert via Postfix-users wrote:

> #smtp_tls_security_level = may
> smtp_tls_security_level = encrypt
> 
> for a while, until just now. When I noticed that some target mx
> destination had delivery issues with this, I put the exception in my
> smtp_tls_policy_maps file, prior postfix-tlspol.
> 
> However, even with the exception
> mx2.neumuenster.de        may
> in the tls_policy... file, I received
> Apr 19 16:57:39 theater postfix/smtp[103385]: A2235122AC02: enabling PIX workarounds: disable_esmtp for mx2.neumuenster.de[212.7.145.246]:25

You might instead try:

    # Mostly obsolete now:
    smtp_pix_workarounds =

After which, you'll get working TLS for this site:

    $ posttls-finger neumuenster.de
    posttls-finger: Connected to mx2.neumuenster.de[212.7.145.246]:25
    posttls-finger: < 220 ************************
    posttls-finger: > EHLO ...
    posttls-finger: < 250-mx2.neumuenster.de
    posttls-finger: < 250-8BITMIME
    posttls-finger: < 250-SIZE 36700160
    posttls-finger: < 250 STARTTLS
    posttls-finger: > STARTTLS
    posttls-finger: < 220 Go ahead with TLS
    posttls-finger: certificate verification failed for mx2.neumuenster.de[212.7.145.246]:25: untrusted issuer /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
    posttls-finger: mx2.neumuenster.de[212.7.145.246]:25: subject_CN=*.neumuenster.de, issuer=Thawte TLS RSA CA G1, cert fingerprint=0A:D5:7D:56:D9:33:36:62:15:60:D7:D7:69:12:1F:92:81:83:5A:93:A5:28:E7:92:7C:43:41:69:C3:CB:F3:12, pkey fingerprint=4E:75:79:CE:0F:14:13:A1:AF:C4:73:82:66:6F:4E:C9:F0:8D:7A:52:1D:DA:3A:14:B7:93:7E:BF:96:8B:A8:51
    posttls-finger: Untrusted TLS connection established to mx2.neumuenster.de[212.7.145.246]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
    posttls-finger: > EHLO ...
    posttls-finger: < 250-mx2.neumuenster.de
    posttls-finger: < 250-8BITMIME
    posttls-finger: < 250 SIZE 36700160
    posttls-finger: > QUIT
    posttls-finger: < 221 mx2.neumuenster.de

If you want to be more cautious, disable the PIX workarounds for just
the IP address in question:

    smtp_pix_workarounds_maps = cidr:{
            {if !212.7.145.246}
            {0.0.0.0/0 $smtp_pix_workarounds}
            {endif}
        }

But it may be time for Postfix to no longer enable the PIX workarounds
by default.

-- 
    Viktor.
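An added example, not from this thread and not Postfix's own code, of how a defender would spot this downgrade in the mail log before users report deferred mail: it scans smtp(8) log lines in the format Florian quoted, collects every peer for which Postfix logged "enabling PIX workarounds", counts deliveries to that peer that were then deferred because STARTTLS was never offered, and lists the peer IPs as candidates for the per-IP exception described above. The log lines, queue ids and the example.org peer are constructed; only the neumuenster.de host and address come from the thread.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the smtp(8) line quoted in the thread;
# only the neumuenster.de host and IP come from the post, the rest is made up.
SAMPLE_LOG = """\
Apr 19 16:57:39 theater postfix/smtp[103385]: A2235122AC02: enabling PIX workarounds: disable_esmtp for mx2.neumuenster.de[212.7.145.246]:25
Apr 19 16:57:40 theater postfix/smtp[103385]: A2235122AC02: to=<user@neumuenster.de>, relay=mx2.neumuenster.de[212.7.145.246]:25, delay=1.2, delays=0.1/0/1/0.1, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host mx2.neumuenster.de[212.7.145.246])
Apr 19 16:58:01 theater postfix/smtp[103390]: B1C44122AC05: Trusted TLS connection established to mx.example.org[192.0.2.10]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Apr 19 16:58:02 theater postfix/smtp[103390]: B1C44122AC05: to=<bob@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=0.9, delays=0.1/0/0.5/0.3, dsn=2.0.0, status=sent (250 OK)
"""

PEER = r"(?P<peer>\S+\[[^\]]+\]:\d+)"  # host[ip]:port as Postfix logs it
PIX_RE = re.compile(r": (?P<qid>[0-9A-F]+): enabling PIX workarounds: "
                    r"(?P<list>[\w, ]+?) for " + PEER)
DEFER_RE = re.compile(r": (?P<qid>[0-9A-F]+): .*relay=" + PEER +
                      r".*status=deferred \(TLS is required, but was not offered")


def pix_downgrades(log_text):
    """Map each peer on which Postfix enabled a PIX workaround to the set of
    workarounds, the queue ids involved, and how many of those deliveries were
    deferred because STARTTLS was never offered (the symptom in the thread)."""
    peers = defaultdict(lambda: {"workarounds": set(), "queue_ids": set(),
                                 "tls_deferred": 0})
    for line in log_text.splitlines():
        m = PIX_RE.search(line)
        if m:
            entry = peers[m["peer"]]
            entry["workarounds"].update(w.strip() for w in m["list"].split(","))
            entry["queue_ids"].add(m["qid"])
            continue
        m = DEFER_RE.search(line)
        # Only count deferrals of the same queue id on the same downgraded peer.
        if m and m["qid"] in peers.get(m["peer"], {}).get("queue_ids", ()):
            peers[m["peer"]]["tls_deferred"] += 1
    return dict(peers)


def affected_ips(peers):
    """Sorted IPs (from 'host[ip]:port') of the peers found above, i.e. the
    candidates for a per-IP smtp_pix_workarounds_maps exception."""
    return sorted(p[p.index("[") + 1:p.index("]")] for p in peers)


if __name__ == "__main__":
    found = pix_downgrades(SAMPLE_LOG)
    for peer, info in found.items():
        print(f"{peer}: {', '.join(sorted(info['workarounds']))} "
              f"-> {info['tls_deferred']} delivery deferred, STARTTLS not offered")
    print("per-IP exception candidates:", affected_ips(found))
```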
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org