Nick Tait via Postfix-users:
> The following command illustrates this:
>
> $ ( echo -en "EHLO foo.local\r\nSTARTTLS\r\n" ; sleep 0 ; echo -en "QUIT\r\n"
> ) | nc mx.tait.net.nz 25
>
> Note the "sleep 0" (which does nothing). For me, running the command
> above terminates 50% of the time and hangs 50% of the time, but it all
> depends on whether Postscreen receives the QUIT in the same read as the
> EHLO+STARTTLS. If I replace the "sleep 0" with "sleep 1", then it works
> 100% of the time.

It works for me 100% of the time whether I use

( echo -en "EHLO foo.local\r\nSTARTTLS\r\nQUIT\r\n" ) | nc -w 1 host port

or

( echo -en "EHLO foo.local\r\nSTARTTLS\r\n" ; sleep 1 ; echo -en "QUIT\r\n" ) |
nc -w 1 host port

In both cases the output is:

220-wzv.porcupine.org ESMTP Postfix
250-wzv.porcupine.org
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
502 5.5.1 Error: command not implemented
221 2.0.0 Bye

It processes the QUIT command and nothing is hanging.

As expected the PREGREET logging shows three commands or two:

Jun 19 16:28:51 wzv postfix/postscreen[1138004]: PREGREET 32 after 0 from [168.100.3.7]:59922: EHLO foo.local\r\nSTARTTLS\r\nQUIT\r\n
Jun 19 16:28:51 wzv postfix/postscreen[1138004]: COMMAND PIPELINING from [168.100.3.7]:59922 after EHLO: STARTTLS\r\nQUIT\r\n
Jun 19 16:28:51 wzv postfix/postscreen[1138004]: DISCONNECT [168.100.3.7]:59922

and

Jun 19 16:28:59 wzv postfix/postscreen[1138004]: CONNECT from [168.100.3.7]:45530 to [168.100.3.7]:25
Jun 19 16:28:59 wzv postfix/postscreen[1138004]: PREGREET 26 after 0 from [168.100.3.7]:45530: EHLO foo.local\r\nSTARTTLS\r\n
Jun 19 16:28:59 wzv postfix/postscreen[1138004]: COMMAND PIPELINING from [168.100.3.7]:45530 after EHLO: STARTTLS\r\n
Jun 19 16:29:00 wzv postfix/postscreen[1138004]: DISCONNECT [168.100.3.7]:45530

This behavior is consistent with the postscreen code: the code that
logs the PREGREET event shows all available input, but does not
actually receive that input. The input is received, one line at a
time, by the postscreen dummy TLS engine.
So, I'm closing this bug. You may reach out to your distro maintainer
to find out if they made any improvements to the postscreen code.
Wietse
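
Added example (not part of the original message and not Postfix code): a small parser for the postscreen PREGREET and COMMAND PIPELINING records quoted above. It recovers the commands each client sent before the greeting and checks that the logged PREGREET byte count matches the logged payload. The function names are hypothetical, and only the \r and \n escapes visible in those logs are handled.

```python
import re

# Log lines from the message above, with the e-mail line wraps rejoined.
SAMPLE_LOG = r"""
Jun 19 16:28:51 wzv postfix/postscreen[1138004]: PREGREET 32 after 0 from [168.100.3.7]:59922: EHLO foo.local\r\nSTARTTLS\r\nQUIT\r\n
Jun 19 16:28:51 wzv postfix/postscreen[1138004]: COMMAND PIPELINING from [168.100.3.7]:59922 after EHLO: STARTTLS\r\nQUIT\r\n
Jun 19 16:28:51 wzv postfix/postscreen[1138004]: DISCONNECT [168.100.3.7]:59922
Jun 19 16:28:59 wzv postfix/postscreen[1138004]: CONNECT from [168.100.3.7]:45530 to [168.100.3.7]:25
Jun 19 16:28:59 wzv postfix/postscreen[1138004]: PREGREET 26 after 0 from [168.100.3.7]:45530: EHLO foo.local\r\nSTARTTLS\r\n
Jun 19 16:28:59 wzv postfix/postscreen[1138004]: COMMAND PIPELINING from [168.100.3.7]:45530 after EHLO: STARTTLS\r\n
Jun 19 16:29:00 wzv postfix/postscreen[1138004]: DISCONNECT [168.100.3.7]:45530
"""

PREGREET = re.compile(
    r"postscreen\[\d+\]: PREGREET (\d+) after (\S+) from (\[[^\]]+\]:\d+): (.*)$")
PIPELINING = re.compile(
    r"postscreen\[\d+\]: COMMAND PIPELINING from (\[[^\]]+\]:\d+) after (\S+): (.*)$")

def unescape(text):
    """Turn the logged two-character \\r and \\n escapes back into CR and LF."""
    return text.replace("\\r", "\r").replace("\\n", "\n")

def commands(payload):
    """Split a logged payload into the SMTP command lines it contains."""
    return [line for line in unescape(payload).split("\r\n") if line]

def summarize(log_text):
    """Return one record per client endpoint that spoke before the greeting."""
    clients = {}
    for line in log_text.splitlines():
        if m := PREGREET.search(line):
            size, _delay, client, payload = m.groups()
            clients[client] = {
                "pregreet": commands(payload),
                # The number after PREGREET should equal the payload length.
                "length_ok": int(size) == len(unescape(payload)),
                "pipelined": [],
            }
        elif (m := PIPELINING.search(line)) and m.group(1) in clients:
            # Commands that were already waiting when EHLO was processed.
            clients[m.group(1)]["pipelined"] = commands(m.group(3))
    return clients

if __name__ == "__main__":
    for client, info in summarize(SAMPLE_LOG).items():
        print(client, info)
```
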