Viktor Dukhovni via Postfix-users:
> On Thu, Sep 25, 2025 at 05:37:18PM +0200, lejeczek via Postfix-users wrote:
> 
> > Inasmuch I do not, well, did not until now, use 465 but I've been using -
> > not with Ceph though - 587 all the time.
> > Is it ok to assume that, that part - 587 - of the config is good and it's
> > only Ceph which is incapable of working with that?

I would not assume anything about your port 587 service, but that
service should support SASL login only after the client sends
STARTTLS. Otherwise, the client may complain that SASL is unavailable.

> At this point in time you would typically expect a mixture of SMTP
> submission client behaviours, with some using "implicit TLS" on port 465
> and others using "STARTTLS" on port 587.  Expect to support both for
> some time to come, with essentially identical settings, other than
> wrapper mode = yes/no.
> 
> > Lastly - that decimal/hex lines or whichever non-human notations, in my logs
> > - that has got to be this way & it's only for source-code-speakers or can be
> > tweaked so "regular" humans could make use of it?
> 
> Postfix logs unexpected input, converting non-printable data to escaped
> numeric form.  When a client sends a TLS packet instead of ASCII SMTP
> commands, the result will look like noise to neophytes, but others will
> recognise the payload as misdirected TLS traffic (or a misconfigured
> service that should be, but isn't, expecting TLS).

Indeed, Postfix has no built-in translator for unexpected protocols.
An unexpected TLS HELLO is not the only connection error: I regularly
see what looks like fragments of SSH negotiation, and RDP handshake
attempts, though they are less common.

        Wietse
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
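
An added example, not part of the thread and not Postfix code: a small triage script that decodes an escaped payload copied from a log line and names the protocols mentioned above (TLS, SSH, RDP). It assumes non-printable bytes appear as a backslash followed by three octal digits; the function names and sample payloads are constructed for illustration.

```python
import re

# Assumption: non-printable bytes are logged as backslash + three octal
# digits, and a literal backslash as two backslashes.
_TOKEN = re.compile(r"\\([0-7]{3})|(\\\\)|(.)", re.S)


def unescape(text: str) -> bytes:
    """Turn the escaped text from a log line back into raw bytes."""
    out = bytearray()
    for m in _TOKEN.finditer(text):
        if m.group(1):
            out.append(int(m.group(1), 8) & 0xFF)
        elif m.group(2):
            out.append(0x5C)  # literal backslash
        else:
            out += m.group(3).encode("latin-1", "replace")
    return bytes(out)


def classify(data: bytes) -> str:
    """Name the protocol a client spoke instead of plaintext SMTP."""
    # TLS record header: content type 0x16 (handshake), major version 0x03.
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        # Byte 5 is the handshake message type; 0x01 is ClientHello.
        if len(data) >= 6 and data[5] == 0x01:
            return "tls-client-hello"
        return "tls-handshake-record"
    # SSH peers open with an ASCII identification string.
    if data.startswith(b"SSH-"):
        return "ssh-banner"
    # RDP opens with TPKT (version 3, reserved 0) wrapping an
    # X.224 Connection Request (code 0xE0 at byte 5).
    if len(data) >= 6 and data[:2] == b"\x03\x00" and data[5] == 0xE0:
        return "rdp-connection-request"
    return "unknown"


def triage(payload: str) -> str:
    return classify(unescape(payload))


# Constructed sample payloads, not taken from any real log.
SAMPLES = [
    r"\026\003\001\002\000\001\000\001\374\003\003",
    "SSH-2.0-example_client",
    r"\003\000\000\023\016\340\000\000\000\000\000",
    "EHLO client.example",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{triage(s):24} {s}")
```

A "tls-client-hello" result on a port 587 (STARTTLS) service points to a client configured for implicit TLS, which belongs on the wrapper-mode port 465 service.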
