On Mon, March 9, 2015 15:23, Viktor Dukhovni wrote:
> On Mon, Mar 09, 2015 at 03:08:15PM -0400, James B. Byrne wrote:
>
>> > report the output of:
>> >
>> >    $ printf "---%s---\n" "$(postconf -h myhostname)"
>> >    $ printf "---%s---\n" "$(postconf -h smtp_helo_name)"
>> >
>> > Make that "-hx" instead of "-h" if your Postfix is recent enough.
>>
>> [root@inet08 ~]# printf "---%s---\n" "$(postconf -h myhostname)"
>> -bash: printf: --: invalid option
>
> Oops:  $ printf -- "---%s---\n" ...
>
> That's why in practice I use printf "=== ...", but for some reason
> I typed "---" instead when composing my reply.
>
>> [root@inet08 ~]# echo $(postconf -h myhostname)
>> inet08.hamilton.harte-lyne.ca
>
> And yet they object.
>
>> [root@inet08 ~]# echo $(postconf -h smtp_helo_name)
>> $myhostname
>>
>> [root@inet08 ~]# echo $(postconf -hx smtp_helo_name)
>> inet08.hamilton.harte-lyne.ca
>
> In that case you need to figure out why the results might be different
> for the Postfix smtp(8) client.
>
>     $ posttls-finger -l none -o myhostname=inet08.hamilton.harte-lyne.ca "[mx01.1and1.com]"
>     posttls-finger: Connected to mx01.1and1.com[74.208.5.21]:25
>     posttls-finger: < 220 perfora.net (mxeueus001) Nemesis ESMTP Service ready
>     posttls-finger: > EHLO inet08.hamilton.harte-lyne.ca
>     posttls-finger: < 250-perfora.net Hello inet08.hamilton.harte-lyne.ca [192.0.2.1]
>     posttls-finger: < 250-SIZE 157286400
>     posttls-finger: < 250 STARTTLS
>     posttls-finger: > QUIT
>     posttls-finger: < 221 perfora.net Service closing transmission channel
>
> You're almost certainly sending some other helo name.  Check
> master.cf for overrides.  If that does not make it obvious, put
> the destination IP on "debug_peer_list" and check what command is
> actually sent in verbose logs (or get a tcpdump).
>
> It is also possible some (firewall) proxy or other is interposed
> between your MTA and the Internet and the proxy is hijacking the
> EHLO/HELO command.
>

We do not have such a program as posttls-finger installed and I cannot
find one in any of our approved repositories.

yum clean all; yum provides */posttls-finger
. . .
updates/filelists_db                         | 1.6 MB     00:00
No Matches found


We have a Class C netblock attached through our own routers (CentOS-6
based).  There is no interception of SMTP packets and no proxy.  What
happens upstream I cannot say. Our masquerade iptables settings are
these:

. . .
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING ! -s 216.185.71.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -m comment -s 10.0.0.0/8 -o eth0 -j MASQUERADE --comment "10.0.0.0/8 private"
-A POSTROUTING -m comment -s 172.16.0.0/12 -o eth0 -j MASQUERADE --comment "172.16.0.0/12 private"
-A POSTROUTING -m comment -s 192.168.0.0/16 -o eth0 -j MASQUERADE --comment "192.168.0.0/16 private"
COMMIT
 . . .


This is master.cf
[root@inet08 ~]# postconf -Ff
smtp/inet/service = smtp
smtp/inet/type = inet
smtp/inet/private = n
smtp/inet/unprivileged = -
smtp/inet/chroot = n
smtp/inet/wakeup = -
smtp/inet/process_limit = -
smtp/inet/command = smtpd
    -o smtpd_tls_security_level=may
    -o smtpd_proxy_filter=127.0.0.1:10024
    -o smtpd_client_connection_count_limit=10
    -o smtpd_proxy_options=speed_adjust
    -o syslog_name=postfix-p25
submission/inet/service = submission
submission/inet/type = inet
submission/inet/private = n
submission/inet/unprivileged = -
submission/inet/chroot = n
submission/inet/wakeup = -
submission/inet/process_limit = -
submission/inet/command = smtpd -v
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,permit_tls_clientcerts,reject_unauth_destination
    -o smtpd_sender_restrictions=permit_sasl_authenticated,permit_tls_clientcerts,reject
    -o milter_macro_daemon_name=ORIGINATING
    -o syslog_name=postfix-p587
smtps/inet/service = smtps
smtps/inet/type = inet
smtps/inet/private = n
smtps/inet/unprivileged = -
smtps/inet/chroot = n
smtps/inet/wakeup = -
smtps/inet/process_limit = -
smtps/inet/command = smtpd -v
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,permit_tls_clientcerts,reject_unauth_destination
    -o smtpd_sender_restrictions=permit_sasl_authenticated,permit_tls_clientcerts,reject_unauth_destination
    -o milter_macro_daemon_name=ORIGINATING
    -o syslog_name=postfix-p465
pickup/fifo/service = pickup
pickup/fifo/type = fifo
pickup/fifo/private = n
pickup/fifo/unprivileged = -
pickup/fifo/chroot = n
pickup/fifo/wakeup = 60
pickup/fifo/process_limit = 1
pickup/fifo/command = pickup
    -o content_filter=
    -o receive_override_options=no_header_body_checks
cleanup/unix/service = cleanup
cleanup/unix/type = unix
cleanup/unix/private = n
cleanup/unix/unprivileged = -
cleanup/unix/chroot = n
cleanup/unix/wakeup = -
cleanup/unix/process_limit = 0
cleanup/unix/command = cleanup
qmgr/fifo/service = qmgr
qmgr/fifo/type = fifo
qmgr/fifo/private = n
qmgr/fifo/unprivileged = -
qmgr/fifo/chroot = n
qmgr/fifo/wakeup = 300
qmgr/fifo/process_limit = 1
qmgr/fifo/command = qmgr
tlsmgr/unix/service = tlsmgr
tlsmgr/unix/type = unix
tlsmgr/unix/private = -
tlsmgr/unix/unprivileged = -
tlsmgr/unix/chroot = n
tlsmgr/unix/wakeup = 1000?
tlsmgr/unix/process_limit = 1
tlsmgr/unix/command = tlsmgr
rewrite/unix/service = rewrite
rewrite/unix/type = unix
rewrite/unix/private = -
rewrite/unix/unprivileged = -
rewrite/unix/chroot = n
rewrite/unix/wakeup = -
rewrite/unix/process_limit = -
rewrite/unix/command = trivial-rewrite
bounce/unix/service = bounce
bounce/unix/type = unix
bounce/unix/private = -
bounce/unix/unprivileged = -
bounce/unix/chroot = n
bounce/unix/wakeup = -
bounce/unix/process_limit = 0
bounce/unix/command = bounce
defer/unix/service = defer
defer/unix/type = unix
defer/unix/private = -
defer/unix/unprivileged = -
defer/unix/chroot = n
defer/unix/wakeup = -
defer/unix/process_limit = 0
defer/unix/command = bounce
trace/unix/service = trace
trace/unix/type = unix
trace/unix/private = -
trace/unix/unprivileged = -
trace/unix/chroot = n
trace/unix/wakeup = -
trace/unix/process_limit = 0
trace/unix/command = bounce
verify/unix/service = verify
verify/unix/type = unix
verify/unix/private = -
verify/unix/unprivileged = -
verify/unix/chroot = n
verify/unix/wakeup = -
verify/unix/process_limit = 1
verify/unix/command = verify
flush/unix/service = flush
flush/unix/type = unix
flush/unix/private = n
flush/unix/unprivileged = -
flush/unix/chroot = n
flush/unix/wakeup = 1000?
flush/unix/process_limit = 0
flush/unix/command = flush
proxymap/unix/service = proxymap
proxymap/unix/type = unix
proxymap/unix/private = -
proxymap/unix/unprivileged = -
proxymap/unix/chroot = n
proxymap/unix/wakeup = -
proxymap/unix/process_limit = -
proxymap/unix/command = proxymap
proxywrite/unix/service = proxywrite
proxywrite/unix/type = unix
proxywrite/unix/private = -
proxywrite/unix/unprivileged = -
proxywrite/unix/chroot = n
proxywrite/unix/wakeup = -
proxywrite/unix/process_limit = 1
proxywrite/unix/command = proxymap
smtp/unix/service = smtp
smtp/unix/type = unix
smtp/unix/private = -
smtp/unix/unprivileged = -
smtp/unix/chroot = n
smtp/unix/wakeup = -
smtp/unix/process_limit = -
smtp/unix/command = smtp
relay/unix/service = relay
relay/unix/type = unix
relay/unix/private = -
relay/unix/unprivileged = -
relay/unix/chroot = n
relay/unix/wakeup = -
relay/unix/process_limit = -
relay/unix/command = smtp
    -o smtp_fallback_relay=
showq/unix/service = showq
showq/unix/type = unix
showq/unix/private = n
showq/unix/unprivileged = -
showq/unix/chroot = n
showq/unix/wakeup = -
showq/unix/process_limit = -
showq/unix/command = showq
error/unix/service = error
error/unix/type = unix
error/unix/private = -
error/unix/unprivileged = -
error/unix/chroot = n
error/unix/wakeup = -
error/unix/process_limit = -
error/unix/command = error
retry/unix/service = retry
retry/unix/type = unix
retry/unix/private = -
retry/unix/unprivileged = -
retry/unix/chroot = n
retry/unix/wakeup = -
retry/unix/process_limit = -
retry/unix/command = error
discard/unix/service = discard
discard/unix/type = unix
discard/unix/private = -
discard/unix/unprivileged = -
discard/unix/chroot = n
discard/unix/wakeup = -
discard/unix/process_limit = -
discard/unix/command = discard
local/unix/service = local
local/unix/type = unix
local/unix/private = -
local/unix/unprivileged = n
local/unix/chroot = n
local/unix/wakeup = -
local/unix/process_limit = -
local/unix/command = local
virtual/unix/service = virtual
virtual/unix/type = unix
virtual/unix/private = -
virtual/unix/unprivileged = n
virtual/unix/chroot = n
virtual/unix/wakeup = -
virtual/unix/process_limit = -
virtual/unix/command = virtual
lmtp/unix/service = lmtp
lmtp/unix/type = unix
lmtp/unix/private = -
lmtp/unix/unprivileged = -
lmtp/unix/chroot = n
lmtp/unix/wakeup = -
lmtp/unix/process_limit = -
lmtp/unix/command = lmtp
anvil/unix/service = anvil
anvil/unix/type = unix
anvil/unix/private = -
anvil/unix/unprivileged = -
anvil/unix/chroot = n
anvil/unix/wakeup = -
anvil/unix/process_limit = 1
anvil/unix/command = anvil
scache/unix/service = scache
scache/unix/type = unix
scache/unix/private = -
scache/unix/unprivileged = -
scache/unix/chroot = n
scache/unix/wakeup = -
scache/unix/process_limit = 1
scache/unix/command = scache
mailman/unix/service = mailman
mailman/unix/type = unix
mailman/unix/private = -
mailman/unix/unprivileged = n
mailman/unix/chroot = n
mailman/unix/wakeup = -
mailman/unix/process_limit = -
mailman/unix/command = pipe flags=FR user=mailman:mailman
    argv=/usr/lib/mailman/postfix/postfix-to-mailman.py ${nexthop} ${user}
127.0.0.1:2626/inet/service = 127.0.0.1:2626
127.0.0.1:2626/inet/type = inet
127.0.0.1:2626/inet/private = n
127.0.0.1:2626/inet/unprivileged = -
127.0.0.1:2626/inet/chroot = n
127.0.0.1:2626/inet/wakeup = -
127.0.0.1:2626/inet/process_limit = -
127.0.0.1:2626/inet/command = smtpd
    -o smtpd_tls_security_level=none
    -o smtpd_sasl_auth_enable=no
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=
    -o milter_macro_daemon_name=ORIGINATING
    -o syslog_name=postfix-p2626
policyd-spf/unix/service = policyd-spf
policyd-spf/unix/type = unix
policyd-spf/unix/private = y
policyd-spf/unix/unprivileged = n
policyd-spf/unix/chroot = n
policyd-spf/unix/wakeup = -
policyd-spf/unix/process_limit = -
policyd-spf/unix/command = spawn user=nobody
    argv=/usr/libexec/postfix/policyd-spf
smtp-amavis/unix/service = smtp-amavis
smtp-amavis/unix/type = unix
smtp-amavis/unix/private = -
smtp-amavis/unix/unprivileged = -
smtp-amavis/unix/chroot = n
smtp-amavis/unix/wakeup = -
smtp-amavis/unix/process_limit = 6
smtp-amavis/unix/command = smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20
127.0.0.1:10025/inet/service = 127.0.0.1:10025
127.0.0.1:10025/inet/type = inet
127.0.0.1:10025/inet/private = n
127.0.0.1:10025/inet/unprivileged = -
127.0.0.1:10025/inet/chroot = n
127.0.0.1:10025/inet/wakeup = -
127.0.0.1:10025/inet/process_limit = -
127.0.0.1:10025/inet/command = smtpd
    -o content_filter=
    -o local_header_rewrite_clients=
    -o local_recipient_maps=
    -o mynetworks=127.0.0.0/8
    -o relay_recipient_maps=
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_delay_reject=no
    -o smtpd_milters=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o smtpd_restriction_classes=
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters,no_address_mappings


The tcpdump stuff will have to wait until I can make time to
familiarize myself with what is involved.

We have never had this problem occur before and we are not
experiencing anything like it with anyone else, at least not for the
moment.  My suspicion is that somebody at the other end decided to
shorten the allowable maximum label size in a domain name down from
63.

When I send directly to postmas...@1and1.com then I see this:

Mar  9 16:02:41 inet08 postfix/smtp[6447]: 14604601DC:
to=<postmas...@1and1.com>, relay=127.0.0.1[127.0.0.1]:10024,
delay=2.1, delays=0.18/0/0.01/1.9, dsn=2.0.0, status=sent (250 2.0.0
from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 1833360229)
Mar  9 16:02:53 inet08 postfix/smtp[6456]: 1833360229:
to=<postmas...@1and1.com>, relay=mxint01.1and1.com[212.227.17.16]:25,
delay=12, delays=0.05/0.04/1.2/11, dsn=2.0.0, status=sent (250 OK
id=1YV3t6-0001ZL-FB)

So, it does not seem to me that our E/HELO is causing the problem.

Thanks,


-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
