On Monday, 29 April 2019 13:07:32 CEST Wietse Venema wrote:
> /etc/postfix/main.cf:
>     smtp_pix_workarounds = delay_dotcrlf
>
> I.e. turn off 'disable_esmtp'.
>
>       Wietse

Hi Wietse,

I already mentioned this as my workaround in my previous mail. Perhaps a bit too much in the floating text. ;-)

But my mail on the list is mainly the request to make this the default or to dynamically ignore the disable_esmtp if TLS is really enforced.

I am requesting this to prevent further Postfix users from running into this. In my eyes the old default would become a widespread problem, especially when technologies to enforce TLS (like DANE and MTA-STS) are getting more widespread. And one of the most widespread firewall devices in the world of enterprise networks is also by default causing postfix to not be able to deliver mail to a destination host behind it, if the destination host once has been unreachable for more than 500sec.

The default delivery time is 5 days, but that would only help if the postfix admin would get noticed in that time, since postfix won't get on any green branch in that time any more. At least as far as I read the documentation.

And that would always happen if the postfix admin has enabled DANE, MTA-STS or any other way to enforce TLS without thinking of the old pix_workaround. That's a really nasty case, in my eyes.

I would expect the decision to have TLS enforced to be done before the session starts, and before the decision to use the workaround. But I don't know the code that far. So I think both options would be possible.

The probably easiest way to fix this would be to change the default. I'm not completely sure, but I strongly hope this should not have any side effects after that long time. And this should IMHO be documented in some way, since it will take some time until this change spreads to the common distributions. ;-)

But the default to disable ESMTP is IMHO dangerous if TLS enforcement is done. I don't think I'm the last one who stumbled into this. ;-)

Kind regards,
Lars

--
Lars Kollstedt
Phone: +49 6151 16-71027
E-Mail: l...@man-da.de

man-da.de GmbH
Dolivostraße 11
64293 Darmstadt

Registered office: Darmstadt
Amtsgericht Darmstadt, HRB 9484
Managing director: Andreas Ebert
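
A configuration check for the combination discussed in this message, added here as an example and not part of the original mail or of Postfix: it flags a main.cf where `disable_esmtp` is still in effect (explicitly or through the built-in default) while the SMTP client is set to require TLS. The function names are hypothetical, and the defaults are assumed to be those documented in postconf(5).

```python
import re

# Built-in defaults per postconf(5), applied when main.cf leaves a parameter unset.
DEFAULTS = {
    "smtp_pix_workarounds": "disable_esmtp, delay_dotcrlf",
    "smtp_tls_security_level": "",
    "smtp_tls_policy_maps": "",
}
# Levels at which delivery needs STARTTLS; "dane" needs it once usable TLSA records exist.
ENFORCING = {"encrypt", "dane", "dane-only", "fingerprint", "verify", "secure"}


def parse_main_cf(text):
    """Return the effective name -> value map of a main.cf body."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments do not end a logical line
        if raw[0] in " \t" and name:
            # leading whitespace continues the previous logical line
            params[name] = (params[name] + " " + raw.strip()).strip()
        elif "=" in raw:
            name, value = (part.strip() for part in raw.split("=", 1))
            params[name] = value  # a later setting overrides an earlier one
    return params


def audit(text):
    """List findings for disable_esmtp combined with enforced TLS."""
    cfg = {**DEFAULTS, **parse_main_cf(text)}
    workarounds = set(filter(None, re.split(r"[,\s]+", cfg["smtp_pix_workarounds"])))
    if "disable_esmtp" not in workarounds:
        return []
    findings = []
    level = cfg["smtp_tls_security_level"]
    if level in ENFORCING:
        findings.append(f"smtp_tls_security_level={level} with disable_esmtp active")
    if cfg["smtp_tls_policy_maps"]:
        findings.append("smtp_tls_policy_maps set with disable_esmtp active")
    return findings


# Constructed sample configurations, not taken from the thread.
RISKY = "smtp_tls_security_level = dane\nsmtp_dns_support_level = dnssec\n"
FIXED = RISKY + "smtp_pix_workarounds = delay_dotcrlf\n"

if __name__ == "__main__":
    for label, body in (("risky", RISKY), ("fixed", FIXED)):
        print(label, audit(body) or "ok")
```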