On Monday, 29 April 2019 16:26:45 CEST Wietse Venema wrote:
> To really fix this requires some research and field testing.

Hi Wietse,

that's the reason why I also mentioned the option to only change the behavior in case of enforced TLS, by ignoring the disable_esmtp option in the case TLS is enforced. That will IMHO be the minimal change for the case where the PIX workaround breaks a communication that would work otherwise, and leave the PIX workaround as it is for the other cases at first. But that will not fix the other ESMTP issues with ASA firewalls you mentioned.

And you're right. People will probably sooner or later also stumble into this when they turn on TLS enforcement. If the minimal common standard/dialect between MDA and MX is really SMTP, not ESMTP, that communication will break immediately when TLS is enforced. I stumbled into an "everything was fine until the downtime" issue. So without the PIX workaround everything was still working, and no one noticed anything. But that might indeed depend on what is exchanged between MDA (Postfix) and MX (whatever, in the special case a Sendmail behind a Sophos PureMessage), and how cleanly the standards are implemented there.

If you are detecting ESMTP dialects on the server greeting, the stars from the ASA might also be a very ugly thing. And the termination of TLS on the ASA itself might be an especially difficult use case, since the ASA manipulates deep inside the ESMTP in the STARTTLS tunnel. Sounds to me like probably opening a big barrel, but it will probably be necessary sooner or later.

At the moment I know nothing about mails that can't be delivered since I introduced the workaround. But mail isn't what we mainly do, so our environment might not be very representative.

Kind regards,
Lars

--
Lars Kollstedt
Phone: +49 6151 16-71027
E-Mail: l...@man-da.de
man-da.de GmbH
Dolivostraße 11
64293 Darmstadt
Registered office: Darmstadt, Amtsgericht Darmstadt, HRB 9484
Managing director: Andreas Ebert
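An added illustration of the conflict discussed in this thread, not taken from Lars's mail or from the Postfix documentation: a Postfix main.cf fragment showing why a global PIX workaround and mandatory TLS cannot coexist, followed by a narrower configuration that scopes the workaround to the one server behind the ASA. The parameter names (smtp_pix_workarounds, smtp_pix_workaround_maps, smtp_tls_security_level, smtp_tls_policy_maps) are real Postfix parameters; the IP address, domain name and map file paths are constructed for the example.

```ini
# Added example, not from the mail or the Postfix docs. The address
# 192.0.2.25, the domain behind-asa.example and the map paths are made up.

# ---- Fragment A: the combination that breaks delivery ----------------
# disable_esmtp makes the Postfix SMTP client send HELO instead of EHLO,
# so it never learns that the server offers STARTTLS and never negotiates
# TLS. Applied globally, it affects every destination.
smtp_pix_workarounds = disable_esmtp, delay_dotcrlf
# Mandatory TLS for all destinations: every delivery that goes out over the
# HELO-only session is deferred, because TLS is required but cannot be set
# up without EHLO.
smtp_tls_security_level = encrypt

# ---- Fragment B: narrow the workaround instead of applying it globally --
# No global workaround; Postfix speaks ESMTP and negotiates TLS as usual.
smtp_pix_workarounds =
# Apply the PIX workaround only to the server behind the ASA. The lookup
# key of this map is the remote server's IP address, not its host name.
smtp_pix_workaround_maps = hash:/etc/postfix/pix_workarounds
#   /etc/postfix/pix_workarounds (constructed), then run:
#   postmap /etc/postfix/pix_workarounds
#     192.0.2.25    disable_esmtp, delay_dotcrlf

# Mandatory TLS stays the default, with an explicit per-domain exception
# for the domain whose MX sits behind the ASA. "may" is opportunistic TLS:
# the HELO-only session still delivers (in the clear) instead of deferring,
# and the exception is visible in one place rather than hidden in a global
# workaround.
smtp_tls_security_level = encrypt
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
#   /etc/postfix/tls_policy (constructed), then run:
#   postmap /etc/postfix/tls_policy
#     behind-asa.example    may
```

Fragment B does not make the ASA-fronted destination secure; it makes the trade-off explicit and confines it to that one peer, which is what the thread is asking for when it talks about changing the behavior only where the workaround is actually needed. Mail to every other destination keeps ESMTP and enforced TLS. After a change like this, `postfix reload` and a look at the mail log for that destination confirm whether sessions are still being deferred for lack of TLS.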