Michael Wyraz:
> Hello,
>
> I'm running a postfix mail server on a fresh IP address that has some
> bad reputation from the previous owner. So I had a lot of bounces in the
> last days which I had to clean up.
>
> One customer complained about a bounce that returned after a few days (all
> others returned immediately), so I investigated and found the following
> issue:
>
> Postfix: connect to the remote MTA
>
> Remote: 220 mx.XXX.YYY ESMTP
>
> Postfix: EHLO mail.XXX.YYY
>
> Remote: 550-REJECT: 49.12.XXX.YYY is in csi.cloudmark.com
>
> Remote: 550 Remediation Portal https://csi.cloudmark.com/en/reset
>
> Remote: (closes connection)
>
> Postfix: HELO mail.XXX.YYY
>
> Postfix: logs "lost connection with ... while performing the HELO
> handshake" and defers the message.
>
> So in this case, postfix tries EHLO which fails, then tries to fall back
> to HELO (smtp_tls_security_level = may) which hits the closed
> connection. The 550 error gets lost, so the message is deferred, not bounced.
>
>
> I'm not 100% sure if that's a BUG or misconfiguration or misbehavior of the
> other MTA. But the resulting behavior is at least not what's expected.

If they were RFC-compliant, they would send a 5XX INITIAL server
greeting, and with "smtp_skip_5xx_greeting" Postfix would send QUIT
and hang up. But no, they had to make up their own non-RFC solution.

To work around this you can set an smtp_reply_filter:

/etc/postfix/main.cf:
    smtp_reply_filter = pcre:/etc/postfix/smtp_reply_filter.pcre

/etc/postfix/smtp_reply_filter.pcre
    /^220 mx.XXX.YYY ESMTP/ 550 They won't talk to us

Or you can set an smtpd_dns_reply_filter that changes the MX lookup
result into "." (a null MX record means the domain does not accept
mail) or that drops all responses for their domain.

	Wietse
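
To find which destinations show the symptom discussed in this thread, here is an added example (not part of either post and not Postfix code): a Python script that scans Postfix smtp delivery log lines for deferrals whose reason is a lost connection during the HELO handshake and groups them by remote host. The log lines, host names, addresses and queue IDs are constructed, and the function name is hypothetical; the usual `to=<...>, relay=..., status=... (...)` log layout is assumed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the usual Postfix smtp(8) delivery log layout.
SAMPLE_LOG = """\
Mar 10 09:14:02 mail postfix/smtp[2211]: 4F1A22C0D3: to=<alice@example.net>, relay=mx.example.net[203.0.113.25]:25, delay=3.1, delays=0.1/0/3/0, dsn=4.4.2, status=deferred (lost connection with mx.example.net[203.0.113.25] while performing the HELO handshake)
Mar 10 09:44:10 mail postfix/smtp[2304]: 4F1A22C0D3: to=<alice@example.net>, relay=mx.example.net[203.0.113.25]:25, delay=1811, delays=1808/0/3/0, dsn=4.4.2, status=deferred (lost connection with mx.example.net[203.0.113.25] while performing the HELO handshake)
Mar 10 09:45:31 mail postfix/smtp[2310]: 7B2C91E0AA: to=<bob@example.net>, relay=mx.example.net[203.0.113.25]:25, delay=2.9, delays=0.1/0/2.8/0, dsn=4.4.2, status=deferred (lost connection with mx.example.net[203.0.113.25] while performing the HELO handshake)
Mar 10 09:46:00 mail postfix/smtp[2311]: 9D3E0F11B2: to=<carol@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=0.8, delays=0.1/0/0.3/0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 1A2B3C4D5E)
Mar 10 09:47:12 mail postfix/smtp[2312]: C5D6E7F8A9: to=<dave@example.com>, relay=none, delay=30, delays=0.1/0/30/0, dsn=4.4.1, status=deferred (connect to mx.example.com[198.51.100.7]:25: Connection timed out)
"""

# One delivery attempt: queue ID, recipient, final status, and the text in parentheses.
DELIVERY = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-Za-z]+): to=<(?P<rcpt>[^>]*)>, "
    r".*?status=(?P<status>\w+) \((?P<reason>.*)\)\s*$"
)
# The deferral reason quoted in the thread.
HELO_LOSS = re.compile(
    r"lost connection with (?P<host>\S+?)\[(?P<ip>[^\]]+)\] "
    r"while performing the HELO handshake"
)

def helo_handshake_deferrals(log_text):
    """Group deferrals caused by a connection lost during HELO by remote host."""
    hits = defaultdict(lambda: {"attempts": 0, "ips": set(),
                                "queue_ids": set(), "recipients": set()})
    for line in log_text.splitlines():
        m = DELIVERY.search(line)
        if not m or m["status"] != "deferred":
            continue  # delivered or bounced, or not a delivery line
        loss = HELO_LOSS.search(m["reason"])
        if not loss:
            continue  # deferred for another reason (timeout, 4xx reply, ...)
        entry = hits[loss["host"]]
        entry["attempts"] += 1          # every retry is logged again
        entry["ips"].add(loss["ip"])
        entry["queue_ids"].add(m["qid"])
        entry["recipients"].add(m["rcpt"])
    return dict(hits)

if __name__ == "__main__":
    for host, e in helo_handshake_deferrals(SAMPLE_LOG).items():
        print(f"{host}: {e['attempts']} attempts, {len(e['queue_ids'])} queued messages")
```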