Hello Wietse,

Thank you for the response. I tried to find the correct section in the RFCs that describes this, but I did not find the place where it defines that an EHLO cannot be answered with a 550.

Can you point me to the right RFC section?

Best regards,

Michael.


Michael Wyraz:
Hello,

I'm running a postfix mail server on a fresh IP address that has some
bad reputation from the previous owner. So I had a lot of bounces in the
last days which I had to clean up.

One customer complained about a bounce that returned after a few days (all
other returned immediately), so I investigated and found the following
issue:

     Postfix: connect to the remote MTA

     Remote: 220 mx.XXX.YYY ESMTP

     Postfix: EHLO mail.XXX.YYY

     Remote: 550-REJECT: 49.12.XXX.YYY is in csi.cloudmark.com

     Remote: 550 Remediation Portal https://csi.cloudmark.com/en/reset

     Remote: (closes connection)

     Postfix: HELO mail.XXX.YYY

     Postfix: logs "lost connection with ... while performing the HELO
     handshake" and defers the message.

So in this case, postfix tries EHLO which fails, then tries to fall back
to HELO (smtp_tls_security_level = may) which hits the closed
connection. The 550 error gets lost, so the message is deferred, not bounced.


I'm not 100% sure if that's a BUG or misconfiguration or misbehavior of the
other MTA. But the resulting behavior is at least not what's expected.
If they were RFC-compliant, they would send a 5XX INITIAL server
greeting, and with "smtp_skip_5xx_greeting" Postfix would send
QUIT and hang up.

But no, they had to make up their own non-RFC solution.

To work around this you can set an smtp_reply_filter:

/etc/postfix/main.cf:
     smtp_reply_filter = pcre:/etc/postfix/smtp_reply_filter.pcre

/etc/postfix/smtp_reply_filter.pcre:
     /^220 mx.XXX.YYY ESMTP/    550 They won't talk to us

Or you can set an smtpd_dns_reply_filter that changes the MX lookup
result into "." (a null MX record means the domain does not accept
mail) or that drops all responses for their domain.

        Wietse
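
A simplified model of the exchange discussed in this thread, added here as an illustration (not code from the thread or from Postfix): it parses the multi-line 550 reply, shows how the HELO fallback on a closed connection loses that reply, and shows what the greeting rewrite from the smtp_reply_filter workaround changes. The host name, IP address, outcome labels and function names are assumptions.

```python
import re

REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_reply(lines):
    """Parse one SMTP reply: 'NNN-text' lines continue it, 'NNN text' ends it."""
    code, text = None, []
    for line in lines:
        m = REPLY_LINE.match(line)
        if not m or (code is not None and m.group(1) != code):
            raise ValueError(f"malformed reply line: {line!r}")
        code = m.group(1)
        text.append(m.group(3))
        if m.group(2) == " ":
            return int(code), " ".join(text)
    raise ValueError("reply has no final 'NNN text' line")

def apply_reply_filter(lines, rules):
    """Rewrite replies one line at a time; the first matching rule wins."""
    out = []
    for line in lines:
        for pattern, replacement in rules:
            if pattern.search(line):
                line = replacement
                break
        out.append(line)
    return out

def client_outcome(greeting, ehlo_reply, server_closes_after_ehlo):
    """Simplified model of the client behaviour in the thread (not Postfix code)."""
    code, text = parse_reply(greeting)
    if code >= 400:
        return ("greeting_refused", code, text)
    code, text = parse_reply(ehlo_reply)
    if code < 400:
        return ("continue_session", code, text)
    if server_closes_after_ehlo:
        # The HELO fallback hits a closed socket, so the 550 text is never recorded.
        return ("deferred", None, "lost connection while performing the HELO handshake")
    return ("retry_with_helo", code, text)

# Constructed transcript: host name and IP address are placeholders.
GREETING = ["220 mx.example.test ESMTP"]
EHLO_REPLY = ["550-REJECT: 192.0.2.10 is in csi.cloudmark.com",
              "550 Remediation Portal https://csi.cloudmark.com/en/reset"]
RULES = [(re.compile(r"^220 mx\.example\.test ESMTP"), "550 They won't talk to us")]

if __name__ == "__main__":
    print(client_outcome(GREETING, EHLO_REPLY, True))
    print(client_outcome(apply_reply_filter(GREETING, RULES), EHLO_REPLY, True))
```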
