I did enable a lot more verboseness (smtpd -vvvvvvv) and did a postfix reload. Another twist: when I run a PowerShell "Send-MailMessage ..." from the client behind the ASA, the message will go through. Head scratcher, WHY?

But this happens below from the client behind the ASA. When I connect and get a 220 *********, there were no entries in the warning file, postfix-warning.log. This is logged in postfix-info.log (see below) when I connect from a client and get a 200 ******* banner, and type in helo myserver.com. Each of the 'vstream_buf_get_ready: fd 10 got 1' lines appears when I type a character in (helo myserver.com). After the last vstream_buf... line I pressed enter.

postfix/smtpd[8385]: > ip-10-DELETEDcompute.internal[DELETED]: 220 ip-10-DELETEDcompute.internal ESMTP Postfix (Red Hat)
postfix/smtpd[8385]: watchdog_pat: 0x55ffcd9ef590
postfix/smtpd[8385]: vstream_fflush_some: fd 10 flush 73
postfix/smtpd[8385]: vstream_buf_get_ready: fd 10 got 1
postfix/smtpd[8385]: vstream_buf_get_ready: fd 10 got 1
postfix/smtpd[8385]: vstream_buf_get_ready: fd 10 got 1
postfix/smtpd[8385]: vstream_buf_get_ready: fd 10 got 1
postfix/smtpd[8385]: vstream_buf_get_ready: fd 10 got 1
postfix/smtpd[8385]: vstream_buf_get_ready: fd 10 got 1
postfix/smtpd[8385]: vstream_buf_get_ready: fd 10 got 1
postfix/smtpd[8385]: vstream_buf_get_ready: fd 10 got 1
postfix/smtpd[8385]: vstream_buf_get_ready: fd 10 got 1
postfix/smtpd[8385]: vstream_buf_get_ready: fd 10 got 1
postfix/smtpd[8385]: vstream_buf_get_ready: fd 10 got 1
postfix/smtpd[8385]: vstream_buf_get_ready: fd 10 got 1
postfix/smtpd[8385]: vstream_buf_get_ready: fd 10 got 1
postfix/smtpd[8385]: vstream_buf_get_ready: fd 10 got 1
postfix/smtpd[8385]: vstream_buf_get_ready: fd 10 got 1
postfix/smtpd[8385]: vstream_buf_get_ready: fd 10 got 1
postfix/smtpd[8385]: vstream_buf_get_ready: fd 10 got 1
postfix/smtpd[8385]: vstream_buf_get_ready: fd 10 got 2
postfix/smtpd[8385]: < ip-10-DELETEDcompute.internal[DELETED]: XXXX XXXXXXXXXXXX
postfix/smtpd[8385]: match_string: XXXX ~? CONNECT
postfix/smtpd[8385]: match_string: XXXX ~? GET
postfix/smtpd[8385]: match_string: XXXX ~? POST
postfix/smtpd[8385]: match_list_match: XXXX: no match
postfix/smtpd[8385]: > ip-10-DELETEDcompute.internal[DELETED]: 502 5.5.2 Error: command not recognized
postfix/smtpd[8385]: watchdog_pat: 0x55ffcd9ef590
postfix/smtpd[8385]: vstream_fflush_some: fd 10 flush 41

-----Original Message-----
From: Wietse Venema <wie...@porcupine.org>
Sent: Thursday, June 10, 2021 12:36 PM
To: Apelin, Eulogio <eulogio.ape...@hawaiianair.com>
Cc: postfix-users@postfix.org
Subject: Re: [NON-HA] Re: Need help with response to HELO, 502 5.5.2 Error

Apelin, Eulogio:
> This looks like the case. Some networks on prem going through the ASA
> encounter banner with *****, will error out, while other networks on
> prem get the nicely formatted Banner (not through ASA) will work (helo
> servername). I am getting a list of vlans from network team that
> identify all the networks that go through the ASA and validate with
> tests.

After the Postfix SMTP client sees the "220 ***..." greeting it logs a warning (you DID look in the logs?) and will by default disable ESMTP and send HELO instead of EHLO.

This default setting is:

    smtp_pix_workarounds = disable_esmtp,delay_dotcrlf

You can configure that to not disable ESMTP, so that Postfix will send EHLO instead:

    smtp_pix_workarounds = delay_dotcrlf

That might get you past the HELO problem.

Wietse

> Was there a workaround, or the only resolution/option was to turn off
> ESMTP inspection (whatever it's called) on the ASA?
>
> -----Original Message-----
> From: owner-postfix-us...@postfix.org <owner-postfix-us...@postfix.org> On Behalf Of Viktor Dukhovni
> Sent: Wednesday, June 9, 2021 6:15 PM
> To: postfix-users@postfix.org
> Subject: [NON-HA] Re: Need help with response to HELO, 502 5.5.2 Error
>
> On Thu, Jun 10, 2021 at 02:59:02AM +0000, Apelin, Eulogio wrote:
>
> > I am testing my mail server setup, when telnetting to port 25, I receive
> > this interaction when I type 'helo myserver.com'
> >
> > 220 *******************************************************************
>
> This banner typically results from a Cisco ESA firewall with SMTP inspection
> enabled that is located between client and server.
>
> The Cisco ESA adds no value in front of Postfix, just breaks SMTP.
> Disable SMTP inspection on that device.
>
> --
> Viktor.
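
An added example, not written by anyone in this thread and not Postfix code: a Python check that scans smtpd -v log text for the pattern in the log at the top of this thread, a received command made up only of X characters that smtpd answers with 502, and reports the read sizes logged before it. The sample log is constructed; its host name, address and second session are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample shaped like the smtpd -v lines quoted in this thread;
# host name, address and the second session are placeholders.
SAMPLE_LOG = """\
postfix/smtpd[8385]: > client.example[192.0.2.10]: 220 mail.example ESMTP Postfix
postfix/smtpd[8385]: vstream_buf_get_ready: fd 10 got 1
postfix/smtpd[8385]: vstream_buf_get_ready: fd 10 got 1
postfix/smtpd[8385]: vstream_buf_get_ready: fd 10 got 2
postfix/smtpd[8385]: < client.example[192.0.2.10]: XXXX XXXXXXXXXXXX
postfix/smtpd[8385]: > client.example[192.0.2.10]: 502 5.5.2 Error: command not recognized
postfix/smtpd[8390]: vstream_buf_get_ready: fd 10 got 21
postfix/smtpd[8390]: < client.example[192.0.2.10]: EHLO client.example
postfix/smtpd[8390]: > client.example[192.0.2.10]: 250-mail.example
"""

LINE = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)")
PROTO = re.compile(r"([<>]) (\S+\[[^\]]*\]): (.*)")  # "<" received, ">" sent
READ = re.compile(r"vstream_buf_get_ready: fd \d+ got (\d+)")
MASKED = re.compile(r"X+(?: X+)*")                   # command made only of X's

def find_masked_commands(log_text):
    """Return one finding per received all-X command that smtpd answered with 502."""
    findings = []
    state = defaultdict(lambda: {"reads": [], "pending": None})  # keyed by smtpd pid
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        pid, rest = int(m.group(1)), m.group(2).strip()
        s = state[pid]
        read = READ.fullmatch(rest)
        proto = PROTO.fullmatch(rest)
        if read:
            s["reads"].append(int(read.group(1)))
        elif proto and proto.group(1) == "<":
            client, text = proto.group(2), proto.group(3)
            s["pending"] = None
            if MASKED.fullmatch(text):
                s["pending"] = {"pid": pid, "client": client, "command": text,
                                "read_sizes": s["reads"]}
            s["reads"] = []  # read sizes belong to the command just received
        elif proto and s["pending"] and proto.group(3).startswith("502 "):
            findings.append(s["pending"])
            s["pending"] = None
    return findings

if __name__ == "__main__":
    for f in find_masked_commands(SAMPLE_LOG):
        print(f)
```

Each finding carries the smtpd pid, the client as logged, the masked command text and the list of read sizes, so sessions that arrived one byte at a time can be told apart from those that arrived as a whole line.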