Outgoing mail is defered (not bounced) if EHLO returns 550 and closes connection

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
8 messages Options
Reply | Threaded
Open this post in threaded view
|

Outgoing mail is defered (not bounced) if EHLO returns 550 and closes connection

Michael Wyraz

Hello,

I'm running a postfix mail server on a fresh IP address that has some bad reputation from the previous owner. So I had a lot of bounces in the last days which I had to clean up.

One customer complained about a bounce that returned after few days (all other returned immediately), so I investigated and found the following issue:

Postfix: connect to the remote MTA

Remote: 220 mx.XXX.YYY ESMTP

Postfix: EHLO mail.XXX.YYY

Remote: 550-REJECT: 49.12.XXX.YYY is in csi.cloudmark.com

Remote: 550 Remediation Portal https://csi.cloudmark.com/en/reset

Remote: (closes connection)

Postfix: HELO mail.XXX.YYY

Postfix: logs "lost connection with ... while performing the HELO handshake" and defers the message.

So in this case, postfix tries EHLO which fails, then tries to fall back to HELO (smtp_tls_security_level = may) which hits the closed connection. The 550 error get lost, so the message is defered, not bounced.


I'm not 100% if that's a BUG or misconfiguration or misbehavior of the other MTA. But the resulting behavior is at least not what's expected.


Kind regards,

Michael.


Reply | Threaded
Open this post in threaded view
|

Re: Outgoing mail is defered (not bounced) if EHLO returns 550 and closes connection

Jos Chrispijn-4
On 28-7-20 23:02, Michael Wyraz wrote:

> I'm not 100% if that's a BUG or misconfiguration or misbehavior of the
> other MTA. But the resulting behavior is at least not what's expected.

Looks like your IP address is blocked by Cloudmark

-- CUT --

If you believe the reputation of your IP address is not correct or if
the reputation has changed, you may request a reset of all related email
traffic statistics within CSI for your IP address.

Please note this is not a portal for submitting complaints regarding
content based spam signatures. Those requests must be directed at the
service provider who is blocking the message. This portal will only
accept statistical reset requests for IP addresses published by
Cloudmark Sender Intelligence.

-- CUT --


-- With both feet on the ground you can't make any step forward
Reply | Threaded
Open this post in threaded view
|

Re: Outgoing mail is defered (not bounced) if EHLO returns 550 and closes connection

Michael Wyraz
Hello,


> Looks like your IP address is blocked by Cloudmark

I'm totally aware of that. My issue is not that I'm blocked but that the
message got deferred instead of bounced (although the remote sent a 550).


Best regards,

Michael.



Reply | Threaded
Open this post in threaded view
|

Re: Outgoing mail is defered (not bounced) if EHLO returns 550 and closes connection

Wietse Venema
In reply to this post by Michael Wyraz
Michael Wyraz:

> Hello,
>
> I'm running a postfix mail server on a fresh IP address that has some
> bad reputation from the previous owner. So I had a lot of bounces in the
> last days which I had to clean up.
>
> One customer complained about a bounce that returned after few days (all
> other returned immediately), so I investigated and found the following
> issue:
>
>     Postfix: connect to the remote MTA
>
>     Remote: 220 mx.XXX.YYY ESMTP
>
>     Postfix: EHLO mail.XXX.YYY
>
>     Remote: 550-REJECT: 49.12.XXX.YYY is in csi.cloudmark.com
>
>     Remote: 550 Remediation Portal https://csi.cloudmark.com/en/reset
>
>     Remote: (closes connection)
>
>     Postfix: HELO mail.XXX.YYY
>
>     Postfix: logs "lost connection with ... while performing the HELO
>     handshake" and defers the message.
>
> So in this case, postfix tries EHLO which fails, then tries to fall back
> to HELO (smtp_tls_security_level = may) which hits the closed
> connection. The 550 error get lost, so the message is defered, not bounced.
>
>
> I'm not 100% if that's a BUG or misconfiguration or misbehavior of the
> other MTA. But the resulting behavior is at least not what's expected.

If they were RFC-compliant, they would send a 5XX INITIAL server
greeting, and with "smtp_skip_5xx_greeting" Postfix would send
QUIT and hang up.

But no, they had to make up their own non-RFC solution.

To work around this you can set an smtp_reply_filter:

/etc/postfix/main.cf:
    smtp_reply_filter =  pcre:/etc/postfix/smtp_reply_filter.pcre

/etc/postfix/smtp_reply_filter.pcre
    /^220 mx.XXX.YYY ESMTP/ 550 They won't talk to us

Or you can set an smtpd_dns_reply_filter that changes the MX lookup
result into "." (a null MX record means the domain does not accept
mail) or that drops all responses for their domain.

        Wietse
Reply | Threaded
Open this post in threaded view
|

Re: Outgoing mail is defered (not bounced) if EHLO returns 550 and closes connection

Michael Wyraz
Hello Wietse,

thank you for the response. I tried to find the correct section in RFCs
that describes this but I did not find the place where it defines that a
EHLO cannot be answered with a 550.

Can you point me to the right RFC section?

Best regards,

Michael.


> Michael Wyraz:
>> Hello,
>>
>> I'm running a postfix mail server on a fresh IP address that has some
>> bad reputation from the previous owner. So I had a lot of bounces in the
>> last days which I had to clean up.
>>
>> One customer complained about a bounce that returned after few days (all
>> other returned immediately), so I investigated and found the following
>> issue:
>>
>>      Postfix: connect to the remote MTA
>>
>>      Remote: 220 mx.XXX.YYY ESMTP
>>
>>      Postfix: EHLO mail.XXX.YYY
>>
>>      Remote: 550-REJECT: 49.12.XXX.YYY is in csi.cloudmark.com
>>
>>      Remote: 550 Remediation Portal https://csi.cloudmark.com/en/reset
>>
>>      Remote: (closes connection)
>>
>>      Postfix: HELO mail.XXX.YYY
>>
>>      Postfix: logs "lost connection with ... while performing the HELO
>>      handshake" and defers the message.
>>
>> So in this case, postfix tries EHLO which fails, then tries to fall back
>> to HELO (smtp_tls_security_level = may) which hits the closed
>> connection. The 550 error get lost, so the message is defered, not bounced.
>>
>>
>> I'm not 100% if that's a BUG or misconfiguration or misbehavior of the
>> other MTA. But the resulting behavior is at least not what's expected.
> If they were RFC-compliant, they would send a 5XX INITIAL server
> greeting, and with "smtp_skip_5xx_greeting" Postfix would send
> QUIT and hang up.
>
> But no, they had to make up their own non-RFC solution.
>
> To work around this you can set an smtp_reply_filter:
>
> /etc/postfix/main.cf:
>      smtp_reply_filter =  pcre:/etc/postfix/smtp_reply_filter.pcre
>
> /etc/postfix/smtp_reply_filter.pcre
>      /^220 mx.XXX.YYY ESMTP/ 550 They won't talk to us
>
> Or you can set an smtpd_dns_reply_filter that changes the MX lookup
> result into "." (a null MX record means the domain does not accept
> mail) or that drops all responses for their domain.
>
> Wietse
Reply | Threaded
Open this post in threaded view
|

Re: Outgoing mail is defered (not bounced) if EHLO returns 550 and closes connection

Wietse Venema
Michael Wyraz:
> Hello Wietse,
>
> thank you for the response. I tried to find the correct section in RFCs
> that describes this but I did not find the place where it defines that a
> EHLO cannot be answered with a 550.

Of course it can send 5XX any time.

Where does the RFC say that a server can hang up spontaneously?

Where does the RFC say that a server can hang up in the middle of EHLO
negotiation?

        Wietse
Reply | Threaded
Open this post in threaded view
|

Re: Outgoing mail is defered (not bounced) if EHLO returns 550 and closes connection

Peter Ajamian
In reply to this post by Michael Wyraz
On 29/07/20 9:54 am, Michael Wyraz wrote:
> Hello Wietse,
>
> thank you for the response. I tried to find the correct section in RFCs
> that describes this but I did not find the place where it defines that a
> EHLO cannot be answered with a 550
>
> Can you point me to the right RFC section?

It can be, but iit has a different meaning here.  RFC5321 5.3.2 states:
       EHLO or HELO

          S: 250
          E: 504 (a conforming implementation could return this code only
          in fairly obscure cases), 550, 502 (permitted only with an old-
          style server that does not support EHLO)

So Postfix assumes that the 550 means that the server does not support
EHLO and falls back to HELO as a result (which you can see happening).
The remote server then hangs up unexpectedly and so postfix assumes that
the connection got dropped and appropriately defers the message to retry
it later.

So Postfix is absolutely conforming to RFCs, the remote server errs by
(1) returning the wrong code in response to EHLO (unless they really
don't support EHLO) and (2) hanging up prematurely.


Peter
Reply | Threaded
Open this post in threaded view
|

Re: Outgoing mail is defered (not bounced) if EHLO returns 550 and closes connection

Michael Wyraz
In reply to this post by Michael Wyraz
Hello,

thank you for the Feedback. I'll contact the receiver's postmaster and
tell them the RFC violation.

> To work around this you can set an smtp_reply_filter:
>
> /etc/postfix/main.cf:
>      smtp_reply_filter = pcre:/etc/postfix/smtp_reply_filter.pcre
>
> /etc/postfix/smtp_reply_filter.pcre
>      /^220 mx.XXX.YYY ESMTP/    550 They won't talk to us

Wouldn't that stop delivery to that MTA at all? Can I workaround the
issue with a similar filter in a way that only the 5xx response to a
EHLO leads to a bounce?

Best Regards,

Michael.