Uhm... next bug or my faulty configuration?

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

Uhm... next bug or my faulty configuration?

A. Schulze
Hello,

updated from 3.4.1 to 3.4.3 and at the same time dovecot-2.2 to dovecot-2.3 ( + pigeonhole)
I assume the changes behavior is dovecot/pigeonhole now using the advertised "CHUNKING" extension.

Now an echo service (dovecot-2.3-pigeonhole) don't send messages anymore.
Reason: "Data command rejected: Multi-recipient bounce" while there is clearly only one recipient.

the relevant debug logs:

Mar 11 23:27:54 dili postfix-smo/submission/smtpd[22427]: > signing-milter.org[84.200.211.109]: 220 signing-milter.org ESMTP
Mar 11 23:27:54 dili postfix-smo/submission/smtpd[22427]: < signing-milter.org[84.200.211.109]: EHLO signing-milter.org
Mar 11 23:27:54 dili postfix-smo/submission/smtpd[22427]: > signing-milter.org[84.200.211.109]: 250-signing-milter.org
Mar 11 23:27:54 dili postfix-smo/submission/smtpd[22427]: > signing-milter.org[84.200.211.109]: 250-PIPELINING
Mar 11 23:27:54 dili postfix-smo/submission/smtpd[22427]: > signing-milter.org[84.200.211.109]: 250-SIZE 128000
Mar 11 23:27:54 dili postfix-smo/submission/smtpd[22427]: > signing-milter.org[84.200.211.109]: 250-ENHANCEDSTATUSCODES
Mar 11 23:27:54 dili postfix-smo/submission/smtpd[22427]: > signing-milter.org[84.200.211.109]: 250-8BITMIME
Mar 11 23:27:54 dili postfix-smo/submission/smtpd[22427]: > signing-milter.org[84.200.211.109]: 250-DSN
Mar 11 23:27:54 dili postfix-smo/submission/smtpd[22427]: > signing-milter.org[84.200.211.109]: 250-SMTPUTF8
Mar 11 23:27:54 dili postfix-smo/submission/smtpd[22427]: > signing-milter.org[84.200.211.109]: 250 CHUNKING
Mar 11 23:27:54 dili postfix-smo/submission/smtpd[22427]: < signing-milter.org[84.200.211.109]: MAIL FROM:<>
Mar 11 23:27:54 dili postfix-smo/submission/smtpd[22427]: > signing-milter.org[84.200.211.109]: 250 2.1.0 Ok
Mar 11 23:27:54 dili postfix-smo/submission/smtpd[22427]: < signing-milter.org[84.200.211.109]: RCPT TO:<[hidden email]>
Mar 11 23:27:54 dili postfix-smo/submission/smtpd[22427]: > signing-milter.org[84.200.211.109]: 250 2.1.5 Ok
Mar 11 23:27:54 dili postfix-smo/submission/smtpd[22427]: < signing-milter.org[84.200.211.109]: BDAT 882 LAST
Mar 11 23:27:54 dili postfix-smo/submission/smtpd[22427]: >>> START Data command RESTRICTIONS <<<
Mar 11 23:27:54 dili postfix-smo/submission/smtpd[22427]: generic_checks: name=reject_multi_recipient_bounce
Mar 11 23:27:54 dili postfix-smo/submission/smtpd[22427]: 44JCRG5tYPzCqt2: reject: BDAT from signing-milter.org[84.200.211.109]: 550 5.5.3 <DATA>: Data command rejected: Multi-recipient bounce; from=<> to=<[hidden email]> proto=ESMTP helo=<signing-milter.org>
Mar 11 23:27:54 dili postfix-smo/submission/smtpd[22427]: generic_checks: name=reject_multi_recipient_bounce status=2
Mar 11 23:27:54 dili postfix-smo/submission/smtpd[22427]: >>> END Data command RESTRICTIONS <<<

Mar 11 23:27:54 dili postfix-smo/submission/smtpd[22427]: > signing-milter.org[84.200.211.109]: 550 5.5.3 <DATA>: Data command rejected: Multi-recipient bounce, servertime=Mar 11 23:27:54, server=signing-milter.org, client=84.200.211.109


current solution: run the smtpd with "smtpd_discard_ehlo_keywords=CHUNKING"

Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: > signing-milter.org[84.200.211.109]: 220 signing-milter.org ESMTP
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: < signing-milter.org[84.200.211.109]: EHLO signing-milter.org
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: discarding EHLO keywords: CHUNKING
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: match_list_match: signing-milter.org: no match
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: match_list_match: 84.200.211.109: no match
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: > signing-milter.org[84.200.211.109]: 250-signing-milter.org
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: > signing-milter.org[84.200.211.109]: 250-PIPELINING
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: > signing-milter.org[84.200.211.109]: 250-SIZE 128000
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: > signing-milter.org[84.200.211.109]: 250-ETRN
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: > signing-milter.org[84.200.211.109]: 250-ENHANCEDSTATUSCODES
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: > signing-milter.org[84.200.211.109]: 250-8BITMIME
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: > signing-milter.org[84.200.211.109]: 250-DSN
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: > signing-milter.org[84.200.211.109]: 250 SMTPUTF8
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: < signing-milter.org[84.200.211.109]: MAIL FROM:<>
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: > signing-milter.org[84.200.211.109]: 250 2.1.0 Ok
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: < signing-milter.org[84.200.211.109]: RCPT TO:<[hidden email]>
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: > signing-milter.org[84.200.211.109]: 250 2.1.5 Ok
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: < signing-milter.org[84.200.211.109]: DATA
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: >>> START Data command RESTRICTIONS <<<
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: generic_checks: name=reject_multi_recipient_bounce
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: generic_checks: name=reject_multi_recipient_bounce status=0
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: generic_checks: name=reject_unauth_pipelining
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: reject_unauth_pipelining: DATA
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: generic_checks: name=reject_unauth_pipelining status=0
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: generic_checks: name=permit
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: smtpd_acl_permit: checking smtpd_log_access_permit_actions settings
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: match_list_match: permit: no match
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: smtpd_acl_permit: smtpd_log_access_permit_actions: no match
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: generic_checks: name=permit status=1
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: >>> END Data command RESTRICTIONS <<<
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: > signing-milter.org[84.200.211.109]: 354 End data with <CR><LF>.<CR><LF>

since years I have "smtpd_data_restrictions = reject_multi_recipient_bounce,reject_unauth_pipelining,permit"
Must that be adjusted with 3.4.x?

Andreas

Reply | Threaded
Open this post in threaded view
|

Re: Uhm... next bug or my faulty configuration?

Viktor Dukhovni
On Mon, Mar 11, 2019 at 11:48:56PM +0100, A. Schulze wrote:

> I assume the changes behavior is dovecot/pigeonhole now using the advertised "CHUNKING" extension.

Yes.

> Reason: "Data command rejected: Multi-recipient bounce" while there is clearly only one recipient.
>
> Mar 11 23:27:54 dili postfix-smo/submission/smtpd[22427]: 44JCRG5tYPzCqt2:
>  reject: BDAT from signing-milter.org[84.200.211.109]: 550 5.5.3 <DATA>:
>  Data command rejected: Multi-recipient bounce; from=<> to=<[hidden email]>
>  proto=ESMTP helo=<signing-milter.org>

> since years I have "smtpd_data_restrictions = reject_multi_recipient_bounce,reject_unauth_pipelining,permit"
> Must that be adjusted with 3.4.x?

Your no-BDAT work-around is sufficient until the code is updated
along lines below:

--
        Viktor.

--- a/src/smtpd/smtpd.h
+++ b/src/smtpd/smtpd.h
@@ -259,6 +259,10 @@ extern void smtpd_state_reset(SMTPD_STATE *);
 #define SMTPD_CMD_XFORWARD "XFORWARD"
 #define SMTPD_CMD_UNKNOWN "UNKNOWN"
 
+#define SMTPD_IN_BODY(state) \
+    (strcmp((state)->where, SMTPD_CMD_DATA) == 0 || \
+     strcmp((state)->where, SMTPD_CMD_BDAT) == 0)
+
  /*
   * Representation of unknown and non-existent client information. Throughout
   * Postfix, we use the "unknown" string value for unknown client information
--- a/src/smtpd/smtpd_check.c
+++ b/src/smtpd/smtpd_check.c
@@ -4582,8 +4582,8 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions,
     if (state->recipient && *state->recipient)
  status = check_recipient_rcpt_maps(state, state->recipient);
  } else if (strcasecmp(name, REJECT_MUL_RCPT_BOUNCE) == 0) {
-    if (state->sender && *state->sender == 0 && state->rcpt_count
- > (strcmp(state->where, SMTPD_CMD_DATA) ? 0 : 1))
+    if (state->sender && *state->sender == 0
+ && state->rcpt_count > (SMTPD_IN_BODY(state) ? 1 : 0))
  status = smtpd_check_reject(state, MAIL_ERROR_POLICY,
     var_mul_rcpt_code, "5.5.3",
  "<%s>: %s rejected: Multi-recipient bounce",
Reply | Threaded
Open this post in threaded view
|

Old bug: reject_multi_recipient_bounce

Wietse Venema
In reply to this post by A. Schulze
A. Schulze:
> Hello,
>
> updated from 3.4.1 to 3.4.3 and at the same time dovecot-2.2 to dovecot-2.3 ( + pigeonhole)
> I assume the changes behavior is dovecot/pigeonhole now using the advertised "CHUNKING" extension.
>
> Now an echo service (dovecot-2.3-pigeonhole) don't send messages anymore.
> Reason: "Data command rejected: Multi-recipient bounce" while there is clearly only one recipient.

This is 13 years old: reject_multi_recipient_bounce has had the same
false rejects in smtpd_end_of_data_restrictions since Postfix 2.2.

Victor's patch addresses the symptom (BDAT) but not the root cause.
The patch below fixes both BDAT and smtpd_end_of_data_restrictions.

In this case, smaller is better.

        Wietse

diff -bur /var/tmp/postfix-3.5-20190310/src/smtpd/smtpd_check.c ./src/smtpd/smtpd_check.c
--- /var/tmp/postfix-3.5-20190310/src/smtpd/smtpd_check.c 2018-08-23 09:44:18.000000000 -0400
+++ ./src/smtpd/smtpd_check.c 2019-03-12 08:28:20.627312192 -0400
@@ -4583,7 +4583,7 @@
  status = check_recipient_rcpt_maps(state, state->recipient);
  } else if (strcasecmp(name, REJECT_MUL_RCPT_BOUNCE) == 0) {
     if (state->sender && *state->sender == 0 && state->rcpt_count
- > (strcmp(state->where, SMTPD_CMD_DATA) ? 0 : 1))
+ > (strcmp(state->where, SMTPD_CMD_RCPT) != 0))
  status = smtpd_check_reject(state, MAIL_ERROR_POLICY,
     var_mul_rcpt_code, "5.5.3",
  "<%s>: %s rejected: Multi-recipient bounce",
Reply | Threaded
Open this post in threaded view
|

Re: Uhm... next bug or my faulty configuration?

A. Schulze
In reply to this post by Viktor Dukhovni

Viktor Dukhovni:

> Your no-BDAT work-around is sufficient until the code is updated
> along lines below


Hello Viktor,

Thanks for that patch. I confirm it works like expected....

Andreas

Reply | Threaded
Open this post in threaded view
|

Re: Uhm... next bug or my faulty configuration?

Wietse Venema
A. Schulze:

>
> Viktor Dukhovni:
>
> > Your no-BDAT work-around is sufficient until the code is updated
> > along lines below
>
>
> Hello Viktor,
>
> Thanks for that patch. I confirm it works like expected....

Did you test it in smtpd_end_of_data_restrictions?

        Wietse