cisco pix TLS is required, but was not offered STARTTLS issue


cisco pix TLS is required, but was not offered STARTTLS issue

Stefan Bauer-2
Dear Users,

We are trying to deliver mail to a remote party with enforced encryption.

63FFB80805: TLS is required, but was not offered by host mx0.esb.de[194.77.230.138]

But it looks like the remote device is announcing TLS and can handle it:

# telnet mx0.esb.de 25
Trying 194.77.230.138...
Connected to mx0.esb.de.
Escape character is '^]'.
220 ****************
ehlo test
250-mx0.esb.de
250-8BITMIME
250-SIZE 52428800
250 STARTTLS
starttls
220 Go ahead with TLS

But the minus "-" is missing in STARTTLS, correct?

Is there a known workaround available?

Maybe some rewrite-voodoo?

Thank you.

Re: cisco pix TLS is required, but was not offered STARTTLS issue

Claus Assmann-22
On Mon, Nov 26, 2018, Stefan Bauer wrote:

> ehlo test
> 250-mx0.esb.de
> 250-8BITMIME
> 250-SIZE 52428800
> 250 STARTTLS

> But the minus "-" is missing in STARTTLS, correct?

No: it's the last line, hence no "-".

> Is there a known workaround available?

Looks like it should work... seems you have to do
some debugging (increase logging?)

Or was that only a temporary problem (i.e.,
can you reproduce it)?

Re: cisco pix TLS is required, but was not offered STARTTLS issue

Miwa Susumu
In reply to this post by Stefan Bauer-2
Hi.

On Mon, 26 Nov 2018 at 17:43, Stefan Bauer <[hidden email]> wrote:

> # telnet mx0.esb.de 25
> Trying 194.77.230.138...
> Connected to mx0.esb.de.
> Escape character is '^]'.
> 220 ****************
> ehlo test
> 250-mx0.esb.de
> 250-8BITMIME
> 250-SIZE 52428800
> 250 STARTTLS
> starttls
> 220 Go ahead with TLS
>
> But the minus "-" is missing in STARTTLS, correct?

That's correct.

see: https://tools.ietf.org/html/rfc5321#section-4.2

> The format for multiline replies requires that every line, except the
> last, begin with the reply code, followed immediately by a hyphen,
> "-" (also known as minus), followed by text.  The last line will
> begin with the reply code, followed immediately by <SP>, optionally
> some text, and <CRLF>.  As noted above, servers SHOULD send the <SP>
> if subsequent text is not sent, but clients MUST be prepared for it
> to be omitted.

--
miwarin

Re: cisco pix TLS is required, but was not offered STARTTLS issue

Patrick Ben Koetter-2
In reply to this post by Stefan Bauer-2
* Stefan Bauer <[hidden email]>:

> Dear Users,
>
> We are trying to deliver mail to a remote party with enforced encryption.
>
> 63FFB80805: TLS is required, but was not offered by host mx0.esb.de
> [194.77.230.138]
>
> But it looks like the remote device is announcing TLS and can handle it:
>
> # telnet mx0.esb.de 25
> Trying 194.77.230.138...
> Connected to mx0.esb.de.
> Escape character is '^]'.
> 220 ****************
> ehlo test
> 250-mx0.esb.de
> 250-8BITMIME
> 250-SIZE 52428800
> 250 STARTTLS
> starttls
> 220 Go ahead with TLS
>
> But the minus "-" is missing in STARTTLS, correct?

Look into your log and you will very likely find something that says:

    Cisco PIX enabled?


> Is there a known workaround available?
>
> Maybe some rewrite-voodoo?

Something – quite likely a Cisco ASA/PIX – manipulates the SMTP server banner
and the STARTTLS capability announcement. This is what it should look like:

220 mail.sys4.de ESMTP Submission
EHLO foo.sys4.de
250-mail.sys4.de
250-PIPELINING
250-SIZE 40960000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
QUIT

The $something removes the "ESMTP" in the server banner. Without the string
"ESMTP" the mail client (read: your Postfix smtp client) cannot know the
remote server supports any of the Enhanced SMTP features, which include
STARTTLS. It *must* assume the server speaks rudimentary SMTP only.

Thus it uses rudimentary SMTP only, which excludes STARTTLS. And that's why it
fails in the first place. The missing minus "-" just adds to the dilemma.

p@rick

--
[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
 
Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
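To make the two points above concrete (Miwa's RFC 5321 quote on the "-" continuation marker, and the mangled versus normal EHLO replies in this thread), here is an added example, not code from the thread or from Postfix: a strict parser for SMTP multi-line replies that extracts the EHLO keyword list. The two reply transcripts are copied from the posts above as constructed test input; applied to them, it shows that the PIX-mangled reply does still announce STARTTLS, because the last line of a reply carries a space, not a hyphen.

```python
"""Parse SMTP multi-line replies per RFC 5321 section 4.2 and read EHLO keywords."""
import re

# 3-digit code, then "-" (more lines follow) or " " / nothing (final line).
_REPLY_LINE = re.compile(r"^(\d{3})(?:([- ])(.*))?$")


def parse_reply(lines):
    """Return (code, [text, ...]) for one complete reply or raise ValueError.

    Every line but the last reads "CODE-text"; the last is "CODE text" or a bare
    "CODE" (servers SHOULD send the SP, clients MUST accept its absence).
    """
    code, texts = None, []
    for i, line in enumerate(lines):
        m = _REPLY_LINE.match(line.rstrip("\r\n"))
        if not m:
            raise ValueError(f"not an SMTP reply line: {line!r}")
        this_code, sep, text = m.group(1), m.group(2), m.group(3) or ""
        if code is None:
            code = this_code
        elif this_code != code:
            raise ValueError(f"reply code changed mid-reply: {code} -> {this_code}")
        # "-" is required on every line except the last, and forbidden on the last.
        if (sep == "-") == (i == len(lines) - 1):
            raise ValueError(f"continuation marker wrong on line {i + 1}: {line!r}")
        texts.append(text)
    if code is None:
        raise ValueError("empty reply")
    return code, texts


def ehlo_keywords(ehlo_reply):
    """Map EHLO keywords (upper-cased) to their parameters; the first line is the domain."""
    code, texts = parse_reply(ehlo_reply)
    if code != "250":
        raise ValueError(f"EHLO rejected with {code}")
    keywords = {}
    for text in texts[1:]:
        name, _, params = text.partition(" ")
        keywords[name.upper()] = params
    return keywords


# Constructed inputs, copied from the two EHLO exchanges shown in the thread.
PIX_EHLO = ["250-mx0.esb.de", "250-8BITMIME", "250-SIZE 52428800", "250 STARTTLS"]
SYS4_EHLO = ["250-mail.sys4.de", "250-PIPELINING", "250-SIZE 40960000", "250-ETRN",
             "250-STARTTLS", "250-ENHANCEDSTATUSCODES", "250-8BITMIME", "250-DSN",
             "250 SMTPUTF8"]
```

`"STARTTLS" in ehlo_keywords(PIX_EHLO)` is true: the capability list is intact in the mangled reply, so the failure lies elsewhere (the banner and the client's reaction to it, as discussed in the thread).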
 

Re: cisco pix TLS is required, but was not offered STARTTLS issue

Stefan Bauer-2
Hi,

log shows:

enabling PIX workarounds: disable_esmtp delay_dotcrlf for mx0.esb.de

But the specific workaround 'disable_esmtp' looks to be the reason for downgrading to plain SMTP and disallowing any STARTTLS, right?


Re: cisco pix TLS is required, but was not offered STARTTLS issue

Stefan Bauer-2
Yes and confirmed. Thank you.

Setting smtp_pix_workarounds = delay_dotcrlf (so that the default setting disable_esmtp has no effect) delivers mail correctly with STARTTLS.

95EB580805: enabling PIX workarounds: delay_dotcrlf for mx1.esb.de[194.77.230.139]:25
Untrusted TLS connection established to mx1.esb.de[194.77.230.139]:25: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
95EB580805: to=<[hidden email]>, relay=mx1.esb.de[194.77.230.139]:25, delay=0.9, delays=0.08/0.01/0.55/0.26, dsn=2.0.0, status=sent (250 ok:  Message 5896742 accepted)

There might well be good reasons why 'disable_esmtp' is set by default.


Re: cisco pix TLS is required, but was not offered STARTTLS issue

Wietse Venema
In reply to this post by Patrick Ben Koetter-2
Patrick Ben Koetter:
> Something – quite likely a Cisco ASA/PIX – manipulates the SMTP server banner
> and the STARTTLS capability announcement. This is what it should look like:
>
> 220 mail.sys4.de ESMTP Submission

That's what I thought, too, but RFC 1651 (SMTP Service Extensions) disagrees.

This might work:

- Disable PIX workarounds. Specify an empty smtp_pix_workarounds value.

    smtp_pix_workarounds =

  Or at least, remove "disable_esmtp" from the smtp_pix_workarounds
  setting.

- Send 'blind' EHLO. This is already implemented with the default
  setting:

    smtp_always_send_ehlo = yes

- Fall back to sending HELO. That code already exists.

        Wietse