  • Spamd/Postfix behaving strangely


    I'm using spamd with greylisting on a new Postfix mail proxy, but
    it's behaving strangely for accepted connections. If I make a
    connection to the server from my whitelisted (<spamd-white>) external
    test server, I see the following:
    [root@colo root]# telnet mail.domain.com 25
    Trying x.x.x.x
    Connected to mail.domain.com (x.x.x.x).
    Escape character is '^]'.
    220
    EHLO mail.dixongroup.net
    502 Error: command not implemented
    QUIT
    221 Bye
    Connection closed by foreign host.
    First, I'm not sure where that 220 banner is coming from. I've
    checked "lsof -i tcp:25" and confirmed that Postfix's smtpd is
    running there. I've also run "pfctl -vss" to verify that the
    connection is being sent to Postfix (tcp/25) and not spamd (tcp/
    8025). What's really odd is that if I connect to Postfix from
    localhost (also whitelisted <spamd-white>), it behaves as expected:
    # telnet localhost 25
    Trying ::1
    telnet: connect to address ::1: Connection refused
    Trying 127.0.0.1
    Connected to localhost.
    Escape character is '^]'.
    220 mail.domain.com ESMTP Postfix
    EHLO localhost
    250-mail.domain.com
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250 8BITMIME
    quit
    221 Bye
    Connection closed by foreign host.
    I have no problems sending mail if I resort to a HELO, but that
    doesn't solve the issue. I'd like to know what MTA is actually
    responding to those requests and why it's behaving differently.
    Thanks,
  • No.1

    Jason Dixon wrote:

    I'm using spamd with greylisting on a new Postfix mail proxy, but
    it's behaving strangely for accepted connections. If I make a
    connection to the server from my whitelisted (<spamd-white>) external
    test server, I see the following:

    [root@colo root]# telnet mail.domain.com 25
    Trying x.x.x.x
    Connected to mail.domain.com (x.x.x.x).
    Escape character is '^]'.
    220
    EHLO mail.dixongroup.net
    502 Error: command not implemented
    QUIT
    221 Bye
    Connection closed by foreign host.

    First, I'm not sure where that 220 banner is coming from. I've
    checked "lsof -i tcp:25" and confirmed that Postfix's smtpd is
    running there. I've also run "pfctl -vss" to verify that the
    connection is being sent to Postfix (tcp/25) and not spamd (tcp/
    8025). What's really odd is that if I connect to Postfix from
    localhost (also whitelisted <spamd-white>), it behaves as expected:

    # telnet localhost 25
    Trying ::1
    telnet: connect to address ::1: Connection refused
    Trying 127.0.0.1
    Connected to localhost.
    Escape character is '^]'.
    220 mail.domain.com ESMTP Postfix
    EHLO localhost
    250-mail.domain.com
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250 8BITMIME
    quit
    221 Bye
    Connection closed by foreign host.

    I have no problems sending mail if I resort to a HELO, but that
    doesn't solve the issue. I'd like to know what MTA is actually
    responding to those requests and why it's behaving differently.

    Thanks,
  • No.2

    Sep 11, 2005, at 11:02 AM, Steve Williams wrote:

    Jason Dixon wrote:
    >
    >I'm using spamd with greylisting on a new Postfix mail proxy, but
    >it's behaving strangely for accepted connections. If I make a
    >connection to the server from my whitelisted (<spamd-white>)
    >external test server, I see the following:
    >>

    >[root@colo root]# telnet mail.domain.com 25
    >Trying x.x.x.x
    >Connected to mail.domain.com (x.x.x.x).
    >Escape character is '^]'.
    >220
    >EHLO mail.dixongroup.net
    >502 Error: command not implemented
    >QUIT
    >221 Bye
    >Connection closed by foreign host.
    >

    I get this type of "220" banner when I connect to my former work &
    they had some Cisco email proxy type of hardware it might have
    been embedded in the PIX, I'm not 100% sure

    telnet mail.xxxxx.com smtp
    220 200**0**00*20*00

    Is there some CISCO hardware in the picture?

    Yes, there is a PIX (eventually to be replaced with BSD/PF), but
    I don't understand how that could interfere. If I remove the
    external system from <spamd-white>, I get redirected to spamd as
    expected:

    [jason@confusion jason]$ telnet mail.domain.com 25
    Trying x.x.x.x
    Connected to mail.domain.com (x.x.x.x).
    Escape character is '^]'.
    220
    0**2**
    200*
    HELO localhost
    250 Hello, spam sender. Pleased to be wasting your time.
    QUIT
    221 mail.domain.com
    Connection closed by foreign host.

    I guess it's possible that PIX software might be munging the 220
    (unlikely), but I still see the connections in my maillog, so it's
    not intercepting the SMTP session.
  • No.3

    Sun, Sep 11, 2005 at 11:12:07AM -0400, Jason Dixon wrote:
    Sep 11, 2005, at 11:02 AM, Steve Williams wrote:

    >Jason Dixon wrote:
    >>[root@colo root]# telnet mail.domain.com 25
    >>Trying x.x.x.x
    >>Connected to mail.domain.com (x.x.x.x).
    >>Escape character is '^]'.
    >>220
    >>EHLO mail.dixongroup.net
    >>502 Error: command not implemented
    >>QUIT
    >>221 Bye
    >>Connection closed by foreign host.

    >
    >I get this type of "220" banner when I connect to my former work &
    >they had some Cisco email proxy type of hardware it might have
    >been embedded in the PIX, I'm not 100% sure
    >
    >telnet mail.xxxxx.com smtp
    >220 200**0**00*20*00


    i don't recall having seen a PIX do a 220 banner with
    _only_ asterisks. i think they've always had 2s and 0s mixed
    in there in an f'd up fashion

    but my knee-jerk is still to think of a PIX and getting it to
    shut the hell up.

    what is the command "no fix smtp" or something?

    jared
    -

    [ openbsd 3.7 GENERIC ( sep 1 ) // i386 ]
  • No.4

    I guess it's possible that PIX software might be munging the 220
    (unlikely), but I still see the connections in my maillog, so it's
    not intercepting the SMTP session.

    I think it's entirely likely that the PIX is munging things - this
    is the smtp-fixup "feature" of the PIX units.

    You might try disabling that and seeing if things start working as
    you intend.

    Benny
  • No.5

    Sun, 11 Sep 2005, Jason Dixon wrote:

    Yes, there is a PIX (eventually to be replaced with BSD/PF), but
    I don't understand how that could interfere. If I remove the
    external system from <spamd-white>, I get redirected to spamd as
    expected:

    pix interferes in every possible way, but your current particular
    problem seems to be it "fixing" smtp. iirc what you will have to tell
    the pix is `no fixup protocol smtp 25'. or something like that.

    (unlikely), but I still see the connections in my maillog, so it's
    not intercepting the SMTP session.

    yes, it does
  • No.6

    Sep 11, 2005, at 11:26 AM, jared r r spiegel wrote:

    i don't recall having seen a PIX do a 220 banner with
    _only_ asterisks. i think they've always had 2s and 0s mixed
    in there in an f'd up fashion

    but my knee-jerk is still to think of a PIX and getting it to
    shut the hell up.

    what is the command "no fix smtp" or something?

    Yes, that was indeed the problem. Thanks to everyone (Steve, Jared,
    Tamas, Benny) who suggested it. The commands to verify and "unfix"
    the setting:

    pixa(config)# sh fixup
    <snip>
    pixa(config)# no fixup protocol smtp 25
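The symptom the thread describes (a 220 banner reduced to asterisks and digits, then a 502 on EHLO) can be checked from any outside host before touching the firewall. The script below is an added example written for this page, not code from the thread, Postfix, spamd or Cisco; the HELO name probe.example and the replayed exchange are constructed.

```python
import io
import re
import socket
import sys

# A PIX-rewritten banner is only asterisks, 2s and 0s after the 220 code (as
# seen in the thread); a normal banner names the host and usually says ESMTP.
MANGLED = re.compile(r"^220[\s*02]*$")

def read_reply(conn):
    """Read one SMTP reply, following '250-' style continuation lines."""
    lines = []
    while True:
        line = conn.readline().decode("ascii", "replace").rstrip("\r\n")
        if not line:                      # peer closed the connection mid-reply
            break
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            break                         # "250 x" ends the reply, "250-x" continues
    code = int(lines[0][:3]) if lines and lines[0][:3].isdigit() else 0
    return code, lines

def diagnose(conn, helo_name="probe.example"):
    """Read the banner, send EHLO, and classify what sits in the path."""
    code, banner = read_reply(conn)
    first = banner[0] if banner else ""
    conn.write(f"EHLO {helo_name}\r\n".encode())
    ehlo_code, _ = read_reply(conn)
    conn.write(b"QUIT\r\n")
    mangled = code == 220 and MANGLED.match(first) is not None
    esmtp = ehlo_code == 250
    verdict = ("smtp fixup/proxy suspected: banner obscured and EHLO rejected"
               if mangled and not esmtp else "clean ESMTP path"
               if esmtp and not mangled else f"banner mangled={mangled}, EHLO got {ehlo_code}")
    return {"banner": first, "mangled": mangled, "esmtp": esmtp, "verdict": verdict}

class FakeConn:  # constructed stand-in for a socket file: replays canned server bytes
    def __init__(self, server_bytes): self.rx, self.sent = io.BytesIO(server_bytes), []
    def readline(self): return self.rx.readline()
    def write(self, data): self.sent.append(data)

# Constructed replay of the thread's exchange as seen through the PIX.
PIX_EXCHANGE = (b"220 200**0**00*20*00\r\n"
                b"502 Error: command not implemented\r\n221 Bye\r\n")

if __name__ == "__main__":  # live check: python3 smtp_probe.py mail.example.net 25
    if len(sys.argv) == 3:
        with socket.create_connection((sys.argv[1], int(sys.argv[2])), 10) as s:
            print(diagnose(s.makefile("rwb", buffering=0)))
    else:
        print(diagnose(FakeConn(PIX_EXCHANGE)))
```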
  • No.7

    Sep 11, 2005, at 4:48 PM, Justin Krejci wrote:

    The SMTP Fixup "feature" also includes several other "features" such as
    limiting concurrent connections from each external host. This "feature"
    causes so many problems for anyone with a lot of mail who is also using an
    external mail spam/virus filtering service, because usually tons of mail
    originates from only a handful of servers, the filtering servers.

    I don't know much about the Cisco fixup feature set, but limiting by
    num of connections can be addressed with PF.
  • No.8

    Sep 11, 2005, at 4:53 PM, Jason Dixon wrote:

    Sep 11, 2005, at 4:48 PM, Justin Krejci wrote:
    >
    >
    >The SMTP Fixup "feature" also includes several other "features" such as
    >limiting concurrent connections from each external host. This "feature"
    >causes so many problems for anyone with a lot of mail who is also using an
    >external mail spam/virus filtering service, because usually tons of mail
    >originates from only a handful of servers, the filtering servers.
    >

    >

    I don't know much about the Cisco fixup feature set, but limiting
    by num of connections can be addressed with PF.

    One of the "features" I've usually found of the SMTP fixup is that it
    also does not speak ESMTP, rather just SMTP, that is RFC821 which is
    from 1982. Thereby reducing the overall security. I've never taken
    the time to figure out what else gets disabled, as this "feature"
    causes harm, and never any good from what I can tell.

    -Chad
    _\|/_
    (o o)
    (_)
    Chad M Stewart, GCIH
    cms (AT) Balius (DOT) com http://balius.com/ Balius Inc.

    "If you don't do it right the first time, you'll just
    have to do it again." -- Jack T. Hankins
  • No.9

    Sun, 11 Sep 2005 15:48:12 -0500
    Justin Krejci <jus (AT) krytosvirus (DOT) com> wrote:
    If anyone has any know how on tweaking Cisco's smtp fixup protocol, that would
    be great.

    I don't know of *anyone* with an even remotely serious mail system that has
    been able to use Cisco's "fixup" features for anything. Perhaps it should be
    called "breakdown" instead.
    Just leave it off and take Jason's advice to use PF for connection limiting.

    Lars Hansson
  • No.10

    Mon, 12 Sep 2005, Lars Hansson wrote:

    Sun, 11 Sep 2005 15:48:12 -0500
    Justin Krejci <jus (AT) krytosvirus (DOT) com> wrote:
    >If anyone has any know how on tweaking Cisco's smtp fixup protocol, that would
    >be great.
    >

    I don't know of *anyone* with an even remotely serious mail system that has
    been able to use Cisco's "fixup" features for anything. Perhaps it should be
    called "breakdown" instead.
    Just leave it off and take Jason's advice to use PF for connection limiting.

    Yes please! Lars is right.

    "no fixup protocol smtp 25" from a config prompt on the PIX.

    Cisco implemented their SMTP proxy less than poorly. I waste a great
    deal of time dealing with mail admins or their firewall admins that have
    it enabled and break when we try to mail them.

    Additionally, they are known to do really retarded things like sending RST
    to mailhosts during sessions that they INITIATED, for no good reason.

    Seeing things in tcpdumps like "MAIL FROM: <foo (AT) bar (DOT) com>" then "RST" with
    no QUIT tend to raise blood pressures.

    Do the Internet a favor and shut that feature off.

    *tongue-in-cheek* better yet, replace the PIX with a PF implementation.
    *grin* (Yes, I know this is not always possible.)
