telnet port 25 obscuration

From: Gary Casterline (casterlnnature.Berkeley.EDU)
Date: Thu Apr 05 2007 - 15:48:05 CDT


Sorry for the looong post.

My environment:
    postfix 2.2.4 (with policyd-weight, policyd, amavisd/maia)
    solaris 10
    cyrus-sasl-2.1.22
    openssl-0.9.8d

I am having trouble debugging our server using telnet to port 25.
Ultimately, I want to debug TLS and SASL authentication, but I
can't even get the first stage telnet to port 25 to work right.

When I test SMTP connections with telnet from localhost all seems fine.
However, when I connect from any other host, the banner
string shows up as *****'s and 'EHLO remotehost.cnr.berkeley.edu' comes
back as unrecognized.

Mail is successfully coming through outside of telnet, so
the SMTP handshaking seems to work fine outside of telnet,
but does that make any sense?
I've noted from a tcpdump that the correct banner string is
sent out to the client but it shows up as ***** stars on the
remote machine. Then the EHLO is not recognized.

Here is a paste of what I see when I telnet from a remote host:

remote host # telnet localhostname.berkeley.edu 25
Trying xxx.xxx.xxx.xxx...
Connected to nature.berkeley.edu.
Escape character is '^]'.
220
*********************************************************************************************************************************************************************************************************************************************************************************
EHLO remotehost.cnr.berkeley.edu
502 5.5.2 Error: command not recognized
quit
221 2.0.0 Bye
Connection to localhostname.berkeley.edu closed by foreign host.

However, when I connect from localhost all looks normal:

nature postfix # telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 localhostname.berkeley.edu ESMTP Postfix This equipment is located in California. In accordance with 17538.45 of the California Business and Professional Code, unsolicited electronic mail advertisements are prohibited. See http://itpolicy.berkeley.edu/bpc17538.html for details.
EHLO example.com
250-localhostname.berkeley.edu
250-PIPELINING
250-SIZE 28240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH DIGEST-MD5 CRAM-MD5
250-AUTH=DIGEST-MD5 CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Here is what I see in the logs with a debug_peer_list added:

connect from remotehost.cnr.berkeley.edu[rem.ote.ip.add]
[snipped]
match_hostaddr: rem.ote.ip.add ~? rem.ote.ip.192/26
> remotehost.cnr.berkeley.edu[rem.ote.ip.add]: 220
  localhostname.berkeley.edu ESMTP Postfix This equipment
  is located in California. In accordance with 17538.45 of
  the California Business and Professional Code,
  unsolicited electronic mail advertisements are prohibited.
  See http://itpolicy.berkeley.edu/bpc17538.html for details.
< remotehost.cnr.berkeley.edu[rem.ote.ip.add]: XXXX remotehost.cnr.berkeley.edu
match_string: XXXX ~? CONNECT
match_string: XXXX ~? GET
match_string: XXXX ~? POST
match_list_match: XXXX: no match
> remotehost.cnr.berkeley.edu[rem.ote.ip.add]: 502 5.5.2 Error: command not recognized
watchdog_pat: 431ad8
< remotehost.cnr.berkeley.edu[rem.ote.ip.add]: quit
> remotehost.cnr.berkeley.edu[rem.ote.ip.add]: 221 2.0.0 Bye
match_hostname: remotehost.cnr.berkeley.edu ~? 127.0.0.0/8
[snip]
match_hostname: remotehost.cnr.berkeley.edu ~? 128.32.253.192/26
match_hostaddr: rem.ote.ip.add ~? rem.ote.ip.192/26
disconnect from remotehost.cnr.berkeley.edu[rem.ote.ip.add]

Any idea what I should check next?

------------------

Here is my setup (hopefully my obscurations haven't hidden
anything of importance):

postfinger - postfix configuration on Thu Apr 5 09:23:17 PDT 2007
version: 1.30

--System Parameters--
mail_version = 2.4.0
hostname = localhostname
uname = SunOS localhostname 5.10 Generic_118833-36 sun4u sparc SUNW,
        Sun-Fire-880

--Packaging information--

--main.cf non-default parameters--
address_verify_map = btree:/var/spool/postfix/verify
address_verify_sender = <>
alias_database = $alias_maps
alias_maps = hash:/etc/mail/aliases hash:/opt/mailman/data/aliases
best_mx_transport = local
biff = no
body_checks = pcre:$config_directory/body_checks.pcre
body_checks_size_limit = 300000
broken_sasl_auth_clients = yes
canonical_maps = hash:$config_directory/canonical
command_directory = /opt/postfix/sbin
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /opt/postfix/libexec
debug_peer_list =
default_database_type = hash
defer_transports = hold
header_checks = regexp:$config_directory/block255
  pcre:$config_directory/header_checks.pcre
  regexp:$config_directory/header_checks.regexp
html_directory = /etc/postfix/html
ignore_mx_lookup_error = yes
invalid_hostname_reject_code = 554
local_command_shell = /usr/lib/smrsh -c
local_recipient_maps = $relocated_maps
  $alias_maps
  $canonical_maps
  unix:passwd.byname
mailbox_command = /opt/csw/bin/procmail -t
mailbox_size_limit = 243600000
message_size_limit = 28240000
mime_header_checks = pcre:/etc/postfix/mime_header_checks.pcre
multi_recipient_bounce_reject_code = 554
mydestination =
  $myhostname
  localhost.$mydomain
  localhost
  $config_directory/hosts-we-mx-for
mydomain = $myhostname
myhostname = localhostname.berkeley.edu
mynetworks = 127.0.0.0/8 ...[trimmed]
non_fqdn_reject_code = 554
notify_classes = resource,software
owner_request_special = no
queue_minfree = 66480000
readme_directory = /etc/postfix/readme
recipient_delimiter = +
relay_domains = $mydestination hash:$config_directory/relay_domains
relocated_maps = hash:$config_directory/relocated
sample_directory = /etc/postfix/samples
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_tls_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/ca-bundle.crt
smtp_tls_cert_file = /etc/ssl/localhostname.berkeley.edu.crt
smtp_tls_key_file = /etc/postfix/certs/localhostname.berkeley.edu.key
smtp_tls_loglevel = 3
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:/etc/postfix/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name This equipment is located
 in California. In accordance with 17538.45 of the California Business
 and Professional Code, unsolicited electronic mail advertisements are
 prohibited. See http://localhostname.berkeley.edu/CNR_UCE.html for details.
smtpd_helo_required = yes
smtpd_recipient_restrictions =
  check_recipient_access hash:/etc/postfix/verify_recipient,
  reject_unauth_pipelining,
 warn_if_reject reject_non_fqdn_recipient,
  reject_unknown_recipient_domain,
  reject_non_fqdn_sender,
  reject_unknown_sender_domain,
  permit_mynetworks,
  permit_sasl_authenticated,
  check_client_access hash:$config_directory/relay_domains,
  check_client_access hash:$config_directory/pop-before-smtp,
  reject_unauth_destination,
 warn_if_reject reject_invalid_hostname,
  reject_multi_recipient_bounce,
  check_sender_access pcre:$config_directory/sender_checks.pcre,
  check_sender_access hash:$config_directory/sender_checks,
  check_recipient_access regexp:$config_directory/recipient_checks.regexp,
  check_recipient_access pcre:$config_directory/recipient_checks.pcre,
  check_recipient_access hash:$config_directory/recipient_checks,
  check_client_access pcre:$config_directory/client_checks.pcre,
  check_client_access hash:$config_directory/client_checks,
  check_helo_access pcre:$config_directory/helohost_checks.pcre,
  check_helo_access hash:$config_directory/helohost_checks,
  check_sender_mx_access hash:/etc/postfix/mx_access,
  check_sender_mx_access cidr:/etc/postfix/mx_access.cidr,
 warn_if_reject reject_unverified_sender,
  reject_unverified_recipient,
 warn_if_reject check_sender_access hash:$config_directory/disallow_my_domain,
  check_policy_service inet:127.0.0.1:12525,
  check_policy_service inet:127.0.0.1:10031,
  reject_rhsbl_client blackhole.securitysage.com,
  reject_rhsbl_sender blackhole.securitysage.com,
  reject_rhsbl_recipient blackhole.securitysage.com,
  check_sender_access hash:$config_directory/rhsbl_sender_domain_exceptions,
  reject_rbl_client cbl.abuseat.org,
  reject_rbl_client list.dsbl.org,
  reject_rbl_client zen.spamhaus.org,
  reject_rbl_client combined.njabl.org,
  permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = localhostname
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/certs/ca-bundle.crt
smtpd_tls_cert_file = /etc/postfix/certs/localhostname.berkeley.edu.crt
smtpd_tls_key_file = /etc/postfix/certs/localhostname.berkeley.edu.key
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache
strict_rfc821_envelopes = yes
swap_bangpath = no
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554

--master.cf--
smtp inet n - n - - smtpd
smtps inet n - n - - smtpd
          -o smtpd_tls_wrappermode=yes
          -o smtpd_sasl_auth_enable=yes
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
        -o fallback_relay=
showq unix n - n - - showq
error unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
maildrop unix - n n - - pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
old-cyrus unix - n n - - pipe
  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
cyrus unix - n n - - pipe
  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp unix - n n - - pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
smtp-amavis unix - - n - 8 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o receive_override_options=no_address_mappings
127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_restriction_classes=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
retry unix - - n - - error

-- end of postfinger output --
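Added example, not part of the original post or of Postfix: a small Python probe that captures the banner and EHLO reply from a client's vantage point and compares them with the banner the server logged sending, so the localhost-versus-remote difference described in the post can be checked from a script instead of by eye. The sample replies are constructed from the two transcripts above; the helo name is a placeholder.

```python
import socket
def read_reply(rfile):
    """Read one SMTP reply, following "250-" continuation lines; return its lines."""
    lines = []
    while True:
        line = rfile.readline().decode("utf-8", "replace").rstrip("\r\n")
        if not line:
            break
        lines.append(line)
        if len(line) < 4 or line[3] != "-":  # "250 ..." or a bare "220" ends the reply
            break
    return lines

def probe(host, port=25, helo_name="probe.example.net", timeout=10):
    """Connect, capture the banner and the EHLO reply, QUIT; return (banner, ehlo)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        banner = read_reply(rfile)
        sock.sendall(b"EHLO " + helo_name.encode() + b"\r\n")
        ehlo = read_reply(rfile)
        sock.sendall(b"QUIT\r\n")
        read_reply(rfile)
    return banner, ehlo
def advertised(ehlo_lines):
    """EHLO keywords (STARTTLS, AUTH, ...) that actually reached the client."""
    return {l[4:].split()[0] for l in ehlo_lines[1:] if l.startswith("250") and l[4:].split()}

def diagnose(banner_lines, ehlo_lines, server_logged_banner=None):
    """Findings about the dialogue as the client saw it, optionally checked against the server log."""
    findings = []
    text = " ".join(banner_lines).strip()[3:].strip()   # drop the "220" code
    if text and set(text) == {"*"}:
        findings.append("banner text arrived as asterisks: rewritten between server and client")
    if server_logged_banner and text != server_logged_banner[3:].strip():
        findings.append("client banner differs from the banner the server logged sending")
    if ehlo_lines and ehlo_lines[0].startswith("502"):
        findings.append("EHLO answered 502: the server did not receive a valid EHLO verb")
    elif "STARTTLS" not in advertised(ehlo_lines):
        findings.append("STARTTLS not advertised to this client")
    return findings

# Sample replies constructed from the two transcripts in the post (remote host vs. localhost).
REMOTE_BANNER = ["220 " + "*" * 60]
REMOTE_EHLO = ["502 5.5.2 Error: command not recognized"]
SERVER_LOGGED = "220 localhostname.berkeley.edu ESMTP Postfix This equipment is located in California."
LOCAL_EHLO = ["250-localhostname.berkeley.edu", "250-PIPELINING", "250-STARTTLS",
              "250-AUTH DIGEST-MD5 CRAM-MD5", "250 DSN"]
if __name__ == "__main__":
    import sys
    banner, ehlo = probe(sys.argv[1])  # run once from localhost and once from a remote host
    print("\n".join(diagnose(banner, ehlo) or ["no rewriting detected"]))
```

Running the probe from localhost and from a remote host and diffing the two outputs isolates whether the rewriting happens on the path rather than in smtpd.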