As I just finished setting TLS and SASL to secure the access to my Postfix server, I realized that it was working only from inside my network.
What I got from my lan :
$ telnet mars 25 Trying 192.168.222.10... Connected to phocean.net. Escape character is '^]'. 220 phocean.net ESMTP Postfix (Debian/GNU) ehlo phocean.net 250-phocean.net 250-PIPELINING 250-SIZE 200000000 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH NTLM DIGEST-MD5 CRAM-MD5 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN
I shows well that the TLS handshake is initiated.
But from this outside, I just got this weired thing :
$ telnet phocean.net 25 Trying 81.64.194.119... Connected to phocean.net. Escape character is '^]'. 220 ********************************************** ehlo phocean.net 502 5.5.2 Error: command not recognized
Of course, the firewall, a Cisco Pix one, was properly set to redirect port 25 UDP/TCP to my server.
However, I soon focused my effort on this equipment. I considered a while that the cause could be some filtering from my provider, but most probably, the problem came from the Pix.
That was not difficult to figure out : it had some protocol inspector activated for SMTP :
$ sh ru [...] fixup protocol smtp 25 [...]
Just after :
> no fixup protocol smtp 25
… it started to work perfectly well !!!
The engine for the SMTP protocol could not recognize the TLS handshake, considered that the SMTP session as not valid and therefore blocked it !
I can deactivate it without any fear as my Postfix server is already pretty well secured, or at least configured to reject any weired SMTP dialog.
Related posts:
