1 Last edited by takyee (2012-04-02 23:26:08)

Topic: Postfix and various CISCO PIX bugs

- iRedMail version: 0.7.4
- Linux/BSD distribution name and version: FreeBSD 8.2 p6
- Log information related to your issue:
postqueue -p

(lost connection with mail100.uimax.com[63.219.18.28] while sending message body)

tail -f /var/log/maillog

0CAFA181441: enabling PIX workarounds: disable_esmtp delay_dotcrlf for mail1.uimax.com[116.6.45.200]:25

Re: Postfix and various CISCO PIX bugs

Set this in Postfix main.cf:

smtp_pix_workarounds = disable_esmtp, delay_dotcrlf

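Re: Postfix and various CISCO PIX bugs

Hello, Engineer Zhang!

Thank you for your support!

Using postconf -d, I see that the default already appears to be smtp_pix_workarounds = disable_esmtp, delay_dotcrlf.
I have now added it to main.cf and will try again to see how it works.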

ZhangHuangbin wrote:

Set this in Postfix main.cf:

smtp_pix_workarounds = disable_esmtp, delay_dotcrlf

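4 Last edited by takyee (2012-04-03 22:51:24)

Re: Postfix and various CISCO PIX bugs

Sending via webmail tested fine, but mail sent from a mail client is still bounced. On Google I found that this turns out to be the Postfix PIX bugs:
http://www.arschkrebs.de/postfix/postfi … bugs.shtml
It looks like I can only disable DKIM for now and try to contact the administrator on the other side. I don't know whether there is a third option.
Quoted from http://www.arschkrebs.de/postfix/postfi … bugs.shtml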

Postfix and various CISCO PIX bugs

There was a huge discussion "PIX problems with DKIM header fields" on the postfix-users@postfix.org mailing list recently. One of the symptoms observed was that sites behind a CISCO PIX with "esmtp protocol fixup" wouldn't accept DKIM-signed emails. The connection would simply be dropped during the DATA stage.

Jim Fenton of CISCO solved the riddle for us and wrote this:

There are three bugs (all resolved) relating to Content-Type issues:

CSCsh33982
(E)SMTP Multiple Content-Type headers check is wrong
CSCsi01498
ESMTP inspect cannot handle content-type string in DKIM headers
CSCdi23740
ESMTP inspect does not match content-type properly in mail headers
These bug fixes are all incorporated in version 7.2(2.19) and 8.0(2.7).

7.2(2.19) is available to registered users on cisco.com by clicking the "interim releases" link on the software download page. I'm still unsure of the availability of 8.0(2.7).

According to one of the bug descriptions, the message

SMTP: Multiple Content-Type headers!
will be logged if ESMTP debugging is enabled and this is the cause.

Heise.de published an article about this as well: Cisco PIX behindert authentifizierten Mail-Versand

And another Cisco PIX and ASA problem with inspection of a SMTP protocol (actually, parsing of a mail header section):
CSCsy28792
SMTP session disconnects due to improper parsing of a DKIM header field by ASA
Problem description:

SMTP session is disconnected during DATA phase of a SMTP transaction for mail messages with a DKIM signature, where the start of a string "content-type" or "content-transfer-encoding" in a tag's value of an "h" tag of a DKIM signature happens to fall on a packet boundary at a start of a packet. The session is dropped with the next packet containing a Content-Type or Content-Transfer-Encoding header field.

Platform:
ASA5580-40
Cisco Adaptive Security Appliance Software Version 8.1(2)

To be fixed in releases 8.1.2(22) and 8.1.3



ZhangHuangbin wrote:

Set this in Postfix main.cf:

smtp_pix_workarounds = disable_esmtp, delay_dotcrlf
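
An added example, not part of the thread or of the Postfix or Cisco material it quotes: a small Python check that reads a message and reports whether the "h" tag of each DKIM-Signature lists content-type or content-transfer-encoding, the condition named in the CSCsy28792 description. The function names and the sample message are assumptions constructed for this illustration.

```python
import email
from email import policy

# Field names that, per the CSCsy28792 description quoted in the thread,
# matter when they appear inside the "h=" tag of a DKIM signature.
TRIGGER_FIELDS = {"content-type", "content-transfer-encoding"}

# Constructed sample message (not from the thread); domain and values are made up.
SAMPLE = (
    b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.org;\r\n"
    b"\ts=sel1; h=From:To:Subject:Date:MIME-Version:Content-Type:\r\n"
    b"\t Content-Transfer-Encoding; bh=Y29uc3RydWN0ZWQ=;\r\n"
    b"\tb=Y29uc3RydWN0ZWQ=\r\n"
    b"From: sender@example.org\r\n"
    b"To: rcpt@example.net\r\n"
    b"Subject: test\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"Content-Transfer-Encoding: 7bit\r\n"
    b"\r\n"
    b"body\r\n"
)

def parse_dkim_tags(value):
    """Parse a DKIM-Signature value (RFC 6376 tag-list) into {tag: value}."""
    tags = {}
    for part in value.split(";"):
        if "=" not in part:
            continue  # empty trailing element after the last ';'
        name, _, val = part.partition("=")  # split on the first '=' only
        # Folding whitespace is not significant in h=, bh= or b= values.
        tags[name.strip()] = "".join(val.split())
    return tags

def signed_trigger_fields(raw_message):
    """Per DKIM-Signature header, return the sorted trigger fields listed in h=."""
    # compat32 keeps the folded header value exactly as it was on the wire.
    msg = email.message_from_bytes(raw_message, policy=policy.compat32)
    results = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_dkim_tags(value)
        signed = {f.lower() for f in tags.get("h", "").split(":") if f}
        results.append(sorted(signed & TRIGGER_FIELDS))
    return results

if __name__ == "__main__":
    for i, hits in enumerate(signed_trigger_fields(SAMPLE), 1):
        print(f"signature {i}: h= lists {hits or 'no trigger fields'}")
```

The result is one list per signature; an empty list means that signature's h= tag names neither field.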