DevHeads.net

Uhm... next bug or my faulty configuration?

Hello,

updated from 3.4.1 to 3.4.3 and at the same time dovecot-2.2 to dovecot-2.3 ( + pigeonhole)
I assume the changes behavior is dovecot/pigeonhole now using the advertised "CHUNKING" extension.

Now an echo service (dovecot-2.3-pigeonhole) don't send messages anymore.
Reason: "Data command rejected: Multi-recipient bounce" while there is clearly only one recipient.

the relevant debug logs:

Mar 11 23:27:54 dili postfix-smo/submission/smtpd[22427]: > signing-milter.org[84.200.211.109]: 220 signing-milter.org ESMTP
Mar 11 23:27:54 dili postfix-smo/submission/smtpd[22427]: < signing-milter.org[84.200.211.109]: EHLO signing-milter.org
Mar 11 23:27:54 dili postfix-smo/submission/smtpd[22427]: > signing-milter.org[84.200.211.109]: 250-signing-milter.org
Mar 11 23:27:54 dili postfix-smo/submission/smtpd[22427]: > signing-milter.org[84.200.211.109]: 250-PIPELINING
Mar 11 23:27:54 dili postfix-smo/submission/smtpd[22427]: > signing-milter.org[84.200.211.109]: 250-SIZE 128000
Mar 11 23:27:54 dili postfix-smo/submission/smtpd[22427]: > signing-milter.org[84.200.211.109]: 250-ENHANCEDSTATUSCODES
Mar 11 23:27:54 dili postfix-smo/submission/smtpd[22427]: > signing-milter.org[84.200.211.109]: 250-8BITMIME
Mar 11 23:27:54 dili postfix-smo/submission/smtpd[22427]: > signing-milter.org[84.200.211.109]: 250-DSN
Mar 11 23:27:54 dili postfix-smo/submission/smtpd[22427]: > signing-milter.org[84.200.211.109]: 250-SMTPUTF8
Mar 11 23:27:54 dili postfix-smo/submission/smtpd[22427]: > signing-milter.org[84.200.211.109]: 250 CHUNKING
Mar 11 23:27:54 dili postfix-smo/submission/smtpd[22427]: < signing-milter.org[84.200.211.109]: MAIL FROM:<>
Mar 11 23:27:54 dili postfix-smo/submission/smtpd[22427]: > signing-milter.org[84.200.211.109]: 250 2.1.0 Ok
Mar 11 23:27:54 dili postfix-smo/submission/smtpd[22427]: < signing-milter.org[84.200.211.109]: RCPT TO:< ... at example dot org>
Mar 11 23:27:54 dili postfix-smo/submission/smtpd[22427]: > signing-milter.org[84.200.211.109]: 250 2.1.5 Ok
Mar 11 23:27:54 dili postfix-smo/submission/smtpd[22427]: < signing-milter.org[84.200.211.109]: BDAT 882 LAST
Mar 11 23:27:54 dili postfix-smo/submission/smtpd[22427]: >>> START Data command RESTRICTIONS <<<
Mar 11 23:27:54 dili postfix-smo/submission/smtpd[22427]: generic_checks: name=reject_multi_recipient_bounce
Mar 11 23:27:54 dili postfix-smo/submission/smtpd[22427]: 44JCRG5tYPzCqt2: reject: BDAT from signing-milter.org[84.200.211.109]: 550 5.5.3 <DATA>: Data command rejected: Multi-recipient bounce; from=<> to=< ... at example dot org> proto=ESMTP helo=<signing-milter.org>
Mar 11 23:27:54 dili postfix-smo/submission/smtpd[22427]: generic_checks: name=reject_multi_recipient_bounce status=2
Mar 11 23:27:54 dili postfix-smo/submission/smtpd[22427]: >>> END Data command RESTRICTIONS <<<

Mar 11 23:27:54 dili postfix-smo/submission/smtpd[22427]: > signing-milter.org[84.200.211.109]: 550 5.5.3 <DATA>: Data command rejected: Multi-recipient bounce, servertime=Mar 11 23:27:54, server=signing-milter.org, client=84.200.211.109

current solution: run the smtpd with "smtpd_discard_ehlo_keywords=CHUNKING"

Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: > signing-milter.org[84.200.211.109]: 220 signing-milter.org ESMTP
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: < signing-milter.org[84.200.211.109]: EHLO signing-milter.org
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: discarding EHLO keywords: CHUNKING
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: match_list_match: signing-milter.org: no match
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: match_list_match: 84.200.211.109: no match
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: > signing-milter.org[84.200.211.109]: 250-signing-milter.org
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: > signing-milter.org[84.200.211.109]: 250-PIPELINING
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: > signing-milter.org[84.200.211.109]: 250-SIZE 128000
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: > signing-milter.org[84.200.211.109]: 250-ETRN
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: > signing-milter.org[84.200.211.109]: 250-ENHANCEDSTATUSCODES
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: > signing-milter.org[84.200.211.109]: 250-8BITMIME
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: > signing-milter.org[84.200.211.109]: 250-DSN
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: > signing-milter.org[84.200.211.109]: 250 SMTPUTF8
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: < signing-milter.org[84.200.211.109]: MAIL FROM:<>
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: > signing-milter.org[84.200.211.109]: 250 2.1.0 Ok
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: < signing-milter.org[84.200.211.109]: RCPT TO:< ... at example dot org>
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: > signing-milter.org[84.200.211.109]: 250 2.1.5 Ok
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: < signing-milter.org[84.200.211.109]: DATA
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: >>> START Data command RESTRICTIONS <<<
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: generic_checks: name=reject_multi_recipient_bounce
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: generic_checks: name=reject_multi_recipient_bounce status=0
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: generic_checks: name=reject_unauth_pipelining
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: reject_unauth_pipelining: DATA
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: generic_checks: name=reject_unauth_pipelining status=0
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: generic_checks: name=permit
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: smtpd_acl_permit: checking smtpd_log_access_permit_actions settings
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: match_list_match: permit: no match
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: smtpd_acl_permit: smtpd_log_access_permit_actions: no match
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: generic_checks: name=permit status=1
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: >>> END Data command RESTRICTIONS <<<
Mar 11 23:37:57 dili postfix-smo/submission/smtpd[22846]: > signing-milter.org[84.200.211.109]: 354 End data with <CR><LF>.<CR><LF>

since years I have "smtpd_data_restrictions = reject_multi_recipient_bounce,reject_unauth_pipelining,permit"
Must that be adjusted with 3.4.x?

Andreas

Comments

Old bug: reject_multi_recipient_bounce

By Wietse Venema at 03/12/2019 - 09:55

A. Schulze:
This is 13 years old: reject_multi_recipient_bounce has had the same
false rejects in smtpd_end_of_data_restrictions since Postfix 2.2.

Victor's patch addresses the symptom (BDAT) but not the root cause.
The patch below fixes both BDAT and smtpd_end_of_data_restrictions.

In this case, smaller is better.

Wietse

diff -bur /var/tmp/postfix-3.5-20190310/src/smtpd/smtpd_check.c ./src/smtpd/smtpd_check.c
--- /var/tmp/postfix-3.5-20190310/src/smtpd/smtpd_check.c 2018-08-23 09:44:18.000000000 -0400
+++ ./src/smtpd/smtpd_check.c 2019-03-12 08:28:20.627312192 -0400
@@ -4583,7 +4583,7 @@
status = check_recipient_rcpt_maps(state, state->recipient);
} else if (strcasecmp(name, REJECT_MUL_RCPT_BOUNCE) == 0) {
if (state->sender && *state->sender == 0 && state->rcpt_count
- > (strcmp(state->where, SMTPD_CMD_DATA) ? 0 : 1))
+ > (strcmp(state->where, SMTPD_CMD_RCPT) != 0))
status = smtpd_check_reject(state, MAIL_ERROR_POLICY,
var_mul_rcpt_code, "5.5.3",
"<%s>: %s rejected: Multi-recipient bounce",

Re: Uhm... next bug or my faulty configuration?

By Viktor Dukhovni at 03/11/2019 - 19:23

Yes.

Your no-BDAT work-around is sufficient until the code is updated
along lines below:

Re: Uhm... next bug or my faulty configuration?

By Andreas Schulze at 03/12/2019 - 10:56

Viktor Dukhovni:

Hello Viktor,

Thanks for that patch. I confirm it works like expected....

Andreas

Re: Uhm... next bug or my faulty configuration?

By Wietse Venema at 03/12/2019 - 11:03

A. Schulze:
Did you test it in smtpd_end_of_data_restrictions?

Wietse