Re: Status code of multiline responses logged

  • Wietse Venema
    Message 1 of 8 , Dec 7, 2012
      Florian Pritz:

      > Hi,
      >
      > I've just seen the following log entry:
      > > postfix/smtp[21188]: A494013804C: host eggs.gnu.org[208.118.235.92] said: 451-Your sender e-mail address could not be verified. You're greylisted for 20 451 minutes. Come back later. (in reply to RCPT TO command)
      ...
      > I know that the "451 " in front of minutes is part of the SMTP
      > protocol, but I really think that postfix shouldn't log it like that.
      > IMHO the log entry should either be split into one line per response
      > line from the server or better yet, it should strip the status code from
      > all but the first line.

      You assume that all response lines will have the same reply code,
      but that is not necessarily true. If Postfix were to log the first
      reply code only, then you would never be aware of the discrepancy.

      > Is that behaviour intentional?

      Absolutely. If a site wants to use a complex reply layout, then
      that is their business. Postfix never preserves line boundaries
      in server SMTP responses, since they end up in logfiles, bounce
      messages and so on, and could be used in an attack to mislead
      users or programs that process the replies.

      I suppose you have heard of carriage returns or newlines being used
      to inject false messages into logfiles, splitting http replies, and
      so on.

      In Postfix I work hard to avoid such bugs.

      Wietse
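
The logging behaviour described in this message, as an added Python sketch (not part of the original post and not Postfix source code): a multiline reply is flattened into one log line with every reply code kept, so a code discrepancy stays visible and control characters cannot start a new log record. Function names are hypothetical; the greylisting reply is rebuilt from the log entry quoted above with an assumed line break, and the other two replies are constructed.

```python
import re

# One reply line: 3-digit code, "-" (more lines follow) or " " (last line), text.
# DOTALL lets stray control characters through so flatten_for_log() can defuse them.
REPLY_LINE = re.compile(r"^(\d{3})([- ])(.*)$", re.DOTALL)

def parse_reply(raw: bytes):
    """Split a raw SMTP reply into (code, is_last, text) tuples."""
    lines = []
    for chunk in raw.decode("latin-1").split("\r\n"):
        if not chunk:
            continue
        m = REPLY_LINE.match(chunk)
        if m is None:
            raise ValueError("malformed reply line: %r" % chunk)
        lines.append((m.group(1), m.group(2) == " ", m.group(3)))
    lasts = [last for _, last, _ in lines]
    if lasts.count(True) != 1 or not lasts[-1]:
        raise ValueError("reply must end with exactly one '<code><SP>' line")
    return lines

def flatten_for_log(lines):
    """Join all reply lines into one log-safe line, keeping every reply code."""
    joined = " ".join("%s%s%s" % (code, " " if last else "-", text)
                      for code, last, text in lines)
    # Any remaining control character (bare CR, LF, ESC, ...) becomes "?".
    return re.sub(r"[\x00-\x1f\x7f]", "?", joined)

def codes_disagree(lines):
    """True when the server used different reply codes within one reply."""
    return len({code for code, _, _ in lines}) > 1

# Rebuilt from the log entry in this thread (line break position assumed).
GREYLIST = (b"451-Your sender e-mail address could not be verified. "
            b"You're greylisted for 20\r\n451 minutes. Come back later.\r\n")
# Constructed: a server that changes its reply code between lines.
MIXED = b"250-ok so far\r\n550 mailbox unavailable\r\n"
# Constructed: a bare LF followed by text shaped like a log record.
FORGED = (b"451-try again later\nDec  7 00:00:00 mx postfix/smtp[1]: "
          b"FAKE: status=sent\r\n451 bye\r\n")

if __name__ == "__main__":
    for sample in (GREYLIST, MIXED, FORGED):
        parsed = parse_reply(sample)
        print(codes_disagree(parsed), flatten_for_log(parsed))
```
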
    • Robert Sander
      Message 2 of 8 , Dec 8, 2012
        On 07.12.2012 22:29, Wietse Venema wrote:
        > Florian Pritz:
        >
        >> Hi,
        >>
        >> I've just seen the following log entry:
        >>> postfix/smtp[21188]: A494013804C: host eggs.gnu.org[208.118.235.92] said: 451-Your sender e-mail address could not be verified. You're greylisted for 20 451 minutes. Come back later. (in reply to RCPT TO command)
        > ...
        >> I know that the "451 " in front of minutes is part of the SMTP
        >> protocol, but I really think that postfix shouldn't log it like that.
        >> IMHO the log entry should either be split into one line per response
        >> line from the server or better yet, it should strip the status code from
        >> all but the first line.
        >
        > You assume that all response lines will have the same reply code,
        > but that is not necessarily true. If Postfix were to log the first
        > reply code only, then you would never be aware of the discrepancy.

        RFC821 Appendix E states:

        The format for multiline replies requires that every line,
        except the last, begin with the reply code, followed
        immediately by a hyphen, "-" (also known as minus), followed by
        text. The last line will begin with the reply code, followed
        immediately by <SP>, optionally some text, and <CRLF>.


        So I would assume that you could leave out response codes except for the
        first line for the log output when concatenating a multiple response.

        Kindest Regards
        --
        Robert Sander
        Heinlein Support GmbH
        Schwedter Str. 8/9b, 10119 Berlin

        http://www.heinlein-support.de

        Tel: 030 / 405051-43
        Fax: 030 / 405051-19

        Mandatory disclosures per §35a GmbHG:
        HRB 93818 B / Amtsgericht Berlin-Charlottenburg,
        Managing Director: Peer Heinlein -- Registered office: Berlin
      • Reindl Harald
        Message 3 of 8 , Dec 8, 2012
          On 08.12.2012 13:26, Robert Sander wrote:
          >> You assume that all response lines will have the same reply code,
          >> but that is not necessarily true. If Postfix were to log the first
          >> reply code only, then you would never be aware of the discrepancy.
          >
          > RFC821 Appendix E states:
          >
          > The format for multiline replies requires that every line,
          > except the last, begin with the reply code, followed
          > immediately by a hyphen, "-" (also known as minus), followed by
          > text. The last line will begin with the reply code, followed
          > immediately by <SP>, optionally some text, and <CRLF>.
          >
          >
          > So I would assume that you could leave out response codes except for the
          > first line for the log output when concatenating a multiple response.

          the problem is that nearly all clients only display the LAST
          response-line which is for example currently a real problem with
          "smtpd_reject_footer" because the user will never see anything except
          the footer, AFAIK there will be the possibility on postfix 2.10 to
          add the reject-footer without a new line to solve this

          i had this last week again where a customer did not understand the
          error message (which contained only the request footer) and a look
          in the maillog showed me that "reject_non_fqdn_recipient" was the
          (correct) reason

          "Recipient address rejected: need fully-qualified address"
        • Wietse Venema
          Message 4 of 8 , Dec 8, 2012
            Someone who didn't read my reply:
            > So I would assume that you could leave out response codes except for the
            > first line for the log output when concatenating a multiple response.

            No, because some servers will use different reply codes on
            different lines of the same reply.

            Reindl Harald:
            > the problem is that nearly all clients only display the LAST
            > response-line which is for example currently a real problem with
            > "smtpd_reject_footer" because the user will never see anything except
            > the footer, AFAIK there will be the possibility on postfix 2.10 to
            > add the reject-footer without a new line to solve this

            It's been in Postfix 2.10 for a while now (for people who
            can use the development release).

            Wietse
          • Reindl Harald
            Message 5 of 8 , Dec 8, 2012
              On 08.12.2012 17:14, Wietse Venema wrote:
              > Reindl Harald:
              >> the problem is that nearly all clients only display the LAST
              >> response-line which is for example currently a real problem with
              >> "smtpd_reject_footer" because the user will never see anything except
              >> the footer, AFAIK there will be the possibility on postfix 2.10 to
              >> add the reject-footer without a new line to solve this
              >
              > It's been in Postfix 2.10 for a while now (for people who
              > can use the development release)

              i know, but i am really unsure if i can use the devel-release
              for production, technically the update is done in 5 minutes
              and at the same time i am impressed about the way you are not
              breaking backward compatibility over many years like most other
              developers do, i think you must have good reasons to call it a
              development release and not 2.10 GA
            • Noel Jones
              Message 6 of 8 , Dec 8, 2012

                On 12/8/2012 10:35 AM, Reindl Harald wrote:
                > i know, but i am really unsure if i can use the devel-release
                > for production, technically the update is done in 5 minutes and
                > at the same time i am impressed about the way you are not breaking
                > backward compatibility over many years like most other developers
                > do, i think you must have good reasons to call it a
                > development release and not 2.10 GA
                >


                As the postfix download page says, the developmental releases are
                production-quality; it's the features that are considered
                developmental. I've probably used 100+ snapshot versions in
                production with no notable incidents.

                Updates with significant new code are clearly marked
                non-production until the code has been fully tested. These are
                only released occasionally; there isn't one available right now.

                The features and controls do change, so you're expected to use a
                reasonably current snapshot; if you want to install something and
                not touch it for years, stick with -stable.



                -- Noel Jones
              • Reindl Harald
                Message 7 of 8 , Dec 8, 2012
                  On 08.12.2012 20:01, Noel Jones wrote:
                  > On 12/8/2012 10:35 AM, Reindl Harald wrote:
                  >> i know, but i am really unsure if i can use the devel-release
                  >> for production, technically the update is done in 5 minutes and
                  >> at the same time i am impressed about the way you are not breaking
                  >> backward compatibility over many years like most other developers
                  >> do, i think you must have good reasons to call it a
                  >> development release and not 2.10 GA
                  >>
                  > As the postfix download page says, the developmental releases are
                  > production-quality; it's the features that are considered
                  > developmental. I've probably used 100+ snapshot versions in
                  > production with no notable incidents.
                  >
                  > Updates with significant new code are clearly marked
                  > non-production until the code has been fully tested. These are
                  > only released occasionally; there isn't one available right now.
                  >
                  > The features and controls do change, so you're expected to use a
                  > reasonably current snapshot; if you want to install something and
                  > not touch it for years, stick with -stable.

                  thank you for the feedback

                  this sounds really good and i will give 2.10-devel a try as soon
                  as i have my current jobs finished, means in the days between
                  christmas and new year

                  i thought so because i am impressed by the quality of postfix
                  at all and especially Wietse's attitude to not break
                  configurations not just for fun - as said some months ago:

                  this world would be a better one if more developers would
                  have this attitude - throwing things away and restarting from
                  scratch with all sorts of regressions is easy, a development
                  like postfix has had for many years is real quality

                  thanks again for a real good application which works in a way
                  you sometimes forget that it exists!