On Sat, Sep 04, 2021 at 01:18:17PM -0400, John C Klensin wrote:
> > Absent a time-machine, and given that the ultimate decision is
> > made after the initial banner and greet pause, and that
> > refusing SMTP service (521 banner) is supposed to only happen
> > to botnet and similar clients, the postscreen(8) service has
> > no choice but to appear to change its mind after the initial
> > "220-".
>
> If, by "change its mind", you mean "send a response sequence
> with different codes", not true. First, if it cared about the
> SMTP spec (and I understand the reasons why it might not), it
> should accumulate whatever information it thinks useful before
> sending the initial connection response and then reply with
> either 220 or 521 (or something else) as it thinks appropriate,
> not try to mix them.

The greet pause test is *specifically* designed to detect botnet spam
engines that don't wait for the complete multi-line response, and start
talking as soon as they detect the first line of the response. That's
why the pause is after, and not before, "220-". This is also why the
final response code is unavoidably different from the initial.

> Second, it could return 220 (normally considered the correct response
> if it accepts mail from anyone) and then return 521 reply codes to any
> further commands until either those commands stopped coming or it got
> fed up and just closed the connection.

Once the client is believed to be an undesirable source of email
connections, we don't bother with niceties, and drop the connection.
The "521" is a best effort concession to rough protocol conformance.
Clients blacklisted by postscreen(8) don't get to talk SMTP to the real
Postfix SMTP server.

> It does occur to me that a "no mail accepted right now" code
> might help to clarify the situation. Watch for rfc5321bis-04.

In practice, there are just 5 response codes in SMTP:

    2XY
    4XY vs 421
    5XY vs 521

No values of "XY" other than "21" make any difference to most
implementations. So I don't see much point in new response codes.

What could perhaps be clarified further is the meaning of 5XY greetings.
Should a sending system that encounters a 5XX greeting defer or bounce
the message envelope? The right answer depends on understanding when
5XX greetings occur in recent practice.
--
Viktor.
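
The greet pause test discussed in this message, as an added example that is not part of the original message and is not postscreen(8) code: the server sends the "220-" line, pauses, and checks whether the client speaks before the final line. The host names, the pause length, the text after "521" and all function names are assumptions made for the illustration.

```python
import select
import socket
import threading

def greet_pause_test(conn, hostname="mx.example.test", pause=0.5):
    """Return (passed, early_data) for one freshly accepted connection."""
    # "220-" marks a multi-line reply, so a conforming client stays silent.
    conn.sendall(f"220-{hostname} ESMTP\r\n".encode("ascii"))
    # Greet pause: the client has nothing to say until the final line.
    readable, _, _ = select.select([conn], [], [], pause)
    if readable:
        early = conn.recv(4096)  # b"" here means the client hung up
        try:
            # Final code differs from the initial "220-"; the caller drops.
            conn.sendall(b"521 5.5.1 Protocol error\r\n")  # constructed text
        except OSError:
            pass
        return False, early
    conn.sendall(f"220 {hostname} ESMTP\r\n".encode("ascii"))
    return True, b""

def _client(sock, waits, seen):
    """Constructed client: speaks after the final line, or after any line."""
    spoke = False
    for line in sock.makefile("rb"):
        seen.append(line.decode("ascii").rstrip())
        if not spoke and (not waits or line[3:4] == b" "):
            sock.sendall(b"EHLO client.example.test\r\n")
            spoke = True

def simulate(waits):
    """Run one constructed client against the test over a socket pair."""
    server, client = socket.socketpair()
    seen = []
    t = threading.Thread(target=_client, args=(client, waits, seen))
    t.start()
    passed, early = greet_pause_test(server)
    if passed:
        server.recv(4096)  # the real SMTP server would take over here
    server.close()
    t.join()
    client.close()
    return passed, early, seen
```

`simulate(True)` models a client that waits for the "220 " line; `simulate(False)` models one that talks as soon as it sees the first line and therefore receives "220-" followed by "521".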