Re: [exim] exim can't handle 521 response from remote MX

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] exim can't handle 521 response from remote MX
On Sat, Sep 04, 2021 at 04:51:29PM -0400, John C Klensin wrote:

> As I assume you may have guessed given that you follow
> EMAILCORE, my main interest in this right now is to think about
> what changes, if any, are needed in 5431bis. Watch for a note
> on that list and some changes in -04 that reflect this
> conversation, for which thanks to everyone.


Will do, thanks.

> From that particular perspective and purpose, as soon as someone says
> "for my specific application or bright idea, it does not matter what
> the standard says", I sort of lose interest.


FWIW, the "does not matter" in question is very narrowly scoped to the
fine-grained detail in the second and third digits of 3-digit SMTP
responses.

You might recall the "what dogs hear" analogy from an earlier thread on
emailcore. Many an SMTP client doesn't look beyond the first digit of
the SMTP server's response. Postfix is among them, perhaps Exim is not?

We do strive to emit the expected 2XY/4XY/5XY codes, but expect others
to use them consistently in return.

> However, while (apparently unlike many of the rest of you) I
> have not spent any significant time in more than a decade
> poring over logs looking for mail transaction behavior
> anomalies, I don't believe "worked well enough for 22+ years"
> actually conveys much information.


What's worked well in this context is using the response from the last
line. Actually emitting a different response code on the last line is
a much more recent "innovation", and is used very narrowly to turn away
abusive botnet nodes without the cost of tying up a heavy-weight SMTP
server process to handle the connection.

The postscreen(8) service is an optional feature that is off by
default, and greet pauses are also off by default, even when
postscreen(8) is enabled.

Legitimate MTAs are typically not turned away by postscreen(8), so
seeing the "220-" followed by a "521" is by far the exception rather
than the rule, and if a legitimate MTA ends up retrying the message,
that could be argued to be a feature, the undeserved IP reputation
might have been resolved by then.

Indeed Postfix (as a client) defaults to retrying (another MX or defer
to later) after a 5XX greeting. So Exim is not doing anything
unexpected.

> When I was last looking at those logs, the number of times I saw a
> server returning a multiline reply with mixed codes was zero or very
> close to it.


This is both recent and unusual when the client is not a botnet, ...

> If all of the codes are the same, as SMTP requires, then things will
> work well no matter which one is picked. Now, if you were to say
> "there haven't been any problems since this behavior first became
> common N years ago", that would be useful information. But...


The variable multi-line response code server-side behaviour is new with
postscreen(8), which was first released in Feb 2011.

As mentioned above, it should be rather rare for a legitimate MTA as a
client to see such responses. Users of postscreen(8) should be cautious
to not make it too aggressive in its policies. The intent is to reduce
the number of bad connections that make it through to the real SMTP
servers, not eliminate all possibility of unwanted clients getting
through. Light-weight first stage of defense in depth.

-- 
    Viktor.
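As an added illustration of the parsing point discussed in this thread (not code from Postfix, Exim, or the poster), here is a small Python parser for multi-line SMTP replies that records every line's code, flags a mixed-code reply such as the postscreen-style "220-" followed by "521" greeting, and acts on the first digit of the last line, which is the client behaviour the message describes. The sample greeting bytes and hostname are constructed.

```python
import re
from dataclasses import dataclass

# One reply line: three digits, then "-" (more lines follow), " " (final
# line with text) or end of line (final line, code only, per RFC 5321).
_LINE = re.compile(r"^(\d{3})(-| |$)(.*)$")


@dataclass
class SmtpReply:
    codes: list  # 3-digit code carried by each line, in order
    texts: list  # text of each line, in order

    @property
    def first_code(self) -> str:
        return self.codes[0]  # what a "first line" reader would act on

    @property
    def last_code(self) -> str:
        return self.codes[-1]  # what a "last line" reader acts on

    @property
    def mixed(self) -> bool:
        # RFC 5321 requires every line of one reply to carry the same
        # code; a "220-" then "521" greeting violates that requirement.
        return len(set(self.codes)) > 1


def parse_reply(raw: bytes) -> SmtpReply:
    """Parse one complete CRLF-terminated SMTP reply, possibly multi-line."""
    lines = raw.decode("ascii", errors="replace").split("\r\n")
    if lines and lines[-1] == "":
        lines.pop()  # drop the empty piece after the trailing CRLF
    codes, texts = [], []
    for line in lines:
        m = _LINE.match(line)
        if m is None:
            raise ValueError(f"malformed reply line: {line!r}")
        code, sep, text = m.groups()
        codes.append(code)
        texts.append(text)
        if sep != "-":
            return SmtpReply(codes, texts)  # final line reached
    raise ValueError("reply has no final line (last line still uses '-')")


def greeting_action(reply: SmtpReply) -> str:
    """Decide on a server greeting using only the first digit of the last line."""
    klass = reply.last_code[0]
    if klass == "2":
        return "proceed"  # go on to EHLO
    if klass in ("4", "5"):
        return "try-next-mx-or-defer"  # retry elsewhere/later, as described for Postfix
    raise ValueError(f"unexpected greeting class: {reply.last_code}")


# Constructed sample: a postscreen-style greeting whose lines disagree.
SAMPLE_GREETING = b"220-mx.example.test ESMTP\r\n521 5.7.1 Connection refused by policy\r\n"
```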