1 (edited by promexce 2023-05-29 13:52:45)

Topic: 503 STARTTLS command used when not advertised postfix

Hi,
Since March, I cannot send email to specific ISP, I receive error message
maillog

mail postfix/smtp[2057399]: 4QV43c1RGQz5Kjq: to=<XXXXXXXX@bigpond.com>, relay=extmail.bigpond.com[203.42.22.10]:25, delay=0.4, delays=0.02/0/0.37/0, dsn=5.0.0, status=bounced (host extmail.bigpond.com[203.42.22.10] said: 503 STARTTLS command used when not advertised (in reply to MAIL FROM command))

I can send to everyone else without issue

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version : 1.6.2 MARIADB edition
- Deployed with iRedMail the downloadable
- Linux/BSD distribution : Rocky Linux 9.1
- Store mail accounts in : MARIADB
- Web server :NGINX
- Manage mail accounts with iRedadmin
====



Command [root@mail certs]# postconf | grep _tls

lmtp_enforce_tls = no
lmtp_sasl_tls_security_options = $lmtp_sasl_security_options
lmtp_sasl_tls_verified_security_options = $lmtp_sasl_tls_security_options
lmtp_tls_CAfile =
lmtp_tls_CApath =
lmtp_tls_block_early_mail_reply = no
lmtp_tls_cert_file =
lmtp_tls_chain_files =
lmtp_tls_ciphers = medium
lmtp_tls_connection_reuse = no
lmtp_tls_dcert_file =
lmtp_tls_dkey_file = $lmtp_tls_dcert_file
lmtp_tls_eccert_file =
lmtp_tls_eckey_file = $lmtp_tls_eccert_file
lmtp_tls_enforce_peername = yes
lmtp_tls_exclude_ciphers =
lmtp_tls_fingerprint_cert_match =
lmtp_tls_fingerprint_digest = md5
lmtp_tls_force_insecure_host_tlsa_lookup = no
lmtp_tls_key_file = $lmtp_tls_cert_file
lmtp_tls_loglevel = 0
lmtp_tls_mandatory_ciphers = medium
lmtp_tls_mandatory_exclude_ciphers =
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3 !TLSv1, !TLSv1.1
lmtp_tls_note_starttls_offer = no
lmtp_tls_per_site =
lmtp_tls_policy_maps =
lmtp_tls_protocols = !SSLv2 !SSLv3 !TLSv1, !TLSv1.1
lmtp_tls_scert_verifydepth = 9
lmtp_tls_secure_cert_match = nexthop
lmtp_tls_security_level =
lmtp_tls_servername =
lmtp_tls_session_cache_database =
lmtp_tls_session_cache_timeout = 3600s
lmtp_tls_trust_anchor_file =
lmtp_tls_verify_cert_match = hostname
lmtp_tls_wrappermode = no
lmtp_use_tls = no
postscreen_enforce_tls = $smtpd_enforce_tls
postscreen_tls_security_level = $smtpd_tls_security_level
postscreen_use_tls = $smtpd_use_tls
smtp_enforce_tls = no
smtp_sasl_tls_security_options = $smtp_sasl_security_options
smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
smtp_tls_CAfile = $smtpd_tls_CAfile
smtp_tls_CApath = /etc/pki/tls/certs
smtp_tls_block_early_mail_reply = no
smtp_tls_cert_file =
smtp_tls_chain_files =
smtp_tls_ciphers = medium
smtp_tls_connection_reuse = no
smtp_tls_dane_insecure_mx_policy = ${{$smtp_tls_security_level} == {dane} ? {dane} : {may}}
smtp_tls_dcert_file =
smtp_tls_dkey_file = $smtp_tls_dcert_file
smtp_tls_eccert_file =
smtp_tls_eckey_file = $smtp_tls_eccert_file
smtp_tls_enforce_peername = yes
smtp_tls_exclude_ciphers =
smtp_tls_fingerprint_cert_match =
smtp_tls_fingerprint_digest = md5
smtp_tls_force_insecure_host_tlsa_lookup = no
smtp_tls_key_file = $smtp_tls_cert_file
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_exclude_ciphers =
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3 !TLSv1, !TLSv1.1
smtp_tls_note_starttls_offer = yes
smtp_tls_per_site =
smtp_tls_policy_maps =
smtp_tls_protocols = !SSLv2 !SSLv3 !TLSv1, !TLSv1.1
smtp_tls_scert_verifydepth = 9
smtp_tls_secure_cert_match = nexthop, dot-nexthop
smtp_tls_security_level = may
smtp_tls_servername =
smtp_tls_session_cache_database =
smtp_tls_session_cache_timeout = 3600s
smtp_tls_trust_anchor_file =
smtp_tls_verify_cert_match = hostname
smtp_tls_wrappermode = no
smtp_use_tls = no
smtpd_client_new_tls_session_rate_limit = 0
smtpd_enforce_tls = no
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_tls_CAfile = /etc/pki/tls/certs/iRedMail.crt
smtpd_tls_CApath = /etc/pki/tls/certs
smtpd_tls_always_issue_session_ids = yes
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = yes
smtpd_tls_ccert_verifydepth = 9
smtpd_tls_cert_file = /etc/pki/tls/certs/iRedMail.crt
smtpd_tls_chain_files =
smtpd_tls_ciphers = medium
smtpd_tls_dcert_file =
smtpd_tls_dh1024_param_file = /etc/pki/tls/dh2048_param.pem
smtpd_tls_dh512_param_file = /etc/pki/tls/dh512_param.pem
smtpd_tls_dkey_file = $smtpd_tls_dcert_file
smtpd_tls_eccert_file =
smtpd_tls_eckey_file = $smtpd_tls_eccert_file
smtpd_tls_eecdh_grade = auto
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtpd_tls_fingerprint_digest = md5
smtpd_tls_key_file = /etc/pki/tls/private/iRedMail.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_exclude_ciphers =
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3 !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_received_header = no
smtpd_tls_req_ccert = no
smtpd_tls_security_level = may
smtpd_tls_session_cache_database =
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_wrappermode = no
smtpd_use_tls = no
tlsproxy_client_CAfile = $smtp_tls_CAfile
tlsproxy_client_CApath = $smtp_tls_CApath
tlsproxy_client_cert_file = $smtp_tls_cert_file
tlsproxy_client_chain_files = $smtp_tls_chain_files
tlsproxy_client_dcert_file = $smtp_tls_dcert_file
tlsproxy_client_dkey_file = $smtp_tls_dkey_file
tlsproxy_client_eccert_file = $smtp_tls_eccert_file
tlsproxy_client_eckey_file = $smtp_tls_eckey_file
tlsproxy_client_enforce_tls = $smtp_enforce_tls
tlsproxy_client_fingerprint_digest = $smtp_tls_fingerprint_digest
tlsproxy_client_key_file = $smtp_tls_key_file
tlsproxy_client_level = $smtp_tls_security_level
tlsproxy_client_loglevel = $smtp_tls_loglevel
tlsproxy_client_loglevel_parameter = smtp_tls_loglevel
tlsproxy_client_per_site = $smtp_tls_per_site
tlsproxy_client_policy = $smtp_tls_policy_maps
tlsproxy_client_scert_verifydepth = $smtp_tls_scert_verifydepth
tlsproxy_client_use_tls = $smtp_use_tls
tlsproxy_enforce_tls = $smtpd_enforce_tls
tlsproxy_tls_CAfile = $smtpd_tls_CAfile
tlsproxy_tls_CApath = $smtpd_tls_CApath
tlsproxy_tls_always_issue_session_ids = $smtpd_tls_always_issue_session_ids
tlsproxy_tls_ask_ccert = $smtpd_tls_ask_ccert
tlsproxy_tls_ccert_verifydepth = $smtpd_tls_ccert_verifydepth
tlsproxy_tls_cert_file = $smtpd_tls_cert_file
tlsproxy_tls_chain_files = $smtpd_tls_chain_files
tlsproxy_tls_ciphers = $smtpd_tls_ciphers
tlsproxy_tls_dcert_file = $smtpd_tls_dcert_file
tlsproxy_tls_dh1024_param_file = $smtpd_tls_dh1024_param_file
tlsproxy_tls_dh512_param_file = $smtpd_tls_dh512_param_file
tlsproxy_tls_dkey_file = $smtpd_tls_dkey_file
tlsproxy_tls_eccert_file = $smtpd_tls_eccert_file
tlsproxy_tls_eckey_file = $smtpd_tls_eckey_file
tlsproxy_tls_eecdh_grade = $smtpd_tls_eecdh_grade
tlsproxy_tls_exclude_ciphers = $smtpd_tls_exclude_ciphers
tlsproxy_tls_fingerprint_digest = $smtpd_tls_fingerprint_digest
tlsproxy_tls_key_file = $smtpd_tls_key_file
tlsproxy_tls_loglevel = $smtpd_tls_loglevel
tlsproxy_tls_mandatory_ciphers = $smtpd_tls_mandatory_ciphers
tlsproxy_tls_mandatory_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers
tlsproxy_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
tlsproxy_tls_protocols = $smtpd_tls_protocols
tlsproxy_tls_req_ccert = $smtpd_tls_req_ccert
tlsproxy_tls_security_level = $smtpd_tls_security_level
tlsproxy_use_tls = $smtpd_use_tls

postconf -n

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
allow_percent_hack = no
biff = no
body_checks = pcre:/etc/postfix/body_checks.pcre
command_directory = /usr/sbin
compatibility_level = 2
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 3
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
enable_long_queue_ids = yes
enable_original_recipient = no
header_checks = pcre:/etc/postfix/header_checks
inet_interfaces = all
inet_protocols = ipv4
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3 !TLSv1, !TLSv1.1
lmtp_tls_protocols = !SSLv2 !SSLv3 !TLSv1, !TLSv1.1
mail_owner = postfix
mailq_path = /usr/bin/mailq
message_size_limit = 15728640
mlmmj_destination_recipient_limit = 1
mydestination = $myhostname, localhost, localhost.localdomain
mydomain = mail.fowlerscaff.com.au
myhostname = mail.fowlerscaff.com.au
mynetworks = 192.168.15.0/24 54.79.113.70 3.104.81.254 202.174.110.221
myorigin = mail.fowlerscaff.com.au
newaliases_path = /usr/bin/newaliases
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr
postscreen_blacklist_action = drop
postscreen_dnsbl_action = drop
postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply
postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]*3 b.barracudacentral.org=127.0.0.2*2
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_whitelist_threshold = -2
postscreen_greet_action = drop
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions $sender_dependent_relayhost_maps
queue_directory = /var/spool/postfix
recipient_bcc_maps = proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf
recipient_delimiter = +
relay_domains = $mydestination proxy:mysql:/etc/postfix/mysql/relay_domains.cf
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf
sender_dependent_relayhost_maps = proxy:mysql:/etc/postfix/mysql/sender_dependent_relayhost_maps.cf
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
show_user_unknown_table_name = no
smtp-amavis_destination_recipient_limit = 1
smtp_tls_CAfile = $smtpd_tls_CAfile
smtp_tls_CApath = /etc/pki/tls/certs
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3 !TLSv1, !TLSv1.1
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2 !SSLv3 !TLSv1, !TLSv1.1
smtp_tls_security_level = may
smtpd_command_filter = pcre:/etc/postfix/command_filter.pcre
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:7777
smtpd_recipient_restrictions = permit_mynetworks reject_non_fqdn_recipient reject_unlisted_recipient check_policy_service inet:127.0.0.1:7777 permit_sasl_authenticated reject_unauth_destination check_policy_service inet:127.0.0.1:12340
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
smtpd_sender_restrictions = permit_mynetworks reject_non_fqdn_sender reject_unlisted_sender permit_sasl_authenticated check_sender_access pcre:/etc/postfix/sender_access.pcre
smtpd_tls_CAfile = /etc/pki/tls/certs/iRedMail.crt
smtpd_tls_CApath = /etc/pki/tls/certs
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/iRedMail.crt
smtpd_tls_dh1024_param_file = /etc/pki/tls/dh2048_param.pem
smtpd_tls_dh512_param_file = /etc/pki/tls/dh512_param.pem
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtpd_tls_key_file = /etc/pki/tls/private/iRedMail.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3 !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_security_level = may
swap_bangpath = no
tls_random_source = dev:/dev/urandom
transport_maps = proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf proxy:mysql:/etc/postfix/mysql/transport_maps_maillist.cf proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf
unknown_local_recipient_reject_code = 550
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf proxy:mysql:/etc/postfix/mysql/catchall_maps.cf proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf
virtual_gid_maps = static:2000
virtual_mailbox_base = /media/data/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
virtual_minimum_uid = 2000
virtual_transport = dovecot
virtual_uid_maps = static:2000

Thank you for your help

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2

Re: 503 STARTTLS command used when not advertised postfix

Is there any security firewall or antispam gateway sitting between your server and internet?
Does it allow TLS for smtp?

FYI https://forums.zimbra.org/viewtopic.php … 24#p279658

3 (edited by promexce 2023-05-30 05:38:49)

Re: 503 STARTTLS command used when not advertised postfix

Thank you zhang,
And thank you for the link.
I have untangle firewall, and I checked the settings of antipsam, the option  "Allow and ignore TLS sessions" which was ticked. I disabled ant antispam and still the same issue.

 
May 29 13:25:49 mail postfix/smtp[2048302]: < extmail.bigpond.com[203.42.40.138]:25: 220 exhprdmxe22 - SMTP Ready
May 29 13:25:49 mail postfix/smtp[2048302]: > extmail.bigpond.com[203.42.40.138]:25: EHLO mail.fowlerscaff.com.au
May 29 13:25:49 mail postfix/smtp[2048302]: < extmail.bigpond.com[203.42.40.138]:25: 250-exhprdmxe22 Hello mail.mydomain.com.au [220.XXX.XXX.138]
May 29 13:25:49 mail postfix/smtp[2048302]: < extmail.bigpond.com[203.42.40.138]:25: 250-SIZE 31457280
May 29 13:25:49 mail postfix/smtp[2048302]: < extmail.bigpond.com[203.42.40.138]:25: 250-DSN
May 29 13:25:49 mail postfix/smtp[2048302]: < extmail.bigpond.com[203.42.40.138]:25: 250-HELP
May 29 13:25:49 mail postfix/smtp[2048302]: < extmail.bigpond.com[203.42.40.138]:25: 250 STARTTLS
May 29 13:25:49 mail postfix/smtp[2048302]: > extmail.bigpond.com[203.42.40.138]:25: STARTTLS
May 29 13:25:49 mail postfix/smtp[2048302]: < extmail.bigpond.com[203.42.40.138]:25: 501 Syntax error (no parameters allowed)
May 29 13:25:49 mail postfix/smtp[2048302]: > extmail.bigpond.com[203.42.40.138]:25: MAIL FROM:<sam@fowlerhire.com.au> SIZE=24299
May 29 13:25:49 mail postfix/smtp[2048302]: < extmail.bigpond.com[203.42.40.138]:25: 503 STARTTLS command used when not advertised
May 29 13:25:49 mail postfix/smtp[2048302]: send attr original_recipient = XXXXXX@bigpond.com
May 29 13:25:49 mail postfix/smtp[2048302]: send attr recipient = XXXXXXX@bigpond.com
May 29 13:25:49 mail postfix/smtp[2048302]: send attr dsn_orig_rcpt = rfc822;XXXXXXX@bigpond.com
May 29 13:25:49 mail postfix/smtp[2048302]: send attr mta_mname = extmail.bigpond.com
May 29 13:25:49 mail postfix/smtp[2048302]: send attr reason = host extmail.bigpond.c

4

Re: 503 STARTTLS command used when not advertised postfix

Thank you Zhang,
I removed the antispam from the untangle server. still rejected.
I disconnected the untangle firewall and the message went through.
The problem is with the firewall.
I need to find a new firewall OS.