Postfix error message - improper command pipelining after EHLO

[Shyciii]

Hello. When set email account from Thunderbird or other email client (any location), I get error message in the mail.log (and fail2ban banned the ip): improper command pipelining after EHLO, or improper command pipelining after CONNECT.
In the past, this problem did not exist, it worked fine. If the account has been configured, we can send and receive mail. What could be the problem?

From mail.log:
2024-04-18T08:41:49.785147+02:00 isp postfix/smtps/smtpd[431782]: improper command pipelining after EHLO from dslC3E4F615.fixip.t-online.hu: QUIT\r\n

[reinob]

Unfortunately Thunderbird misbehaves when autoconfiguring mail accounts (last I remember was YEARS ago, and it still does). You can however set-up the account manually.

[Shyciii]

Unfortunately Thunderbird misbehaves when autoconfiguring mail accounts (last I remember was YEARS ago, and it still does). You can however set-up the account manually.

Now, I try iphone's own email client, and the problem is same:

Code: Select all

2024-04-19T14:42:41.998721+02:00 mail postfix/submission/smtpd[548034]: improper command pipelining after CONNECT from unknown[x.x.x.x]: \026\003\001\000u\001\000\000q\003\003L\313\236\277t=Yf\327\0257\206,\317\265\273\202?G\032\215[\v\003\261hv\004\361\026K\177\000\000\032\300/\300+\300\021\300\a\300\023\300\t\300\024\300\n\000\005\000/\0005\300\022\000\n\001\000\000.\000\005\000\005\001\000\000\000\000\000\n\000\b\000\006\000\027\000\030\000\031\000\v\000

[reinob]

It could be that you postfix is expecting StartTLS (port 587) but you have configured (implicit) TLS, aka port 465.
You might want to double check that, or you could post here the output of "postconf -n" as well as of "postconf -Mf submission" and "postconf -Mf smtps".

[Shyciii]

Other information: We use ispconfig program.

So the postconf -Mf submission:

Code: Select all

submission inet  n       -       -       -       -       smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject

postconf -Mf smtps:

Code: Select all

smtps      inet  n       -       -       -       -       smtpd
    -o syslog_name=postfix/smtps
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject

postconf -n:

Code: Select all

address_verify_negative_refresh_time = 60s
address_verify_sender_ttl = 15686s
address_verify_transport_maps = static:smtp:[127.0.0.1]:10025
address_verify_virtual_transport = smtp:[127.0.0.1]:10025
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
append_dot_mydomain = no
authorized_flush_users =
authorized_mailq_users = nagios, icinga
biff = no
body_checks = regexp:/etc/postfix/body_checks
broken_sasl_auth_clients = yes
compatibility_level = 2
content_filter = lmtp:[127.0.0.1]:10024
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
enable_original_recipient = no
greylisting = check_policy_service inet:127.0.0.1:10023
header_checks = regexp:/etc/postfix/header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
message_size_limit = 26214400
mime_header_checks = regexp:/etc/postfix/mime_header_checks
mydestination = isp.hrpark.hu, localhost, localhost.localdomain
myhostname = isp.hrpark.hu
mynetworks = 127.0.0.0/8 [::1]/128
myorigin = /etc/mailname
nested_header_checks = regexp:/etc/postfix/nested_header_checks
owner_request_special = no
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $virtual_uid_maps $virtual_gid_maps $smtpd_client_restrictions $smtpd_sender_restrictions $smtpd_recipient_restrictions $smtp_sasl_password_maps $sender_dependent_relayhost_maps
readme_directory = /usr/share/doc/postfix
receive_override_options = no_address_mappings
recipient_delimiter = +
relay_domains = proxy:mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = proxy:mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
relayhost =
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
sender_dependent_relayhost_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender-relayhost.cf
smtp_dns_support_level = dnssec
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender-relayauth.cf, texthash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_tls_security_options = noanonymous
smtp_sender_dependent_authentication = yes
smtp_tls_exclude_ciphers = RC4, aNULL
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_message_rate_limit = 100
smtpd_client_restrictions = check_client_access proxy:mysql:/etc/postfix/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining, permit
smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit
smtpd_etrn_restrictions = permit_mynetworks, reject
smtpd_forbid_bare_newline = normalize
smtpd_forbid_bare_newline_exclusions = $mynetworks
smtpd_forbidden_commands = CONNECT,GET,POST,USER,PASS
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo, reject_unknown_helo_hostname, permit
smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unlisted_recipient, check_recipient_access proxy:mysql:/etc/postfix/mysql-verify_recipients.cf, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf, check_policy_service unix:private/quota-status
smtpd_reject_unlisted_sender = no
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_restriction_classes = greylisting
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/tag_as_originating.re, permit_mynetworks, check_sender_access proxy:mysql:/etc/postfix/mysql-virtual_sender.cf, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unlisted_sender, check_sender_access regexp:/etc/postfix/tag_as_foreign.re
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_exclude_ciphers = RC4, aNULL
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
smtputf8_enable = no
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
tls_preempt_cipherlist = yes
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
virtual_alias_domains = proxy:mysql:/etc/postfix/mysql-virtual_alias_domains.cf
virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_gid_maps = proxy:mysql:/etc/postfix/mysql-virtual_gids.cf
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = proxy:mysql:/etc/postfix/mysql-virtual_uids.cf

[reinob]

The first error you posted indicated that your client (Thunderbird) sends a QUIT directly after EHLO, without waiting for an answer (aka "improper pipelining"). This is (AFAIK, still) an issue of Thunderbird.

The second (iPhone client, no idea which) looks like implicit TLS is being used where explicit TLS should be used.

The postfix configuration looks OK.

You could do as I suggested in my first reply: try manual configuration in Thunderbird.

Or you could post which *client* configuration you were trying (w/ Thunderbird and/or iPhone). It could be that you selected "TLS" or "SSL" but gave port 587 (which should be "StartTLS").

(or there's some box between your client and your postfix server doing weird stuff. Unlikely, but it's been seen before).