Bug report: Unable to receive mail sent from well-known provider, SMTP session crash silently #741

Closed
@asyncnomi

Description

Hello,

(Note: example.com denotes my own domain name)

I experienced some issues regarding SMTP reception from other mail providers.
When using STARTTLS on port 25 as inbound, some providers will try multiple times without success to send email, repeating this sequence:

250-Hello mail-40134.protonmail.ch
maddy[100116]: smtp: 250-PIPELINING
maddy[100116]: smtp: 250-8BITMIME
maddy[100116]: smtp: 250-ENHANCEDSTATUSCODES
maddy[100116]: smtp: 250-CHUNKING
maddy[100116]: smtp: 250-STARTTLS
maddy[100116]: smtp: 250-SMTPUTF8
maddy[100116]: smtp: 250 SIZE 33554432
maddy[100116]: smtp: STARTTLS
maddy[100116]: smtp: 220 2.0.0 Ready to start TLS
maddy[100116]: smtp: QUIT
maddy[100116]: smtp: 221 2.0.0 Bye

But other providers like orange.fr can deliver mail without any issue; in that case the provider's server will EHLO again after the STARTTLS query:

maddy[100116]: smtp: STARTTLS
maddy[100116]: smtp: 220 2.0.0 Ready to start TLS
maddy[100116]: smtp: EHLO smtp.smtpout.orange.fr

(more detailed log files are available below)

When disabling STARTTLS on port 25 by enforcing tls off at the start of the smtp pipeline, the behaviour is even weirder:

  • orange.fr: Everything works fine (STARTTLS is not used, as expected)
  • protonmail.ch: Mails are still not delivered; sometimes (one in ten times) maddy gives the following reason for the unexpected quit: rDNS error {"reason":"operation was canceled","src_ip":"185.70.41.104:44443"}. However, manually checking rDNS for that IP, it is correct.
  • outlook.com: Mails are still not delivered, and again an rDNS error is returned (sometimes), but this time the reverse DNS indeed does not match!

(more detailed log files are available below)

I've done further testing with rDNS by manually connecting to the SMTP endpoint with openssl from another SMTP provider: if rDNS is missing, the error is correctly triggered; if rDNS is correctly set up, the error is not triggered, as expected.

It's not a firewall issue: the port is unfiltered (no stateful filtering either) and accepts inbound and outbound connections.

I can successfully connect to the SMTP endpoint using: openssl s_client -starttls smtp -connect <IPv4>:25, then re-EHLO from there and initiate a MAIL.

I think it is related to how TLS sessions are handled; with or without TLS v1.3 the issue happened (except for outlook, which gives another similar issue as described in Issue 730). After 12h of failing delivery protonmail.ch answers with:

<[email protected]>: TLS is required, but was not offered by host
    nodex.mx.example.com[<IPv4>]

It's very likely that I'm missing something, or that I'm misinterpreting the logs. In that case please let me know.

Log files

With STARTTLS enabled on port 25: https://hastebin.milkywan.fr/mugunetadi.apache
Without STARTTLS (tls off in smtp pipeline): https://hastebin.milkywan.fr/litobakupe.apache

Configuration file

https://hastebin.milkywan.fr/eguhuqagat.properties

Environment information

0.7.1 linux/amd64 go1.23.2

default config: /etc/maddy/maddy.conf
default state_dir: /var/lib/maddy
default runtime_dir: /run/maddy
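The two log sequences quoted in the report (QUIT right after "220 2.0.0 Ready to start TLS" versus a fresh EHLO) are the whole diagnostic signal, so an added example, not maddy's own code, that reduces maddy's `smtp:` debug lines to that signal and classifies each session; the sample session is constructed from the protonmail.ch lines above, and the `maddy[pid]: smtp:` prefix is assumed to be the journald form shown in the report:

```go
// Added example, not maddy's own code: what did the client do after maddy's 220 reply to STARTTLS?
package main

import "strings"
type Outcome string
const (
	NoStartTLS   Outcome = "no STARTTLS attempted"
	TLSContinued Outcome = "client re-EHLOed after 220: TLS layer came up"
	TLSAbandoned Outcome = "client QUIT right after 220 instead of re-EHLOing"
	Inconclusive Outcome = "STARTTLS issued, outcome not visible in log"
)

// ClassifySession reduces one session's log lines to their first token
// (command verb or reply code), skipping the "maddy[pid]: smtp: " prefix,
// and inspects the two tokens that follow the STARTTLS command.
func ClassifySession(lines []string) Outcome {
	var toks []string
	for _, l := range lines {
		if i := strings.Index(l, "smtp: "); i >= 0 {
			l = l[i+len("smtp: "):]
		}
		if f := strings.Fields(l); len(f) > 0 {
			toks = append(toks, strings.ToUpper(f[0]))
		}
	}
	for i, t := range toks {
		if t != "STARTTLS" {
			continue
		}
		if i+2 < len(toks) && toks[i+1] == "220" {
			switch toks[i+2] {
			case "EHLO", "HELO":
				return TLSContinued
			case "QUIT":
				return TLSAbandoned
			}
		}
		return Inconclusive
	}
	return NoStartTLS
}

// ProtonSession is constructed from the protonmail.ch sequence quoted above.
var ProtonSession = []string{
	"maddy[100116]: smtp: STARTTLS",
	"maddy[100116]: smtp: 220 2.0.0 Ready to start TLS",
	"maddy[100116]: smtp: QUIT",
}
```

Feed it one session at a time (split the journal on the "Hello"/EHLO banner) and count the TLSAbandoned results per sending host to see whether the failure is tied to one provider or to every STARTTLS client.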
