Remote mail server returns error "Must issue a STARTTLS command first" on connection by postfix' smtp client

This document (000020587) is provided subject to the disclaimer at the end of this document.


SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 15


Postfix has been configured correctly as a TLS capable  SMTP client, but the remote server rejects any connection with "Must issue a STARTTLS command first" after a HELO command. A communication log with debug_peer_level and debug_peer_list being set appropriately, reveals the following exchange:
clnthost postfix/smtp[815]: <[]:25: 220 *********************************
clnthost postfix/smtp[815]: name_mask: disable_esmtp
clnthost postfix/smtp[815]: name_mask: delay_dotcrlf
clnthost postfix/smtp[815]: A123456789B: enabling PIX workarounds: disable_esmtp delay_dotcrlf for[]:25
clnthost postfix/smtp[815]: >[]:25: HELO
clnthost postfix/smtp[815]: <[]:25: 530 #5.7.0 Must issue a STARTTLS command first



Disable the PIX workaround "disable_esmtp" with
postconf "smtp_pix_workarounds=delay_dotcrlf"



A TCP proxy or content filtering firewall intercepting SMTP traffic is in between the client system and the remote email server, replacing the SMTP greeting of the remote mail server with a series of asterisks. Postfix uses this string to enable a workaround for old PIX firewalls that did not (fully) implement ESMTP. Subsequently, postfix does not initiate the transaction with the EHLO command but falls back to HELO. This disables ESMTP extensions such as STARTTLS. The remote server will reject the session if it is configured to only accept TLS connections.


Top Issue

Additional Information

PIX workarounds can be set by destination with lookup tables specified with the smtp_pix_workaround_maps parameter. Please refer to postfix documentation such as the man page smtp(8) for details.

Note that the TCP proxy must pass ESMTP commands for STARTTLS to work at all in this scenario.


This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:000020587
  • Creation Date: 14-Feb-2022
  • Modified Date:10-Jan-2023
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

SUSE Customer Support Quick Reference Guide SUSE Technical Support Handbook Update Advisories
Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center