
Remote mail server returns error "Must issue a STARTTLS command first" on connection by postfix' smtp client

This document (000020587) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 15

Situation

Postfix has been configured correctly as a TLS-capable SMTP client, but the remote server rejects every connection with "Must issue a STARTTLS command first" after the HELO command. A communication log, with debug_peer_level and debug_peer_list set appropriately, reveals the following exchange:
clnthost postfix/smtp[815]: < relay.example.com[10.0.0.2]:25: 220 *********************************
clnthost postfix/smtp[815]: name_mask: disable_esmtp
clnthost postfix/smtp[815]: name_mask: delay_dotcrlf
clnthost postfix/smtp[815]: A123456789B: enabling PIX workarounds: disable_esmtp delay_dotcrlf for relay.example.com[10.0.0.2]:25
clnthost postfix/smtp[815]: > relay.example.com[10.0.0.2]:25: HELO clnthost.example.com
clnthost postfix/smtp[815]: < relay.example.com[10.0.0.2]:25: 530 #5.7.0 Must issue a STARTTLS command first
Resolution

Disable the PIX workaround "disable_esmtp" (keeping "delay_dotcrlf") with:
postconf "smtp_pix_workarounds=delay_dotcrlf"
Cause

A TCP proxy or content-filtering firewall that intercepts SMTP traffic sits between the client system and the remote mail server and replaces the SMTP greeting of the remote mail server with a series of asterisks. Postfix recognises this string as the signature of old PIX firewalls that did not (fully) implement ESMTP and enables its PIX workarounds. As a result, postfix does not initiate the transaction with EHLO but falls back to HELO, which disables ESMTP extensions such as STARTTLS. The remote server then rejects the session if it is configured to accept only TLS connections.
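As an added illustration (not part of this SUSE document), the following Python script runs the detection described here over a constructed log excerpt in the same shape as the debug exchange above: it flags peers whose 220 greeting was replaced by asterisks and for which Postfix enabled disable_esmtp and fell back to HELO, and it emits the per-destination smtp_pix_workaround_maps entries (indexed by the remote server's IP address, as postconf(5) specifies) as an alternative to the global postconf change. Hostnames and addresses are placeholders.

```python
import re

# Constructed sample in the shape of the debug exchange above (placeholder hosts and addresses);
# a second peer with a normal ESMTP banner shows that healthy sessions are not flagged.
SAMPLE_LOG = """\
clnthost postfix/smtp[815]: < relay.example.com[10.0.0.2]:25: 220 *********************************
clnthost postfix/smtp[815]: A123456789B: enabling PIX workarounds: disable_esmtp delay_dotcrlf for relay.example.com[10.0.0.2]:25
clnthost postfix/smtp[815]: > relay.example.com[10.0.0.2]:25: HELO clnthost.example.com
clnthost postfix/smtp[815]: < relay.example.com[10.0.0.2]:25: 530 #5.7.0 Must issue a STARTTLS command first
clnthost postfix/smtp[816]: < mx.other.example[10.0.0.3]:25: 220 mx.other.example ESMTP ready
clnthost postfix/smtp[816]: > mx.other.example[10.0.0.3]:25: EHLO clnthost.example.com
"""

PEER = r"(?P<peer>\S+\[(?P<ip>[^\]]+)\]:\d+)"
PATTERNS = {
    "masked_banner": re.compile(r"< " + PEER + r": 220 (?P<rest>.*)$"),
    "disable_esmtp": re.compile(r"enabling PIX workarounds: (?P<rest>.*?) for " + PEER + r"$"),
    "sent_helo": re.compile(r"> " + PEER + r": HELO "),
    "starttls_rejected": re.compile(r"< " + PEER + r": 530 .*STARTTLS"),
}

def find_pix_fallbacks(log_text):
    """Return {peer: flags} for peers where a masked greeting made Postfix drop ESMTP (HELO)."""
    sessions = {}
    for line in log_text.splitlines():
        for flag, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            s = sessions.setdefault(m["peer"], {"ip": m["ip"]})
            if flag == "masked_banner":
                banner = m["rest"].strip()
                s[flag] = bool(banner) and set(banner) == {"*"}   # greeting replaced by asterisks
            elif flag == "disable_esmtp":
                s[flag] = "disable_esmtp" in m["rest"].split()
            else:
                s[flag] = True
            break
    return {p: s for p, s in sessions.items()
            if s.get("masked_banner") and s.get("disable_esmtp") and s.get("sent_helo")}

def pix_workaround_map_entries(fallbacks):
    """Per-destination alternative to the global fix: smtp_pix_workaround_maps entries,
    indexed by the remote server's IP address as postconf(5) specifies."""
    return [f"{s['ip']} delay_dotcrlf" for s in fallbacks.values()]
```

Feed it the output of a postfix/smtp debug run (one session per process id) to confirm which destinations are behind the rewriting proxy before changing the global setting.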

Status

Top Issue

Additional Information

PIX workarounds can also be set per destination with lookup tables specified by the smtp_pix_workaround_maps parameter. Please refer to the postfix documentation, such as the man page smtp(8), for details.

Note that the TCP proxy must pass ESMTP commands for STARTTLS to work at all in this scenario.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000020587
  • Creation Date: 14-Feb-2022
  • Modified Date: 10-Jan-2023
    • SUSE Linux Enterprise Server
