I've began to see quite a few "[client] did not issue MAIL/EXPN/VRFY/ETRN during connection" messages at my mail log files, from origins such as Mailchimp and Microsoft hosted systems. Not certain what changed, since I can still receive emails from other as large as places such as Google and Cisco - although a few Cisco originated emails fails with the same message, though.
Any hints where can I begin troubleshooting this, since I don't have any visibility to the remote end, or does anyone sees anything blatantly wrong on my heavily customized cf?
include(`../m4/cf.m4')
VERSIONID(`2024-04-26 v1.13 for mx.domain.com: SASL - RSA certs - Hardened TLSv1.2+ PCIDSS/HIPAA/NIST - DANE- IPv6 - MTA+MSA+SMTPS - EnhDNSBL for Internet hosts - OpenARC - OpenDMARC+SPF - OpenDKIM - SpamAssassin - dovecot procmail - 4096bit FF DHParam - MTA-STS - SMTPUTF8 - More aggressive timeouts - SMTP smuggling fix')dnl
OSTYPE(`linux')dnl
define(`confLOG_LEVEL', `14')dnl
define(`confOPENSSL_CNF',`')dnl
define(`confSMTP_LOGIN_MSG',`$j $b')
define(`confDOMAIN_NAME', `domain.com')dnl
define(`confHELO_NAME', `mx.domain.com')dnl
define(`confCACERT_PATH', `/etc/ssl/certs')
define(`confCACERT', `/etc/mail/domain.com.chain.rsa.pem')
define(`confSERVER_CERT', `/etc/mail/domain.com.rsa.pem')
define(`confSERVER_KEY', `/etc/mail/domain.com.rsa.key')
define(`confCLIENT_CERT', `/etc/mail/domain.com.rsa.pem')
define(`confCLIENT_KEY', `/etc/mail/domain.com.rsa.key')
define(`confDH_PARAMETERS',`/etc/ssl/certs/ffdhe4096.pem')
dnl# Cert uses OCSP only
dnl# define(`confCRL', `/etc/ssl/certs/revoke.crl')
define(`confPRIVACY_FLAGS', `authwarnings,goaway,restrictqrun,restrictmailq')dnl
define(`SMART_HOST',`mx.domain.com')
define(`confTO_IDENT', `0')dnl
define(`confAUTH_OPTIONS', `A p y')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
define(`confDEF_AUTH_INFO', `/etc/mail/auth-info')dnl
define(`confBIND_OPTS', `WorkAroundBrokenAAAA')dnl
define(`confDANE', `always')dnl
define(`confTO_HELO', `1m')dnl
define(`confTO_MAIL', `30s')dnl
define(`confTO_RCPT', `30s')dnl
define(`confTO_DATAINIT', `45s')dnl
define(`confTO_DATABLOCK', `5m')dnl
define(`confTO_DATAFINAL', `1m')dnl
define(`confTO_AUTH', `30s')dnl
define(`confTO_STARTTLS', `1m')dnl
define(`confTO_COMMAND', `1m')dnl
define(`confMAX_RCPTS_PER_MESSAGE', `5')dnl
define(`confBAD_RCPT_THROTTLE', `5')dnl
define(`LOCAL_SRV_FEATURES',`F,o')dnl
define(`confTLS_FALLBACK_TO_CLEAR', `False')dnl
define(`confSERVER_SSL_OPTIONS',`+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE +SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION +SSL_OP_NO_COMPRESSION')
define(`confCLIENT_SSL_OPTIONS',`+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE +SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION +SSL_OP_NO_COMPRESSION +SSL_OP_NO_RENEGOTIATION')
define(`confCIPHER_LIST',`ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA')
DAEMON_OPTIONS(`Family=inet6, Name=MTA-v6, Port=smtp')dnl
DAEMON_OPTIONS(`Family=inet6, Name=MSA-v6, Port=submission, Modifiers=Ea')dnl
DAEMON_OPTIONS(`Family=inet6, Name=MTAS-v6, Port=smtps, Modifiers=Eas')dnl
EXPOSED_USER(`root')dnl
FEATURE(`no_default_msa')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`use_ct_file')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access')dnl
FEATURE(`relay_hosts_only')dnl
FEATURE(`sts',`socket -d5 -T<TMPF> inet:
8895@127.0.0.1')dnl
FEATURE(`tls_session_features')dnl
FEATURE(`masquerade_envelope')dnl
FEATURE(`masquerade_entire_domain')dnl
FEATURE(`local_procmail', `/usr/libexec/dovecot/dovecot-lda',`/usr/libexec/dovecot/dovecot-lda -d $u')
FEATURE(`always_add_domain')dnl
FEATURE(`redirect')dnl
FEATURE(`enhdnsbl', `zen.spamhaus.org', `"554 IP address listed in Spamhaus ZEN. See
https://www.spamhaus.org/query/ip/" $&{client_addr}', `127.0.0.2', `127.0.0.3', `127.0.0.4', `127.0.0.9', `127.0.0.10', `127.0.0.11')dnl
FEATURE(`authinfo',`hash -o /etc/mail/authinfo.db')dnl
INPUT_MAIL_FILTER(`opendkim', `S=inet:
8894@127.0.0.1,F=T,T=R:2m')
INPUT_MAIL_FILTER(`openarc', `S=inet:
8893@127.0.0.1,F=T,T=R:2m')
INPUT_MAIL_FILTER(`opendmarc',`S=inet:
8892@127.0.0.1,F=T,T=R:2m')
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl
define(`confMILTER_MACROS_CONNECT',`t, b, j, _, {daemon_name}, {if_name}, {if_addr}')dnl
define(`confMILTER_MACROS_HELO',`s, {verify}, {tls_version}, {cipher}, {cipher_bits}, {cert_subject}, {cert_issuer}')dnl
define(`confMILTER_MACROS_ENVFROM',`i, {auth_authen}, {auth_type}')dnl
define(`confMILTER_MACROS_ENVRCPT',`r, v, Z, b, _')dnl
LOCAL_DOMAIN(`mx.domain.com')dnl
MAILER(local)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
MODIFY_MAILER_FLAGS(`LOCAL', `-f')
MASQUERADE_AS(`domain.com')dnl
MASQUERADE_DOMAIN(`domain.com')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
LOCAL_CONFIG
O SmtpUTF8=True
Kcheck_client dns -R a -T T -q
# Exclude specific hosts of networks from DNSBL checks
HSubject: $>CheckRcptTo $: $>3 $1
HSubject: $* OK $>3
This is what I see when I start sendmail:
Apr 26 13:15:28 mxhost sm-mta[128462]: starting daemon (8.18.1): SMTP+
queueing@00:25:00
Apr 26 13:15:28 mxhost sm-mta[128462]: STARTTLS: CRLFile missing
Apr 26 13:15:28 mxhost sm-mta[128462]: STARTTLS=server, Diffie-Hellman init, key=4096 bit (/)
Apr 26 13:15:28 mxhost sm-mta[128462]: STARTTLS=server, init=1
Apr 26 13:15:28 mxhost sm-mta[128462]: started as: /usr/sbin/sendmail -L sm-mta -bd -q25m
Apr 26 13:15:28 mxhost sm-msp-queue[128465]: starting daemon (8.18.1):
queueing@00:25:00
Here's a section of the logs with the debug lvl 14 enabled for a server that failed:
Apr 26 13:16:01 mxhost sm-mta[126129]: NOQUEUE: connect from mx0a-0017d901.pphosted.com [208.84.65.218]
Apr 26 13:16:01 mxhost sm-mta[126129]: AUTH warning: no mechanisms
Apr 26 13:16:01 mxhost sm-mta[126129]: 43QHG1xY126129: Milter (opendkim): init success to negotiate
Apr 26 13:16:01 mxhost sm-mta[126129]: 43QHG1xY126129: Milter (openarc): init success to negotiate
Apr 26 13:16:01 mxhost sm-mta[126129]: 43QHG1xY126129: Milter (opendmarc): init success to negotiate
Apr 26 13:16:01 mxhost sm-mta[126129]: 43QHG1xY126129: Milter (spamassassin): init success to negotiate
Apr 26 13:16:01 mxhost sm-mta[126129]: 43QHG1xY126129: Milter: connect to filters
Apr 26 13:16:01 mxhost sm-mta[126129]: 43QHG1xY126129: milter=opendkim, action=connect, continue
Apr 26 13:16:01 mxhost sm-mta[126129]: 43QHG1xY126129: milter=openarc, action=connect, continue
Apr 26 13:16:01 mxhost sm-mta[126129]: 43QHG1xY126129: milter=opendmarc, action=connect, continue
Apr 26 13:16:01 mxhost sm-mta[126129]: 43QHG1xY126129: milter=spamassassin, action=connect, continue
Apr 26 13:17:01 mxhost sm-mta[126129]: 43QHG1xY126129: timeout waiting for input from mx0a-0017d901.pphosted.com during server cmd read
Apr 26 13:17:01 mxhost sm-mta[126129]: 43QHG1xY126129: mx0a-0017d901.pphosted.com [208.84.65.218] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v6
And another section for a server that delivered:
Apr 26 13:17:24 mxhost sm-mta[127026]: NOQUEUE: connect from mail.domain2.com [x.x.x.x]
Apr 26 13:17:24 mxhost sm-mta[127026]: AUTH warning: no mechanisms
Apr 26 13:17:24 mxhost sm-mta[127026]: 43QHKOr3127026: Milter (opendkim): init success to negotiate
Apr 26 13:17:24 mxhost sm-mta[127026]: 43QHKOr3127026: Milter (openarc): init success to negotiate
Apr 26 13:17:24 mxhost sm-mta[127026]: 43QHKOr3127026: Milter (opendmarc): init success to negotiate
Apr 26 13:17:24 mxhost sm-mta[127026]: 43QHKOr3127026: Milter (spamassassin): init success to negotiate
Apr 26 13:17:24 mxhost sm-mta[127026]: 43QHKOr3127026: Milter: connect to filters
Apr 26 13:17:24 mxhost sm-mta[127026]: 43QHKOr3127026: milter=opendkim, action=connect, continue
Apr 26 13:17:24 mxhost sm-mta[127026]: 43QHKOr3127026: milter=openarc, action=connect, accepted
Apr 26 13:17:24 mxhost sm-mta[127026]: 43QHKOr3127026: milter=opendmarc, action=connect, accepted
Apr 26 13:17:24 mxhost sm-mta[127026]: 43QHKOr3127026: milter=spamassassin, action=connect, accepted
Apr 26 13:17:24 mxhost sm-mta[127026]: tls_srv_features="", relay=mail.domain2.com [x.x.x.x]
Apr 26 13:17:24 mxhost sm-mta[127026]: STARTTLS=server, relay=mail.domain2.com [x.x.x.x], version=TLSv1.3, verify=NO, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Apr 26 13:17:24 mxhost sm-mta[127026]: STARTTLS=server, cert-subject=, cert-issuer=, verifymsg=ok
Apr 26 13:17:24 mxhost sm-mta[127026]: AUTH: available mech=LOGIN PLAIN, allowed mech=LOGIN PLAIN
Apr 26 13:17:24 mxhost sm-mta[127026]: 43QHKOr4127026: milter=opendkim, action=mail, continue
Apr 26 13:17:24 mxhost sm-mta[127026]: 43QHKOr4127026: milter=opendkim, action=rcpt, continue
Apr 26 13:17:24 mxhost sm-mta[127026]: 43QHKOr4127026: from=<
destination@domain.com>, size=334, class=0, nrcpts=1, msgid=<
bb87fef9-1919-4509-89c5-202782208823@domain.com>, proto=ESMTPS, daemon=MTA-v6, relay=mail.domain2.com [x.x.x.x]
Apr 26 13:17:24 mxhost sm-mta[127026]: 43QHKOr4127026: milter=opendkim, action=header, continue
Apr 26 13:17:24 mxhost last message buffered 4 times
Apr 26 13:17:24 mxhost sm-mta[127026]: 43QHKOr4127026: milter=opendkim, action=eoh, accepted
Apr 26 13:17:24 mxhost sm-mta[127026]: 43QHKOr4127026: Milter accept: message
Apr 26 13:17:24 mxhost dovecot: lda(destination)<127032><izUNH1jiK2Y48AEAsEWjtw>: msgid=<
bb87fef9-1919-4509-89c5-202782208823@domain.com>: saved mail to INBOX
Apr 26 13:17:24 mxhost sm-mta[127031]: 43QHKOr4127026: to=<
destination@domain.com>, ctladdr=<
destination@domain.com> (uid/gid), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30607, dsn=2.0.0, stat=Sent
Apr 26 13:17:24 mxhost sm-mta[127031]: 43QHKOr4127026: done; delay=00:00:00, ntries=1
[client] did not issue MAIL/EXPN/VRFY/ETRN during connection
Re: [client] did not issue MAIL/EXPN/VRFY/ETRN during connection