3

I am trying to configure a Sophos Appliance (SEA) to handle anti-spam. Part of this service is recipient validation, which interrogates the downstream MTA, in our case Exchange 2010, for a valid recipient.

It looks like there is an issue with this, pertaining to Exchange 2010 not handling pipelined SMTP commands correctly.

The SMTP conversation goes as follows:

```
Escape character is '^]'.
220 <my domain> Microsoft ESMTP MAIL Service ready at Sun, 16 Nov 2014 14:07:15 +1100
EHLO <valid domain>
250-<my downstream server Hello [<an ip>]
250-SIZE
**250-PIPELINING**
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250 XSHADOW
```

Then, to verify the recipient, the SEA sends the following in a single packet (verified by a packet trace):

```
MAIL FROM:<a temp but valid email> SIZE=278
RCPT TO:<validrecipient> ORCPT=rfc822;validrecipient
RSET
QUIT
```

However, the Exchange server seems to ignore the first 3 commands and only responds to the QUIT:

```
221 2.0.0 Service closing transmission channel
```

Now, in the interim I can turn off the intermediate recipient validation, but the more pressing question is why Exchange isn't supporting pipelining correctly. One thought is that RFC2920, section 4, suggests that no parameters can be added to the MAIL FROM command for pipelining to work properly.

I wonder if this is it? I will test that manually, but other suggestions would be nice.

Thanks

danielgo
  • I tried removing the SIZE from the MAIL FROM command and same error, so it's not that. – danielgo Nov 16 '14 at 03:35
  • What do you expect to happen? – sebix Nov 16 '14 at 08:49
  • I expect pipelining to work as per RFC2920 - the responses to mail from, rcpt to and rset should be returned before, and as well as, the quit message.... – danielgo Nov 16 '14 at 11:29
  • What happens if you don't issue the rset command? Is the behavior still the same? – Mike B Nov 17 '14 at 06:22
  • Not sure, can't test now, it's live and in prod - however regardless, that won't solve this particular problem, as there is no way to control what the SEA will send. – danielgo Nov 18 '14 at 07:00

2 Answers

1

I simply disabled pipelining on the receive connector to work around this with satisfactory results. Unless I hear otherwise, I will assume it's a bug in Microsoft's pipelining implementation/ESMTP implementation in Exchange 2010.

danielgo
1

This happens to me too; disabling pipelining worked for me.

```powershell
Set-ReceiveConnector "Connector Name" -PipeliningEnabled $false
```

For me, the sender was pipelining Mail From, Rcpt To, then Data. Exchange 2010 would reply to Mail From, Rcpt To, but not data and the sender would get a "Timed Out" bounce back.

kasperd
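An added example, not part of the original posts and not Sophos or Microsoft code: a small Python check that pairs a pipelined batch with the bytes the server returned (RFC 2920 expects one reply per command, in the order sent) and reports the recipient as indeterminate when replies are missing, as in the trace in the question. The addresses, the conforming and rejecting reply texts, and all function names are constructed for illustration.

```python
import re

# "250 text" ends a reply; "250-text" is a continuation line of the same reply.
FINAL_LINE = re.compile(rb"^(\d{3})( .*)?$")

def split_replies(raw):
    """Split the server's byte stream into complete replies: [(code, text), ...]."""
    replies, text = [], []
    for line in raw.split(b"\r\n"):
        if not line:
            continue
        text.append(line[4:].decode("ascii", "replace"))
        m = FINAL_LINE.match(line)
        if m:
            replies.append((int(m.group(1)), " ".join(text)))
            text = []
    return replies

def audit_batch(commands, raw):
    """Pair a pipelined batch with its replies; never guess when replies are missing."""
    replies = split_replies(raw)
    verbs = [c.split(None, 1)[0].upper() for c in commands]
    result = {"sent": len(commands), "received": len(replies), "rcpt": "indeterminate"}
    if len(replies) == len(commands):
        mail = replies[verbs.index("MAIL")][0]
        rcpt = replies[verbs.index("RCPT")][0]
        if 200 <= mail < 300:  # the RCPT reply only means something after MAIL succeeded
            result["rcpt"] = ("valid" if 200 <= rcpt < 300
                              else "invalid" if rcpt >= 500 else "tempfail")
    return result

# Batch shaped like the one in the question (addresses are constructed).
BATCH = ["MAIL FROM:<probe@example.org> SIZE=278",
         "RCPT TO:<user@example.com> ORCPT=rfc822;user@example.com",
         "RSET", "QUIT"]
# The single reply reported in the question.
OBSERVED = b"221 2.0.0 Service closing transmission channel\r\n"
# Constructed replies from a server that answers every pipelined command.
CONFORMING = (b"250 2.1.0 Sender OK\r\n250 2.1.5 Recipient OK\r\n"
              b"250 2.0.0 Resetting\r\n221 2.0.0 Service closing transmission channel\r\n")
REJECTED = CONFORMING.replace(b"250 2.1.5 Recipient OK", b"550 5.1.1 User unknown")

if __name__ == "__main__":
    for name, raw in (("observed", OBSERVED), ("conforming", CONFORMING), ("rejected", REJECTED)):
        print(name, audit_batch(BATCH, raw))
```

Treating the observed case as indeterminate keeps a validating gateway from reading the early 221 as the answer to MAIL FROM and rejecting or accepting the recipient on that basis.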