January 27, 2011
A few days ago we released a patch for our BitDefender for Mail Servers products, more precisely for the BitDefender SMTP Proxy agent. So, if you’re using CommuniGate Pro, Courier, Postfix, qmail or Sendmail with the standard BitDefender integration methods, this patch is not for you; everybody else using the BitDefender SMTP Proxy configured in front of the MTA, please read on.
It’s always polite to start with the introductions, so please allow me to present you with the patch:
# ./bdsafe patch list
[ ... ]
Patch number: 5
Patch impact: ALL
Patch release date: Mon Jan 24 03:13:37 2011
State: not installed
Summary: Filter out TLS support from the list of supported SMTP features
Description: This patch fixes an issue which caused bdsmtpd to drop e-mails becase it told the peer it can do TLS while, in reality, it couldn't.
What’s the story behind that? Well, it all starts with the “STARTTLS” ESMTP verb, used to upgrade the standard plain-text SMTP channel on port 25 to an encrypted one. The BitDefender SMTP Proxy needs mails to arrive in plain text so it can scan them for viruses, spam and all the other ugly things lurking around. If a remote server said “STARTTLS”, BitDefender would reply with “502 Not implemented”, forcing the peer to send the mail unencrypted and thus making scanning possible. Some mail servers refuse to continue the SMTP conversation after getting such a response, and that is what this patch fixes. It does so by removing “STARTTLS” from the supported features advertised in the “EHLO” reply. “EHLO” is the polite way to start an ESMTP conversation: the peer initiating it says “EHLO” and the other side replies with the ESMTP verbs and features it supports. After installing this patch the BitDefender SMTP Proxy will omit “STARTTLS” from the “EHLO” reply, so the remote server won’t try to use it and run away when rejected.
Enough with the stories, let’s get to work! There are two ways you can install the patch:
- Using “bdsafe”
# ./bdsafe patch install 5
- Using “Remote Admin”
Maintenance -> Patches -> Install on Patch #5
If the install process gets stuck at “Please wait ….” for more than two minutes you will need to open up a console, run the following commands, and try the install again:
# killall -9 bdradmind
# ./bdradmin start
This patch is not of critical importance, but we recommend installing it in order to avoid undesired conflicts with other mail servers.