Postfix SMTP-TLS Renegotiation Error: Solving 554 5.5.1 “No Valid Recipients” After RCPT TO

When debugging SMTP-over-TLS issues in Postfix, one particularly frustrating scenario occurs when the server initiates renegotiation during RCPT TO, followed by a 554 5.5.1 Error: no valid recipients. Here's what we observed:

AUTH PLAIN (base64_credentials)
235 2.7.0 Authentication successful
MAIL FROM: lol@lol.com
250 2.1.0 Ok
RCPT TO: lol@lol.com
RENEGOTIATING
[...SSL certificate details...]
DATA
554 5.5.1 Error: no valid recipients

The key observation here is that non-TLS connections on port 25 work perfectly, while TLS-enabled connections fail during recipient verification. This points to either:

  • Certificate chain validation issues
  • Postfix TLS policy misconfiguration
  • SMTP client behavior differences

The session shows a self-signed certificate warning:

verify error:num=18:self signed certificate
verify return:1

While this alone shouldn't cause recipient rejection, combined with these Postfix settings it might:

# /etc/postfix/main.cf
smtpd_tls_security_level = may
smtpd_tls_received_header = yes
smtpd_tls_auth_only = yes

Postfix can get confused when:

  1. Client starts TLS but doesn't properly maintain the session state
  2. Server demands renegotiation mid-command
  3. Certificate validation occurs after the RCPT TO command

Add these to your main.cf:

smtpd_tls_auth_only = no
smtpd_tls_ask_ccert = yes
smtpd_tls_req_ccert = no
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

If you must keep self-signed certs, prevent renegotiation:

smtpd_tls_renegotiation_limit = 0

Verify your configuration works with:

openssl s_client -starttls smtp -connect yourserver.com:587 -crlf

Then issue SMTP commands manually to reproduce the issue. Note that s_client itself treats an input line beginning with an uppercase R as a request to renegotiate and does not send that line to the server unless -ign_eof is given, so type the commands in lowercase (or add -ign_eof) to be sure the RCPT TO line actually reaches Postfix.
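The same session driven from Python's smtplib instead of s_client, so every reply code is captured per command and nothing is intercepted by the client. This is an added example, not code from the original article; the host, account and credentials are placeholders you must replace.

```python
"""Reproduce the SMTP-over-STARTTLS session step by step with smtplib
and record each server reply, instead of typing into openssl s_client."""
import smtplib
import ssl

# Constructed placeholder values; replace with your own server and account.
HOST = "yourserver.example"   # placeholder hostname
PORT = 587
USER = "user@example.com"     # placeholder SASL user
PASSWORD = "secret"           # placeholder password
SENDER = "lol@lol.com"        # envelope sender from the transcript above
RECIPIENT = "lol@lol.com"     # envelope recipient from the transcript above


def probe(host, port, user, password, sender, recipient, verify_cert=True):
    """Walk through EHLO, STARTTLS, AUTH, MAIL FROM and RCPT TO and return
    a list of (step, code, message) tuples. A self-signed server certificate
    (the verify error:num=18 case) is tolerated only if verify_cert=False."""
    ctx = ssl.create_default_context()
    if not verify_cert:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    steps = []
    with smtplib.SMTP(host, port, timeout=15) as s:
        code, msg = s.ehlo()
        steps.append(("EHLO", code, msg.decode(errors="replace")))
        code, msg = s.starttls(context=ctx)
        steps.append(("STARTTLS", code, msg.decode(errors="replace")))
        code, msg = s.login(user, password)      # raises on auth failure
        steps.append(("AUTH", code, msg.decode(errors="replace")))
        code, msg = s.mail(sender)
        steps.append(("MAIL FROM", code, msg.decode(errors="replace")))
        code, msg = s.rcpt(recipient)
        steps.append(("RCPT TO", code, msg.decode(errors="replace")))
        s.rset()                                  # do not actually send mail
    return steps


def first_failure(steps):
    """Return the first step whose reply code is not 2xx/3xx, or None if
    the whole envelope was accepted (i.e. RCPT TO got its 250)."""
    for name, code, _ in steps:
        if not 200 <= code < 400:
            return name
    return None


if __name__ == "__main__":
    results = probe(HOST, PORT, USER, PASSWORD, SENDER, RECIPIENT, verify_cert=False)
    for name, code, msg in results:
        print(f"{name:10} {code} {msg}")
    print("first failing step:", first_failure(results))
```

If RCPT TO returns 250 here but the s_client session still shows RENEGOTIATING followed by 554 at DATA, the problem is in how the command was typed into s_client rather than in Postfix's TLS policy.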

When configuring Postfix with ISPConfig3 on Debian, you might encounter this peculiar sequence during SMTP-TLS communication:

RCPT TO: lol@lol.com
RENEGOTIATING
[...SSL certificate verification...]
DATA
554 5.5.1 Error: no valid recipients

The key observations point to two interrelated issues:

  • SSL certificate renegotiation during RCPT TO command
  • Self-signed certificate triggering verification warnings

First, check your Postfix TLS parameters in main.cf:

smtpd_tls_security_level = may
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_cert_file = /path/to/cert.pem
smtpd_tls_key_file = /path/to/key.pem

Postfix might be forcing TLS renegotiation after authentication. Try adding:

smtpd_tls_auth_only = no
smtpd_tls_ask_ccert = no

For ISPConfig3 installations, additional steps are needed:

# In /etc/postfix/master.cf
smtps     inet  n       -       y       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes

Use this OpenSSL command to test TLS connectivity. Port 465 is implicit-TLS wrapper mode (smtpd_tls_wrappermode=yes in the master.cf entry above), so do not pass -starttls smtp here; that option is only for STARTTLS ports such as 587:

openssl s_client -connect your.server.com:465 -debug

Then manually enter SMTP commands to replicate the issue.

While self-signed certificates work, consider these alternatives:

  • Let's Encrypt certificates (free and trusted)
  • Proper certificate chain configuration
  • Setting smtpd_tls_CAfile in Postfix

After changes, always run:

postfix check
service postfix reload