Discussion:
Unable to get TLS working with Outlook
techlist06
2016-07-23 21:31:48 UTC
I'm building a new server to replace an old one in production. I've never
had trouble in the past, but it's been a while and it is not going smoothly
this time. I've spent a week trying and not getting it going. I gave up
getting Cyrus-sasl to work, moved to Dovecot. Got farther but stuck now.
Eyes crossed. :)

This is on Centos 7, Postfix 2.10.1 from stock rpm, Dovecot 2.2.10.

I have my self signed certificates made and entered in main.cf and
/etc/dovecot/conf.d/10-ssl.conf. I am no certificate guru, I think I have
them right.

I've checked everything best I can figure out how:

-----
test tunneled TLS connections to port 465
openssl s_client -connect tn2.myserver.com:465
Appears to work
-----
From remote server
test STARTTLS connections on port 25 or 587 with:
openssl s_client -connect tn2.myserver.com:587 -starttls smtp
appears to work, shows a bunch of info and the certificate text. Nothing
that looks like errors except a line that says:
verify error:num=18:self signed certificate
verify return:1
-----
From remote server
Tested my cacert.pem certificate with
openssl x509 -in cacert.pem -inform pem -noout -text
It did not ask for a PW, displayed contents, so I think that's good (happy
to post output if it helps)
-----
checked if the cert and key match
(openssl x509 -noout -modulus -in /etc/certs/tn2.myserver.com.crt | openssl md5; openssl rsa -noout -modulus -in /etc/certs/tn2.myserver.com.key | openssl md5) | uniq
I only get one match so I think that's good.
----
Telnet to the server and STARTTLS seems happy:
220 tn2.myserver.com ESMTP Postfix
ehlo sample.com
250-tn2.myserver.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
STARTTLS
220 2.0.0 Ready to start TLS

---------------

My postfix config is:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
home_mailbox = Maildir/
html_directory = no
inet_interfaces = $myhostname, localhost
inet_protocols = ipv4
local_recipient_maps = hash:/etc/postfix/local_recipient
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = tn2.myserver.com
myhostname = tn2.myserver.com
mynetworks = localhost, $mydomain, xx.xx.xx.xx/32
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
relay_domains = mlec.com
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_helo_required = yes
smtpd_recipient_limit = 2500
smtpd_recipient_restrictions = reject_invalid_hostname,
reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient,
reject_unknown_sender_domain, reject_unknown_recipient_domain,
permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination,
check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
check_helo_access hash:/etc/postfix/helo_checks, check_sender_access
hash:/etc/postfix/sender_checks, check_client_access
hash:/etc/postfix/client_checks, check_client_access
pcre:/etc/postfix/client_checks.pcre, check_recipient_access
hash:/etc/postfix/access, reject_rbl_client zen.spamhaus.org
reject_rbl_client psbl.surriel.com, reject_rbl_client bl.spamcop.net,
check_policy_service unix:postgrey/socket, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
smtpd_tls_cert_file = /etc/postfix/certs/tn2.myserver.com.crt
smtpd_tls_key_file = /etc/postfix/certs/tn2.myserver.com.key
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550

------------------

MS Outlook is happy using port 587 (SASL only, I think). I can deliver a test
message. POP also works and it will retrieve same.

But with Outlook set to use port 465 it will not work. Times out.

----------------

The maillog for the timed out test shows below. It gets to that last line
and just hangs.

Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: connection established
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: master_notify: status 0
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: name_mask: resource
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: name_mask: software
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: connect from
yy-yy-yy-yy.lightspeed.nsvltn.sbcglobal.net[yy-yy-yy-yy]
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: match_list_match:
yy-yy-yy-yy.lightspeed.nsvltn.sbcglobal.net: no match
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: match_list_match:
yy-yy-yy-yy: no match
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: match_list_match:
yy-yy-yy-yy.lightspeed.nsvltn.sbcglobal.net: no match
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: match_list_match:
yy-yy-yy-yy: no match
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: smtp_stream_setup:
maxtime=300 enable_deadline=0
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: setting up TLS connection
from yy-yy-yy-yy.lightspeed.nsvltn.sbcglobal.net[yy-yy-yy-yy]
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]:
yy-yy-yy-yy.lightspeed.nsvltn.sbcglobal.net[yy-yy-yy-yy]: TLS cipher list
"aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: auto_clnt_open: connected to
private/tlsmgr
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: send attr request = seed
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: send attr size = 32
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: private/tlsmgr: wanted
attribute: status
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: input attribute name: status
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: input attribute value: 0
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: private/tlsmgr: wanted
attribute: seed
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: input attribute name: seed
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: input attribute value:
vyQmNnun9ko49YWyusMMmpdLoWMD3oF6j6MJwcWHXrs=
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: private/tlsmgr: wanted
attribute: (list terminator)
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: input attribute name: (end)
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: SSL_accept:before/accept
initialization


Can someone see what I'm doing wrong? How to fix it? Hoping it's a config
error.

Please let me know if I've missed some piece of information. I'm a novice,
I'll be grateful if you temper your replies so I can take advantage of them.

Thanks very much
Bill Cole
2016-07-23 23:29:37 UTC
Post by techlist06
-----
test tunneled TLS connections to port 465
openssl s_client -connect tn2.myserver.com:465
Appears to work
-----
From remote server
openssl s_client -connect tn2.myserver.com:587 -starttls smtp
appears to work, shows a bunch of info and the certificate text.
Nothing
verify error:num=18:self signed certificate
verify return:1
-----
You can confirm or refute on your "appears to work" conclusions 2 ways:

1. Look in your server logs for lines with content like this:

postfix/smtpd[123]: Anonymous TLS connection established from
host.example.com[192.0.2.1]: TLSv1 with cipher DHE-RSA-AES256-SHA
(256/256 bits)

2. When using openssl s_client, you should be left connected in an SMTP
session so you can issue an EHLO command and should get a reasonable
reply. If not, there's something wrong.
Post by techlist06
------------------
MS Outlook is happy using port 587 (SASL only I think)
Your logs should tell you whether that session is doing TLS or not. It
is a misconfiguration to allow submission on port 587 without TLS. You
didn't include your settings for port 87 (the 'submission' service in
master.cf) but if STARTTLS via openssl s_client is working and Outlook
can submit mail, it is likely that Outlook used STARTTLS.
Post by techlist06
I can deliver a test
message. POP also works and it will retrieve same.
POP and IMAP are irrelevant here, since they are not part of Postfix,
but it's good to know that you don't seem to have any issues with
Dovecot complicating things and obscuring your Postfix issues...
Post by techlist06
But with Outlook set to use port 465 it will not work. Times out.
Serious question: why do you care? Port 465 SSL-wrapped SMTP was never
made a standard and correctly never will be. No software that I'm aware
of can use that botch and cannot use STARTTLS except for a few clients
so outdated as to be inherently unsafe (e.g. antique versions of
Outlook.) Make sure Outlook is using STARTTLS on port 587 and be happy
with that: it's a service defined by an RFC which is supported by any
client software that isn't a danger to its users. Since port 465 service
owes its zombie existence to an early draft for SSLv3 that was never
made into any sort of standard, it is formally improper to offer ANY TLS
version over it, while all versions of SSL should be treated as broken
and obsolete. Do you see the problem?

Assuming you have a concrete need (e.g. The Boss uses Outlook Express on
Windows ME and won't upgrade,) if s_client is working to port 465 and
Outlook is not, you have an Outlook problem. Talk to your vendor about
that. Since you've not included your master.cf configuration for the
smtps (port 465) service, there's no hope of diagnosis here at present.
Post by techlist06
The maillog for the timed out test shows below. It gets to that last
line
and just hangs.
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: connection established
[...]
Post by techlist06
SSL_accept:before/accept
initialization
1. Back off smtpd_tls_loglevel to 1. All of the above happened within a
second and provides no useful clues.

2. Without knowing the config of the smtps service (i.e. the relevant
lines from master.cf) it is impossible to do anything more than make
wild guesses. I'm going to make the wild guess that you didn't uncomment
all of the essential continuation lines after the first one for smtps:
the indented ones starting with '-o'.
Post by techlist06
Can someone see what I'm doing wrong? How to fix it? Hoping it's a
config
error.
Very likely, but we'd need the whole relevant config to know.
Post by techlist06
220 tn2.myserver.com ESMTP Postfix
ehlo sample.com
250-tn2.myserver.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
You didn't say which port that was, so it isn't clear which service
config applies, but on a modern system there is rarely any good reason
to have an EHLO response in any circumstance that includes both AUTH and
STARTTLS. Modern best practice is to use STARTTLS and authenticate
inside the encrypted tunnel with plaintext mechanisms that do not
require the server to store passwords in recoverable forms. The above
response indicates that you are offering plaintext mechanisms over an
unencrypted connection, which is an invitation to cracked accounts and a
world of hurt. On most mail systems, port 25 should offer STARTTLS and
no AUTH even after TLS is established, with port 587 being the only
place you accept authenticated message submission and then only after
STARTTLS.

There's a chance that the above is in fact not dangerous because Dovecot
will refuse to allow authentication due to its disable_plaintext_auth
setting but I don't recall whether it can 'see' whether there's TLS or
not when servicing Postfix smtpd, and my guess would be not...

In any case, a safer config if for some reason you do want to allow
authentication over port 25 would use these settings:

smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous

One reason you might want this is if you're providing relay services for
a 3rd party and want to apply the restrictions applied to inbound mail
to their transiting mail rather than the different and maybe less strict
ones applied to initial submissions by your direct users.
techlist06
2016-07-24 02:30:59 UTC
Post by techlist06
Post by techlist06
test tunneled TLS connections to port 465
openssl s_client -connect tn2.myserver.com:465 Appears to work
-----
From remote server
openssl s_client -connect tn2.myserver.com:587 -starttls smtp
appears
Post by techlist06
to work, shows a bunch of info and the certificate text.
Nothing
verify error:num=18:self signed certificate
verify return:1
-----
postfix/smtpd[123]: Anonymous TLS connection established from
host.example.com[192.0.2.1]: TLSv1 with cipher DHE-RSA-AES256-SHA
2. When using openssl s_client, you should be left connected in an SMTP
session so you can issue an EHLO command and should get a reasonable
reply. If not, there's something wrong.
Well crap. Something I've done has caused the first test to port 465 to
stop working. I'm nearly positive it was working.

[***@tn1] # openssl s_client -connect tn2.myserver.com:465
CONNECTED(00000003)
26351:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
protocol:s23_clnt.c:475:


When I run this command Anonymous is there.
openssl s_client -connect tn2.companypostoffice.com:587 -starttls smtp

Jul 23 19:23:59 tn2 postfix/smtpd[2007]: Anonymous TLS connection
established from tn1.myserver.com[xx.xx.xx.xx]: TLSv1 with cipher
DHE-RSA-AES256-SHA (256/256 bits)

I can also ehlo and issue smtp commands after above.
Post by techlist06
Post by techlist06
------------------
MS Outlook is happy using port 587 (SASL only I think)
I can deliver a test
message. POP also works and it will retrieve same.
POP and IMAP are irrelevant here, since they are not part of Postfix, but
it's
Post by techlist06
good to know that you don't seem to have any issues with Dovecot
complicating things and obscuring your Postfix issues...
Well, I spoke too soon there. I'm using Outlook's utility to "test settings"
where it sends the message. If I send a message locally I can then get it
via POP.
I can only send the message via port 587 (no TLS I don't think, about to
fix that). I can send and then POP a message using that port as is.

I had Dovecot jacked for a min trying to get mbox format to work, finally
got setting in each of them they were happy with. POPing again now. Can
fine tune that another day (want them in /var/spool/mail/user, have them in
HOME/mail/inbox).
Post by techlist06
Serious question: why do you care? Port 465 SSL-wrapped SMTP was never
made a standard and correctly never will be. No software that I'm aware of
can use that botch and cannot use STARTTLS except for a few clients so
outdated as to be inherently unsafe (e.g. antique versions of
Outlook.) Make sure Outlook is using STARTTLS on port 587 and be happy
with that: it's a service defined by an RFC which is supported by any client
software that isn't a danger to its users. Since port 465 service owes its
zombie existence to an early draft for SSLv3 that was never made into any
sort of standard, it is formally improper to offer ANY TLS version over it,
while
Post by techlist06
all versions of SSL should be treated as broken and obsolete. Do you see
the
Post by techlist06
problem?
Assuming you have a concrete need (e.g. The Boss uses Outlook Express on
Windows ME and won't upgrade,) if s_client is working to port 465 and
Outlook is not, you have an Outlook problem. Talk to your vendor about
that.
Post by techlist06
Since you've not included your master.cf configuration for the smtps (port
465) service, there's no hope of diagnosis here at present.
Re why do I care: I do not and will defer to your experience on this point
for sure. I was just replicating (trying to) what I had. If it's not
needed anymore I'm ALL FOR getting rid of it and making it simpler. I only
have a few local accounts on the box. Everything else is relayed. Old OL
versions are not an issue.

So I need to get rid of the 465 setup and get 587 working right... Check.
But, I'm not sure how to do that right :(

So, here's my master.cf below. I'd be extremely grateful for any
pruning/editing
Post by techlist06
1. Back off smtpd_tls_loglevel to 1. All of the above happened within a
second and provides no useful clues.
How do I change the level? I only know how to add the -v
Post by techlist06
2. Without knowing the config of the smtps service (i.e. the relevant lines
from master.cf) it is impossible to do anything more than make wild
guesses.
Post by techlist06
I'm going to make the wild guess that you didn't uncomment all of the
the indented ones starting with '-o'.
I've been using my original config that I've used for years, and editing it
as I go trying to get it to work. I'm a little lost at this point. I'll
post what I have in its current state
Post by techlist06
Post by techlist06
220 tn2.myserver.com ESMTP Postfix
ehlo sample.com
250-tn2.myserver.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
You didn't say which port that was, so it isn't clear which service config
applies, but on a modern system there is rarely any good reason to have an
EHLO response in any circumstance that includes both AUTH and STARTTLS.
Modern best practice is to use STARTTLS and authenticate inside the
encrypted tunnel with plaintext mechanisms that do not require the server
to
Post by techlist06
store passwords in recoverable forms. The above response indicates that
you are offering plaintext mechanisms over an unencrypted connection,
which is an invitation to cracked accounts and a world of hurt. On most
mail
Post by techlist06
systems, port 25 should offer STARTTLS and no AUTH even after TLS is
established, with port 587 being the only place you accept authenticated
message submission and then only after STARTTLS.
I've done above on 465 and 587, they appear the same in the telnet replies,
both accept smtp commands or STARTTLS. Agree, need to get that fixed.
It's the whole point of having this stuff.
Post by techlist06
There's a chance that the above is in fact not dangerous because Dovecot
will refuse to allow authentication due to its disable_plaintext_auth
setting
Post by techlist06
but I don't recall whether it can 'see' whether there's TLS or not when
servicing Postfix smtpd, and my guess would be not...
In any case, a safer config if for some reason you do want to allow
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
One reason you might want this is if you're providing relay services for a
3rd
Post by techlist06
party and want to apply the restrictions applied to inbound mail to their
transiting mail rather than the different and maybe less strict ones
applied to
Post by techlist06
initial submissions by your direct users.
Here's my master.cf Again, very grateful for any pointers on fixing it.

And current state of the main.cf I'm going to leave it alone.

I'm posting the bulk of master.cf. In case it's easier to see what I've
commented or not. I left off the tail end where I had nothing uncommented
from the stock file.


master.cf:
=================================
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
#smtp inet n - n - - smtpd
#smtp inet n - n - 1 postscreen
#smtpd pass - - n - - smtpd
#dnsblog unix - - n - 0 dnsblog
#tlsproxy unix - - n - 0 tlsproxy
#submission inet n - n - - smtpd
# -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - n - - smtpd
# -o syslog_name=postfix/smtps
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING

#####################################
#####################################
#port 465
# my inbound mail comes here
smtps inet n - n - - smtpd -v
# next line below so I don't filter the mail I send in via 465
# -o content_filter=
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_tls_wrappermode=yes
# -o syslog_name=postfix/smtps
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o smtpd_sasl_security_options=noanonymous
-o smtpd_sasl_local_domain=$myhostname
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_sender_login_maps=hash:/etc/postfix/virtual
-o smtpd_sender_restrictions=reject_sender_login_mismatch
-o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject


#port 587
submission inet n - n - - smtpd -v
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-o smtpd_sasl_auth_enable=yes
# -o smtpd_enforce_tls=yes
# -o smtpd_etrn_restrictions=reject
#
#
smtp-amavis unix - - n - 3 smtp
# -o smtpd_data_done_timeout=1200s
-o disable_dns_lookups=yes
-o smtp_send_xforward_command=yes

# Amavis config:
# These are the usual input "smtpd" and local "pickup" servers already
# present in master.cf. We add an option to select a non-default
# cleanup service.
#
smtp inet n - n - - smtpd -v
-o cleanup_service_name=pre-cleanup

pickup fifo n - n 60 1 pickup
-o cleanup_service_name=pre-cleanup
#
#
# The following is the cleanup daemon that handles messages in front of
# the content filter. It does header_checks and body_checks (if any), but
# does no virtual alias or canonical address mapping, so that mail comes
# to a content filter with original recipient addresses still intact.
#
# Virtual alias or canonical address mapping happens in the second
# cleanup phase after the content filter. This gives the content_filter
# access to largely unmodified addresses for maximum flexibility.
#
# Note that some sites may specifically want to perform canonical and/or
# virtual address mapping in front of the content_filter. However, in that
# case you still have to enable address rewriting in the after-filter cleanup
# instance in order to correctly process forwarded mail or bounced mail.

# handle both the canonicalization and virtual_alias_maps later
# (this will provide content filter with largely unmodified addresses)
#
pre-cleanup unix n - n - 0 cleanup
-o virtual_alias_maps=
-o canonical_maps=
-o sender_canonical_maps=
-o recipient_canonical_maps=
-o masquerade_domains=

# The following is the normal cleanup daemon. No header or body checks here,
# because these have already been taken care of by the pre-cleanup service
# before the content filter. The normal cleanup instance does all
# the virtual alias and canonical address mapping that was disabled
# in the pre-cleanup instance before the content filter.
#
cleanup unix n - n - 0 cleanup
-o mime_header_checks=
-o nested_header_checks=
-o body_checks=
# -o header_checks=
# or use second-stage header checks, to be able to place mail bombs on HOLD
# -o header_checks=pcre:/etc/postfix/header_checks2
# consider also:
# -o always_bcc=***@example.com


127.0.0.1:10025 inet n - n - - smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks_style=host
-o mynetworks=127.0.0.0/8
-o strict_rfc821_envelopes=yes
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks


#######################################
######################################

#628 inet n - n - - qmqpd
###pickup unix n - n 60 1 pickup
###cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
#


=================================


Main.cf (postconf -n)
=================================
[***@tn2 shorton]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
home_mailbox = mail/inbox
html_directory = no
inet_interfaces = $myhostname, localhost
inet_protocols = ipv4
local_recipient_maps = hash:/etc/postfix/local_recipient
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = tn2.myserver.com
myhostname = tn2.myserver.com
mynetworks = localhost, $mydomain, x.x.x.x./32
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
relay_domains = nnnn.com
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_helo_required = yes
smtpd_recipient_limit = 2500
smtpd_recipient_restrictions = reject_invalid_hostname,
reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient,
reject_unknown_sender_domain, reject_unknown_recipient_domain,
permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination,
check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
check_helo_access hash:/etc/postfix/helo_checks, check_sender_access
hash:/etc/postfix/sender_checks, check_client_access
hash:/etc/postfix/client_checks, check_client_access
pcre:/etc/postfix/client_checks.pcre, check_recipient_access
hash:/etc/postfix/access, reject_rbl_client zen.spamhaus.org
reject_rbl_client psbl.surriel.com, reject_rbl_client bl.spamcop.net,
check_policy_service unix:postgrey/socket, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
smtpd_tls_cert_file = /etc/postfix/certs/tn2.myserver.com.crt
smtpd_tls_key_file = /etc/postfix/certs/tn2.myserver.com.key
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
=================================
Viktor Dukhovni
2016-07-24 13:21:45 UTC
Post by techlist06
#port 465
# my inbound mail comes here
smtps inet n - n - - smtpd -v
# next line below so I don't filter the mail I send in via 465
# -o content_filter=
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_tls_wrappermode=yes
# -o syslog_name=postfix/smtps
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o smtpd_sasl_security_options=noanonymous
-o smtpd_sasl_local_domain=$myhostname
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_sender_login_maps=hash:/etc/postfix/virtual
-o smtpd_sender_restrictions=reject_sender_login_mismatch
-o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
Commenting out "-o smtpd_tls_wrappermode=yes" is rather unwise for port 465
--
Viktor.
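Viktor's point (the port 465 service only works in wrapper mode, and the "-o smtpd_tls_wrappermode=yes" line is commented out in the posted master.cf) and Bill Cole's earlier point (do not offer plaintext AUTH on a session that is not required to be encrypted) can both be checked mechanically against a master.cf. This is an added example for the thread, not Postfix's own code or either poster's; the master.cf and main.cf samples are constructed, shortened versions of what techlist06 posted, and the service names "smtps"/"465" and "submission" are assumed as the port 465 and 587 entries.

```python
"""Lint a Postfix master.cf, using main.cf values as defaults, for the
TLS/AUTH mistakes discussed in this thread. Added example; not Postfix code."""


def parse_master_cf(text):
    """Return {service: {"type", "command", "options"}} from master.cf text.

    A service entry is a non-indented line with eight fields; indented lines
    continue it (normally "-o key=value"). Comment lines are skipped, so a
    commented-out "-o" line, like the wrappermode line in the post, simply
    does not exist as far as Postfix is concerned.
    """
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":            # continuation of the current service
            if current is not None:
                current["args"].extend(raw.split())
            continue
        fields = raw.split()
        if len(fields) < 8:
            continue                   # not a well-formed service line
        current = {"type": fields[1], "command": fields[7], "args": fields[8:]}
        services[fields[0]] = current
    for svc in services.values():
        svc["options"] = _options(svc.pop("args"))
    return services


def _options(args):
    """Collect "-o key=value" pairs ("-o" and its value may sit on two lines)."""
    opts, i = {}, 0
    while i < len(args):
        if args[i] == "-o" and i + 1 < len(args):
            key, _, value = args[i + 1].partition("=")
            opts[key] = value
            i += 2
        else:
            i += 1
    return opts


def _setting(main_cf, opts, key, default):
    """Effective value for one service: its -o override, else main.cf, else default."""
    return opts.get(key, main_cf.get(key, default))


def tls_mode(main_cf, opts):
    """'wrapper', 'encrypt', 'may' or 'none' for one smtpd service.

    smtpd_tls_security_level wins when set; otherwise the legacy booleans
    smtpd_enforce_tls / smtpd_use_tls (which this poster's main.cf uses) apply.
    """
    if _setting(main_cf, opts, "smtpd_tls_wrappermode", "no") == "yes":
        return "wrapper"
    level = _setting(main_cf, opts, "smtpd_tls_security_level", "")
    if level:
        return level
    if _setting(main_cf, opts, "smtpd_enforce_tls", "no") == "yes":
        return "encrypt"
    return "may" if _setting(main_cf, opts, "smtpd_use_tls", "no") == "yes" else "none"


def lint(master_text, main_cf):
    """Return (service, finding) pairs for every inet smtpd service."""
    findings = []
    for name, svc in parse_master_cf(master_text).items():
        if svc["type"] != "inet" or svc["command"] != "smtpd":
            continue
        opts = svc["options"]
        mode = tls_mode(main_cf, opts)
        sasl_on = _setting(main_cf, opts, "smtpd_sasl_auth_enable", "no") == "yes"
        sasl_opts = _setting(main_cf, opts, "smtpd_sasl_security_options", "noanonymous")
        # Port 465 clients speak TLS from the first byte; without wrapper mode
        # smtpd answers with a plaintext 220 banner and the client's handshake fails.
        if name in ("smtps", "465") and mode != "wrapper":
            findings.append((name, "no-wrappermode"))
        # Plaintext AUTH mechanisms on a session that need not be encrypted
        # expose credentials to anyone on the path (Bill Cole's point above).
        if sasl_on and mode not in ("wrapper", "encrypt") and "noplaintext" not in sasl_opts:
            findings.append((name, "plaintext-auth"))
    return findings


# Constructed samples modelled on the poster's files, cut down to three services.
MASTER_CF_AS_POSTED = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtps      inet  n       -       n       -       -       smtpd -v
# -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
submission inet  n       -       n       -       -       smtpd -v
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sasl_auth_enable=yes
smtp       inet  n       -       n       -       -       smtpd -v
  -o cleanup_service_name=pre-cleanup
"""
MASTER_CF_FIXED = """\
smtps      inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
submission inet  n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
smtp       inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=no
"""
# The relevant lines of the poster's "postconf -n" output.
MAIN_CF_AS_POSTED = {"smtpd_use_tls": "yes", "smtpd_sasl_auth_enable": "yes",
                     "smtpd_sasl_security_options": "noanonymous"}

if __name__ == "__main__":
    for service, finding in lint(MASTER_CF_AS_POSTED, MAIN_CF_AS_POSTED):
        print(f"{service}: {finding}")
```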
techlist06
2016-07-24 15:54:50 UTC
Post by Viktor Dukhovni
Post by techlist06
#port 465
# my inbound mail comes here
smtps inet n - n - - smtpd -v
# next line below so I don't filter the mail I send in via 465
# -o content_filter=
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_tls_wrappermode=yes
# -o syslog_name=postfix/smtps
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o smtpd_sasl_security_options=noanonymous
-o smtpd_sasl_local_domain=$myhostname
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_sender_login_maps=hash:/etc/postfix/virtual
-o smtpd_sender_restrictions=reject_sender_login_mismatch
-o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
Commenting out "-o smtpd_tls_wrappermode=yes" is rather unwise for port
465
Thanks Viktor. It's probably where I was turning off things on this new box
to troubleshoot, or following some howto on the web in desperation. It is
un-commented on my production box.

I understand I don't need the 465 port anymore from a different poster. My
production box was set up a long time ago. I used the Oriley book, a
popular guide from HughesJR.com (gone now), and Jim Seymour's Postfix
anti-UCE configuration, and notes from the occasional question on this
maillist a long time ago. I'd like to get back to that setup as it has
worked very well for many years. Just can't seem to get it all working on
Centos 7. :(

Thanks,
Scott
Viktor Dukhovni
2016-07-24 15:59:05 UTC
Post by techlist06
It's probably where I was turning off things on this new box
to troubleshoot, or following some howto on the web in desperation. It is
un-commented on my production box.
Don't waste our time posting configuration data from the wrong machine.
Post by techlist06
I understand I don't need the 465 port anymore from a different poster. My
production box was set up a long time ago.
If you have mail clients that only support port 465 wrapper-mode SSL rather
than STARTTLS, you'll need the port 465 service. Strident views to the contrary
don't change the facts. Good luck.
--
Viktor.
techlist06
2016-07-24 16:14:45 UTC
Post by Viktor Dukhovni
Don't waste our time posting configuration data from the wrong machine.
I won't. I didn't. The posted configs are from the box I'm working on now.
Was just mentioning the other one to explain the commented line. Thank you
for the advice on that line in any case.
Post by Viktor Dukhovni
If you have mail clients that only support port 465 wrapper-mode SSL rather
than STARTTLS, you'll need the port 465 service. Strident views to the contrary
don't change the facts. Good luck.
I do not have any such clients, unless Outlook 2007 is one of them? If it is,
I can upgrade that. Anyway, I understand the point, thank you.
Post by Viktor Dukhovni
re: ...Oriley...
I misspoke from being tired. The book I used was yours and Patrick's (Book
of Postfix 2005), had almost forgot about it. Last time I had to do this
was 2010. Had no trouble then.

Excuse my digression, back to my issue then...
techlist06
2016-07-24 18:59:25 UTC
The problem is occurring with MS Outlook 2007. Can't get it to work on 465
or 587.

For the 587/submission port I changed it to the settings from Patrick
Koetter's guide
(http://postfix.state-of-mind.de/patrick.koetter/smtpauth/postfix_tls_support.html)

## TLS
# Transport Layer Security
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/postfix/certs/tn2.myserver.com.key
smtpd_tls_cert_file = /etc/postfix/certs/tn2.myserver.com.crt
smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom


In master.cf I changed the submission section to the one below for testing.
Commented out some restrictions for now to test.

submission inet n - n - - smtpd -v
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
# -o smtpd_sasl_security_options=noanonymous
-o smtpd_sasl_local_domain=$myhostname
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_sender_login_maps=hash:/etc/postfix/virtual_users
# -o smtpd_sender_restrictions=reject_sender_login_mismatch
# -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject


I can send a mail via telnet from a different server to 587 (or 465)
including SASL authentication using:
openssl s_client -connect tn2.myserver.com:587 -starttls smtp -crlf
I used
echo -ne '\0myusername\0thatpassword' | openssl enc -base64
to generate the credentials for AUTH PLAIN

I'm shown the certificate then I ehlo through quit and the server delivers
the message to the local account I sent it to. The Outlook box retrieves it
via POP.

I also tried the same command above from a Linux machine on the same
(home) IP as my desktop Outlook PC; it too will let me send a message through
the submission port 587 using the openssl command above.

But if I try to send from Outlook to port 587, the connection fails.

Outlook's "Test account settings" reports: "Send test e-mail message: None
of the authentication methods supported by this client are supported by your
server."

The log from the Outlook connection is below; hh.hh.hh.hh is my home/Outlook
PC's IP address.

Jul 24 13:35:11 tn2 postfix/smtpd[9553]: name_mask: ipv4
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: inet_addr_local: configured 2 IPv4
addresses
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: process generation: 102 (102)
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: mynetworks ~?
debug_peer_list
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: mynetworks ~?
fast_flush_domains
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: mynetworks ~?
mynetworks
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: relay_domains ~?
debug_peer_list
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: relay_domains ~?
fast_flush_domains
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: relay_domains ~?
mynetworks
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: relay_domains ~?
permit_mx_backup_networks
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: relay_domains ~?
qmqpd_authorized_clients
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: relay_domains ~?
relay_domains
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string:
permit_mx_backup_networks ~? debug_peer_list
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string:
permit_mx_backup_networks ~? fast_flush_domains
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string:
permit_mx_backup_networks ~? mynetworks
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string:
permit_mx_backup_networks ~? permit_mx_backup_networks
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: Compiled against Berkeley DB:
5.3.21?
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: Run-time linked against Berkeley
DB: 5.3.21?
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: dict_open:
hash:/etc/postfix/local_recipient
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: Compiled against Berkeley DB:
5.3.21?
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: Run-time linked against Berkeley
DB: 5.3.21?
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: dict_open:
hash:/etc/postfix/relay_recipients
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: smtpd_access_maps ~?
debug_peer_list
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: smtpd_access_maps ~?
fast_flush_domains
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: smtpd_access_maps ~?
mynetworks
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: smtpd_access_maps ~?
permit_mx_backup_networks
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: smtpd_access_maps ~?
qmqpd_authorized_clients
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: smtpd_access_maps ~?
relay_domains
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: smtpd_access_maps ~?
smtpd_access_maps
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: Compiled against Berkeley DB:
5.3.21?
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: Run-time linked against Berkeley
DB: 5.3.21?
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: dict_open:
hash:/etc/postfix/virtual_users
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: dict_open:
pcre:/etc/postfix/recipient_checks.pcre
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: Compiled against Berkeley DB:
5.3.21?
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: Run-time linked against Berkeley
DB: 5.3.21?
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: dict_open:
hash:/etc/postfix/helo_checks
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: Compiled against Berkeley DB:
5.3.21?
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: Run-time linked against Berkeley
DB: 5.3.21?
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: dict_open:
hash:/etc/postfix/sender_checks
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: Compiled against Berkeley DB:
5.3.21?
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: Run-time linked against Berkeley
DB: 5.3.21?
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: dict_open:
hash:/etc/postfix/client_checks
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: dict_open:
pcre:/etc/postfix/client_checks.pcre
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: Compiled against Berkeley DB:
5.3.21?
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: Run-time linked against Berkeley
DB: 5.3.21?
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: dict_open: hash:/etc/postfix/access
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: auto_clnt_create: transport=unix
endpoint=postgrey/socket
Jul 24 13:35:11 tn2 postfix/smtpd[9553]:
unknown_helo_hostname_tempfail_action = defer_if_permit
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: unknown_address_tempfail_action =
defer_if_permit
Jul 24 13:35:11 tn2 postfix/smtpd[9553]:
unverified_recipient_tempfail_action = defer_if_permit
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: unverified_sender_tempfail_action =
defer_if_permit
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: name_mask: 1
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: auto_clnt_create: transport=local
endpoint=private/tlsmgr
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: auto_clnt_open: connected to
private/tlsmgr
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: send attr request = seed
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: send attr size = 32
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: private/tlsmgr: wanted attribute:
status
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: input attribute name: status
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: input attribute value: 0
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: private/tlsmgr: wanted attribute:
seed
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: input attribute name: seed
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: input attribute value:
sJ+G2MxfuwihHC4oCnIKRmXxz3FZti5SGanqlneSiqE=
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: private/tlsmgr: wanted attribute:
(list terminator)
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: input attribute name: (end)
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: send attr request = policy
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: send attr cache_type = smtpd
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: private/tlsmgr: wanted attribute:
status
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: input attribute name: status
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: input attribute value: 0
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: private/tlsmgr: wanted attribute:
cachable
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: input attribute name: cachable
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: input attribute value: 0
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: private/tlsmgr: wanted attribute:
(list terminator)
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: input attribute name: (end)
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: fast_flush_domains ~?
debug_peer_list
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: fast_flush_domains ~?
fast_flush_domains
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: auto_clnt_create: transport=local
endpoint=private/anvil
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: connection established
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: master_notify: status 0
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: name_mask: resource
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: name_mask: software
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: connect from
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net[hh.hh.hh.hh]
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_list_match:
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net: no match
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_list_match: hh.hh.hh.hh: no
match
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_list_match:
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net: no match
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_list_match: hh.hh.hh.hh: no
match
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: smtp_stream_setup: maxtime=300
enable_deadline=0
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_hostname:
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net ~? localhost
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_hostaddr: hh.hh.hh.hh ~?
localhost
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_hostname:
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net ~? tn2.myserver.com
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_hostaddr: hh.hh.hh.hh ~?
tn2.myserver.com
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_hostname:
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net ~? 65.183.104.20/32
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_hostaddr: hh.hh.hh.hh ~?
65.183.104.20/32
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_hostname:
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net ~? hh.hh.hh.hh/32
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_hostaddr: hh.hh.hh.hh ~?
hh.hh.hh.hh/32
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: >
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net[hh.hh.hh.hh]: 220
tn2.myserver.com ESMTP Postfix
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: <
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net[hh.hh.hh.hh]: EHLO HDPLEX2
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_list_match:
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net: no match
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_list_match: hh.hh.hh.hh: no
match
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: >
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net[hh.hh.hh.hh]:
250-tn2.myserver.com
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: >
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net[hh.hh.hh.hh]: 250-PIPELINING
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: >
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net[hh.hh.hh.hh]: 250-SIZE 10240000
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: >
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net[hh.hh.hh.hh]: 250-ETRN
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: >
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net[hh.hh.hh.hh]: 250-STARTTLS
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: >
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net[hh.hh.hh.hh]:
250-ENHANCEDSTATUSCODES
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: >
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net[hh.hh.hh.hh]: 250-8BITMIME
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: >
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net[hh.hh.hh.hh]: 250 DSN
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: smtp_get: EOF
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_hostname:
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net ~? localhost
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_hostaddr: hh.hh.hh.hh ~?
localhost
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_hostname:
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net ~? tn2.myserver.com
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_hostaddr: hh.hh.hh.hh ~?
tn2.myserver.com
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_hostname:
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net ~? 65.183.104.20/32
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_hostaddr: hh.hh.hh.hh ~?
65.183.104.20/32
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_hostname:
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net ~? hh.hh.hh.hh/32
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_hostaddr: hh.hh.hh.hh ~?
hh.hh.hh.hh/32
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: lost connection after EHLO from
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net[hh.hh.hh.hh]
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: disconnect from
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net[hh.hh.hh.hh]
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: master_notify: status 1
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: connection closed
Jul 24 13:35:16 tn2 postfix/smtpd[9553]: auto_clnt_close: disconnect
private/tlsmgr stream





=====================
Full postconf -n and master.cf
=====================

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
home_mailbox = mail/inbox
html_directory = no
inet_interfaces = $myhostname, localhost
inet_protocols = ipv4
local_recipient_maps = hash:/etc/postfix/local_recipient
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = tn2.myserver.com
myhostname = tn2.myserver.com
mynetworks = localhost, $mydomain, ww.ww.ww.ww/32, hh.hh.hh.hh/32
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
relay_domains = mlec.com
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_helo_required = yes
smtpd_recipient_limit = 2500
smtpd_recipient_restrictions = reject_invalid_hostname,
reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient,
reject_unknown_sender_domain, reject_unknown_recipient_domain,
permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination,
check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
check_helo_access hash:/etc/postfix/helo_checks, check_sender_access
hash:/etc/postfix/sender_checks, check_client_access
hash:/etc/postfix/client_checks, check_client_access
pcre:/etc/postfix/client_checks.pcre, check_recipient_access
hash:/etc/postfix/access, reject_rbl_client zen.spamhaus.org
reject_rbl_client psbl.surriel.com, reject_rbl_client bl.spamcop.net,
check_policy_service unix:postgrey/socket, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
smtpd_tls_cert_file = /etc/postfix/certs/tn2.myserver.com.crt
smtpd_tls_key_file = /etc/postfix/certs/tn2.myserver.com.key
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550


=====================
postconf -M
=====================


smtps inet n - n - - smtpd -v
-o smtpd_tls_wrappermode=yes
-o syslog_name=postfix/smtps
submission inet n - n - - smtpd -v
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o smtpd_sasl_local_domain=$myhostname
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_sender_login_maps=hash:/etc/postfix/virtual_users
smtp-amavis unix - - n - 3 smtp
-o disable_dns_lookups=yes
-o smtp_send_xforward_command=yes
smtp inet n - n - - smtpd -v
-o cleanup_service_name=pre-cleanup
pickup fifo n - n 60 1 pickup
-o cleanup_service_name=pre-cleanup
pre-cleanup unix n - n - 0 cleanup
-o virtual_alias_maps=
-o canonical_maps=
-o sender_canonical_maps=
-o recipient_canonical_maps=
-o masquerade_domains=
cleanup unix n - n - 0 cleanup
-o mime_header_checks=
-o nested_header_checks=
-o body_checks=
127.0.0.1:10025 inet n - n - - smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks_style=host
-o mynetworks=127.0.0.0/8
-o strict_rfc821_envelopes=yes
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
Viktor Dukhovni
2016-07-24 19:20:43 UTC
Post by techlist06
But if I try to send from Outlook to port 587, the connection fails.
Many versions of Outlook don't support port 587 STARTTLS submission,
they only support wrapper mode on port 465.
Post by techlist06
Outlook's "Test account settings" reports: "Send test e-mail message: None
of the authentication methods supported by this client are supported by your
server."
The server did not offer SASL "AUTH" in its EHLO reply. Perhaps
Outlook does not support delayed "AUTH" advertisement after STARTTLS,
however see below.
Post by techlist06
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: > 220 tn2.myserver.com ESMTP Postfix
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: < EHLO HDPLEX2
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: > 250-tn2.myserver.com
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: > 250-PIPELINING
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: > 250-SIZE 10240000
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: > 250-ETRN
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: > 250-STARTTLS
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: > 250-ENHANCEDSTATUSCODES
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: > 250-8BITMIME
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: > 250 DSN
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: smtp_get: EOF
Client gives up after EHLO and before STARTTLS, perhaps because
"AUTH" is missing, however you don't have "smtpd_tls_auth_only =
yes", in your reported configuration, so if SASL is enabled at
compile-time, perhaps your dovecot auth socket is not configured
in the correct location or has the wrong permissions. There
would then be warnings in the logs related to that problem.

Otherwise, the absence of "AUTH" in the EHLO reply might be
a configuration issue with dovecot, or is rather mysterious.

Perhaps you're reporting something other than the configuration
that Outlook is talking to.
--
Viktor.
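The check Viktor describes (does the server advertise AUTH before STARTTLS, only after it, or not at all?) can be automated. This is an added example written for this thread, not code from the thread or from Postfix; the two EHLO replies are constructed, the first from the log lines quoted above, and the optional live probe assumes a reachable hostname you supply.

```python
"""Classify a submission server's EHLO advertisement before and after STARTTLS.

Added example for this thread, not Postfix code. Sample replies are constructed.
"""
import smtplib
import ssl

# Constructed from the logged EHLO reply: STARTTLS offered, no AUTH yet.
SAMPLE_PRE_TLS_REPLY = """250-tn2.myserver.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

# Constructed: what the same server should answer once TLS is up and the
# Dovecot SASL socket is reachable (AUTH appears, STARTTLS is gone).
SAMPLE_POST_TLS_REPLY = """250-tn2.myserver.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""


def parse_ehlo(reply: str) -> dict:
    """Turn a multi-line '250-' reply into {KEYWORD: parameter-string}.

    The first line (server hostname) is skipped. The legacy 'AUTH=' form
    that broken_sasl_auth_clients emits is folded into plain 'AUTH'.
    """
    features = {}
    for line in reply.strip().splitlines()[1:]:
        body = line[4:].strip()               # drop '250-' or '250 '
        keyword, _, params = body.partition(" ")
        keyword = keyword.upper()
        if keyword.startswith("AUTH="):       # 'AUTH=PLAIN LOGIN'
            params = keyword[5:] + (" " + params if params else "")
            keyword = "AUTH"
        features.setdefault(keyword, params)  # keep the first AUTH line
    return features


def auth_mechanisms(features: dict) -> set:
    """SASL mechanisms offered, or an empty set when AUTH is absent."""
    return set(features.get("AUTH", "").split())


def classify(pre_tls: dict, post_tls: dict) -> str:
    """Describe what a mail client will experience on this submission port."""
    if "STARTTLS" not in pre_tls:
        return "no-starttls: port is plaintext-only or wrapper-mode (465-style)"
    if "AUTH" in pre_tls:
        return ("auth-before-tls: a client may send credentials in the clear; "
                "use smtpd_tls_auth_only=yes or smtpd_tls_security_level=encrypt")
    if "AUTH" not in post_tls:
        return ("no-auth-after-tls: SASL never offered; check "
                "smtpd_sasl_auth_enable and the Dovecot auth socket path/permissions")
    mechs = " ".join(sorted(auth_mechanisms(post_tls)))
    return f"ok: AUTH ({mechs}) advertised only inside TLS"


def probe(host: str, port: int = 587) -> str:
    """Optional live check against a real server (hostname is your own)."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        pre = {k.upper(): v for k, v in s.esmtp_features.items()}
        s.starttls(context=ctx)
        s.ehlo()                              # features must be re-read after TLS
        post = {k.upper(): v for k, v in s.esmtp_features.items()}
    return classify(pre, post)


if __name__ == "__main__":
    print(classify(parse_ehlo(SAMPLE_PRE_TLS_REPLY),
                   parse_ehlo(SAMPLE_POST_TLS_REPLY)))
```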
techlist06
2016-07-24 20:57:01 UTC
Otherwise, the absence of "AUTH" in the EHLO reply might be a configuration
issue with dovecot, or is rather mysterious.
Well, at least no AUTH was something to go on, thanks, I missed that detail.
Checked the socket path setting and the file permissions, all looked good
there.

I found what I hope is the main issue and cure. Since I was able to send a
message to the server from an iPhone, I'm getting close.

Noob error, but it's something I haven't set in a while and didn't realize was
there. An Outlook drop-down for "Use the following type of encrypted
connection: None, SSL, TLS, or Auto". It was set to None. Fixed.

Now if I try to connect I get the AUTH.

But the message is rejected with recipient address restrictions:

Jul 24 15:35:28 tn2 postfix/smtpd[10358]: >>> START Recipient address
RESTRICTIONS <<<
Jul 24 15:35:28 tn2 postfix/smtpd[10358]: generic_checks:
name=reject_invalid_hostname
Jul 24 15:35:28 tn2 postfix/smtpd[10358]: reject_invalid_hostname: HDPLEX2
Jul 24 15:35:28 tn2 postfix/smtpd[10358]: generic_checks:
name=reject_invalid_hostname status=0
Jul 24 15:35:28 tn2 postfix/smtpd[10358]: generic_checks:
name=reject_non_fqdn_hostname
Jul 24 15:35:28 tn2 postfix/smtpd[10358]: reject_non_fqdn_hostname: HDPLEX2
Jul 24 15:35:28 tn2 postfix/smtpd[10358]: NOQUEUE: reject: RCPT from
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net[hh.hh.hh.hh]: 504 5.5.2
<HDPLEX2>: Helo command rejected: need fully-qualified hostname;
from=<***@tn2.myserver.com> to=<***@tn2.myserver.com> proto=ESMTP
helo=<HDPLEX2>
Jul 24 15:35:28 tn2 postfix/smtpd[10358]: generic_checks:
name=reject_non_fqdn_hostname status=2
Jul 24 15:35:28 tn2 postfix/smtpd[10358]: >>> END Recipient address
RESTRICTIONS <<<


The client PC's "name" is HDPLEX2. Is there a (safe) workaround to this
without changing all my Windows PCs to FQDN names?
Norton Allen
2016-07-24 21:03:15 UTC
Post by techlist06
Noob error, but it's something I haven't set in a while and didn't realize was
there. An Outlook drop-down for "Use the following type of encrypted
connection: None, SSL, TLS, or Auto". It was set to None. Fixed.
I'm curious: what did you set it to? (or what *should* I set it to.)
Without a STARTTLS option, what is most likely to work?
Wietse Venema
2016-07-24 21:12:36 UTC
Post by techlist06
Jul 24 15:35:28 tn2 postfix/smtpd[10358]: NOQUEUE: reject: RCPT from
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net[hh.hh.hh.hh]: 504 5.5.2
<HDPLEX2>: Helo command rejected: need fully-qualified hostname;
helo=<HDPLEX2>
Don't use reject_non_fqdn_xxx with the master.cf 'submission' and
'smtps' services.

Instead use this in master.cf:

submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
-o smtpd_client_restrictions=$mua_client_restrictions
-o smtpd_helo_restrictions=$mua_helo_restrictions
-o smtpd_sender_restrictions=$mua_sender_restrictions
-o smtpd_recipient_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - n - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
-o smtpd_client_restrictions=$mua_client_restrictions
-o smtpd_helo_restrictions=$mua_helo_restrictions
-o smtpd_sender_restrictions=$mua_sender_restrictions
-o smtpd_recipient_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING

and specify mua_client_restrictions, mua_helo_restrictions, and
mua_sender_restrictions in master.cf.

Oh, and DON'T TURN ON VERBOSE LOGGING unless someone tells you
to turn it on. It is totally unnecessary to debug this case.

Wietse
Viktor Dukhovni
2016-07-24 21:36:29 UTC
Post by Wietse Venema
[...]
and specify mua_client_restrictions, mua_helo_restrictions, and
mua_sender_restrictions in master.cf.
The last "master.cf" should be "main.cf".
--
Viktor.
techlist06
2016-07-24 22:11:53 UTC
Post by Viktor Dukhovni
The last "master.cf" should be "main.cf".
Check.
Post by Viktor Dukhovni
specify mua_client_restrictions, mua_helo_restrictions, and
mua_sender_restrictions in master.cf.
Done.

And I finally got a message to pass via submission from Outlook. <happy
dance>

What are good/reasonable restrictions to add for the submission service? I
will only have typical consumer users using Windows Outlook and iPhones to
send mail through that port once authenticated. On my old box I only have

smtpd_recipient_restrictions=permit_sasl_authenticated,reject

and that was working fine. Anything else I need to add to the mua
restrictions while I'm at it?

I'm so relieved to get this past this Outlook-send hurdle.


=================================================================
postconf -n
=================================================================
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
home_mailbox = mail/inbox
html_directory = no
inet_interfaces = $myhostname, localhost
inet_protocols = ipv4
local_recipient_maps = hash:/etc/postfix/local_recipient
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
# New
####################################
mua_client_restrictions = permit_sasl_authenticated, reject
mua_helo_restrictions =
mua_sender_restrictions =
###################################
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = tn2.myserver.com
myhostname = tn2.myserver.com
mynetworks = localhost, $mydomain, x.x.x.x/32, y.y.y.y/32
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
relay_domains = xxx.com
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_helo_required = yes
smtpd_recipient_limit = 2500
smtpd_recipient_restrictions = reject_invalid_hostname,
reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient,
reject_unknown_sender_domain, reject_unknown_recipient_domain,
permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination,
check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
check_helo_access hash:/etc/postfix/helo_checks, check_sender_access
hash:/etc/postfix/sender_checks, check_client_access
hash:/etc/postfix/client_checks, check_client_access
pcre:/etc/postfix/client_checks.pcre, check_recipient_access
hash:/etc/postfix/access, reject_rbl_client zen.spamhaus.org
reject_rbl_client psbl.surriel.com, reject_rbl_client bl.spamcop.net,
check_policy_service unix:postgrey/socket, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
smtpd_tls_cert_file = /etc/postfix/certs/tn2.myserver.com.crt
smtpd_tls_key_file = /etc/postfix/certs/tn2.myserver.com.key
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550


=================================================================
Master.cf
=================================================================
submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o smtpd_sasl_security_options=noanonymous
-o smtpd_sasl_local_domain=$myhostname
-o smtpd_client_restrictions=$mua_client_restrictions
-o smtpd_helo_restrictions=$mua_helo_restrictions
-o smtpd_sender_restrictions=$mua_sender_restrictions
-o smtpd_recipient_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING

smtp-amavis unix - - n - 3 smtp
-o disable_dns_lookups=yes
-o smtp_send_xforward_command=yes
smtp inet n - n - - smtpd -v
-o cleanup_service_name=pre-cleanup
pickup fifo n - n 60 1 pickup
-o cleanup_service_name=pre-cleanup
pre-cleanup unix n - n - 0 cleanup
-o virtual_alias_maps=
-o canonical_maps=
-o sender_canonical_maps=
-o recipient_canonical_maps=
-o masquerade_domains=
cleanup unix n - n - 0 cleanup
-o mime_header_checks=
-o nested_header_checks=
-o body_checks=

127.0.0.1:10025 inet n - n - - smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks_style=host
-o mynetworks=127.0.0.0/8
-o strict_rfc821_envelopes=yes
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

qmgr unix n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
Peter
2016-07-24 22:24:24 UTC
Post by Norton Allen
Post by techlist06
Noob error, but it's something I haven't set in a while and didn't realize
was there. An Outlook drop-down for "Use the following type of encrypted
connection: None, SSL, TLS, or Auto". It was set to None. Fixed.
I'm curious: what did you set it to? (or what *should* I set it to.)
Without a STARTTLS option, what is most likely to work?
Outlook misnames STARTTLS as "TLS". TLS wrappermode is what Outlook
calls "SSL".


Peter
Bill Cole
2016-07-25 05:24:12 UTC
Permalink
Post by Peter
Outlook misnames STARTTLS as "TLS". TLS wrappermode is what Outlook
calls "SSL".
Minor bit of pedantry:

Short form:
A MUA that supports any version of TLS or STARTTLS has no excuse for not
supporting both. A server offering port 465 "wrappermode" is
implementing a service not described in any formal spec except for
proprietary 1996 SSLv3 drafts, i.e. NEVER mentioned in any TLS
specification. So, if a MUA offers SSL and TLS as distinct encryption
choices, it should be clear how those map to the concrete technical
options: SSL=wrappermode, TLS=STARTTLS.

Longer form:
The only specification for SMTP wrapped in transport encryption of the
TLS/SSL heritage was in a series of 1996 Netscape SSLv3 drafts, the last
of which got published in abridged form 15 years after the fact as the
explicitly historical RFC6101, with all references to a reserved port
for "SMTPS" (wrappermode) removed. It is not unreasonable for "SSL" to
refer to wrappermode, since there's no spec for TLS wrapping SMTP in
that way and no description in any version of SSL of any mechanism for a
STARTTLS-like upgrade from an initially unencrypted session. It's
trivial to support TLS in a "wrappermode" deployment and probably harder
to avoid than the principle could be worth, but what formal spec exists
for SMTP wrapped in encryption from the initial connect is only for
SSLv3 and NOT any version of TLS. Similarly, there's no formal reason
for a STARTTLS implementation to support any version of SSL, although
many unfortunately do. It pains me to say it, but Outlook is right in
this case.

Rant:
There are blatantly obvious "Best Practices" in this area now and have
been for at least a decade, but software, including most MUAs and most
MTAs including Postfix, hasn't adopted them as default, well-documented
config & behavior yet. Port 25 for inbound and authenticated transit
(relay) SMTP with opportunistic encryption. Port 587 for submission
requiring encryption with authentication inside the encryption, nothing
less than TLSv1.0. Port 465 wrappermode only where absolutely necessary
on a temporary provisional basis for clients that can't do TLS (and
hence STARTTLS.) This model is not hard to deploy: it's documented for
and supported by most if not all major MTAs, it's just not generally the
model that documentation and default configs focus on. We need to adjust
our thinking in Postfix terms to the idea that smtpd and submission are
distinct services that incidentally share a similar set of options,
somewhat like smtp and lmtp. In 2016, a need to use "permit_mynetworks"
or deploy port 465 wrappermode or allow SSLv3 for STARTTLS clients
should be treated as technical debt that demands retirement. Sure, many
sites need such crutches now and will for many years, but we should
recognize that reliance on authentication by IP and obsolete and/or
weakly-specified security mechanisms is a bad thing that we should work
to eliminate, rather than a norm we should be cargo-culting into eternity
because some antique docs describe them.
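The three-port model above, written out as a Postfix main.cf/master.cf fragment, is an added illustration for this thread, not configuration from the original poster or from the Postfix documentation. It assumes the certificate paths the original poster mentioned, a Dovecot SASL socket at private/auth, that the service names submission and smtps resolve through /etc/services (otherwise use 587 and 465), and a Postfix release with smtpd_relay_restrictions (2.10 or later).

```text
# --- main.cf: port 25 takes inbound mail with opportunistic TLS,
#     relaying only for authenticated clients or mynetworks; SSLv2/SSLv3
#     are excluded everywhere so "nothing less than TLSv1.0" holds.
#     (Postfix main.cf does not allow comments on the same line as a value.)
smtpd_tls_cert_file = /etc/certs/tn2.myserver.com.crt
smtpd_tls_key_file = /etc/certs/tn2.myserver.com.key
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
# assumed Dovecot auth socket, relative to $queue_directory
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

# --- master.cf: smtpd and submission as distinct services.
# Port 25: no password-based AUTH offered at all.
smtp       inet  n  -  n  -  -  smtpd
  -o smtpd_sasl_auth_enable=no
# Port 587: STARTTLS mandatory (what Outlook calls "TLS"), AUTH offered
# only inside the TLS session, and nothing unauthenticated is accepted.
submission inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# Port 465: TLS from the first byte (what Outlook calls "SSL"), kept only
# for clients that cannot do STARTTLS; same authentication rules as 587.
smtps      inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

After `postfix reload`, the two client-side checks the original poster already used verify the split: `openssl s_client -starttls smtp -connect host:587` should show AUTH only after STARTTLS, and `openssl s_client -connect host:465` should negotiate TLS immediately.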
