You can confirm or refute on your "appears to work" conclusions 2 ways:

1. Look in your server logs for lines with content like this:

postfix/smtpd[123]: Anonymous TLS connection established from
host.example.com[192.0.2.1]: TLSv1 with cipher DHE-RSA-AES256-SHA
(256/256 bits)

2. When using openssl s_client, you should be left connected in a SMTP
session so you can issue a EHLO command and should get a reasonable
reply. If not, there's something wrong.
Your logs should tell you whether that session is doing TLS or not. It
is a misconfiguration to allow submission on port 587 without TLS. You
didn't include your settings for port 87 (the 'submission' service in
master.cf) but if STARTTLS via openssl s_client is working and Outlook
can submit mail, it is likely that Outlook used STARTTLS.
POP and IMAP are irrelevant here, since they are not part of Postfix,
but it's good to know that you don't seem to have any issues with
Dovecot complicating things and obscuring your Postfix issues...
Serious question: why do you care? Port 465 SSL-wrapped SMTP was never
made a standard and correctly never will be. No software that I'm aware
of can use that botch and cannot use STARTTLS except for a few clients
so outdated as to be inherently unsafe (e.g. antique versions of
Outlook.) Make sure Outlook is using STARTTLS on port 587 and be happy
with that: it's a service defined by a RFC which is supported by any
client software that isn't a danger to its users. Since port 465 service
owes its zombie existence to an early draft for SSLv3 that was never
made into any sort of standard, it is formally improper to offer ANY TLS
version over it, while all versions of SSL should be treated as broken
and obsolete. Do you see the problem?

Assuming you have a concrete need (e.g. The Boss uses Outlook Express on
Windows ME and won't upgrade,) if s_client is working to port 465 and
Outlook is not, you have an Outlook problem. Talk to your vendor about
that. Since you've not included your master.cf configuration for the
smtps (port 465) service, there's no hope of diagnosis here at present.
[...]
1. Back off smtpd_tls_loglevel to 1. All of the above happened within a
second and provides no useful clues.

2. Without knowing the config of the smtps service (i.e. the relevant
lines from master.cf) it is impossible to do anything more than make
wild guesses. I'm going to make the wild guess that you didn't uncomment
all of the essential continuation lines after the first one for smtps:
the indented ones starting with '-o'.
Very likely, but we'd need the whole relevant config to know.
You didn't say which port that was, so it isn't clear which service
config applies, but on a modern system there is rarely any good reason
to have an EHLO response in any circumstance that includes both AUTH and
STARTTLS. Modern best practice is to use STARTTLS and authenticate
inside the encrypted tunnel with plaintext mechanisms that do not
require the server to store passwords in recoverable forms. The above
response indicates that you are offering plaintext mechanisms over an
unencrypted connection, which is an invitation to cracked accounts and a
world of hurt. On most mail systems, port 25 should offer STARTTLS and
no AUTH even after TLS is established, with port 587 being the only
place you accept authenticated message submission and then only after
STARTTLS.

There's a chance that the above is in fact not dangerous because Dovecot
will refuse to allow authentication due to its disable_plaintext_auth
setting but I don't recall whether it can 'see' whether there's TLS or
not when servicing Postfix smtpd, and my guess would be not...

In any case, a safer config if for some reason you do want to allow
authentication over port 25 would use these settings:

smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous

One reason you might want this is if you're providing relay services for
a 3rd party and want to apply the restrictions applied to inbound mail
to their transiting mail rather than the different and maybe less strict
ones applied to initial submissions by your direct users.

Well crap. Something I've done has caused the first test to port 465 to
stop working. I'm nearly positive it was working.

[***@tn1] # openssl s_client -connect tn2.myserver.com:465
CONNECTED(00000003)
26351:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
protocol:s23_clnt.c:475:


When I run this command Anonymous is there.
openssl s_client -connect tn2.companypostoffice.com:587 -starttls smtp

Jul 23 19:23:59 tn2 postfix/smtpd[2007]: Anonymous TLS connection
established from tn1.myserver.com[xx.xx.xx.xx]: TLSv1 with cipher
DHE-RSA-AES256-SHA (256/256 bits)

I can also ehlo and issue smtp commands after above.
it's
Well, I spoke too soon there. I'm using Outlooks utilty to "test settings"
where it sends the message. If I send a message locally I can then get it
via POP.
I can only send the message via port 587 (no TLS I don't' think, about to
fix that). I can send and then POP a message using that port as is.

I had Dovecot jacked for a min trying to get mbox format to work, finally
got setting in each of them they were happy with. POPing again now. Can
fine tune that another day (want them in /var/spool/mail/user, have them in
HOME/mail/inbox).
while
the
that.
Re why do I care: I do not and will defer to your experience on this point
for sure. I was just replicating (trying to) what I had. If it's not
needed anymore I'm ALL FOR getting rid of it and making it simpler. I only
have a few local accounts on the box. Everything else is relayed . Old OL
versions are not an issue

So I need to get rid of the 465 setupand get 587 working right...Check.
But, I'm not sure how to do that right :(

So, here's my master.cf below. I'd be extremely grateful for any
pruning/editing
How do I change the level? I only know how to add the -v
guesses.
I've been using my original config that I've used for years, and editing it
as I go trying to get it to work. I'm a little lost at this point. I'll
post what I have in its current state
to
mail
I've done above on 465 and 587, they appear the same in the telnet replies,
both accept smtp commands or START TLS. Agree, need to get that fixed.
It's the whole point of having this stuff.
setting
3rd
applied to
Here's my master.cf Again, very grateful for any pointers on fixing it.

And current state of the main.cf I'm going to leave it alone.

I'm posting the bulk of master.cf. In case it's easier to see what I've
commented or not. I left off the tail end where I had nothing uncommented
from the stock file.


master.cf:
=================================
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
#smtp inet n - n - - smtpd
#smtp inet n - n - 1 postscreen
#smtpd pass - - n - - smtpd
#dnsblog unix - - n - 0 dnsblog
#tlsproxy unix - - n - 0 tlsproxy
#submission inet n - n - - smtpd
# -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - n - - smtpd
# -o syslog_name=postfix/smtps
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING

#####################################
#####################################
#port 465
# my inbound mail comes here
smtps inet n - n - - smtpd -v
# next line below so I don't filter the mail I send in via 465
# -o content_filter=
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_tls_wrappermode=yes
# -o syslog_name=postfix/smtps
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o smtpd_sasl_security_options=noanonymous
-o smtpd_sasl_local_domain=$myhostname
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_sender_login_maps=hash:/etc/postfix/virtual
-o smtpd_sender_restrictions=reject_sender_login_mismatch
-o
smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipi
ent_domain,permit_sasl_authenticated,reject


#port 587
submission inet n - n - - smtpd -v
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-o smtpd_sasl_auth_enable=yes
# -o smtpd_enforce_tls=yes
# -o smtpd_etrn_restrictions=reject
#
#
smtp-amavis unix - - n - 3 smtp
# -o smtpd_data_done_timeout=1200s
-o disable_dns_lookups=yes
-o smtp_send_xforward_command=yes

# Amavis config:
# These are the usual input "smtpd" and local "pickup" servers already
# present in master.cf. We add an option to select a non-default
# cleanup service.
#
smtp inet n - n - - smtpd -v
-o cleanup_service_name=pre-cleanup

pickup fifo n - n 60 1 pickup
-o cleanup_service_name=pre-cleanup
#
#
# The following is the cleanup daemon that handles messages in front of
# the content filter. It does header_checks and body_checks (if any), but
# does no virtual alias or canonical address mapping, so that mail comes
# to a content filter with original recipient addresses still intact.
#
# Virtual alias or canonical address mapping happens in the second
# cleanup phase after the content filter. This gives the content_filter
# access to largely unmodified addresses for maximum flexibility.
#
# Note that some sites may specifically want to perform canonical and/or
# virtual address mapping in front of the content_filter. However, in that
# case you still have to enable address rewriting in the after-filter
cleanup
# instance in order to correctly process forwarded mail or bounced mail.

# handle both the canonicalization and virtual_alias_maps later
# (this will provide content filter with largely unmodified addresses)
#
pre-cleanup unix n - n - 0 cleanup
-o virtual_alias_maps=
-o canonical_maps=
-o sender_canonical_maps=
-o recipient_canonical_maps=
-o masquerade_domains=

# The following is the normal cleanup daemon. No header or body checks here,
# because these have already been taken care of by the pre-cleanup service
# before the content filter. The normal cleanup instance does all
# the virtual alias and canonical address mapping that was disabled
# in the pre-cleanup instance before the content filter.
#
cleanup unix n - n - 0 cleanup
-o mime_header_checks=
-o nested_header_checks=
-o body_checks=
# -o header_checks=
# or use second-stage header checks, to be able to place mail bombs on HOLD
# -o header_checks=pcre:/etc/postfix/header_checks2
# consider also:
# -o always_bcc=***@example.com


127.0.0.1:10025 inet n - n - - smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks_style=host
-o mynetworks=127.0.0.0/8
-o strict_rfc821_envelopes=yes
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o
receive_override_options=no_header_body_checks,no_unknown_recipient_checks


#######################################
######################################

#628 inet n - n - - qmqpd
###pickup unix n - n 60 1 pickup
###cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
#


=================================


Main.cf (postconf -n)
=================================
[***@tn2 shorton]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
home_mailbox = mail/inbox
html_directory = no
inet_interfaces = $myhostname, localhost
inet_protocols = ipv4
local_recipient_maps = hash:/etc/postfix/local_recipient
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = tn2.myserver.com
myhostname = tn2.myserver.com
mynetworks = localhost, $mydomain, x.x.x.x./32
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
relay_domains = nnnn.com
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_helo_required = yes
smtpd_recipient_limit = 2500
smtpd_recipient_restrictions = reject_invalid_hostname,
reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient,
reject_unknown_sender_domain, reject_unknown_recipient_domain,
permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination,
check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
check_helo_access hash:/etc/postfix/helo_checks, check_sender_access
hash:/etc/postfix/sender_checks, check_client_access
hash:/etc/postfix/client_checks, check_client_access
pcre:/etc/postfix/client_checks.pcre, check_recipient_access
hash:/etc/postfix/access, reject_rbl_client zen.spamhaus.org
reject_rbl_client psbl.surriel.com, reject_rbl_client bl.spamcop.net,
check_policy_service unix:postgrey/socket, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
smtpd_tls_cert_file = /etc/postfix/certs/tn2.myserver.com.crt
smtpd_tls_key_file = /etc/postfix/certs/tn2.myserver.com.key
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
=================================

Commenting out "-o smtpd_tls_wrappermode=yes" is rather unwise for port 465

Thanks Victor. It's probably where I was turning off things on this new box
to troubleshoot, or following some howto on the web in desperation. It is
un-commented on my production box.

I understand I don't need the 465 port anymore from a different poster. My
production box was set up a long time ago. I used the Oriley book, a
popular guide from HughesJR.com (gone now), and Jim Seymours Postfix
anti-UCE configuration, and notes from the occasional question on this
maillist a long time ago. I'd like to get back to that setup as it has
worked very well for many years. Just can't seem to get it all working on
Centos 7. :(

Thanks,
Scott

Don't waste our time posting configuration data from the wrong machine.
If you have mail clients that only support port 465 wrapper-mode SSL rather
than STARTTLS, you'll the port 465 service. Strident views to the contrary
don't change the facts. Good luck.

I won't. I didn't. The posted configs are from the box I'm working on now.
Was just mentioning the other one to explain the commented line. Thank you
for the advice on that line in any case.
I do not have any such clients unless Outlook 2007 is one of them? If it is
I can upgrade that. Anyway, I understand the point, thank you.
I misspoke from being tired. The book I used was yours and Patrick's (Book
of Postfix 2005), had almost forgot about it. Last time I had to do this
was 2010. Had no trouble then.

Excuse my digression, back to my issue then...

The problem is occurring with MS Outlook 2007. Can't get it to work on 465
or 587.

For the 587/submission port I changed it to the settings from Patrick
Koetter's guide
(http://postfix.state-of-mind.de/patrick.koetter/smtpauth/postfix_tls_suppor
t.html)

## TLS
# Transport Layer Security
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/postfix/certs/tn2.myserver.com.key
smtpd_tls_cert_file = /etc/postfix/certs/tn2.myserver.com.crt
smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom


In master.cf I changed submission section to below for testing, Commented
some restrictions for now to test.

submission inet n - n - - smtpd -v
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
# -o smtpd_sasl_security_options=noanonymous
-o smtpd_sasl_local_domain=$myhostname
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_sender_login_maps=hash:/etc/postfix/virtual_users
# -o smtpd_sender_restrictions=reject_sender_login_mismatch
# -o
smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipi
ent_domain,permit_sasl_authenticated,reject


I can send a mail via telnet from a different server to 587 (or 465)
including SASL authentication using:
openssl s_client -connect tn2.myserver.com:587 -starttls smtp -crlf
I used
echo -ne '\0myusername\0thatpassword' | openssl enc -base64
to generate the credentials for AUTH PLAIN

I'm shown the certificate then I ehlo through quit and the server delivers
the message to the local account I sent it to. The Outlook box retrieves it
via POP.

I also tried the same command above from a linux machine on the same
(home)IP as my desktop Outlook PC, it too will let me send a message through
the submission port 587 using the openssl comand above.

But if I try to send from Outlook to port 587, the connection fails.

Outlook's "Test account settings" reports: "Send test e-mail message: None
of the authentication methods supported by this client are supported by your
server."

The log from the Outlook connection here: hh.hh.hh.hh is my home/Outlook
PC's IP address

Jul 24 13:35:11 tn2 postfix/smtpd[9553]: name_mask: ipv4
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: inet_addr_local: configured 2 IPv4
addresses
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: process generation: 102 (102)
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: mynetworks ~?
debug_peer_list
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: mynetworks ~?
fast_flush_domains
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: mynetworks ~?
mynetworks
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: relay_domains ~?
debug_peer_list
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: relay_domains ~?
fast_flush_domains
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: relay_domains ~?
mynetworks
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: relay_domains ~?
permit_mx_backup_networks
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: relay_domains ~?
qmqpd_authorized_clients
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: relay_domains ~?
relay_domains
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string:
permit_mx_backup_networks ~? debug_peer_list
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string:
permit_mx_backup_networks ~? fast_flush_domains
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string:
permit_mx_backup_networks ~? mynetworks
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string:
permit_mx_backup_networks ~? permit_mx_backup_networks
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: Compiled against Berkeley DB:
5.3.21?
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: Run-time linked against Berkeley
DB: 5.3.21?
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: dict_open:
hash:/etc/postfix/local_recipient
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: Compiled against Berkeley DB:
5.3.21?
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: Run-time linked against Berkeley
DB: 5.3.21?
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: dict_open:
hash:/etc/postfix/relay_recipients
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: smtpd_access_maps ~?
debug_peer_list
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: smtpd_access_maps ~?
fast_flush_domains
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: smtpd_access_maps ~?
mynetworks
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: smtpd_access_maps ~?
permit_mx_backup_networks
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: smtpd_access_maps ~?
qmqpd_authorized_clients
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: smtpd_access_maps ~?
relay_domains
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: smtpd_access_maps ~?
smtpd_access_maps
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: Compiled against Berkeley DB:
5.3.21?
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: Run-time linked against Berkeley
DB: 5.3.21?
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: dict_open:
hash:/etc/postfix/virtual_users
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: dict_open:
pcre:/etc/postfix/recipient_checks.pcre
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: Compiled against Berkeley DB:
5.3.21?
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: Run-time linked against Berkeley
DB: 5.3.21?
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: dict_open:
hash:/etc/postfix/helo_checks
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: Compiled against Berkeley DB:
5.3.21?
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: Run-time linked against Berkeley
DB: 5.3.21?
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: dict_open:
hash:/etc/postfix/sender_checks
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: Compiled against Berkeley DB:
5.3.21?
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: Run-time linked against Berkeley
DB: 5.3.21?
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: dict_open:
hash:/etc/postfix/client_checks
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: dict_open:
pcre:/etc/postfix/client_checks.pcre
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: Compiled against Berkeley DB:
5.3.21?
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: Run-time linked against Berkeley
DB: 5.3.21?
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: dict_open: hash:/etc/postfix/access
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: auto_clnt_create: transport=unix
endpoint=postgrey/socket
Jul 24 13:35:11 tn2 postfix/smtpd[9553]:
unknown_helo_hostname_tempfail_action = defer_if_permit
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: unknown_address_tempfail_action =
defer_if_permit
Jul 24 13:35:11 tn2 postfix/smtpd[9553]:
unverified_recipient_tempfail_action = defer_if_permit
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: unverified_sender_tempfail_action =
defer_if_permit
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: name_mask: 1
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: auto_clnt_create: transport=local
endpoint=private/tlsmgr
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: auto_clnt_open: connected to
private/tlsmgr
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: send attr request = seed
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: send attr size = 32
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: private/tlsmgr: wanted attribute:
status
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: input attribute name: status
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: input attribute value: 0
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: private/tlsmgr: wanted attribute:
seed
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: input attribute name: seed
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: input attribute value:
sJ+G2MxfuwihHC4oCnIKRmXxz3FZti5SGanqlneSiqE=
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: private/tlsmgr: wanted attribute:
(list terminator)
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: input attribute name: (end)
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: send attr request = policy
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: send attr cache_type = smtpd
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: private/tlsmgr: wanted attribute:
status
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: input attribute name: status
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: input attribute value: 0
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: private/tlsmgr: wanted attribute:
cachable
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: input attribute name: cachable
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: input attribute value: 0
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: private/tlsmgr: wanted attribute:
(list terminator)
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: input attribute name: (end)
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: fast_flush_domains ~?
debug_peer_list
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_string: fast_flush_domains ~?
fast_flush_domains
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: auto_clnt_create: transport=local
endpoint=private/anvil
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: connection established
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: master_notify: status 0
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: name_mask: resource
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: name_mask: software
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: connect from
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net[hh.hh.hh.hh]
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_list_match:
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net: no match
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_list_match: hh.hh.hh.hh: no
match
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_list_match:
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net: no match
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_list_match: hh.hh.hh.hh: no
match
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: smtp_stream_setup: maxtime=300
enable_deadline=0
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_hostname:
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net ~? localhost
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_hostaddr: hh.hh.hh.hh ~?
localhost
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_hostname:
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net ~? tn2.myserver.com
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_hostaddr: hh.hh.hh.hh ~?
tn2.myserver.com
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_hostname:
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net ~? 65.183.104.20/32
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_hostaddr: hh.hh.hh.hh ~?
65.183.104.20/32
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_hostname:
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net ~? hh.hh.hh.hh/32
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_hostaddr: hh.hh.hh.hh ~?
hh.hh.hh.hh/32
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: >
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net[hh.hh.hh.hh]: 220
tn2.myserver.com ESMTP Postfix
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: <
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net[hh.hh.hh.hh]: EHLO HDPLEX2
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_list_match:
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net: no match
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_list_match: hh.hh.hh.hh: no
match
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: >
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net[hh.hh.hh.hh]:
250-tn2.myserver.com
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: >
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net[hh.hh.hh.hh]: 250-PIPELINING
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: >
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net[hh.hh.hh.hh]: 250-SIZE 10240000
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: >
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net[hh.hh.hh.hh]: 250-ETRN
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: >
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net[hh.hh.hh.hh]: 250-STARTTLS
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: >
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net[hh.hh.hh.hh]:
250-ENHANCEDSTATUSCODES
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: >
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net[hh.hh.hh.hh]: 250-8BITMIME
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: >
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net[hh.hh.hh.hh]: 250 DSN
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: smtp_get: EOF
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_hostname:
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net ~? localhost
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_hostaddr: hh.hh.hh.hh ~?
localhost
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_hostname:
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net ~? tn2.myserver.com
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_hostaddr: hh.hh.hh.hh ~?
tn2.myserver.com
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_hostname:
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net ~? 65.183.104.20/32
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_hostaddr: hh.hh.hh.hh ~?
65.183.104.20/32
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_hostname:
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net ~? hh.hh.hh.hh/32
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: match_hostaddr: hh.hh.hh.hh ~?
hh.hh.hh.hh/32
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: lost connection after EHLO from
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net[hh.hh.hh.hh]
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: disconnect from
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net[hh.hh.hh.hh]
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: master_notify: status 1
Jul 24 13:35:11 tn2 postfix/smtpd[9553]: connection closed
Jul 24 13:35:16 tn2 postfix/smtpd[9553]: auto_clnt_close: disconnect
private/tlsmgr stream





=====================
Full postconf -n and master.cf
=====================

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
home_mailbox = mail/inbox
html_directory = no
inet_interfaces = $myhostname, localhost
inet_protocols = ipv4
local_recipient_maps = hash:/etc/postfix/local_recipient
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = tn2.myserver.com
myhostname = tn2.myserver.com
mynetworks = localhost, $mydomain, ww.ww.ww.ww/32, hh.hh.hh.hh/32
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
relay_domains = mlec.com
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_helo_required = yes
smtpd_recipient_limit = 2500
smtpd_recipient_restrictions = reject_invalid_hostname,
reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient,
reject_unknown_sender_domain, reject_unknown_recipient_domain,
permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination,
check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
check_helo_access hash:/etc/postfix/helo_checks, check_sender_access
hash:/etc/postfix/sender_checks, check_client_access
hash:/etc/postfix/client_checks, check_client_access
pcre:/etc/postfix/client_checks.pcre, check_recipient_access
hash:/etc/postfix/access, reject_rbl_client zen.spamhaus.org
reject_rbl_client psbl.surriel.com, reject_rbl_client bl.spamcop.net,
check_policy_service unix:postgrey/socket, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
smtpd_tls_cert_file = /etc/postfix/certs/tn2.myserver.com.crt
smtpd_tls_key_file = /etc/postfix/certs/tn2.myserver.com.key
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550


=====================
postconf -M
=====================


smtps inet n - n - - smtpd -v
-o smtpd_tls_wrappermode=yes
-o syslog_name=postfix/smtps
submission inet n - n - - smtpd -v
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes -o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o smtpd_sasl_local_domain=$myhostname
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_sender_login_maps=hash:/etc/postfix/virtual_users
smtp-amavis unix - - n - 3 smtp -o
disable_dns_lookups=yes -o smtp_send_xforward_command=yes
smtp inet n - n - - smtpd -v -o
cleanup_service_name=pre-cleanup
pickup fifo n - n 60 1 pickup -o
cleanup_service_name=pre-cleanup
pre-cleanup unix n - n - 0 cleanup -o
virtual_alias_maps= -o canonical_maps= -o sender_canonical_maps= -o
recipient_canonical_maps= -o masquerade_domains=
cleanup unix n - n - 0 cleanup -o
mime_header_checks= -o nested_header_checks= -o body_checks=
127.0.0.1:10025 inet n - n - - smtpd -o
content_filter= -o local_recipient_maps= -o relay_recipient_maps= -o
smtpd_restriction_classes= -o smtpd_delay_reject=no -o
smtpd_client_restrictions=permit_mynetworks,reject -o
smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o
smtpd_recipient_restrictions=permit_mynetworks,reject -o
mynetworks_style=host -o mynetworks=127.0.0.0/8 -o
strict_rfc821_envelopes=yes -o smtpd_client_connection_count_limit=0 -o
smtpd_client_connection_rate_limit=0 -o
receive_override_options=no_header_body_checks,no_unknown_recipient_checks
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache

Many versions of Outlook don't support port 587 STARTTLS submission,
they only support wrappner mode on port 465.
The server did not offer SASL "AUTH" in its EHLO reply. Perhaps
Outlook does not support delayed "AUTH" advertisement after STARTTLS,
however see below.
Client gives up after EHLO and before STARTTLS, perhaps because
"AUTH" is missing, however you don't have "smtpd_tls_auth_only =
yes", in your reported configuration, so if SASL is enabled at
compile-time, perhaps your dovecot auth socket is not configured
in the correct location or has the wrong permissions. There
would then be warnings in the logs related to that problem.

Otherwise, the absense of "AUTH" in the EHLO reply might be
a configuration issue with dovecot, or is rather mysterious.

Perhaps you're reporting something other than the configuration
that Outlook is talking to.

Well, at least no AUTH was something to go on, thanks, I missed that detail.
Checked the socket path setting and the file permissions, all looked good
there.

I Found what I hope is the main issue and cure. Since I was able to send a
message to the server from an iPhone, I'm getting close.

Noob error but its something I haven't set in a while, didn't realize it was
there. An Outlook drop down for "Use the following type of encrypted
connection: None, SSL, TLS, or Auto. It was set to none. Fixed.

Now if I try to connect I get the AUTH

But the message is rejected with recipient address restrictions:

Jul 24 15:35:28 tn2 postfix/smtpd[10358]: >>> START Recipient address
RESTRICTIONS <<<
Jul 24 15:35:28 tn2 postfix/smtpd[10358]: generic_checks:
name=reject_invalid_hostname
Jul 24 15:35:28 tn2 postfix/smtpd[10358]: reject_invalid_hostname: HDPLEX2
Jul 24 15:35:28 tn2 postfix/smtpd[10358]: generic_checks:
name=reject_invalid_hostname status=0
Jul 24 15:35:28 tn2 postfix/smtpd[10358]: generic_checks:
name=reject_non_fqdn_hostname
Jul 24 15:35:28 tn2 postfix/smtpd[10358]: reject_non_fqdn_hostname: HDPLEX2
Jul 24 15:35:28 tn2 postfix/smtpd[10358]: NOQUEUE: reject: RCPT from
hh-hh-hh-hh.lightspeed.nsvltn.sbcglobal.net[hh.hh.hh.hh]: 504 5.5.2
<HDPLEX2>: Helo command rejected: need fully-qualified hostname;
from=<***@tn2.myserver.com> to=<***@tn2.myserver.com> proto=ESMTP
helo=<HDPLEX2>
Jul 24 15:35:28 tn2 postfix/smtpd[10358]: generic_checks:
name=reject_non_fqdn_hostname status=2
Jul 24 15:35:28 tn2 postfix/smtpd[10358]: >>> END Recipient address
RESTRICTIONS <<<


The client PC's "name" is HDPLEX2. Is there a (safe) workaround to this
without changing all my Windows PC's to FQDN names?

I'm curious: what did you set it to? (or what *should* I set it to.)
Without a STARTTLS option, what is most likely to work?

Don't use reject_non_fqdn_xxx with the master.cf 'submission' and
'smtps' services.

Instead use this in master.cf:

submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
-o smtpd_client_restrictions=$mua_client_restrictions
-o smtpd_helo_restrictions=$mua_helo_restrictions
-o smtpd_sender_restrictions=$mua_sender_restrictions
-o smtpd_recipient_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - n - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
-o smtpd_client_restrictions=$mua_client_restrictions
-o smtpd_helo_restrictions=$mua_helo_restrictions
-o smtpd_sender_restrictions=$mua_sender_restrictions
-o smtpd_recipient_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING

and specify mua_client_restrictions, mua_helo_restrictions, and
mua_sender_restrictions in master.cf.

Oh, and DON'T TURN ON VERBOSE LOGGING unless someone tells you
to turn it on. It is totally unnecessary to debug this case.

Wietse

The last "master.cf" should be "main.cf".

Check.
mua_sender_restrictions in master.cf.
Done.

And I finally got a message to pass via submission from Outlook. <happy
dance>

What are good/reasonable restrictions to add for the submission service? I
will only have typical consumer useers using Windows Outlook and iPhone's to
send mail through that port once authenticated. On my old box I only have

smtpd_recipient_restrictions=permit_sasl_authenticated,reject

And that was working fine. Anything else I need to add to the mua
restrictions while I'm at it.

I'm so relieved to get this past this Outlook-send hurdle.


=================================================================
postconf -n
=================================================================
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
home_mailbox = mail/inbox
html_directory = no
inet_interfaces = $myhostname, localhost
inet_protocols = ipv4
local_recipient_maps = hash:/etc/postfix/local_recipient
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
# New
####################################
mua_client_restrictions = permit_sasl_authenticated, reject
mua_helo_restrictions =
mua_sender_restrictions =
###################################
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = tn2.myserver.com
myhostname = tn2.myserver.com
mynetworks = localhost, $mydomain, x.x.x.x/32, y.y.y.y/32
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
relay_domains = xxx.com
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_helo_required = yes
smtpd_recipient_limit = 2500
smtpd_recipient_restrictions = reject_invalid_hostname,
reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient,
reject_unknown_sender_domain, reject_unknown_recipient_domain,
permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination,
check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
check_helo_access hash:/etc/postfix/helo_checks, check_sender_access
hash:/etc/postfix/sender_checks, check_client_access
hash:/etc/postfix/client_checks, check_client_access
pcre:/etc/postfix/client_checks.pcre, check_recipient_access
hash:/etc/postfix/access, reject_rbl_client zen.spamhaus.org
reject_rbl_client psbl.surriel.com, reject_rbl_client bl.spamcop.net,
check_policy_service unix:postgrey/socket, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
smtpd_tls_cert_file = /etc/postfix/certs/tn2.myserver.com.crt
smtpd_tls_key_file = /etc/postfix/certs/tn2.myserver.com.key
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550


=================================================================
Master.cf
=================================================================
submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o smtpd_sasl_security_options=noanonymous
-o smtpd_sasl_local_domain=$myhostname
-o smtpd_client_restrictions=$mua_client_restrictions
-o smtpd_helo_restrictions=$mua_helo_restrictions
-o smtpd_sender_restrictions=$mua_sender_restrictions
-o smtpd_recipient_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING

smtp-amavis unix - - n - 3 smtp -o
disable_dns_lookups=yes -o smtp_send_xforward_command=yes
smtp inet n - n - - smtpd -v -o
cleanup_service_name=pre-cleanup
pickup fifo n - n 60 1 pickup -o
cleanup_service_name=pre-cleanup
pre-cleanup unix n - n - 0 cleanup -o
virtual_alias_maps= -o canonical_maps= -o sender_canonical_maps= -o
recipient_canonical_maps= -o masquerade_domains=
cleanup unix n - n - 0 cleanup -o
mime_header_checks= -o nested_header_checks= -o body_checks=

127.0.0.1:10025 inet n - n - - smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks_style=host
-o mynetworks=127.0.0.0/8
-o strict_rfc821_envelopes=yes
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o
receive_override_options=no_header_body_checks,no_unknown_recipient_checks

qmgr unix n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache

Outlook misnames STARTTLS as "TLS". TLS wrappermode is what outlook
calls "SSL".


Peter

Minor bit of pedantry:

Short form:
A MUA that supports any version of TLS or STARTTLS has no excuse for not
supporting both. A server offering port 465 "wrappermode" is
implementing a service not described in any formal spec except for
proprietary 1996 SSLv3 drafts, i.e. NEVER mentioned in any TLS
specification. So, if a MUA offers SSL and TLS as distinct encryption
choices, it should be clear how those map to the concrete technical
options: SSL=wrappermode, TLS=STARTTLS.

Longer form:
The only specification for SMTP wrapped in transport encryption of the
TLS/SSL heritage was in a series of 1996 Netscape SSLv3 drafts, the last
of which got published in abridged form 15 years after the fact as the
explicitly historical RFC6101, with all references to a reserved port
for "SMTPS" (wrappermode) removed. It is not unreasonable for "SSL" to
refer to wrappermode, since there's no spec for TLS wrapping SMTP in
that way and no description in any version SSL of any mechanism for a
STARTTLS-like upgrade from an initially unencrypted session. It's
trivial to support TLS in a "wrappermode" deployment and probably harder
to avoid than the principle could be worth, but what formal spec exists
for SMTP wrapped in encryption from the initial connect is only for
SSLv3 and NOT any version of TLS. Similarly, there's no formal reason
for a STARTTLS implementation to support any version of SSL, although
many unfortunately do. It pains me to say it, but Outlook is right in
this case.

Rant:
There are blatantly obvious "Best Practices" in this area now and have
been for at least a decade, but software including most MUAs and most
MTAs including Postfix haven't adopted them as default, well-documented
config & behavior yet. Port 25 for inbound and authenticated transit
(relay) SMTP with opportunistic encryption. Port 587 for submission
requiring encryption with authentication inside the encryption, nothing
less than TLSv1.0. Port 465 wrappermode only where absolutely necessary
on a temporary provisional basis for clients that can't do TLS (and
hence STARTTLS.) This model is not hard to deploy: it's documented for
and supported by most if not all major MTAs, it's just not generally the
model that documentation and default configs focus on. We need to adjust
our thinking in Postfix terms to the idea that smtpd and submission are
distinct services that incidentally share a similar set of options,
somewhat like smtp and lmtp. In 2016, a need to use "permit_mynetworks"
or deploy port 465 wrappermode or allow SSLv3 for STARTTLS clients
should be treated as technical debt that demands retirement. Sure, many
sites need such crutches now and will for many years, but we should
recognize that reliance on authentication by IP and obsolete and/or
weakly-specified security mechanisms are bad things that we should work
to eliminate, rather than norms we should be cargo-culting into eternity
because some antique docs describe them.