Different treatment of ports 465 and 587 between postfix versions 2.9 and 3.1


Chris Green-11
I am running postfix 3.1.0 on an xubuntu 16.04 system and postfix 2.9.6
on a Raspberry Pi running Debian.

They seem to act very differently as regards the use of ports 465 and
587 and I'd like things clarified so I can understand better.

I use both postfix installations to send outgoing E-Mail (i.e. mail
which is leaving my home LAN) to my hosting company's servers.  Their
documentation says that I should use port 465 and TLS to connect to
the SMTP server.

On the postfix 3.1 system this works, I specify port 465 in main.cf
and everything is as it should be.  The local additions and changes to
main.cf are as follows:-

    smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
    myhostname = esprimo.zbmc.eu
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = zbmc.eu
    mydestination = zbmc.eu esprimo.zbmc.eu, esprimo, chris.zbmc.eu
    relayhost = [mail3.gridhost.co.uk]:465
    mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    inet_protocols = ipv4
    smtp_sasl_auth_enable = yes
    smtp_tls_wrappermode = yes
    smtp_tls_security_level = encrypt
    smtp_sasl_tls_security_options = noanonymous
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    message_size_limit = 120480000
    compatibility_level = 2


However on the postfix 2.9 installation on the raspberry pi using port
465 fails.  What I see in /var/log/mail.log when sending a mail is as
follows:-

    Feb 17 15:07:06 pi postfix/pickup[20154]: 1C9A322C52: uid=1000 from=<chris>
    Feb 17 15:07:06 pi postfix/cleanup[20187]: 1C9A322C52: message-id=<[hidden email]>
    Feb 17 15:07:06 pi postfix/qmgr[20153]: 1C9A322C52: from=<[hidden email]>, size=293, nrcpt=1 (queue active)
    Feb 17 15:07:06 pi postfix/smtp[20189]: CLIENT wrappermode (port smtps/465) is unimplemented
    Feb 17 15:07:06 pi postfix/smtp[20189]: instead, send to (port submission/587) with STARTTLS
    Feb 17 15:08:06 pi postfix/smtp[20189]: 1C9A322C52: to=<[hidden email]>, relay=mail3.gridhost.co.uk[95.142.156.18]:465, delay=60, delays=0.16/0.21/60/0, dsn=4.4.2, status=deferred (lost connection with mail3.gridhost.co.uk[95.142.156.18] while receiving the initial server greeting)

If (as the above suggests) I change to port 587 then everything works
OK.

The relevant parts of main.cf on the Raspberry Pi are:-

    # smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
    myhostname = zbmc.eu
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = zbmc.eu
    mydestination = pi.zbmc.eu, localhost.zbmc.eu, localhost
    relayhost = [mail3.gridhost.co.uk]:587
    mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    inet_protocols = ipv4
    smtp_sasl_auth_enable = yes
    smtp_tls_security_level = encrypt
    smtp_sasl_tls_security_options = noanonymous
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    message_size_limit = 120480000
    # smtp_generic_maps = hash:/etc/postfix/generic

As you can see it's basically the same as the other one, except that
it needs port 587 instead of 465.

Can anyone explain this please?  I assume it's due to some change
between postfix 2.9 and postfix 3.1 but I may be entirely wrong, I'm
hardly a postfix expert.  Alternatively could there be some difference
in the default installation set-up between the Debian on the Pi and
Xubuntu on the other machine?

Ah, I've maybe just spotted the reason, smtp_tls_wrappermode is new in
postfix 3, is that what makes the difference?  I'd still like a simple
explanation though!  :-)


--
Chris Green

Re: Different treatment of ports 465 and 587 between postfix versions 2.9 and 3.1

Chris Green-11
[snip long message]

Sorry about the duplicate, you can see I really am having trouble with
my E-Mail!  :-)

--
Chris Green

RE: Different treatment of ports 465 and 587 between postfix versions 2.9 and 3.1

Fazzina, Angelo
In reply to this post by Chris Green-11
Hi,
I thought the master.cf file is where you config what protocol to listen for ?

Submission  or SMTPS

I'm no expert either, just curious what your setup is.
-ALF

-Angelo Fazzina
Operating Systems Programmer / Analyst
University of Connecticut,  UITS, SSG, Server Systems
860-486-9075


Re: Different treatment of ports 465 and 587 between postfix versions 2.9 and 3.1

Dominic Raferd
On 17 February 2017 at 19:38, Fazzina, Angelo <[hidden email]> wrote:

> Hi,
> I thought the master.cf file is where you config what protocol to listen for ?
>
> Submission  or SMTPS
>
> I'm no expert either, just curious what your setup is.
> -ALF
>
> -Angelo Fazzina
> Operating Systems Programmer / Analyst
> University of Connecticut,  UITS, SSG, Server Systems
> 860-486-9075
>
> -----Original Message-----
> From: [hidden email] [mailto:[hidden email]] On Behalf Of Chris Green
> Sent: Friday, February 17, 2017 10:43 AM
> To: [hidden email]
> Subject: Different treatment of ports 465 and 587 between postfix versions 2.9 and 3.1
>
> I am running postfix 3.1.0 on an xubuntu 16.04 system and postfix 2.9.6
> on a Raspberry Pi running Debian.
>
> They seem to act very differently as regards the use of ports 465 and
> 587 and I'd like things clarified so I can understand better.
>
> I use both postfix installations to send outgoing E-Mail (i.e. mail
> which is leaving my home LAN) to my hosting company's servers.  Their
> documentation says that I should use port 465 and TLS to connect to
> the SMTP server.
>
> ...
> Ah, I've maybe just spotted the reason, smtp_tls_wrappermode is new in
> postfix 3, is that what makes the difference?  I'd still like a simple
> explanation though!  :-)

see http://www.postfix.org/TLS_README.html#client_smtps
- use stunnel for postfix <3.0 (it still works for postfix >=3.0)

Re: Different treatment of ports 465 and 587 between postfix versions 2.9 and 3.1

Chris Green-11
In reply to this post by Chris Green-11
On Fri, Feb 17, 2017 at 07:35:42PM +0000, Chris Green wrote:
> [snip long message]
>
> Sorry about the duplicate, you can see I really am having trouble with
> my E-Mail!  :-)
>
... and I'm talking rubbish anyway, I've got two subscriptions! Aarrgghh!!

--
Chris Green

Re: Different treatment of ports 465 and 587 between postfix versions 2.9 and 3.1

@lbutlr
In reply to this post by Fazzina, Angelo
On 2017-02-17 (12:38 MST), "Fazzina, Angelo" <[hidden email]> wrote:
>
> I thought the master.cf file is where you config what protocol to listen for ?

He is SENDING outbound mail to his upstream, not listening for incoming mail.

As for the original post, 587 is the right port to use anyway, so ignore your ISP's instructions to use the wrong port?

--
Apple broke AppleScripting signatures in Mail.app, so no random signatures.



Re: Different treatment of ports 465 and 587 between postfix versions 2.9 and 3.1

Viktor Dukhovni
In reply to this post by Chris Green-11

> On Feb 17, 2017, at 10:43 AM, Chris Green <[hidden email]> wrote:
>
> Ah, I've maybe just spotted the reason, smtp_tls_wrappermode is new in
> postfix 3, is that what makes the difference?

Yes.

> I'd still like a simple explanation though!  :-)

That's the simple explanation.  SMTP directly over TLS requires the new
feature.  TLS via the SMTP STARTTLS command dates back to Postfix 2.2
(and unofficial patches in even older Postfix versions).

--
        Viktor.


Re: Different treatment of ports 465 and 587 between postfix versions 2.9 and 3.1

Chris Green-11
On Fri, Feb 17, 2017 at 05:24:54PM -0500, Viktor Dukhovni wrote:

>
> > On Feb 17, 2017, at 10:43 AM, Chris Green <[hidden email]> wrote:
> >
> > Ah, I've maybe just spotted the reason, smtp_tls_wrappermode is new in
> > postfix 3, is that what makes the difference?
>
> Yes.
>
> > I'd still like a simple explanation though!  :-)
>
> That's the simple explanation.  SMTP directly over TLS requires the new
> feature.  TLS via the SMTP STARTTLS command dates back to Postfix 2.2
> (and unofficial patches in even older Postfix versions).
>
OK, so the older version is using SMTP STARTTLS which runs on port 587
and the newer (>=3) version is using TLS directly on port 465.

Should it still be possible to use SMTP STARTTLS on port 587 with
newer postfix versions?  I couldn't make this work, or at least I
don't think I could.  I'd be happier using as far as possible the same
configuration on all my installations.

--
Chris Green

Re: Different treatment of ports 465 and 587 between postfix versions 2.9 and 3.1

Viktor Dukhovni

> On Feb 17, 2017, at 5:33 PM, Chris Green <[hidden email]> wrote:
>
> OK, so the older version is using SMTP STARTTLS which runs on port 587

This is how TLS has worked in MTA-to-MTA SMTP for the last > 15 years.

        https://tools.ietf.org/html/rfc3207

> and the newer (>=3) version is using TLS directly on port 465.

No, Postfix 3.0 and later *also* support SMTP over TLS as used
by some systems on port 465.  The submission service on 587 and
the relay service on port 25 continue to support STARTTLS.

To use submission on port 587 the server needs to provide that
service.  If a server only supports "smtps" on 465, then that's
what you need to use.

--
        Viktor.


Re: Different treatment of ports 465 and 587 between postfix versions 2.9 and 3.1

Chris Green-11
On Fri, Feb 17, 2017 at 06:11:44PM -0500, Viktor Dukhovni wrote:

>
> > On Feb 17, 2017, at 5:33 PM, Chris Green <[hidden email]> wrote:
> >
> > OK, so the older version is using SMTP STARTTLS which runs on port 587
>
> This is how TLS has worked in MTA-to-MTA SMTP for the last > 15 years.
>
> https://tools.ietf.org/html/rfc3207
>
> > and the newer (>=3) version is using TLS directly on port 465.
>
> No, Postfix 3.0 and later *also* support SMTP over TLS as used
> by some systems on port 465.  The submission service on 587 and
> the relay service on port 25 continue to support STARTTLS.
>
> To use submission on port 587 the server needs to provide that
> service.  If a server only supports "smtps" on 465, then that's
> what you need to use.
>
The older (2.9.6) and newer (3.1.0) postfix versions that I'm using
are connecting to the same smarthost.  I don't seem to be able to
connect from the 3.1.0 version to the submission service on 587 for
some reason.  Do I have to explicitly say I want to use STARTTLS as
well as connecting to port 587?

The 3.1.0 configuration is currently:-

    smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
    myhostname = esprimo.zbmc.eu
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = zbmc.eu
    mydestination = zbmc.eu esprimo.zbmc.eu, esprimo, chris.zbmc.eu
    relayhost = [mail3.gridhost.co.uk]:465
    mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    inet_protocols = ipv4
    smtp_sasl_auth_enable = yes
    smtp_tls_wrappermode = yes
    smtp_tls_security_level = encrypt
    smtp_sasl_tls_security_options = noanonymous
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    message_size_limit = 120480000
    compatibility_level = 2

What do I need to change to connect successfully to 587?  The 2.9.6
ones already connect successfully to [mail3.gridhost.co.uk]:587 so it
is possible.

Is it that 'smtp_tls_wrappermode = yes' that I need to remove?  I can
see little other difference between the configurations.

Thanks for all the help/explanations so far, I'm really not very good
at all this!

--
Chris Green

Re: Different treatment of ports 465 and 587 between postfix versions 2.9 and 3.1

Peter Ajamian
On 18/02/17 22:56, Chris Green wrote:
> The older (2.9.6) and newer (3.1.0) postfix versions that I'm using
> are connecting to the same smarthost.  I don't seem to be able to
> connect from the 3.1.0 version to the submission service on 587 for
> some reason.

At a WAG you have smtp_tls_wrappermode set to yes.  Wrappermode is for
SMTPS only and does not work for STARTTLS so you need to remove that
setting.

At a guess you probably also set it to yes in your postfix 2.9 but that
setting is not supported in 2.9 so it is simply ignored and wrappermode
is not set.

> Is it that 'smtp_tls_wrappermode = yes' that I need to remove?  I can
> see little other difference between the configurations.

Correct.

Note that SMTPS (port 465) requires wrappermode (not supported in 2.9)
or tunnelling through stunnel.  STARTTLS (587) requires that wrappermode
not be set.


Peter
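
The rule stated in the reply above (port 465 needs wrappermode or stunnel, port 587 needs wrappermode unset, and wrappermode only exists from Postfix 3.0) can be checked mechanically against a main.cf. This is an added example, not part of the thread or of Postfix; `smtp.example.net`, the function names and the finding codes are assumptions made for illustration.

```python
import re

ENFORCING = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}  # TLS mandatory

def parse_main_cf(text):
    """Parse main.cf text: '#' lines are comments, leading whitespace continues a value."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last:
            params[last] += " " + raw.strip()
        elif "=" in raw:
            name, _, value = raw.partition("=")
            last = name.strip()
            params[last] = value.strip()
    return params

def check_relay_tls(main_cf_text, postfix_version):
    """Return {finding_code: advice} for relayhost port / TLS mode mismatches."""
    p = parse_main_cf(main_cf_text)
    m = re.search(r":(\w+)$", p.get("relayhost", ""))
    port = m.group(1) if m else "25"          # no explicit port means plain smtp/25
    wrapper = p.get("smtp_tls_wrappermode", "no").lower() == "yes"
    supported = int(postfix_version.split(".")[0]) >= 3   # wrappermode arrived in 3.0
    findings = {}
    if wrapper and not supported:
        findings["wrappermode_unsupported"] = (
            "smtp_tls_wrappermode is not implemented before Postfix 3.0")
    if port in ("465", "smtps") and not (wrapper and supported):
        findings["smtps_without_wrappermode"] = (
            "port 465 is SMTP directly over TLS: set smtp_tls_wrappermode = yes "
            "on Postfix >= 3.0, tunnel through stunnel, or relay to 587")
    if port in ("25", "smtp", "587", "submission") and wrapper and supported:
        findings["wrappermode_on_starttls_port"] = (
            f"port {port} uses STARTTLS: remove smtp_tls_wrappermode")
    if p.get("smtp_tls_security_level", "") not in ENFORCING:
        findings["tls_not_mandatory"] = (
            "smtp_tls_security_level does not make TLS mandatory for the relay")
    return findings

def sample(port, wrappermode):
    """Constructed main.cf fragment; smtp.example.net is a placeholder relay."""
    lines = [f"relayhost = [smtp.example.net]:{port}",
             "smtp_sasl_auth_enable = yes",
             "smtp_tls_security_level = encrypt"]
    if wrappermode:
        lines.append("smtp_tls_wrappermode = yes")
    return "\n".join(lines)

if __name__ == "__main__":
    for version, port, wm in [("3.1.0", 465, True), ("2.9.6", 465, False),
                              ("3.1.0", 587, True), ("2.9.6", 587, False)]:
        print(version, port, wm, sorted(check_relay_tls(sample(port, wm), version)))
```

The four cases in the main block correspond to the working 3.1 setup, the failing 2.9 attempt on 465, the 3.1 attempt on 587 with wrappermode left on, and the working 2.9 setup on 587.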

Re: Different treatment of ports 465 and 587 between postfix versions 2.9 and 3.1

Chris Green-11
On Sat, Feb 18, 2017 at 11:30:08PM +1300, Peter wrote:

> On 18/02/17 22:56, Chris Green wrote:
> > The older (2.9.6) and newer (3.1.0) postfix versions that I'm using
> > are connecting to the same smarthost.  I don't seem to be able to
> > connect from the 3.1.0 version to the submission service on 587 for
> > some reason.
>
> At a WAG you have smtp_tls_wrappermode set to yes.  Wrappermode is for
> SMTPS only and does not work for STARTTLS so you need to remove that
> setting.
>
> At a guess you probably also set it to yes in your postfix 2.9 but that
> setting is not supported in 2.9 so it is simply ignored and wrappermode
> is not set.
>
> > Is it that 'smtp_tls_wrappermode = yes' that I need to remove?  I can
> > see little other difference between the configurations.
>
> Correct.
>
> Note that SMTPS (port 465) requires wrappermode (not supported in 2.9)
> or tunnelling through stunnel.  STARTTLS (587) requires that wrappermode
> not be set.
>
>
Thanks.  I think I'll disappear now, for a while at least.  :-)

--
Chris Green