Investigating iPhone Compatibility


Investigating iPhone Compatibility

asai
Greetings,

We're starting to incorporate iPhone users into our email system.  Sometimes we seem to be having trouble with mail being delayed for a long time before the phone will connect to the server and send the mail.  I don't really have any idea what this is.  I've looked through the logs, but I'm not seeing anything really telling.  I have recently turned on TLS debugging and hope to glean something useful from that.  We have SSL turned on on the iPhone, but do not have the so-called wrapper mode turned on, and it seems to be working fine in most cases.  Does anyone have any experience with managing iPhones and Postfix who can share with me something of value?

Thank you.

[root@triata ~]# postconf -n
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavisfeed:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
html_directory = no
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/local/man
maximal_backoff_time = 600s
maximal_queue_lifetime = 1d
message_size_limit = 0
minimal_backoff_time = 300s
mydomain = globalchangemultimedia.net
myhostname = triata.globalchangemultimedia.net
newaliases_path = /usr/bin/newaliases
postscreen_access_list = permit_mynetworks
postscreen_bare_newline_action = enforce
postscreen_bare_newline_enable = yes
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*2    bl.spamcop.net*1 b.barracudecentral.org*1
postscreen_dnsbl_threshold = 2
postscreen_greet_action = drop
postscreen_non_smtp_command_action = enforce
postscreen_non_smtp_command_enable = yes
postscreen_pipelining_action = enforce
postscreen_pipelining_enable = yes
queue_directory = /var/spool/postfix
queue_run_delay = 300s
readme_directory = no
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
show_user_unknown_table_name = no
smtp_sasl_mechanism_filter = plain, login
smtp_tls_loglevel = 2
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql_blacklist,     permit_sasl_authenticated,    permit
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,     check_helo_access mysql:/etc/postfix/mysql_helo_restrictions.cf,    permit_sasl_authenticated,        reject_invalid_hostname,    permit
smtpd_recipient_restrictions = permit_mynetworks,        permit_sasl_authenticated,        reject_invalid_hostname,        reject_non_fqdn_sender,        reject_non_fqdn_recipient,        reject_unknown_sender_domain,        reject_unauth_destination,        check_recipient_access mysql:/etc/postfix/mysql_restricted_recipients.cf,        permit
smtpd_restriction_classes = webdev_only, gcmm_only, local_only, unrestricted
smtpd_sasl_auth_enable = yes
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql_restricted_senders.cf,        permit_sasl_authenticated,    permit_mynetworks,            reject_non_fqdn_sender,     reject_unknown_sender_domain,    permit
smtpd_tls_cert_file = /etc/postfix/ssl/triata.globalchangemultimedia.net.pem
smtpd_tls_key_file = /etc/postfix/ssl/triata.key
smtpd_tls_loglevel = 0
smtpd_tls_received_header = no
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_session_cache
soft_bounce = yes
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:1001
virtual_mailbox_base = /vmail
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 0
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 1001
virtual_transport = dovecot
virtual_uid_maps = static:1001

-- 
--Asai

Re: Investigating iPhone Compatibility

Noel Jones-2
On 6/7/2013 3:28 PM, Asai wrote:

> Greetings,
>
> We're starting to incorporate iPhone users into our email system.
> Sometimes we seem to be having trouble with mail being delayed for a
> long time before the phone will connect to the server and send the
> mail.  I don't really have any idea what this is.  I've looked
> through the logs, but I'm not seeing anything really telling.  I
> have recently turned on TLS debugging and hope to glean something
> useful from that.  We have SSL turned on on the iPhone, but do not
> have the so-called wrapper mode turned on, and it seems to be
> working fine in most cases.  Does anyone have any experience with
> managing iPhones and Postfix who can share with me something of value?
>
> Thank you.

I only have a dozen or so iPhone users and don't use one myself, so
don't consider me an expert on this. It's also possible my users
have these problems and just haven't said anything. Anyway, here's
some random thoughts...

- don't use tls debug higher than level 1 unless you are willing to
dig into openssl source code.

- make sure your master.cf submission entry has
  -o syslog_name=postfix/submission
so you can tell what port they're connecting to.

- if they're connecting to port 25, postscreen will interfere,
causing significant delays or preventing it from working at all.

- enable the wrappermode/smtps port if you haven't already.  Seems
some of my iPhone users connect on that port despite instructions
that make no mention of it. I don't know why, and don't really care;
there is no difference in security/speed/whatever. I always enable
smtps because it reduces end-user frustration. The only downside is
"it's not a standard". Use the same settings as submission except
for the addition of
  -o smtpd_tls_wrappermode=yes
  -o syslog_name=postfix/smtps



HTH, and have a good weekend.



  -- Noel Jones


>
> [root@triata ~]# postconf -n
> alias_maps = hash:/etc/aliases
> broken_sasl_auth_clients = yes
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> content_filter = amavisfeed:[127.0.0.1]:10024
> daemon_directory = /usr/libexec/postfix
> data_directory = /var/lib/postfix
> html_directory = no
> mail_owner = postfix
> mailbox_size_limit = 0
> mailq_path = /usr/bin/mailq
> manpage_directory = /usr/local/man
> maximal_backoff_time = 600s
> maximal_queue_lifetime = 1d
> message_size_limit = 0
> minimal_backoff_time = 300s
> mydomain = globalchangemultimedia.net
> myhostname = triata.globalchangemultimedia.net
> newaliases_path = /usr/bin/newaliases
> postscreen_access_list = permit_mynetworks
> postscreen_bare_newline_action = enforce
> postscreen_bare_newline_enable = yes
> postscreen_dnsbl_action = enforce
> postscreen_dnsbl_sites = zen.spamhaus.org*2    bl.spamcop.net*1
> b.barracudecentral.org*1
> postscreen_dnsbl_threshold = 2
> postscreen_greet_action = drop
> postscreen_non_smtp_command_action = enforce
> postscreen_non_smtp_command_enable = yes
> postscreen_pipelining_action = enforce
> postscreen_pipelining_enable = yes
> queue_directory = /var/spool/postfix
> queue_run_delay = 300s
> readme_directory = no
> sendmail_path = /usr/sbin/sendmail
> setgid_group = postdrop
> show_user_unknown_table_name = no
> smtp_sasl_mechanism_filter = plain, login
> smtp_tls_loglevel = 2
> smtpd_client_restrictions = check_client_access
> mysql:/etc/postfix/mysql_blacklist,    
> permit_sasl_authenticated,    permit
> smtpd_data_restrictions = reject_unauth_pipelining, permit
> smtpd_delay_reject = yes
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks,     check_helo_access
> mysql:/etc/postfix/mysql_helo_restrictions.cf,  
> permit_sasl_authenticated,        reject_invalid_hostname,    permit
> smtpd_recipient_restrictions = permit_mynetworks,      
> permit_sasl_authenticated,        reject_invalid_hostname,      
> reject_non_fqdn_sender,        reject_non_fqdn_recipient,      
> reject_unknown_sender_domain,      
> reject_unauth_destination,        check_recipient_access
> mysql:/etc/postfix/mysql_restricted_recipients.cf,        permit
> smtpd_restriction_classes = webdev_only, gcmm_only, local_only,
> unrestricted
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_exceptions_networks = $mynetworks
> smtpd_sasl_path = private/auth
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_type = dovecot
> smtpd_sender_restrictions = check_sender_access
> mysql:/etc/postfix/mysql_restricted_senders.cf,      
> permit_sasl_authenticated,    permit_mynetworks,          
> reject_non_fqdn_sender,     reject_unknown_sender_domain,    permit
> smtpd_tls_cert_file =
> /etc/postfix/ssl/triata.globalchangemultimedia.net.pem
> smtpd_tls_key_file = /etc/postfix/ssl/triata.key
> smtpd_tls_loglevel = 0
> smtpd_tls_received_header = no
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_database =
> btree:/var/spool/postfix/smtpd_tls_session_cache
> soft_bounce = yes
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
> virtual_gid_maps = static:1001
> virtual_mailbox_base = /vmail
> virtual_mailbox_domains =
> mysql:/etc/postfix/mysql_virtual_domains_maps.cf
> virtual_mailbox_limit = 0
> virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
> virtual_minimum_uid = 1001
> virtual_transport = dovecot
> virtual_uid_maps = static:1001
>
> --
> --Asai
>


Re: Investigating iPhone Compatibility

DTNX Postmaster
On Jun 8, 2013, at 00:47, Noel Jones <[hidden email]> wrote:

> On 6/7/2013 3:28 PM, Asai wrote:
>> Greetings,
>>
>> We're starting to incorporate iPhone users into our email system.
>> Sometimes we seem to be having trouble with mail being delayed for a
>> long time before the phone will connect to the server and send the
>> mail.  I don't really have any idea what this is.  I've looked
>> through the logs, but I'm not seeing anything really telling.  I
>> have recently turned on TLS debugging and hope to glean something
>> useful from that.  We have SSL turned on on the iPhone, but do not
>> have the so-called wrapper mode turned on, and it seems to be
>> working fine in most cases.  Does anyone have any experience with
>> managing iPhones and Postfix who can share with me something of value?
>>
>> Thank you.
>
> I only have a dozen or so iPhone users and don't use one myself, so
> don't consider me an expert on this. It's also possible my users
> have these problems and just haven't said anything. Anyway, here's
> some random thoughts...
>
> - don't use tls debug higher than level 1 unless you are willing to
> dig into openssl source code.
>
> - make sure your master.cf submission entry has
>  -o syslog_name=postfix/submission
> so you can tell what port they're connecting to.
>
> - if they're connecting to port 25, postscreen will interfere,
> causing significant delays or preventing it from working at all.
>
> - enable the wrappermode/smtps port if you haven't already.  Seems
> some of my iPhone users connect on that port despite instructions
> that make no mention of it. I don't know why, and don't really care;
> there is no difference in security/speed/whatever. I always enable
> smtps because it reduces end-user frustration. The only downside is
> "it's not a standard". Use the same settings as submission except
> for the addition of
>  -o smtpd_tls_wrappermode=yes
>  -o syslog_name=postfix/smtps
>
>
>
> HTH, and have a good weekend.

The Mail.app applications on iOS (iPhones or iPads) or OS X will
attempt to autodetect the port to connect to; 25, 465, and 587. It
works just fine over the submission port (587) without enabling the
SMTPS port (465), and the autodetection can be overridden in the
settings if needs be;

Settings > Mail, Contacts, Calendars > [accountname] > Account >
Outgoing Mail Server (SMTP) > Primary Server > Server Port

That's the case on iOS 6; earlier versions might differ slightly in
option names, but offer a similar override. Make sure your own SMTP
server is in fact the primary server, by the way, and not one of the
'Other SMTP Servers'.

This is what the submission service definition on one of our servers
looks like;

==
# Submission service for use by our clients
submission inet n - n - 128 smtpd
        -o smtpd_tls_security_level=encrypt
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        -o smtpd_data_restrictions=permit_sasl_authenticated,reject
        -o smtpd_proxy_filter=127.0.0.1:10025
==

It is important to note that we have separate relay servers; the
mailbox servers clients connect to never open anything but the
submission port (587), and there is therefore never a problem with
clients trying to connect to postscreen on port 25. A similar setup can
be achieved by moving the submission service to a separate IP address,
if possible.

Do however make sure that it is in fact your Postfix configuration, and
not a DNS issue of some sort. Test with an iPhone or iPad that has the
server port set manually, and see if the problem disappears. If it does
not, the problem might be elsewhere.

Other than that, there should not really be any compatibility issues
with iOS devices talking to Postfix, as long as your DNS and such is in
order.

HTH,
Jona


Re: Investigating iPhone Compatibility

asai

On 6/7/2013 4:26 PM, DTNX Postmaster wrote:

> On Jun 8, 2013, at 00:47, Noel Jones <[hidden email]> wrote:
>
>> On 6/7/2013 3:28 PM, Asai wrote:
>>> Greetings,
>>>
>>> We're starting to incorporate iPhone users into our email system.
>>> Sometimes we seem to be having trouble with mail being delayed for a
>>> long time before the phone will connect to the server and send the
>>> mail.  I don't really have any idea what this is.  I've looked
>>> through the logs, but I'm not seeing anything really telling.  I
>>> have recently turned on TLS debugging and hope to glean something
>>> useful from that.  We have SSL turned on on the iPhone, but do not
>>> have the so-called wrapper mode turned on, and it seems to be
>>> working fine in most cases.  Does anyone have any experience with
>>> managing iPhones and Postfix who can share with me something of value?
>>>
>>> Thank you.
>> I only have a dozen or so iPhone users and don't use one myself, so
>> don't consider me an expert on this. It's also possible my users
>> have these problems and just haven't said anything. Anyway, here's
>> some random thoughts...
>>
>> - don't use tls debug higher than level 1 unless you are willing to
>> dig into openssl source code.
>>
>> - make sure your master.cf submission entry has
>>   -o syslog_name=postfix/submission
>> so you can tell what port they're connecting to.
>>
>> - if they're connecting to port 25, postscreen will interfere,
>> causing significant delays or preventing it from working at all.
>>
>> - enable the wrappermode/smtps port if you haven't already.  Seems
>> some of my iPhone users connect on that port despite instructions
>> that make no mention of it. I don't know why, and don't really care;
>> there is no difference in security/speed/whatever. I always enable
>> smtps because it reduces end-user frustration. The only downside is
>> "it's not a standard". Use the same settings as submission except
>> for the addition of
>>   -o smtpd_tls_wrappermode=yes
>>   -o syslog_name=postfix/smtps
>>
>>
>>
>> HTH, and have a good weekend.
> The Mail.app applications on iOS (iPhones or iPads) or OS X will
> attempt to autodetect the port to connect to; 25, 465, and 587. It
> works just fine over the submission port (587) without enabling the
> SMTPS port (465), and the autodetection can be overridden in the
> settings if needs be;
>
> Settings > Mail, Contacts, Calendars > [accountname] > Account >
> Outgoing Mail Server (SMTP) > Primary Server > Server Port
>
> That's the case on iOS 6; earlier versions might differ slightly in
> option names, but offer a similar override. Make sure your own SMTP
> server is in fact the primary server, by the way, and not one of the
> 'Other SMTP Servers'.
>
> This is what the submission service definition on one of our servers
> looks like;
>
> ==
> # Submission service for use by our clients
> submission inet n - n - 128 smtpd
> -o smtpd_tls_security_level=encrypt
> -o smtpd_sasl_auth_enable=yes
> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> -o smtpd_data_restrictions=permit_sasl_authenticated,reject
> -o smtpd_proxy_filter=127.0.0.1:10025
> ==
>
> It is important to note that we have separate relay servers; the
> mailbox servers clients connect to never open anything but the
> submission port (587), and there is therefore never a problem with
> clients trying to connect to postscreen on port 25. A similar setup can
> be achieved by moving the submission service to a separate IP address,
> if possible.
>
> Do however make sure that it is in fact your Postfix configuration, and
> not a DNS issue of some sort. Test with an iPhone or iPad that has the
> server port set manually, and see if the problem disappears. If it does
> not, the problem might be elsewhere.
>
> Other than that, there should not really be any compatibility issues
> with iOS devices talking to Postfix, as long as your DNS and such is in
> order.
>
> HTH,
> Jona
>
Thank you for your generous responses.

I do have the client's iPhone set to port 587, however, I'm still
wondering if the iPhone is trying to connect via SMTPS or port 25 (which
is not available).  I would like to try setting up SMTP wrapper mode,
but does that in any way disable or interfere with the submission port
and TLS?  From reading the Postfix docs I was not sure whether it would
override TLS or not.

Also, I will check in to the DNS situation.

--Asai

Re: Investigating iPhone Compatibility

DTNX Postmaster
On Jun 8, 2013, at 17:16, Asai <[hidden email]> wrote:

> On 6/7/2013 4:26 PM, DTNX Postmaster wrote:
>> The Mail.app applications on iOS (iPhones or iPads) or OS X will
>> attempt to autodetect the port to connect to; 25, 465, and 587. It
>> works just fine over the submission port (587) without enabling the
>> SMTPS port (465), and the autodetection can be overridden in the
>> settings if needs be;
>>
>> Settings > Mail, Contacts, Calendars > [accountname] > Account >
>> Outgoing Mail Server (SMTP) > Primary Server > Server Port
>>
>> That's the case on iOS 6; earlier versions might differ slightly in
>> option names, but offer a similar override. Make sure your own SMTP
>> server is in fact the primary server, by the way, and not one of the
>> 'Other SMTP Servers'.
>>
>> This is what the submission service definition on one of our servers
>> looks like;
>>
>> ==
>> # Submission service for use by our clients
>> submission inet n - n - 128 smtpd
>> -o smtpd_tls_security_level=encrypt
>> -o smtpd_sasl_auth_enable=yes
>> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>> -o smtpd_data_restrictions=permit_sasl_authenticated,reject
>> -o smtpd_proxy_filter=127.0.0.1:10025
>> ==
>>
>> It is important to note that we have separate relay servers; the
>> mailbox servers clients connect to never open anything but the
>> submission port (587), and there is therefore never a problem with
>> clients trying to connect to postscreen on port 25. A similar setup can
>> be achieved by moving the submission service to a separate IP address,
>> if possible.
>>
>> Do however make sure that it is in fact your Postfix configuration, and
>> not a DNS issue of some sort. Test with an iPhone or iPad that has the
>> server port set manually, and see if the problem disappears. If it does
>> not, the problem might be elsewhere.
>>
>> Other than that, there should not really be any compatibility issues
>> with iOS devices talking to Postfix, as long as your DNS and such is in
>> order.
>>
>> HTH,
>> Jona
>>
> Thank you for your generous responses.
>
> I do have the client's iPhone set to port 587, however, I'm still wondering if the iPhone is trying to connect via SMTPS or port 25 (which is not available).  I would like to try setting up SMTP wrapper mode, but does that in any way disable or interfere with the submission port and TLS?  From reading the Postfix docs I was not sure whether it would override TLS or not.
>
> Also, I will check in to the DNS situation.

If the ports are not open, and nothing shows in the Postfix logs that
is out of the ordinary, look for the cause elsewhere. Start with DNS.

Also, if you have a working submission service there is no reason
whatsoever to set up a wrapper mode for SMTPS. It's not a standard, and
its use is deprecated. It should however not interfere with your
submission port setup, as they are separate entries in your 'master.cf'
file.

But again, look closely at your logs. Verify your DNS settings. Test
with telnet, see if you get a prompt from the client location on port
587, and so on. See if the problem is in any way dependent on location,
a specific device, etcetera, etcetera.

Good luck :-)

Mvg,
Jona


Re: Investigating iPhone Compatibility

asai
On 6/8/13 9:09 AM, DTNX Postmaster wrote:

> On Jun 8, 2013, at 17:16, Asai <[hidden email]> wrote:
>
>> On 6/7/2013 4:26 PM, DTNX Postmaster wrote:
>>> The Mail.app applications on iOS (iPhones or iPads) or OS X will
>>> attempt to autodetect the port to connect to; 25, 465, and 587. It
>>> works just fine over the submission port (587) without enabling the
>>> SMTPS port (465), and the autodetection can be overridden in the
>>> settings if needs be;
>>>
>>> Settings > Mail, Contacts, Calendars > [accountname] > Account >
>>> Outgoing Mail Server (SMTP) > Primary Server > Server Port
>>>
>>> That's the case on iOS 6; earlier versions might differ slightly in
>>> option names, but offer a similar override. Make sure your own SMTP
>>> server is in fact the primary server, by the way, and not one of the
>>> 'Other SMTP Servers'.
>>>
>>> This is what the submission service definition on one of our servers
>>> looks like;
>>>
>>> ==
>>> # Submission service for use by our clients
>>> submission inet n - n - 128 smtpd
>>> -o smtpd_tls_security_level=encrypt
>>> -o smtpd_sasl_auth_enable=yes
>>> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>> -o smtpd_data_restrictions=permit_sasl_authenticated,reject
>>> -o smtpd_proxy_filter=127.0.0.1:10025
>>> ==
>>>
>>> It is important to note that we have separate relay servers; the
>>> mailbox servers clients connect to never open anything but the
>>> submission port (587), and there is therefore never a problem with
>>> clients trying to connect to postscreen on port 25. A similar setup can
>>> be achieved by moving the submission service to a separate IP address,
>>> if possible.
>>>
>>> Do however make sure that it is in fact your Postfix configuration, and
>>> not a DNS issue of some sort. Test with an iPhone or iPad that has the
>>> server port set manually, and see if the problem disappears. If it does
>>> not, the problem might be elsewhere.
>>>
>>> Other than that, there should not really be any compatibility issues
>>> with iOS devices talking to Postfix, as long as your DNS and such is in
>>> order.
>>>
>>> HTH,
>>> Jona
>>>
>> T
After investigating this issue further, it looks like there might be
something I'm missing regarding postscreen.  My reasoning for this is
yesterday a client said she couldn't send email.  I looked at her phone
and the postfix logs and could see that her IP address was being
rejected by postscreen:

Jun 16 16:39:41 triata postfix/postscreen[6187]: CONNECT from [70.199.201.175]:11120
Jun 16 16:39:41 triata postfix/dnsblog[6241]: addr 70.199.201.175 listed by domain zen.spamhaus.org as 127.0.0.11
Jun 16 16:39:47 triata postfix/postscreen[6187]: DNSBL rank 2 for [70.199.201.175]:11120
Jun 16 16:39:48 triata postfix/tlsproxy[6276]: CONNECT from [70.199.201.175]:11120
Jun 16 16:39:49 triata postfix/tlsproxy[6276]: DISCONNECT [70.199.201.175]:11120
Jun 16 16:39:49 triata postfix/postscreen[6187]: HANGUP after 1.4 from [70.199.201.175]:11120 in tests after SMTP handshake
Jun 16 16:39:49 triata postfix/postscreen[6187]: DISCONNECT [70.199.201.175]:11120

I checked Spamhaus and this IP is listed as one which users must be
authenticated first.  This is our standard operating procedure, users
have to be authenticated before sending mail.  But it seems like
something is happening where the authentication process isn't allowed
to  happen.

Strangely enough, once we rebooted her phone, and she got a different IP
address, the emails started going through.

I'm sure this is a simple problem to some of you. I would appreciate
very much any assistance.

--Asai
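
The log excerpt in the post above, correlated per client connection; this is an added example, not part of the original post and not Postfix code. The function names and result fields are assumptions made for illustration, the threshold of 2 is the posted `postscreen_dnsbl_threshold`, and the only outside fact used is that Spamhaus ZEN answers 127.0.0.10 and 127.0.0.11 for PBL listings.

```python
import re

# Log lines from the post above, with the e-mail line wrapping undone.
SAMPLE_LOG = """\
Jun 16 16:39:41 triata postfix/postscreen[6187]: CONNECT from [70.199.201.175]:11120
Jun 16 16:39:41 triata postfix/dnsblog[6241]: addr 70.199.201.175 listed by domain zen.spamhaus.org as 127.0.0.11
Jun 16 16:39:47 triata postfix/postscreen[6187]: DNSBL rank 2 for [70.199.201.175]:11120
Jun 16 16:39:48 triata postfix/tlsproxy[6276]: CONNECT from [70.199.201.175]:11120
Jun 16 16:39:49 triata postfix/tlsproxy[6276]: DISCONNECT [70.199.201.175]:11120
Jun 16 16:39:49 triata postfix/postscreen[6187]: HANGUP after 1.4 from [70.199.201.175]:11120 in tests after SMTP handshake
Jun 16 16:39:49 triata postfix/postscreen[6187]: DISCONNECT [70.199.201.175]:11120
"""

# Spamhaus ZEN return codes for the PBL: address ranges that are not
# expected to deliver unauthenticated mail directly to port 25.
PBL_CODES = {"127.0.0.10", "127.0.0.11"}

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ (?P<tag>\S+)\[\d+\]: (?P<msg>.*)$")
CLIENT = re.compile(r"\[(?P<ip>[0-9a-fA-F.:]+)\]:(?P<port>\d+)")
LISTED = re.compile(r"^addr (?P<ip>\S+) listed by domain (?P<zone>\S+) as (?P<code>\S+)$")
RANK = re.compile(r"^DNSBL rank (?P<rank>\d+) for ")
HANGUP = re.compile(r"^HANGUP after [\d.]+ from \S+ in (?P<stage>.+)$")


def postscreen_sessions(log_text):
    """Group postscreen, dnsblog and tlsproxy lines by client 'ip:port'."""
    sessions = {}
    listings = {}  # ip -> [(zone, return code)]; dnsblog logs no client port
    for raw in log_text.splitlines():
        line = LINE.match(raw)
        if not line:
            continue
        # Works for 'postfix/postscreen' and for custom syslog_name prefixes.
        daemon = line["tag"].rsplit("/", 1)[-1]
        msg = line["msg"]
        if daemon == "dnsblog":
            hit = LISTED.match(msg)
            if hit:
                listings.setdefault(hit["ip"], []).append((hit["zone"], hit["code"]))
            continue
        client = CLIENT.search(msg)
        if not client:
            continue
        key = f'{client["ip"]}:{client["port"]}'
        if daemon == "postscreen" and msg.startswith("CONNECT from"):
            sessions[key] = {"ip": client["ip"], "rank": 0, "starttls": False,
                             "hangup_stage": None, "passed": False}
            continue
        session = sessions.get(key)
        if session is None:
            continue  # not a connection that started at postscreen
        if daemon == "tlsproxy" and msg.startswith("CONNECT"):
            session["starttls"] = True  # STARTTLS was handled by postscreen
        elif daemon == "postscreen":
            rank, hangup = RANK.match(msg), HANGUP.match(msg)
            if rank:
                session["rank"] = int(rank["rank"])
            elif hangup:
                session["hangup_stage"] = hangup["stage"]
            elif msg.startswith("PASS "):
                session["passed"] = True
    for session in sessions.values():
        session["listings"] = listings.get(session["ip"], [])
    return sessions


def blocked_by_postscreen(sessions, threshold):
    """Connections that met the DNSBL threshold and never reached smtpd."""
    blocked = []
    for key, s in sessions.items():
        if s["passed"] or s["rank"] < threshold:
            continue
        blocked.append({
            "client": key,
            "rank": s["rank"],
            "pbl": any(code in PBL_CODES for _, code in s["listings"]),
            "starttls": s["starttls"],
            "hangup_stage": s["hangup_stage"],
        })
    return blocked


if __name__ == "__main__":
    for row in blocked_by_postscreen(postscreen_sessions(SAMPLE_LOG), threshold=2):
        print(row)
```

Every session this reports went through postscreen and was never handed to smtpd, so no SASL authentication could take place on it.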



Re: Investigating iPhone Compatibility

Wietse Venema
Asai:
> After investigating this issue further, it looks like there might be
> something I'm missing regarding postscreen.  My reasoning for this is
> yesterday a client said she couldn't send email.  I looked at her phone
> and the postfix logs and could see that her IP address was being
> rejected by postscreen:

As documented ***DO NOT*** run postscreen on the server port
that is used by mail client programs.

        Wietse

Re: Investigating iPhone Compatibility

asai
On 6/17/13 1:13 PM, Wietse Venema wrote:

> Asai:
>> After investigating this issue further, it looks like there might be
>> something I'm missing regarding postscreen.  My reasoning for this is
>> yesterday a client said she couldn't send email.  I looked at her phone
>> and the postfix logs and could see that her IP address was being
>> rejected by postscreen:
> As documented ***DO NOT*** run postscreen on the server port
> that is used by mail client programs.
>
> Wietse
Thank you, Wietse.  Please forgive my ignorance, but may I ask where I
might find the instructions to make sure it's not operating on 587?

--Asai

Re: Investigating iPhone Compatibility

asai
In reply to this post by Wietse Venema
On 6/17/13 1:13 PM, Wietse Venema wrote:

> Asai:
>> After investigating this issue further, it looks like there might be
>> something I'm missing regarding postscreen.  My reasoning for this is
>> yesterday a client said she couldn't send email.  I looked at her phone
>> and the postfix logs and could see that her IP address was being
>> rejected by postscreen:
> As documented ***DO NOT*** run postscreen on the server port
> that is used by mail client programs.
>
> Wietse
I'm wondering if I have something wrong in master.cf:

587       inet  n       -       n       -       -       smtpd
smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       n       -       -       smtpd
dnsblog   unix  -       -       n       -       0       dnsblog
tlsproxy  unix  -       -       n       -       0       tlsproxy
submission inet  n       -       n       -       -       smtpd


Re: Investigating iPhone Compatibility

Wietse Venema
Asai:
> After investigating this issue further, it looks like there might be
> something I'm missing regarding postscreen.  My reasoning for this is
> yesterday a client said she couldn't send email.  I looked at her phone
> and the postfix logs and could see that her IP address was being
> rejected by postscreen:

Wietse:
> As documented ***DO NOT*** run postscreen on the server port
> that is used by mail client programs.

Asai:
> I'm wondering if I have something wrong in master.cf:
>
> 587       inet  n       -       n       -       -       smtpd
> smtp      inet  n       -       n       -       1       postscreen
> smtpd     pass  -       -       n       -       -       smtpd
> dnsblog   unix  -       -       n       -       0       dnsblog
> tlsproxy  unix  -       -       n       -       0       tlsproxy
> submission inet  n       -       n       -       -       smtpd

In that case one mistake is that the client connected to the wrong
service: they connected to service smtp(=port 25) instead of service
submission(=port 587). That's also why postscreen rejected the
client: the client came from an IP address dynamic pool.

Another mistake may be that you offer AUTH service on port 25.

An unrelated mistake is that you have two submission service entries
in master.cf: one called 587 and one called submission. Only the
last entry will be used, so it is a good idea to remove the first
one.

        Wietse
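
A lint for two of the mistakes named in the reply above (AUTH offered on port 25, two entries for the submission port), plus the submission settings suggested earlier in the thread, run over the master.cf entries as posted. This is an added example, not code from the thread or from Postfix; `MASTER_CF_FIXED`, the finding names and the `lint` function are assumptions made for illustration.

```python
# master.cf entries exactly as posted in the thread (the "before" state).
MASTER_CF_POSTED = """\
587       inet  n       -       n       -       -       smtpd
smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       n       -       -       smtpd
dnsblog   unix  -       -       n       -       0       dnsblog
tlsproxy  unix  -       -       n       -       0       tlsproxy
submission inet  n       -       n       -       -       smtpd
"""

# Constructed "after" state (an assumption, not a configuration from the
# thread); every -o parameter is one that appears in the thread or in the
# posted postconf -n output.
MASTER_CF_FIXED = """\
smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=no
dnsblog   unix  -       -       n       -       0       dnsblog
tlsproxy  unix  -       -       n       -       0       tlsproxy
submission inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""

# Relevant main.cf values from the posted postconf -n output.
MAIN_CF_POSTED = {"smtpd_sasl_auth_enable": "yes",
                  "smtpd_tls_security_level": "may"}

# Service names used in the thread and the ports they stand for.
PORTS = {"smtp": "25", "smtps": "465", "submission": "587"}


def parse_master_cf(text):
    """Return master.cf services in file order, with their -o overrides."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()  # continuation of previous entry
        else:
            logical.append(line.strip())
    services = []
    for entry in logical:
        fields = entry.split()
        if len(fields) < 8:
            continue  # not a complete service definition
        args, overrides = fields[8:], {}
        for i, token in enumerate(args[:-1]):
            if token == "-o" and "=" in args[i + 1]:
                name, value = args[i + 1].split("=", 1)
                overrides[name] = value
        addr, _, service = fields[0].rpartition(":")
        services.append({"name": fields[0], "type": fields[1],
                         "command": fields[7], "addr": addr or "*",
                         "port": PORTS.get(service, service),
                         "overrides": overrides})
    return services


def lint(master_cf, main_cf):
    """Return (finding, service) pairs for the mistakes discussed above."""
    services = parse_master_cf(master_cf)
    inet = [s for s in services if s["type"] == "inet"]
    findings = []

    def effective(svc, param, default):
        # A -o override wins over main.cf, which wins over the built-in default.
        return svc["overrides"].get(param, main_cf.get(param, default))

    first_on_port = {}
    for s in inet:
        key = (s["addr"], s["port"])
        if key in first_on_port:
            findings.append(("duplicate-listener", f"{first_on_port[key]}, {s['name']}"))
        first_on_port.setdefault(key, s["name"])

    for s in inet:
        if s["port"] == "25":
            backend = s
            if s["command"] == "postscreen":
                # postscreen hands sessions it accepts to the 'pass' smtpd.
                backend = next((p for p in services if p["type"] == "pass"
                                and p["command"] == "smtpd"), None)
            if backend and effective(backend, "smtpd_sasl_auth_enable", "no") == "yes":
                findings.append(("auth-on-port-25", backend["name"]))
        elif s["port"] in ("465", "587") and s["command"] == "smtpd":
            if (effective(s, "smtpd_tls_security_level", "") != "encrypt"
                    and effective(s, "smtpd_tls_wrappermode", "no") != "yes"):
                findings.append(("submission-tls-optional", s["name"]))
            if "syslog_name" not in s["overrides"]:
                findings.append(("submission-no-syslog-name", s["name"]))
    return findings


if __name__ == "__main__":
    for finding in lint(MASTER_CF_POSTED, MAIN_CF_POSTED):
        print(finding)
```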

Re: Investigating iPhone Compatibility

asai
> Asai:
>> After investigating this issue further, it looks like there might be
>> something I'm missing regarding postscreen.  My reasoning for this is
>> yesterday a client said she couldn't send email.  I looked at her phone
>> and the postfix logs and could see that her IP address was being
>> rejected by postscreen:
> Wietse:
>> As documented ***DO NOT*** run postscreen on the server port
>> that is used by mail client programs.
> Asai:
>> I'm wondering if I have something wrong in master.cf:
>>
>> 587       inet  n       -       n       -       -       smtpd
>> smtp      inet  n       -       n       -       1       postscreen
>> smtpd     pass  -       -       n       -       -       smtpd
>> dnsblog   unix  -       -       n       -       0       dnsblog
>> tlsproxy  unix  -       -       n       -       0       tlsproxy
>> submission inet  n       -       n       -       -       smtpd
> In that case one mistake is that the client connected to the wrong
> service: they connected to service smtp(=port 25) instead of service
> submission(=port 587). That's also why postscreen rejected the
> client: the client came from an IP address dynamic pool.
>
> Another mistake may be that you offer AUTH service on port 25.
>
> An unrelated mistake is that you have two submission service entries
> in master.cf: one called 587 and one called submission. Only the
> last entry will be used, so it is a good idea to remove the first
> one.
>
> Wietse
Would it follow then that I should remove the smtp_sasl_mechanism_filter
from main.cf?  Would that be causing clients to try to connect via port
25 even though they're set to connect to 587?

[root@triata ~]# postconf -n | grep smtp_
postscreen_non_smtp_command_action = enforce
postscreen_non_smtp_command_enable = yes
smtp_sasl_mechanism_filter = plain, login
smtp_tls_loglevel = 2



Re: Investigating iPhone Compatibility

Jeroen Geilman
On 06/18/2013 12:15 AM, Asai wrote:
> Would it follow then that I should remove the
> smtp_sasl_mechanism_filter from main.cf?  Would that be causing
> clients to try to connect via port 25 even though they're set to
> connect to 587?
>

...what makes you think these things are related in any way ?

It is the *client* that decides where to connect to.

--
J.


Re: Investigating iPhone Compatibility

asai
> On 06/18/2013 12:15 AM, Asai wrote:
>> Would it follow then that I should remove the
>> smtp_sasl_mechanism_filter from main.cf?  Would that be causing
>> clients to try to connect via port 25 even though they're set to
>> connect to 587?
>>
>
> ...what makes you think these things are related in any way ?
>
> It is the *client* that decides where to connect to.
>
So, it's the iPhone which is self-assertively trying to connect to port
25 regardless of what it's explicitly set to?

Re: Investigating iPhone Compatibility

asai
In reply to this post by Wietse Venema
> Asai:
> After investigating this issue further, it looks like there might be
> something I'm missing regarding postscreen.  My reasoning for this is
> yesterday a client said she couldn't send email.  I looked at her phone
> and the postfix logs and could see that her IP address was being
> rejected by postscreen:
>
> Wietse:
> As documented ***DO NOT*** run postscreen on the server port
> that is used by mail client programs.
>
> Asai:
> I'm wondering if I have something wrong in master.cf:
>
> 587       inet  n       -       n       -       -       smtpd
> smtp      inet  n       -       n       -       1       postscreen
> smtpd     pass  -       -       n       -       -       smtpd
> dnsblog   unix  -       -       n       -       0       dnsblog
> tlsproxy  unix  -       -       n       -       0       tlsproxy
> submission inet  n       -       n       -       -       smtpd
>
> In that case one mistake is that the client connected to the wrong
> service: they connected to service smtp(=port 25) instead of service
> submission(=port 587). That's also why postscreen rejected the
> client: the client came from an IP address dynamic pool.
>
> Another mistake may be that you offer AUTH service on port 25.
>
> An unrelated mistake is that you have two submission service entries
> in master.cf: one called 587 and one called submission. Only the
> last entry will be used, so it is a good idea to remove the first
> one.
>
> 	Wietse

After doing a little more reading I enabled smtpd_tls_auth_only.  Hopefully that will help.
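
An added example, not part of the original thread: a small Python check for the two master.cf layout problems discussed above (two inet entries bound to the same port, and postscreen on a port used by mail clients). The sample text is the excerpt quoted in the thread; the function names and the small port table are assumptions of this example.

```python
# Constructed sample: the master.cf excerpt quoted in the thread.
SAMPLE_MASTER_CF = """\
587       inet  n       -       n       -       -       smtpd
smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       n       -       -       smtpd
dnsblog   unix  -       -       n       -       0       dnsblog
tlsproxy  unix  -       -       n       -       0       tlsproxy
submission inet  n       -       n       -       -       smtpd
"""

# Assumption: a small built-in table instead of an /etc/services lookup.
WELL_KNOWN = {"smtp": 25, "submission": 587, "smtps": 465, "submissions": 465}

def logical_lines(text):
    """Join master.cf continuation lines (leading whitespace), drop comments."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def port_of(service):
    """Map 'submission', '587' or 'host:587' to a port number (None if unknown)."""
    name = service.rsplit(":", 1)[-1]
    return int(name) if name.isdigit() else WELL_KNOWN.get(name)

def lint_master_cf(text):
    """Return findings for duplicate inet listeners and misplaced postscreen."""
    findings, listeners = [], {}
    for line in logical_lines(text):
        fields = line.split()
        if len(fields) < 8 or fields[1] != "inet":
            continue  # only network listeners matter here
        service, command, port = fields[0], fields[7], port_of(fields[0])
        if port is None:
            continue
        if port in listeners:
            findings.append(f"duplicate listener on port {port}: "
                            f"'{listeners[port]}' and '{service}'")
        listeners[port] = service
        # postscreen belongs on the MX port (25), not on a client-facing port
        if command == "postscreen" and port != 25:
            findings.append(f"postscreen on client port {port} ('{service}')")
    return findings
```
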

Re: Investigating iPhone Compatibility

Wietse Venema
In reply to this post by asai
Asai:
> Would it follow then that I should remove the smtp_sasl_mechanism_filter
> from main.cf?  Would that be causing clients to try to connect via port

No. The CLIENT connects to the WRONG Postfix port.

        Wietse

Re: Investigating iPhone Compatibility

Larry Stone
In reply to this post by asai
On Jun 17, 2013, at 17:27, Asai <[hidden email]> wrote:

>> On 06/18/2013 12:15 AM, Asai wrote:
>>> Would it follow then that I should remove the smtp_sasl_mechanism_filter from main.cf?  Would that be causing clients to try to connect via port 25 even though they're set to connect to 587?
>>
>> ...what makes you think these things are related in any way ?
>>
>> It is the *client* that decides where to connect to.
> So, it's the iPhone which is self-assertively trying to connect to port 25 regardless of what it's explicitly set to?

Works fine for me. I very much doubt your iPhone in question is actually set to use 587 only. IIRC, that is not the default.

-- Larry Stone
   Sent from my iPhone

Re: Investigating iPhone Compatibility

asai
>> So, it's the iPhone which is self-assertively trying to connect to port 25 regardless of what it's explicitly set to?
> Works fine for me. I very much doubt your iPhone in question is actually set to use 587 only. IIRC, that is not the default.
>
> -- Larry Stone
>     Sent from my iPhone
OK, so perhaps just refusing AUTH on port 25 will solve the problem.  
I've set the Server Port in Outgoing mail settings on iPhone to 587, so
I don't really understand what's going on here...

Re: Investigating iPhone Compatibility

Larry Stone
On Jun 17, 2013, at 19:03, Asai <[hidden email]> wrote:

>>> So, it's the iPhone which is self-assertively trying to connect to port 25 regardless of what it's explicitly set to?
>> Works fine for me. I very much doubt your iPhone in question is actually set to use 587 only. IIRC, that is not the default.
>>
>> -- Larry Stone
>>    Sent from my iPhone
> OK, so perhaps just refusing AUTH on port 25 will solve the problem.  I've set the Server Port in Outgoing mail settings on iPhone to 587, so I don't really understand what's going on here...

I doubt it. Based on what you previously posted, Postscreen will reject it long before it gets to an smtpd process.

I'd suggest you double-check the iPhone configuration. In particular, make sure the outgoing settings you're looking at are the ones actually being used. You can configure multiple outgoing servers on an iOS device.

-- Larry Stone
   Sent from my iPhone