Outlook 2010 smtp auth probs ?

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
8 messages Options
Reply | Threaded
Open this post in threaded view
|

Outlook 2010 smtp auth probs ?

Voytek
this might be off topic, I'm not sure if I have an issue with Postfix
setup - or just end user email client setup:

I have old postfix 2.1 server, migrating to new 3.x, copied over 2.1
/etc/postfix, all seemed OK till now trying to setup an Outlook 2010
client

as I don't have Outlook 2010 to hand, I've installed 2016, tested account
setup, all worked, both IMAP and 587/SMTP auth

the end user in question is remote to me, 2010 seems to have different
options than 2016 I have tested

the Outlook system is remote to me, it's possible end user screwed
something up

on Outlook, the setup for old 2.1 server and new 3.x server is supposedly
identical: SMTP 587 TLS - but I'm not there.

is there some simple Outlook option that I have overlooked ?
or is there something wrong with my server config ??

smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated,
reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname,
check_helo_access pcre:/etc/postfix/helo_access.pcre

smtpd_recipient_restrictions = reject_unknown_sender_domain,
reject_unknown_recipient_domain, reject_non_fqdn_sender,
reject_non_fqdn_recipient, reject_unlisted_recipient, permit_mynetworks,
check_sasl_access hash:/etc/postfix/sasl_access permit_sasl_authenticated,
reject_unauth_destination, check_policy_service inet:127.0.0.1:10040,
check_recipient_access hash:/etc/postfix/recipient_no_checks,
check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
check_helo_access hash:/etc/postfix/helo_checks, check_sender_access
hash:/etc/postfix/sender_checks, check_client_access
hash:/etc/postfix/client_checks, check_client_access
pcre:/etc/postfix/client_checks.pcre, reject_rbl_client zen.spamhaus.org,
reject_rhsbl_client dbl.spamhaus.org, reject_rhsbl_sender
dbl.spamhaus.org, reject_rbl_client psbl.surriel.com, reject_rbl_client
ix.dnsbl.manitu.net, reject_rbl_client bl.spamcop.net,

tried with 'port 587 TLS' as well as 'port 587 SSL'

the user can use old 2.1 server, no issues, BUT, when trying to send with
2010, it fails, on the server, I see this:

(Outlook account setup test message)
Dec 29 14:27:44 geko postfix/smtpd[14089]: NOQUEUE: reject: RCPT from
d114-75-83-107.sbr1.nsw.optusnet.com.au[114.75.83.107]: 554 5.7.1
<d114-75-83-107.sbr1.nsw.optusnet.com.au[114.75.83.107]>: Client host
rejected: Access denied; from=<[hidden email]> to=<[hidden email]>
proto=ESMTP helo=<UserPC>

on the old 2.1 server works fine, I see this:
 14:34:08 emu postfix/qmgr[5951]: 30762185383: from=<[hidden email]>,
size=638, nrcpt=1 (queue active)
Dec 29 14:34:08 emu postfix/pipe[8733]: 30762185383:
to=<[hidden email]>, relay=dovecot, delay=0.32, delays=0.22/0.01/0/0.1,
dsn=2.0.0, status=sent (delivered via dovecot service)
Dec 29 14:34:17 emu postfix/smtpd[8727]: 482B6185383:
client=d114-75-83-107.sbr1.nsw.optusnet.com.au[114.75.83.107],
sasl_method=LOGIN, sasl_username=[hidden email]
Dec 29 14:34:17 emu postfix/qmgr[5951]: 482B6185383:
from=<[hidden email]>, size=638, nrcpt=1 (queue active)
Dec 29 14:34:17 emu postfix/pipe[8733]: 482B6185383:
to=<[hidden email]>, relay=dovecot, delay=0.23, delays=0.19/0/0/0.05,
dsn=2.0.0, status=sent (delivered via dovecot service)
Dec 29 14:40:04 emu postfix/smtpd[10332]: 83EAC185383:
client=d114-75-83-107.sbr1.nsw.optusnet.com.au[114.75.83.107],
sasl_method=LOGIN, sasl_username=[hidden email]
Dec 29 14:40:05 emu postfix/qmgr[5951]: 83EAC185383:
from=<[hidden email]>, size=25709, nrcpt=1 (queue active)



Reply | Threaded
Open this post in threaded view
|

Re: Outlook 2010 smtp auth probs ?

Matus UHLAR - fantomas
On 29.12.17 15:32, Voytek wrote:

> smtpd_recipient_restrictions = reject_unknown_sender_domain,
> reject_unknown_recipient_domain, reject_non_fqdn_sender,
> reject_non_fqdn_recipient, reject_unlisted_recipient, permit_mynetworks,
> check_sasl_access hash:/etc/postfix/sasl_access permit_sasl_authenticated,
> reject_unauth_destination, check_policy_service inet:127.0.0.1:10040,
> check_recipient_access hash:/etc/postfix/recipient_no_checks,
> check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
> check_helo_access hash:/etc/postfix/helo_checks, check_sender_access
> hash:/etc/postfix/sender_checks, check_client_access
> hash:/etc/postfix/client_checks, check_client_access
> pcre:/etc/postfix/client_checks.pcre, reject_rbl_client zen.spamhaus.org,
> reject_rhsbl_client dbl.spamhaus.org, reject_rhsbl_sender
> dbl.spamhaus.org, reject_rbl_client psbl.surriel.com, reject_rbl_client
> ix.dnsbl.manitu.net, reject_rbl_client bl.spamcop.net,

>tried with 'port 587 TLS' as well as 'port 587 SSL'

ssl usually means port 465 with implicit SSL, while 587 requires explicit
ssl (aka starttls).

However, with default postfix/master configuration, those should report
postfix/smtps/smtpd (465) or postfix/submission/smtpd (587), see master.cf
options for those services that should contain "-o syslog_name=..."

the line below contains postfix/smtpd which indicates port 25 was used,
unless don't set syslog_name in master.cf.

>(Outlook account setup test message)
>Dec 29 14:27:44 geko postfix/smtpd[14089]: NOQUEUE: reject: RCPT from
>d114-75-83-107.sbr1.nsw.optusnet.com.au[114.75.83.107]: 554 5.7.1
><d114-75-83-107.sbr1.nsw.optusnet.com.au[114.75.83.107]>: Client host
>rejected: Access denied; from=<[hidden email]> to=<[hidden email]>
>proto=ESMTP helo=<UserPC>

"Client host rejected: Access denied" indicates failed "check_client_access"
directive. That also means that none of former directives succeeded,
including permit_sasl_authenticated. sasl is not enabled on port 25 by
default (iirc)

587 and 465 usually only allow and require authentication, since they only
have "permit_sasl_authenticated,reject" options.

This also indicates that the client did not connect to port 587/465 - are
those ports open and accessible from client?

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Where do you want to go to die?" [Microsoft]
Reply | Threaded
Open this post in threaded view
|

Re: Outlook 2010 smtp auth probs ?

Voytek
On Fri, December 29, 2017 8:18 pm, Matus UHLAR - fantomas wrote:

> ssl usually means port 465 with implicit SSL, while 587 requires explicit
>  ssl (aka starttls).

with Outlook 2010, it has: none/tls/ssl/auto

so, I've tried tls as well as ssl, just in case

> However, with default postfix/master configuration, those should report
> postfix/smtps/smtpd (465) or postfix/submission/smtpd (587), see master.cf
>  options for those services that should contain "-o syslog_name=..."
>
> the line below contains postfix/smtpd which indicates port 25 was used,
> unless don't set syslog_name in master.cf.
>
>> (Outlook account setup test message)
>> Dec 29 14:27:44 geko postfix/smtpd[14089]: NOQUEUE: reject: RCPT from
>> d114-75-83-107.sbr1.nsw.optusnet.com.au[114.75.83.107]: 554 5.7.1
>> <d114-75-83-107.sbr1.nsw.optusnet.com.au[114.75.83.107]>: Client host
>> rejected: Access denied; from=<[hidden email]> to=<[hidden email]>
>> proto=ESMTP helo=<UserPC>
>
> "Client host rejected: Access denied" indicates failed
> "check_client_access"
> directive. That also means that none of former directives succeeded,
> including permit_sasl_authenticated. sasl is not enabled on port 25 by
> default (iirc)
>
> 587 and 465 usually only allow and require authentication, since they
> only have "permit_sasl_authenticated,reject" options.
>
> This also indicates that the client did not connect to port 587/465 - are
>  those ports open and accessible from client?

it's 587
yes, definitely, I've setupup 4 or 5 TBird mail clients no issues, I have
K9 mail client, no issues
also, tested with Outlook 2016

and, the Outlook in question does work with 'old' 2.1 server

maybe port 587 that was entered didn't stick ?

so, it connects on port 25...?

Starting Nmap 5.51
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
110/tcp open  pop3
143/tcp open  imap
443/tcp open  https
587/tcp open  submission
993/tcp open  imaps
995/tcp open  pop3s



Reply | Threaded
Open this post in threaded view
|

Re: Outlook 2010 smtp auth probs ?

Matus UHLAR - fantomas
On 29.12.17 20:47, Voytek wrote:
>On Fri, December 29, 2017 8:18 pm, Matus UHLAR - fantomas wrote:
>
>> ssl usually means port 465 with implicit SSL, while 587 requires explicit
>>  ssl (aka starttls).
>
>with Outlook 2010, it has: none/tls/ssl/auto

so it's the same as 2007. TLS means starttls and runt on port 587.
(versions prior to 2007 supported only starttls on prt 25 and implicit ssl
on any other port, needing 465).

>> However, with default postfix/master configuration, those should report
>> postfix/smtps/smtpd (465) or postfix/submission/smtpd (587), see master.cf
>>  options for those services that should contain "-o syslog_name=..."
>>
>> the line below contains postfix/smtpd which indicates port 25 was used,
>> unless don't set syslog_name in master.cf.
>>
>>> (Outlook account setup test message)
>>> Dec 29 14:27:44 geko postfix/smtpd[14089]: NOQUEUE: reject: RCPT from
>>> d114-75-83-107.sbr1.nsw.optusnet.com.au[114.75.83.107]: 554 5.7.1
>>> <d114-75-83-107.sbr1.nsw.optusnet.com.au[114.75.83.107]>: Client host
>>> rejected: Access denied; from=<[hidden email]> to=<[hidden email]>
>>> proto=ESMTP helo=<UserPC>
>>
>> "Client host rejected: Access denied" indicates failed
>> "check_client_access"
>> directive. That also means that none of former directives succeeded,
>> including permit_sasl_authenticated. sasl is not enabled on port 25 by
>> default (iirc)
>>
>> 587 and 465 usually only allow and require authentication, since they
>> only have "permit_sasl_authenticated,reject" options.
>>
>> This also indicates that the client did not connect to port 587/465 - are
>>  those ports open and accessible from client?
>
>it's 587
>yes, definitely, I've setupup 4 or 5 TBird mail clients no issues, I have
>K9 mail client, no issues
>also, tested with Outlook 2016
>
>and, the Outlook in question does work with 'old' 2.1 server
>
>maybe port 587 that was entered didn't stick ?
>
>so, it connects on port 25...?

apparently - did you look to master.cf if there's "-o syslog_name" option in
the submission service?

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Silvester Stallone: Father of the RISC concept.
Reply | Threaded
Open this post in threaded view
|

Re: Outlook 2010 smtp auth probs ?

Voytek
>> so, it connects on port 25...?
>
> apparently - did you look to master.cf if there's "-o syslog_name" option
> in the submission service?

Matus,

thanks for your help

no, no syslog:
# grep syslog  master.cf
#

BUT, I got the user to EDIT her existing account and, alter server host
names from old.server to new.server, bingo, she's in:

Dec 29 20:54:13 geko postfix/pipe[23598]: C6EED61DA696:
to=<[hidden email]>, relay=dovecot, delay=0.56, delays=0.18/0/0/0.37,
dsn=2.0.0, status=sent (delivered via dovecot service)
Dec 29 20:54:24 geko postfix/smtpd[23584]: 5448D61DA696:
client=d114-75-83-107.sbr1.nsw.optusnet.com.au[114.75.83.107],
sasl_method=LOGIN, sasl_username=[hidden email]
Dec 29 20:54:24 geko postfix/qmgr[18784]: 5448D61DA696:
from=<[hidden email]>, size=640, nrcpt=1 (queue active)
Dec 29 20:54:24 geko postfix/pipe[23598]: 5448D61DA696:
to=<[hidden email]>, relay=dovecot, delay=0.57, delays=0.19/0/0/0.38,
dsn=2.0.0, status=sent (delivered via dovecot service)
Dec 29 20:55:28 geko postfix/smtpd[23584]: ECFB361DA6AB:
client=d114-75-83-107.sbr1.nsw.optusnet.com.au[114.75.83.107],
sasl_method=LOGIN, sasl_username=[hidden email]
Dec 29 20:55:29 geko postfix/qmgr[18784]: ECFB361DA6AB:
from=<[hidden email]>, size=2705, nrcpt=1 (queue active)

so, I think, either something is screwed up in that Outlook2010 - or, the
user screwed something ...

anyhow, I'm thinking of rsyncing Maildir to new server, and,  get user to
EDIT existing account ? (somthing I was trying to avoid)
can you any gotchas in doing that ?

thanks again,

V

Reply | Threaded
Open this post in threaded view
|

Re: Outlook 2010 smtp auth probs ?

@lbutlr
In reply to this post by Matus UHLAR - fantomas
On 29 Dec 2017, at 02:18, Matus UHLAR - fantomas <[hidden email]> wrote:
> ssl usually means port 465 with implicit SSL, while 587 requires explicit
> ssl (aka starttls).

As I understand it port 465 was deprecated 20 years ago.

It holds on in some servers because old versions (like pre 2010) of Microsoft software do not support STARTTLS and some people refuse to upgrade for security reasons.

(My solution was to only allow mail submission on port 587. People with old clients have to use webmail or update).

--
No Sigs. Blame Apple.

Reply | Threaded
Open this post in threaded view
|

Re: Outlook 2010 smtp auth probs ?

Viktor Dukhovni


> On Dec 29, 2017, at 9:43 AM, @lbutlr <[hidden email]> wrote:
>
> As I understand it port 465 was deprecated 20 years ago.

Strangely enough, it may get a second life:

   https://tools.ietf.org/html/draft-ietf-uta-email-deep-12#section-3
   https://tools.ietf.org/html/draft-ietf-uta-email-deep-12#section-3.3
   https://tools.ietf.org/html/draft-ietf-uta-email-deep-12#section-7.3

This will soon be an RFC, it is presently in the RFC Editor queue.

--
--
        Viktor.

Reply | Threaded
Open this post in threaded view
|

Re: Outlook 2010 smtp auth probs ?

Matus UHLAR - fantomas
In reply to this post by @lbutlr
>On 29 Dec 2017, at 02:18, Matus UHLAR - fantomas <[hidden email]> wrote:
>> ssl usually means port 465 with implicit SSL, while 587 requires explicit
>> ssl (aka starttls).

On 29.12.17 07:43, @lbutlr wrote:
>As I understand it port 465 was deprecated 20 years ago.
>
>It holds on in some servers because old versions (like pre 2010) of
> Microsoft software do not support STARTTLS and some people refuse to
> upgrade for security reasons.

pre-2007, as I mentioned in my mail you repled to :-)
also applies for outlook express which is also ld and deprecated.

>(My solution was to only allow mail submission on port 587. People with old clients have to use webmail or update).

2 reasons:
1. I've had problem with smtp/starttsl on port 587, caused by AV software,
    using 465 with implicit SSL helped.
2. it's not possible to reject plaintext connections on 465, and if somebody
    disabled plaintext, users would notice immediately

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
2B|!2B, that's a question!