Question getting Mail.app working with PostFix SMTP


John Dale
Greetings;

I have Thunderbird working with PostFix/Dovecot for sending and receiving.

STARTTLS

Normal Password

I don't see these options in Mail.app for OSX.

I've tried updating ports and different combinations of available
authentication in Mail.app, but no luck.  It either times-out or has
connection denied.

Any recommendations?

Sincerely,

John



Re: Question getting Mail.app working with PostFix SMTP

Larry Stone
>
> On Aug 6, 2019, at 8:32 AM, John Dale <[hidden email]> wrote:
>
> Greetings;
>
> I have Thunderbird working with PostFix/Dovecot for sending and receiving.
>
> STARTTLS
>
> Normal Password
>
> I don't see these options in Mail.app for OSX.
>
> I've tried updating ports and different combinations of available authentication in Mail.app, but no luck.  It either times-out or has connection denied.
>
> Any recommendations?

I use MacOS Mail and for receiving, I just have “Automatically manage connection settings” checked and it just works (but that’s really a Dovecot question, not Postfix).

For sending, I do not have “Automatically manage connection settings” checked. Port is 587, Use TLS/SSL is checked, and Authentication is Password. But the correct settings for your server may be different.

It may seem silly to ask but make sure you didn’t make a typo in the server name.


--
Larry Stone
[hidden email]






Re: Question getting Mail.app working with PostFix SMTP

John Dale
Greetings;

Thanks for the info.

I have Dovecot talking well (popping in).

SMTP via postfix is giving me some issues.  I'll double check my ports
and typing. :)

I'm wondering if I need to change authentication settings on postfix to
make things more straightforward.

I also didn't see a spot in Mail.app to accept the postfix tls cert.

John


On 8/6/19 8:02 AM, Larry Stone wrote:

>> On Aug 6, 2019, at 8:32 AM, John Dale <[hidden email]> wrote:
>>
>> Greetings;
>>
>> I have Thunderbird working with PostFix/Dovecot for sending and receiving.
>>
>> STARTTLS
>>
>> Normal Password
>>
>> I don't see these options in Mail.app for OSX.
>>
>> I've tried updating ports and different combinations of available authentication in Mail.app, but no luck.  It either times-out or has connection denied.
>>
>> Any recommendations?
> I use MacOS Mail and for receiving, I just have “Automatically manage connection settings” checked and it just works (but that’s really a Dovecot question, not Postfix).
>
> For sending, I do not have “Automatically manage connection settings” checked. Port is 587, Use TLS/SSL is checked, and Authentication is Password. But the correct settings for your server may be different.
>
> It may seem silly to ask but make sure you didn’t make a typo in the server name.
>
>

Re: Question getting Mail.app working with PostFix SMTP

Ben Greenfield
The password type has to match md5, plain, kerberos,….
I find that the automatic settings assume virtual domains and always uses the full email address [hidden email] vs. just name.
The correct password never works because the username is wrong.



> On Aug 6, 2019, at 10:14 AM, John Dale <[hidden email]> wrote:
>
> Greetings;
>
> Thanks for the info.
>
> I have Dovecot talking well (popping in).
>
> SMTP via postfix is giving me some issues.  I'll double check my ports and typing. :)
>
> I'm wondering if I need to change authentication settings on postfix to make things more straightforward.
>
> I also didn't see a spot in Mail.app to accept the postfix tls cert.
>
> John
>
>
> On 8/6/19 8:02 AM, Larry Stone wrote:
>>> On Aug 6, 2019, at 8:32 AM, John Dale <[hidden email]> wrote:
>>>
>>> Greetings;
>>>
>>> I have Thunderbird working with PostFix/Dovecot for sending and receiving.
>>>
>>> STARTTLS
>>>
>>> Normal Password
>>>
>>> I don't see these options in Mail.app for OSX.
>>>
>>> I've tried updating ports and different combinations of available authentication in Mail.app, but no luck.  It either times-out or has connection denied.
>>>
>>> Any recommendations?
>> I use MacOS Mail and for receiving, I just have “Automatically manage connection settings” checked and it just works (but that’s really a Dovecot question, not Postfix).
>>
>> For sending, I do not have “Automatically manage connection settings” checked. Port is 587, Use TLS/SSL is checked, and Authentication is Password. But the correct settings for your server may be different.
>>
>> It may seem silly to ask but make sure you didn’t make a typo in the server name.
>>
>>


Re: Question getting Mail.app working with PostFix SMTP

John Dale
Tried updating smtp user to fully qualified .. no luck.

This is what shows in the logs:

connect from unknown[my.ip.address]
Aug  6 14:35:04 mx postfix/smtpd[2098]: disconnect from
unknown[my.ip.address] ehlo=2 starttls=1 quit=1 commands=4

Works fine in Thunderbird.  Strange ..

On 8/6/19 8:18 AM, Ben Greenfield wrote:

> The password type has to match md5, plain, kerberos,….
> I find that the automatic settings assume virtual domains and always uses the full email address [hidden email] vs. just name.
> The correct password never works because the username is wrong.
>
>
>
>> On Aug 6, 2019, at 10:14 AM, John Dale <[hidden email]> wrote:
>>
>> Greetings;
>>
>> Thanks for the info.
>>
>> I have Dovecot talking well (popping in).
>>
>> SMTP via postfix is giving me some issues.  I'll double check my ports and typing. :)
>>
>> I'm wondering if I need to change authentication settings on postfix to make things more straightforward.
>>
>> I also didn't see a spot in Mail.app to accept the postfix tls cert.
>>
>> John
>>
>>
>> On 8/6/19 8:02 AM, Larry Stone wrote:
>>>> On Aug 6, 2019, at 8:32 AM, John Dale <[hidden email]> wrote:
>>>>
>>>> Greetings;
>>>>
>>>> I have Thunderbird working with PostFix/Dovecot for sending and receiving.
>>>>
>>>> STARTTLS
>>>>
>>>> Normal Password
>>>>
>>>> I don't see these options in Mail.app for OSX.
>>>>
>>>> I've tried updating ports and different combinations of available authentication in Mail.app, but no luck.  It either times-out or has connection denied.
>>>>
>>>> Any recommendations?
>>> I use MacOS Mail and for receiving, I just have “Automatically manage connection settings” checked and it just works (but that’s really a Dovecot question, not Postfix).
>>>
>>> For sending, I do not have “Automatically manage connection settings” checked. Port is 587, Use TLS/SSL is checked, and Authentication is Password. But the correct settings for your server may be different.
>>>
>>> It may seem silly to ask but make sure you didn’t make a typo in the server name.
>>>
>>>
>

Re: Question getting Mail.app working with PostFix SMTP

Wietse Venema
John Dale:
> Tried updating smtp user to fully qualified .. no luck.
>
> This is what shows in the logs:
>
> connect from unknown[my.ip.address]
> Aug  6 14:35:04 mx postfix/smtpd[2098]: disconnect from
> unknown[my.ip.address] ehlo=2 starttls=1 quit=1 commands=4
>
> Works fine in Thunderbird.  Strange ..

After sending STARTTLS, the client sends EHLO. The server's response
contains the names of supported SASL authentication mechanisms,
among other things.

The client then sends QUIT instead of an AUTH command. That should
be a clue.

        Wietse

Re: Question getting Mail.app working with PostFix SMTP

Peter Ajamian
In reply to this post by Larry Stone
On 7/08/19 2:02 AM, Larry Stone wrote:
> I use MacOS Mail and for receiving, I just have “Automatically manage connection settings” checked and it just works (but that’s really a Dovecot question, not Postfix).
>
> For sending, I do not have “Automatically manage connection settings” checked. Port is 587, Use TLS/SSL is checked, and Authentication is Password. But the correct settings for your server may be different.

Just a bit of a possible "heads up" on this, but if your MUA has a
setting to automatically detect and use STARTTLS (and you use that
setting) then you're setting yourself up for a MITM attack vector where
the MITM can downgrade your connection to plain text and the MUA will
not let you know.

Years ago Thunderbird used to have a similar setting (Use Encryption if
available or something like that) but for years now they no longer offer
it, probably due to similar security concerns.


Peter
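
Added example (not part of Peter's post): the client-side check that prevents the downgrade described above, written in Python with smtplib. The test server, host names and credentials are constructed; the server simply never advertises STARTTLS, which is what a client sees once the capability has been stripped from the EHLO reply.

```python
import smtplib
import socket
import ssl
import threading


class DowngradeError(Exception):
    """STARTTLS was required by policy but the server did not offer it."""


def submit_login(host, port, user, password, require_tls=True):
    """Log in to a submission service; with require_tls, never AUTH in cleartext."""
    smtp = smtplib.SMTP(host, port, local_hostname="client.example.test", timeout=5)
    try:
        smtp.ehlo()
        if smtp.has_extn("starttls"):
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo()  # capabilities must be re-read inside the TLS session
        elif require_tls:
            raise DowngradeError("no STARTTLS offered; refusing to authenticate")
        smtp.login(user, password)
        return "authenticated"
    finally:
        try:
            smtp.quit()
        except (smtplib.SMTPException, OSError):
            pass


def _plain_only_server(listener, seen):
    """Constructed test peer: offers AUTH PLAIN, never STARTTLS; records commands."""
    conn, _ = listener.accept()
    with conn, conn.makefile("rb") as rfile, conn.makefile("wb") as wfile:
        def say(text):
            wfile.write(text.encode() + b"\r\n")
            wfile.flush()
        say("220 mx.example.test ESMTP")
        for raw in rfile:
            command = raw.decode().strip()
            seen.append(command)
            verb = command.split(" ", 1)[0].upper()
            if verb == "EHLO":
                say("250-mx.example.test\r\n250 AUTH PLAIN")
            elif verb == "AUTH":
                say("235 2.7.0 Authentication successful")
            elif verb == "QUIT":
                say("221 2.0.0 Bye")
                break
            else:
                say("250 2.0.0 Ok")


def run_against_stripped_server(require_tls):
    """Return (outcome, credentials_sent_in_cleartext) for one policy setting."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    seen = []
    peer = threading.Thread(target=_plain_only_server, args=(listener, seen), daemon=True)
    peer.start()
    try:
        outcome = submit_login("127.0.0.1", listener.getsockname()[1],
                               "john", "constructed-password", require_tls)
    except DowngradeError:
        outcome = "refused"
    peer.join(timeout=5)
    listener.close()
    return outcome, any(c.upper().startswith("AUTH") for c in seen)


if __name__ == "__main__":
    print("opportunistic:", run_against_stripped_server(require_tls=False))
    print("required:     ", run_against_stripped_server(require_tls=True))
```

With require_tls=False the login succeeds and the AUTH command crosses the wire unencrypted without any error; with require_tls=True the client stops before sending credentials.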

Re: Question getting Mail.app working with PostFix SMTP

Larry Stone
Thanks for the tip. All updated to explicit settings: Port 993, Use TLS/SSL, Authentication: Password.

In looking at them (I have multiple email accounts), when I unchecked “automatically detect”, some said Port 993 and others said Port 143 even though all said Use TLS/SSL. While port 143 is the unencrypted IMAP port, I’m hoping it was still doing encrypted but yet another case of where Apple’s “it just works” can get in the way of making sure things are set the way you want them. Now to check my iOS devices.

And now back to Postfix as IMAP is really off-topic for this list.

--
Larry Stone
[hidden email]





> On Aug 6, 2019, at 2:17 PM, Peter <[hidden email]> wrote:
>
> On 7/08/19 2:02 AM, Larry Stone wrote:
>> I use MacOS Mail and for receiving, I just have “Automatically manage connection settings” checked and it just works (but that’s really a Dovecot question, not Postfix).
>> For sending, I do not have “Automatically manage connection settings” checked. Port is 587, Use TLS/SSL is checked, and Authentication is Password. But the correct settings for your server may be different.
>
> Just a bit of a possible "heads up" on this, but if your MUA has a setting to automatically detect and use STARTTLS (and you use that setting) then you're setting yourself up for a MITM attack vector where the MITM can downgrade your connection to plain text and the MUA will not let you know.
>
> Years ago Thunderbird used to have a similar setting (Use Encryption if available or something like that) but for years now they no longer offer it, probably due to similar security concerns.
>
>
> Peter


Re: Question getting Mail.app working with PostFix SMTP

Viktor Dukhovni
In reply to this post by John Dale
On Tue, Aug 06, 2019 at 07:32:27AM -0600, John Dale wrote:

> STARTTLS
> Normal Password
>
> I don't see these options in Mail.app for OSX.
>
> I've tried updating ports and different combinations of available
> authentication in Mail.app, but no luck. It either times-out or has
> connection denied.
>
> Any recommendations?

Try the "Connection Doctor" menu in MacOS to see the Mac's view of
the SMTP transaction (somewhere among all the noisy IMAP chatter).
You were likely prompted to accept the server certificate during
the first connection.

Mail.app supports PLAIN, GSSAPI and OAUTH.  When you double-click
on the SMTP "row" in the "Connection Doctor" view, you get a more
advanced configuration dialogue for the SMTP server settings, in
which under the "Advanced" tab, you can enable "allow insecure
authentication", which may be needed to get "PLAIN" to work.

--
        Viktor.

Re: Question getting Mail.app working with PostFix SMTP

John Dale
In reply to this post by Larry Stone
Ugh .. still having trouble getting apple's mail client to work with
postfix SMTP settings.

I'm not seeing anything in the logs that I can make sense of:

Sep 22 04:12:50 mx postfix/smtpd[30354]: connect from
unknown[the.ip.address.ofmynetwork]
Sep 22 04:12:51 mx postfix/smtpd[30354]: disconnect from
unknown[the.ip.address.ofmynetwork] ehlo=2 starttls=1 quit=1 commands=4

I have this working in Thunderbird, but I'm not really happy with the
performance of Thunderbird at the current time so I want to try Mail
(I've found mac clients to be memory thrifty if not a bit slow .. but at
least they're usually reliable and predictably a little slower).

The username and password are verified, as is the port that Thunderbird
is connecting to.  But the settings are just so confusing to me,
unfortunately.  TLS, MD5, STLS, etc .. I don't even really know if I'm
encrypting my traffic/authentication information from Thunderbird!  :D

Explain it to me like I'm five, please .. what are the SMTP settings
that I need to be most concerned with for this authentication portion. 
FWIW, I did get DKIM working with the opendkim milter config, so I have
that going for me which is nice.

Now, if I could just get my head around authentication configuration for
SMTP .. while we're at it, I would like a better understanding of how I
could safely get/send email from another network (I only check from my
home network at the moment). Relaying is a strange concept .. if I'm
authenticated to my SMTP server, why would I need to do anything at all
with relaying?  My mail client is not another mail server.  If there is
a nice write up about these issues that doesn't have me wading through
documentation from multiple versions of postgres for a week, I would
love to read it. :)  Seems most documentation is written for folks who
already have a good understanding of the state of SMTP.

My goals are to stand up a reasonably secure mail server as quickly as
possible so I can get back to designing databases and writing middleware
code.

I'm running 3.3.0 - I would sure appreciate your help.  I've had some
success so far and I look forward to continuing to build my competency
in smtp admin with postfix.

Sincerely,

John


On 8/6/19 1:31 PM, Larry Stone wrote:
> Thanks for the tip. All updated to explicit settings: Port 993, Use TLS/SSL, Authentication: Password.
>
> In looking at them (I have multiple email accounts), when I unchecked “automatically detect”, some said Port 993 and others said Port 143 even though all said Use TLS/SSL. While port 143 is the unencrypted IMAP port, I’m hoping it was still doing encrypted but yet another case of where Apple’s “it just works” can get in the way of making sure things are set the way you want them. Now to check my iOS devices.
>
> And now back to Postfix as IMAP is really off-topic for this list.
>

Re: Question getting Mail.app working with PostFix SMTP

Viktor Dukhovni
> On Sep 22, 2019, at 12:23 AM, John Dale <[hidden email]> wrote:
>
> I'm not seeing anything in the logs that I can make sense of:
>
> Sep 22 04:12:50 mx postfix/smtpd[30354]: connect from unknown[the.ip.address.ofmynetwork]
> Sep 22 04:12:51 mx postfix/smtpd[30354]: disconnect from unknown[the.ip.address.ofmynetwork] ehlo=2 starttls=1 quit=1 commands=4

The client connects, establishes a TLS connection, and then sends "QUIT" without any
further interaction.

Most likely because it sees no SASL support announced.  Perhaps it is connecting
to port 25 and not 587.  You should consider (if not the case already) adding:

        -o syslog_name=postfix/submission

to the submission entry in master.cf, so you can see whether the client is
connecting to the right port.  [Sadly, the above is likely a bit advanced for
most five-year-olds, but I hope it will nonetheless help you make progress]

--
        Viktor.
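
Added example (not part of Wietse's or Viktor's posts): a small Python parser for the smtpd "disconnect" counters they interpret above. It labels the session from John's log as TLS without AUTH and reports whether the syslog tag can tell port 25 from 587. The sample lines and the 192.0.2.10 address are constructed, and the verdict names are this example's own.

```python
import re

# The tag is "postfix" by default and e.g. "postfix/submission" when the
# master.cf entry sets -o syslog_name=postfix/submission.
DISCONNECT = re.compile(
    r"(?P<tag>[\w./-]+)/smtpd\[\d+\]: disconnect from (?P<client>\S+) (?P<stats>.+)$"
)

HINTS = {
    "auth-ok": "client authenticated",
    "auth-failed": "AUTH was attempted and rejected: check user name form and password",
    "tls-no-auth": "TLS came up, then the client quit without AUTH: check which "
                   "SASL mechanisms the second EHLO reply offers on this port",
    "no-tls": "client never issued STARTTLS",
    "tls-failed": "STARTTLS was attempted but did not succeed",
}


def parse_counters(stats):
    """Turn 'ehlo=2 auth=0/1 commands=4/5' into {name: (succeeded, attempted)}."""
    counters = {}
    for token in stats.split():
        name, _, value = token.partition("=")
        ok, _, total = value.partition("/")
        if ok.isdigit():
            counters[name] = (int(ok), int(total) if total.isdigit() else int(ok))
    return counters


def diagnose(line):
    """Classify one smtpd disconnect line; return None for any other log line."""
    match = DISCONNECT.search(line)
    if match is None:
        return None
    counters = parse_counters(match["stats"])
    ok = lambda name: counters.get(name, (0, 0))[0]
    tried = lambda name: counters.get(name, (0, 0))[1]
    if ok("auth"):
        verdict = "auth-ok"
    elif tried("auth"):
        verdict = "auth-failed"
    elif ok("starttls"):
        verdict = "tls-no-auth"
    elif not tried("starttls"):
        verdict = "no-tls"
    else:
        verdict = "tls-failed"
    return {
        "tag": match["tag"],
        "client": match["client"],
        "verdict": verdict,
        "hint": HINTS[verdict],
        # With the default tag, port 25 and port 587 sessions look identical.
        "port_ambiguous": match["tag"] == "postfix",
    }


# Constructed sample lines modelled on the log excerpt quoted in the thread.
SAMPLE = [
    "Sep 22 04:12:50 mx postfix/smtpd[30354]: connect from unknown[192.0.2.10]",
    "Sep 22 04:12:51 mx postfix/smtpd[30354]: disconnect from unknown[192.0.2.10] "
    "ehlo=2 starttls=1 quit=1 commands=4",
    "Sep 22 04:20:03 mx postfix/submission/smtpd[30410]: disconnect from "
    "unknown[192.0.2.10] ehlo=2 starttls=1 auth=0/1 quit=1 commands=4/5",
    "Sep 22 04:25:40 mx postfix/submission/smtpd[30422]: disconnect from "
    "unknown[192.0.2.10] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=7",
]

if __name__ == "__main__":
    for entry in filter(None, map(diagnose, SAMPLE)):
        note = " (set syslog_name to see the port)" if entry["port_ambiguous"] else ""
        print(f'{entry["tag"]} {entry["client"]}: {entry["hint"]}{note}')
```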


Re: Question getting Mail.app working with PostFix SMTP

@lbutlr
On Sep 21, 2019, at 10:32 PM, Viktor Dukhovni <[hidden email]> wrote:
> Most likely because it sees no SASL support announced.  Perhaps it is connecting
> to port 25 and not 587.  You should consider (if not the case already) adding:
>
> -o syslog_name=postfix/submission

This is what I have in my master.cf and it works perfectly with iOS, iPadOS, and macOS Mail.

submission inet  n       -       n       -       -       smtpd
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_security_options=noanonymous
    -o smtpd_sasl_path=private/auth
    -o smtpd_milters=
    -o milter_connect_macros=
    -o milter_macro_daemon_name=ORIGINATING
    -o syslog_name=postfix/submit
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_data_restrictions=
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    -o smtpd_helo_restrictions=
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
smtps      inet  n       -       n       -       -       smtpd
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_type=dovecot
    -o smtpd_milters=
    -o milter_connect_macros=
    -o milter_macro_daemon_name=ORIGINATING
    -o smtpd_sasl_security_options=noanonymous
    -o smtpd_sasl_path=private/auth
    -o smtpd_data_restrictions=
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    -o smtpd_helo_restrictions=
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    -o syslog_name=postfix/smtps
    -o smtpd_tls_wrappermode=yes

I leave mail settings at “Automatically manage connection settings” and Robert is your father’s simian brother.

The keys are that submission uses smtpd_tls_security_level and smtps uses smtpd_tls_wrappermode

Also, as Viktor alluded to, you should not be using port 25 for accepting mail from MUAs.

Though I enabled smtps a while back, I am not sure that anyone is actually using it. I certainly haven’t seen it in the logs, but I do not keep mail/log for very long and I don’t check for smtps in it often enough to be sure. Still, it doesn’t hurt having it, and it may help at some point.


--
She'd always tried to face towards the light. But the harder you stared into
the brightness the harsher it burned into you until, at last, the temptation
picked you up and bid you turn around to see how long, rich, strong and dark,
streaming away behind you, your shadow had become- --Carpe Jugulum


Re: Question getting Mail.app working with PostFix SMTP

Daniel L. Miller
In reply to this post by John Dale
On 9/21/2019 9:23 PM, John Dale wrote:
> Ugh .. still having trouble getting apple's mail client to work with
> postfix SMTP settings.
>
> I'm not seeing anything in the logs that I can make sense of:
>
> [...]
>
> Explain it to me like I'm five, please .. what are the SMTP settings
> that I need to be most concerned with for this authentication portion.

In the mail server world I'm going on six myself but I'll give it a shot.

To begin with you need to start small - get things working with a test
server with a minimum of restrictions and then tweak one item at a time
until you have at least some comfort level of what that does.

First, some terms as I understand them. Hopefully someone will correct
me if I'm providing too much misinformation.

MUA - Mail User Agent - Client. Thunderbird, Mail.app, and others. These
programs talk to MTA's and expect the MTA to transport mail to a
destination. Local, remote, virtual, or whatever the next concept might be.

MTA - Mail Transfer Agent - Server. MTA's like Postfix *transfer*
messages between...various sources & destinations. A source can be a
MUA. It can also be another MTA - local or remote. The destination can
be another MTA - or there may be a delivery.

MDA - Mail Delivery Agent - Storage Interface. The MDA (like Postfix's
local or Dovecot's LMTP) accept messages from a MTA and store them -
which typically means saving to disk in some fashion.

Host System - the running O/S that is running the MTA (Postfix).

Local Users - known to the host system. Users configured in your
/etc/passwd as an example.

Virtual Users - valid users that are not necessarily known to the host
system. Basically any user database that is not used by the host system.

With those defined - consider the interaction of MUA-MTA-MDA. Using your
workstation mail client (for convenience let's say Thunderbird) you send
a mail...to yourself. Whether your mail account is local or virtual is
irrelevant. Thunderbird connects to the configured Outgoing Server -
let's say at mail.mydomain.com on port 587. The Postfix listener (which
is smtpd, as in SMTP Daemon) takes that message and via the black magic
- I mean exceptional coding of the various processes (and there is no
sarcasm whatsoever in that statement) - determines that it belongs to
this same server. The message is then passed to the MDA and is saved for
later retrieval.

Now consider the next level - someone from outside your system, on the
nasty InfectedNet, sends you a message. This is MTA-MTA-MDA. Just like a
MUA, the remote MTA connects to your MTA except this time using port 25
- which is handled by another instance of smtpd. A near-identical
process occurs, the message is determined to be handled locally, and is
passed to the MDA.

The above two interactions are basically the only "local" possibilities.
If the MTA passes the message to anything other than a MDA - that's a
relay operation. Which means when *your* MUA connects to *your* MTA and
asks it to send your birthday congratulations to [hidden email] - that's
a relay operation.

Hopefully the above makes sense and my subjective version isn't too far
off from objective reality.

If you made it to this point - go back to the top where I said start
small. Do so. Attempting to introduce encryption to a server that is not
both fully-functional with plaintext and whose configuration is not
understood is an excursion into extreme masochism.

> [...]
> Seems most documentation is written for folks who
> already have a good understanding of the state of SMTP.

You are correct.
>
> My goals are to stand up a reasonably secure mail server as quickly as
> possible so I can get back to designing databases and writing middleware
> code.

Generally such an attitude, while understandable and often shared, is
generally going to be met with a response that administering a mail
server is not a part-time job and if you're not "qualified" then you
should hire someone who is. I've been lucky enough to have received some
hand-holding myself so I'm trying to pay it forward.

>
> I'm running 3.3.0 - I would sure appreciate your help.  I've had some
> success so far and I look forward to continuing to build my competency
> in smtp admin with postfix.
>
There's no better place to do so!

--
Daniel


Re: Question getting Mail.app working with PostFix SMTP

@lbutlr
On Sep 22, 2019, at 12:41 AM, Daniel Miller <[hidden email]> wrote:
> Generally such an attitude, while understandable and often shared, is generally going to be met with a response that administering a mail server is not a part-time job and if you're not "qualified" then you should hire someone who is. I've been lucky enough to have received some hand-holding myself so I'm trying to pay it forward.

It takes a lot of time and quite a bit of fiddly specialized knowledge and for most people it is really not worth the investment of time unless you really are doing it as a paying job. I mean, I would be far better off paying someone for mail service, I’m just used to doing it my way and having full control, so I persist. I never recommend that path to others.


--
The new Death raised his cowl. There was no face there. There was not
even a skull. Smoke curled formlessly between the robe and a golden
crown. Bill Door raised himself on his elbows. A CROWN? His voice
shook with rage. I NEVER WORE A CROWN!  You never wanted to rule.


Barriers to running your own mail server?

Viktor Dukhovni
In reply to this post by Daniel L. Miller
> On Sep 22, 2019, at 2:41 AM, Daniel Miller <[hidden email]> wrote:
>
> administering a mail server is not a part-time job and if you're not "qualified" then you should hire someone who is.

I am curious whether administrators of "mailinabox" systems feel
the same way?  Or has

        https://mailinabox.email/

achieved making running your own mail server accessible to a broader
audience?

--
        Viktor.