RE: Can postfix send encrypted but not authenticated emails ? -- FIXED


Fazzina, Angelo
Hi, I only needed to add one setting and all the deferred test emails on O365 started flowing into my inbox.

RAN     vi /etc/postfix/main.cf
        added
        # -ALF 2018-06-28
        smtpd_tls_security_level = may
RAN     service postfix reload

Case closed, thanks.

-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

[hidden email]
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075


-----Original Message-----
From: [hidden email] <[hidden email]> On Behalf Of Fazzina, Angelo
Sent: Thursday, June 28, 2018 3:26 PM
To: Postfix users <[hidden email]>
Subject: RE: Can postfix send encrypted but not authenticated emails ?

Hi, thank you Viktor.

I was able to replicate the error [a deferral] from O365:

450 4.4.317 cannot connect to remote server message= 451 5.7.3 STARTTLS is required to send mail

My server 137.99.25.233 on port 25 is not accepting the mail.

I cannot control what O365 does; they send on port 25, and I can't find my settings that are blocking it.

Even stranger, my identical servers in Azure will accept the mail. Just trying to understand the differences to ID the problem.

Confused why this works:
[root@mta2 postfix]# telnet azuresmtp.uconn.edu 25
Trying 104.45.142.253...
Connected to azuresmtp.uconn.edu.
Escape character is '^]'.
220 uconnmta6.cloudapp.net ESMTP Postfix (Debian/GNU)
ehlo uconn.edu
250-uconnmta6.cloudapp.net
250-PIPELINING
250-SIZE 31457280
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye

And why this does not?
[root@uconnMTA5 postfix]# telnet 137.99.25.233 25
Trying 137.99.25.233...
telnet: connect to address 137.99.25.233: Connection timed out


Am I on the right track noticing there is no 250-STARTTLS?
[root@mta2 postfix]# telnet 137.99.25.233 25
Trying 137.99.25.233...
Connected to 137.99.25.233.
Escape character is '^]'.
220 mta3.uits.uconn.edu ESMTP Postfix (Debian/GNU)
ehlo uconn.edu
250-mta3.uits.uconn.edu
250-PIPELINING
250-SIZE 31457280
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.



-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

[hidden email]
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

-----Original Message-----
From: [hidden email] <[hidden email]> On Behalf Of Viktor Dukhovni
Sent: Thursday, June 28, 2018 1:05 PM
To: Postfix users <[hidden email]>
Subject: Re: Can postfix send encrypted but not authenticated emails ?



> On Jun 28, 2018, at 12:41 PM, Fazzina, Angelo <[hidden email]> wrote:
>
> Hi, I have been reading the online docs for TLS_README.html and SASL_README.html but still having trouble deducing if I can get Postfix 2.6 to accept email over port 587 without giving Postfix a username and password?

The submission service on ports 587 and 465 is for sending email outbound,
possibly to remote domains, from the end-user's MUA.  While some MTAs on
laptops and SOHO environments send outbound mail via their provider's
submission service, they're essentially just proxies for the user's MUA,
and the mail is still on the "outbound" leg of its journey.
So 587 and 465 are not MTA-to-MTA relay services.

Outbound email requires authentication, due to the potential of open-relay
abuse by spammers.

> I would like to change it so postfix will accept email without a username and password, specifically from Office 365, and with encryption [TLS].

If the email is addressed to your domain (inbound email), Postfix will accept
it from all senders, without SASL authentication.

  http://www.postfix.org/BASIC_CONFIGURATION_README.html#mydestination
  http://www.postfix.org/VIRTUAL_README.html#canonical

> I would add that I am not looking to change the current config, but just add this new ability.
>  
> Is it as simple as adding
>
>                   smtpd_tls_security_level = may
>
> into main.cf ?

To enable inbound opportunistic TLS you'll need that and a suitable
(self-signed is sufficient) certificate; if you already have one for
port 587, you can use that one.

        http://www.postfix.org/TLS_README.html#quick-start
 
> I also heard Postfix can use maybe Kerberos tickets

Cross-organizational Kerberos is not common.  And not needed in your
use case of relaying between MTAs.  Kerberos can be used as a SASL
mechanism on port 587 between the MUA and the submission service.
This message's first hop is GSSAPI (specifically Kerberos) authenticated.
 
> Example :  email to [hidden email] goes to O365 and then O365 will forward to smtp.uconn.edu [which relays back to O365] due to my mailbox being [hidden email] . If you send directly to [hidden email] O365 delivers to mailbox without having to forward the email.

This is multi-hop relaying on the inbound phase of message delivery, and
requires nothing fancy, just some address rewriting and routing.

--
        Viktor.
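The diagnosis in this thread came down to one observation: the on-premises MTA's EHLO reply had no 250-STARTTLS line, so a sender that insists on TLS (Office 365 here) deferred with "STARTTLS is required to send mail", and setting smtpd_tls_security_level = may made Postfix advertise it. The script below is an added example, not code from the thread or from the Postfix project; it automates that manual telnet check. It parses the two EHLO replies quoted above (copied from the thread) and also offers a live check built on the standard library's smtplib, which is the only thing it assumes beyond Python 3.

```python
"""Check whether an MTA advertises STARTTLS in its EHLO response.

Added example, not part of the original mailing-list thread. A
'250-STARTTLS' line in the EHLO reply means the server will accept
opportunistic TLS on port 25; its absence means any sender that requires
TLS will defer delivery, as Office 365 did in the thread.
"""
import smtplib

# EHLO replies copied from the thread: the Azure host advertised STARTTLS,
# the on-premises host (before smtpd_tls_security_level = may) did not.
EHLO_AZURE = """250-uconnmta6.cloudapp.net
250-PIPELINING
250-SIZE 31457280
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

EHLO_MTA3 = """250-mta3.uits.uconn.edu
250-PIPELINING
250-SIZE 31457280
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""


def parse_ehlo(reply: str) -> dict:
    """Parse a multi-line EHLO reply into {keyword: parameters}.

    RFC 5321 format: every line starts with '250-' (more lines follow) or
    '250 ' (final line). The first line carries the server's hostname, the
    remaining lines are extension keywords with optional parameters
    (e.g. 'SIZE 31457280'). The hostname is stored under '_hostname'.
    """
    lines = [ln.rstrip("\r") for ln in reply.strip().splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty EHLO reply")
    exts = {}
    for i, line in enumerate(lines):
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError(f"malformed EHLO line: {line!r}")
        is_last = line[3] == " "
        body = line[4:].strip()
        if i == 0:
            exts["_hostname"] = body.split()[0] if body else ""
        else:
            parts = body.split(None, 1)
            exts[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
        if is_last and i != len(lines) - 1:
            raise ValueError("extra lines after the final '250 ' reply")
    if lines[-1][3] != " ":
        raise ValueError("EHLO reply has no terminating '250 ' line")
    return exts


def advertises_starttls(reply: str) -> bool:
    """True if the parsed EHLO reply lists the STARTTLS extension."""
    return "STARTTLS" in parse_ehlo(reply)


def check_starttls(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Live check against a real MTA (not exercised offline).

    smtplib.SMTP.ehlo() parses the reply for us; has_extn() is the
    library's own lookup of an advertised extension keyword.
    """
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            return smtp.has_extn("starttls")
    except (smtplib.SMTPException, OSError) as exc:
        raise RuntimeError(f"EHLO to {host}:{port} failed: {exc}") from exc


if __name__ == "__main__":
    for name, reply in (("azuresmtp", EHLO_AZURE), ("mta3", EHLO_MTA3)):
        print(f"{name}: STARTTLS advertised = {advertises_starttls(reply)}")
```

Run it as-is to see the two transcripts evaluated; call check_starttls("your.mta.example", 25) from a host that can reach port 25 to repeat the check against a live server after changing main.cf. As Viktor notes above, advertising STARTTLS with security level may also requires a certificate to be configured, so a reply that still lacks the line after the reload usually points at the cert settings rather than at the security level.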