Switching to 587 submission


Switching to 587 submission

Grant-4
I've been using smtps on port 465 for sending mail but I read it's
deprecated so I'm trying to switch to submission port 587.

With 465 I was using the "Connection security: SSL/TLS" setting in
Thunderbird, but after switching to 587 I can't send mail unless I
change it to STARTTLS.  Can anyone explain this?  Should I be using
STARTTLS instead of SSL/TLS for courier 993?

Whether using 465 or 587, I noticed I can't log in to send mail from
my mail clients unless the password is sent unencrypted.  Is that OK
since I'm using STARTTLS or should I also enable encryption of the
password?

Previously in master.cf I was running smtps like this:

smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

Should I enable all of this for submission:

submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

I don't think I need milter_macro_daemon_name since I'm not using a
mail filter.  I am running saslauthd but it looks like I didn't have
it enabled for smtps previously.  I'm surprised because I thought I
required authentication in order to use smtps.

Here is most of the non-default stuff from main.cf:

smtpd_sasl_auth_enable = yes
smtpd_sasl2_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =

smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination,
        permit

postscreen_greet_action = enforce
postscreen_pipelining_enable = yes
postscreen_pipelining_action = enforce
postscreen_non_smtp_command_enable = yes
postscreen_non_smtp_command_action = enforce
postscreen_bare_newline_enable = yes
postscreen_bare_newline_action = enforce

smtpd_tls_security_level = may
smtpd_tls_auth_only = yes

Thanks to anyone who can help me out with this or point out any
deficiencies/stupidities in my config.

- Grant

Re: Switching to 587 submission

Reindl Harald-2


On 08.12.2011 01:49, Grant wrote:
> I've been using smtps on port 465 for sending mail but I read it's
> deprecated so I'm trying to switch to submission port 587.
>
> With 465 I was using the "Connection security: SSL/TLS" setting in
> Thunderbird, but after switching to 587 I can't send mail unless I
> change it to STARTTLS.  Can anyone explain this?  

Yes, because it is STARTTLS.
465 is SMTP over SSL and NOT STARTTLS.

We provide both on smtp/imap/pop3 because all of them
have a dedicated "over ssl" port and STARTTLS over
the standard port if configured:

    SMTP unencrypted / TLS: 587
    SMTP over SSL: 465
    POP3 unencrypted / TLS: 110
    POP3 over SSL: 995
    IMAP unencrypted / TLS: 143
    IMAP over SSL: 993



Re: Switching to 587 submission

Grant-4
>> I've been using smtps on port 465 for sending mail but I read it's
>> deprecated so I'm trying to switch to submission port 587.
>>
>> With 465 I was using the "Connection security: SSL/TLS" setting in
>> Thunderbird, but after switching to 587 I can't send mail unless I
>> change it to STARTTLS.  Can anyone explain this?
>
> yes because it is STARTTLS
> 465 is smtp over ssl and NOT STARTTLS
>
> we provide both on smtp/imap/pop3 because all of them
> having a dedicated "over ssl" port and STARTTLS over
> the standard-port if configured
>
>    SMTP unencrypted / TLS: 587
>    SMTP over SSL: 465
>    POP3 unencrypted / TLS: 110
>    POP3 over SSL: 995
>    IMAP unencrypted / TLS: 143
>    IMAP over SSL: 993

Is IMAP over SSL on 993 deprecated in favor of using STARTTLS on 143?

I just read that Squirrelmail doesn't support STARTTLS, so I must
continue to use smtps 465 in order to use Squirrelmail?

- Grant

Re: Switching to 587 submission

Reindl Harald-2


On 08.12.2011 02:09, Grant wrote:

>>> I've been using smtps on port 465 for sending mail but I read it's
>>> deprecated so I'm trying to switch to submission port 587.
>>>
>>> With 465 I was using the "Connection security: SSL/TLS" setting in
>>> Thunderbird, but after switching to 587 I can't send mail unless I
>>> change it to STARTTLS.  Can anyone explain this?
>>
>> yes because it is STARTTLS
>> 465 is smtp over ssl and NOT STARTTLS
>>
>> we provide both on smtp/imap/pop3 because all of them
>> having a dedicated "over ssl" port and STARTTLS over
>> the standard-port if configured
>>
>>    SMTP unencrypted / TLS: 587
>>    SMTP over SSL: 465
>>    POP3 unencrypted / TLS: 110
>>    POP3 over SSL: 995
>>    IMAP unencrypted / TLS: 143
>>    IMAP over SSL: 993
>
> Is IMAP over SSL on 993 deprecated in favor of using STARTTLS on 143?
I do not know, but I see no reason to disable the dedicated SSL ports.

> I just read that Squirrelmail doesn't support STARTTLS, so I must
> continue to use smtps 465 in order to use Squirrelmail?

The main question is why you need to encrypt sending messages from
a webmail which usually does not go over the WAN.



Re: Switching to 587 submission

Grant-4
>>>> I've been using smtps on port 465 for sending mail but I read it's
>>>> deprecated so I'm trying to switch to submission port 587.
>>>>
>>>> With 465 I was using the "Connection security: SSL/TLS" setting in
>>>> Thunderbird, but after switching to 587 I can't send mail unless I
>>>> change it to STARTTLS.  Can anyone explain this?
>>>
>>> yes because it is STARTTLS
>>> 465 is smtp over ssl and NOT STARTTLS
>>>
>>> we provide both on smtp/imap/pop3 because all of them
>>> having a dedicated "over ssl" port and STARTTLS over
>>> the standard-port if configured
>>>
>>>    SMTP unencrypted / TLS: 587
>>>    SMTP over SSL: 465
>>>    POP3 unencrypted / TLS: 110
>>>    POP3 over SSL: 995
>>>    IMAP unencrypted / TLS: 143
>>>    IMAP over SSL: 993
>>
>> Is IMAP over SSL on 993 deprecated in favor of using STARTTLS on 143?
>
> i do not know, but i see no reason to disable the dedicated ssl-ports

Are you saying I should continue using smtps port 465 even though it's
deprecated?

>> I just read that Squirrelmail doesn't support STARTTLS, so I must
>> continue to use smtps 465 in order to use Squirrelmail?
>
> the main-question is why you need to encrypt sending messages from
> a webmail which usually does not go over the WAN

If I set "Secure SMTP (TLS) : false" in squirrelmail, I get:

Authentication required
530 5.7.0 Must issue a STARTTLS command first

If I change port 587 to 25 in squirrelmail I get:

Bad sequence of commands
503 5.5.1 Error: authentication not enabled

- Grant

Re: Switching to 587 submission

Reindl Harald-2


On 08.12.2011 02:40, Grant wrote:

>>>> yes because it is STARTTLS
>>>> 465 is smtp over ssl and NOT STARTTLS
>>>>
>>>> we provide both on smtp/imap/pop3 because all of them
>>>> having a dedicated "over ssl" port and STARTTLS over
>>>> the standard-port if configured
>>>>
>>>>    SMTP unencrypted / TLS: 587
>>>>    SMTP over SSL: 465
>>>>    POP3 unencrypted / TLS: 110
>>>>    POP3 over SSL: 995
>>>>    IMAP unencrypted / TLS: 143
>>>>    IMAP over SSL: 993
>>>
>>> Is IMAP over SSL on 993 deprecated in favor of using STARTTLS on 143?
>>
>> i do not know, but i see no reason to disable the dedicated ssl-ports
>
> Are you saying I should continue using smtps port 465 even though it's
> deprecated?
Your decision.

>>> I just read that Squirrelmail doesn't support STARTTLS, so I must
>>> continue to use smtps 465 in order to use Squirrelmail?
>>
>> the main-question is why you need to encrypt sending messages from
>> a webmail which usually does not go over the WAN
>
> If I set "Secure SMTP (TLS) : false" in squirrelmail, I get:
>
> Authentication required
> 530 5.7.0 Must issue a STARTTLS command first
>
> If I change port 587 to 25 in squirrelmail I get:
>
> Bad sequence of commands
> 503 5.5.1 Error: authentication not enabled
This sounds like a broken setup.

smtp            inet  n       -       n       -      50       smtpd
  -o smtpd_client_connection_count_limit=15
  -o max_idle=1h -o max_use=500

submission      inet  n       -       n       -      50       smtpd
  -o smtpd_client_connection_count_limit=15
  -o smtpd_sasl_auth_enable=yes -o smtpd_delay_reject=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o max_idle=1h -o max_use=500

smtps           inet  n       -       n       -      50       smtpd
  -o smtpd_client_connection_count_limit=15
  -o smtpd_sasl_auth_enable=yes -o smtpd_delay_reject=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_tls_wrappermode=yes -o max_idle=1h -o max_use=500


Re: Switching to 587 submission

Michael Orlitzky-2
In reply to this post by Grant-4
On 12/07/2011 08:09 PM, Grant wrote:
>
> Is IMAP over SSL on 993 deprecated in favor of using STARTTLS on 143?

Nope. I personally prefer the dedicated port for POP3/IMAP.


> I just read that Squirrelmail doesn't support STARTTLS, so I must
> continue to use smtps 465 in order to use Squirrelmail?

I think it should work. From
http://squirrelmail.org/docs/admin/admin-5.html,

   SquirrelMail is able to connect to IMAP and SMTP servers that use
   TLS. Since 1.5.1 version SquirrelMail is able to connect to IMAP and
   SMTP servers that use STARTTLS (which is different from TLS).



Re: Switching to 587 submission

Grant-4
>> Is IMAP over SSL on 993 deprecated in favor of using STARTTLS on 143?
>
>
> Nope. I personally prefer the dedicated port for POP3/IMAP.

OK, I'll stick with it for IMAP.

>> I just read that Squirrelmail doesn't support STARTTLS, so I must
>> continue to use smtps 465 in order to use Squirrelmail?
>
>
> I think it should work. From
> http://squirrelmail.org/docs/admin/admin-5.html,

Sorry I had some bad info.

>  SquirrelMail is able to connect to IMAP and SMTP servers that use
>  TLS. Since 1.5.1 version SquirrelMail is able to connect to IMAP and
>  SMTP servers that use STARTTLS (which is different from TLS).

I'm trying to figure out why I can't connect to 587 in Squirrelmail.
I can in Thunderbird.

- Grant

Re: Switching to 587 submission

Michael Orlitzky-2
In reply to this post by Grant-4
On 12/07/2011 07:49 PM, Grant wrote:
> I've been using smtps on port 465 for sending mail but I read it's
> deprecated so I'm trying to switch to submission port 587.
>
> With 465 I was using the "Connection security: SSL/TLS" setting in
> Thunderbird, but after switching to 587 I can't send mail unless I
> change it to STARTTLS.  Can anyone explain this?  Should I be using
> STARTTLS instead of SSL/TLS for courier 993?

All of the "secure connection" types are rather loosely defined in mail
clients. The dovecot wiki has a decent, although still (necessarily)
confusing explanation:

   http://wiki2.dovecot.org/SSL

In Thunderbird's case, "STARTTLS" means "connect first, and then
negotiate TLS via the STARTTLS command," which is now the way to do
things even if you're going to require everyone to use TLS.


> Whether using 465 or 587, I noticed I can't log in to send mail from
> my mail clients unless the password is sent unencrypted.  Is that OK
> since I'm using STARTTLS or should I also enable encryption of the
> password?

That's fine, the entire connection is encrypted.


> Previously in master.cf I was running smtps like this:
>
> smtps     inet  n       -       n       -       -       smtpd
>    -o smtpd_tls_wrappermode=yes
> #  -o smtpd_sasl_auth_enable=yes
> #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> #  -o milter_macro_daemon_name=ORIGINATING
>
> Should I enable all of this for submission:
>
> submission inet n       -       n       -       -       smtpd
>    -o smtpd_tls_security_level=encrypt
>    -o smtpd_sasl_auth_enable=yes
>    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>    -o milter_macro_daemon_name=ORIGINATING
>
> I don't think I need milter_macro_daemon_name since I'm not using a
> mail filter.  I am running saslauthd but it looks like I didn't have
> it enabled for smtps previously.  I'm surprised because I thought I
> required authentication in order to use smtps.
>

You've probably got permit_mynetworks near the top of your
smtpd_foo_restrictions, which are inherited by default. The "-o
smtpd_client_restrictions" line would have overridden that (if it was a
client restriction) and forced your users to authenticate.

The same thing would work for the submission port after the switch, but
you should first check that your SASL is really working since it wasn't
being exercised.
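As an added illustration of the STARTTLS behaviour described above (my code, not Michael's and not Postfix's own), this Python script compares what a submission service advertises in cleartext with what it advertises inside TLS, and reports the conditions behind the "530 5.7.0 Must issue a STARTTLS command first" and "503 5.5.1 Error: authentication not enabled" replies seen in this thread. The EHLO replies are constructed; `probe()` assumes a host whose certificate is trusted by the local CA store.

```python
"""Show what a Postfix submission service advertises before and after STARTTLS.

Added example, not code from the thread. It reproduces the server behaviour
behind two replies quoted above: with smtpd_tls_auth_only = yes, AUTH is only
advertised inside TLS ("530 5.7.0 Must issue a STARTTLS command first" when a
client tries earlier), and a service without smtpd_sasl_auth_enable=yes never
advertises AUTH ("503 5.5.1 Error: authentication not enabled").
"""
from __future__ import annotations

import smtplib
import ssl
from dataclasses import dataclass, field


@dataclass
class EhloProfile:
    starttls: bool = False                                # STARTTLS offered
    auth_mechs: list[str] = field(default_factory=list)   # SASL mechanisms offered


def parse_ehlo(reply: str) -> EhloProfile:
    """Parse an EHLO reply; lines may carry the '250-' prefix (raw wire text)
    or not (the form smtplib.SMTP.ehlo() returns)."""
    prof = EhloProfile()
    for raw in reply.splitlines():
        line = raw.strip()
        if line[:3] == "250" and line[3:4] in ("-", " "):
            line = line[4:].strip()
        keyword, _, args = line.partition(" ")
        kw = keyword.upper()
        if kw == "STARTTLS":
            prof.starttls = True
        elif kw.startswith("AUTH"):
            # Postfix emits "AUTH PLAIN LOGIN" and, for old clients, "AUTH=PLAIN LOGIN".
            for mech in (kw[4:] + " " + args).replace("=", " ").split():
                if mech.upper() not in prof.auth_mechs:
                    prof.auth_mechs.append(mech.upper())
    return prof


def assess(before: EhloProfile, after: EhloProfile | None) -> list[str]:
    """Findings for a STARTTLS port, given the EHLO profile seen in cleartext
    and the one seen inside TLS (None if TLS could not be started)."""
    findings: list[str] = []
    if before.auth_mechs:
        findings.append("AUTH offered before STARTTLS: passwords can travel in cleartext; "
                        "set smtpd_tls_auth_only = yes or smtpd_tls_security_level = encrypt")
    if not before.starttls:
        findings.append("STARTTLS not offered: check smtpd_tls_security_level on this service")
    elif after is None:
        findings.append("STARTTLS offered but the TLS handshake failed")
    else:
        if not after.auth_mechs:
            findings.append("no AUTH inside TLS: this service lacks smtpd_sasl_auth_enable=yes "
                            "(clients see '503 5.5.1 Error: authentication not enabled')")
        if "ANONYMOUS" in after.auth_mechs:
            findings.append("ANONYMOUS offered: set smtpd_sasl_security_options = noanonymous")
    return findings


def probe(host: str, port: int = 587, timeout: float = 10.0) -> list[str]:
    """Live check of a real server (not used by the offline samples below);
    assumes its certificate chains to the local trust store."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        _, reply = smtp.ehlo()
        before = parse_ehlo(reply.decode("latin-1"))
        if not before.starttls:
            return assess(before, None)
        try:
            smtp.starttls(context=ssl.create_default_context())
        except (smtplib.SMTPException, OSError):
            return assess(before, None)
        _, reply = smtp.ehlo()                    # features must be re-read inside TLS
        return assess(before, parse_ehlo(reply.decode("latin-1")))


# Constructed EHLO replies in the shape Postfix produces; not captured from any real host.
EHLO_CLEARTEXT_OK = """\
250-mail.example.com
250-PIPELINING
250-SIZE 20480000
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""
# Same service with smtpd_tls_auth_only = no: AUTH is visible before STARTTLS.
EHLO_CLEARTEXT_EXPOSED = EHLO_CLEARTEXT_OK.replace("250-STARTTLS", "250-AUTH PLAIN LOGIN\n250-STARTTLS")
# Inside TLS on the correctly configured service (Postfix repeats AUTH in the legacy form).
EHLO_INSIDE_TLS = EHLO_CLEARTEXT_OK.replace("250-STARTTLS", "250-AUTH PLAIN LOGIN\n250-AUTH=PLAIN LOGIN")
# Inside TLS on a service that lacks -o smtpd_sasl_auth_enable=yes.
EHLO_INSIDE_TLS_NO_AUTH = EHLO_CLEARTEXT_OK.replace("250-STARTTLS\n", "")
```

Running `assess(parse_ehlo(EHLO_CLEARTEXT_OK), parse_ehlo(EHLO_INSIDE_TLS))` returns no findings; swapping in the other two samples reproduces the cleartext-AUTH and missing-SASL cases.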

Re: Switching to 587 submission

Philip Prindeville
In reply to this post by Grant-4
Just a point of clarification... port 465 isn't "deprecated" because it was never formally assigned by IANA.

It was hijacked by some mailer (I forget which) and when 587 was assigned, it was agreed to stop using the former port.

As for one of your questions, it's assumed that 465 comes up with SSL turned on by default, and that it doesn't come up in the clear with STARTTLS turning TLS on.

And "plain" sends the password in the clear, but "login" sends it hashed. I.e. you need:

pwcheck_method: saslauthd
mech_list: plain login

in your /etc/sasl2/smtp.conf file... or you can change "mech_list" to only "login", or even "digest-md5" and "cram-md5" (as we do here) with TB using "Encrypted password" as the authentication type.

-Philip


On 12/7/11 5:49 PM, Grant wrote:

> I've been using smtps on port 465 for sending mail but I read it's
> deprecated so I'm trying to switch to submission port 587.
>
> With 465 I was using the "Connection security: SSL/TLS" setting in
> Thunderbird, but after switching to 587 I can't send mail unless I
> change it to STARTTLS.  Can anyone explain this?  Should I be using
> STARTTLS instead of SSL/TLS for courier 993?
>
> Whether using 465 or 587, I noticed I can't log in to send mail from
> my mail clients unless the password is sent unencrypted.  Is that OK
> since I'm using STARTTLS or should I also enable encryption of the
> password?
>
> Previously in master.cf I was running smtps like this:
>
> smtps     inet  n       -       n       -       -       smtpd
>   -o smtpd_tls_wrappermode=yes
> #  -o smtpd_sasl_auth_enable=yes
> #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> #  -o milter_macro_daemon_name=ORIGINATING
>
> Should I enable all of this for submission:
>
> submission inet n       -       n       -       -       smtpd
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>   -o milter_macro_daemon_name=ORIGINATING
>
> I don't think I need milter_macro_daemon_name since I'm not using a
> mail filter.  I am running saslauthd but it looks like I didn't have
> it enabled for smtps previously.  I'm surprised because I thought I
> required authentication in order to use smtps.
>
> Here is most of the non-default stuff from main.cf:
>
> smtpd_sasl_auth_enable = yes
> smtpd_sasl2_auth_enable = yes
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_local_domain =
>
> smtpd_recipient_restrictions =
>         permit_sasl_authenticated,
>         permit_mynetworks,
>         reject_unauth_destination,
>         permit
>
> postscreen_greet_action = enforce
> postscreen_pipelining_enable = yes
> postscreen_pipelining_action = enforce
> postscreen_non_smtp_command_enable = yes
> postscreen_non_smtp_command_action = enforce
> postscreen_bare_newline_enable = yes
> postscreen_bare_newline_action = enforce
>
> smtpd_tls_security_level = may
> smtpd_tls_auth_only = yes
>
> Thanks to anyone who can help me out with this or point out any
> deficiencies/stupidities in my config.
>
> - Grant


Re: Switching to 587 submission

Grant-4
In reply to this post by Reindl Harald-2
>>> the main-question is why you need to encrypt sending messages from
>>> a webmail which usually does not go over the WAN
>>
>> If I set "Secure SMTP (TLS) : false" in squirrelmail, I get:
>>
>> Authentication required
>> 530 5.7.0 Must issue a STARTTLS command first
>>
>> If I change port 587 to 25 in squirrelmail I get:
>>
>> Bad sequence of commands
>> 503 5.5.1 Error: authentication not enabled
>
> this sounds like a broken setup
>
> smtp            inet  n       -       n       -      50       smtpd -o smtpd_client_connection_count_limit=15 -o
> max_idle=1h -o max_use=500
>
> submission      inet  n       -       n       -      50       smtpd -o smtpd_client_connection_count_limit=15 -o
> smtpd_sasl_auth_enable=yes -o smtpd_delay_reject=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> -o max_idle=1h -o max_use=500
>
> smtps           inet  n       -       n       -      50       smtpd -o smtpd_client_connection_count_limit=15 -o
> smtpd_sasl_auth_enable=yes -o smtpd_delay_reject=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> -o smtpd_tls_wrappermode=yes -o max_idle=1h -o max_use=500

I'm not sure where to begin.  Can you tell me what is wrong with my config?

master.cf:

smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       n       -       -       smtpd
tlsproxy  unix  -       -       n       -       0       tlsproxy
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

main.cf:

smtpd_sasl_auth_enable = yes
smtpd_sasl2_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =

smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination,
        permit

postscreen_greet_action = enforce
postscreen_pipelining_enable = yes
postscreen_pipelining_action = enforce
postscreen_non_smtp_command_enable = yes
postscreen_non_smtp_command_action = enforce
postscreen_bare_newline_enable = yes
postscreen_bare_newline_action = enforce

virtual_alias_maps = hash:/etc/postfix/virtual

message_size_limit = 20480000

smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/ssl/postfix/key.pem
smtpd_tls_cert_file = /etc/ssl/postfix/cert.pem
smtpd_tls_CAfile = /etc/ssl/postfix/cacert.pem
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

- Grant
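An added example (mine, not from the thread or from Postfix): a Python check that parses master.cf and main.cf fragments like the ones above, resolves each smtpd service's effective TLS, SASL and client-restriction settings (per-service `-o` overrides win over main.cf), and flags a submission or smtps service that nothing forces to authenticate. The sample configs are constructed from the entries posted in this thread.

```python
"""Resolve the effective TLS/SASL/relay settings of each smtpd service in a
Postfix master.cf ('-o' overrides win over main.cf) and flag weak spots.
Added example, not code from the thread; the constructed samples are the
master.cf and main.cf fragments posted above.
"""
from __future__ import annotations

import re


def parse_main_cf(text: str) -> dict[str, str]:
    """'name = value' lines; indented lines continue the previous value."""
    params: dict[str, str] = {}
    key = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key is not None:           # continuation line
            params[key] = (params[key] + " " + raw.strip()).strip()
            continue
        key, _, value = map(str.strip, raw.partition("="))
        params[key] = value
    return params


def parse_master_cf(text: str) -> list[dict]:
    """Service entries; indented '-o name=value' lines are per-service overrides."""
    services: list[dict] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                            # a commented-out '-o' line does nothing
        if raw[0] in " \t":
            if services:
                services[-1]["args"] += " " + raw.strip()
            continue
        f = raw.split(None, 8)  # service type private unpriv chroot wakeup maxproc command [args]
        if len(f) >= 8:
            services.append({"service": f[0], "command": f[7], "args": f[8] if len(f) > 8 else ""})
    for svc in services:
        svc["overrides"] = dict(re.findall(r"-o\s+([A-Za-z0-9_]+)=(\S*)", svc["args"]))
    return services


def audit(master_text: str, main_text: str) -> dict[str, list[str]]:
    """Warnings per smtpd service: submission/smtps must enforce TLS and require
    SASL; any other smtpd service must not offer AUTH over cleartext."""
    main = parse_main_cf(main_text)
    report: dict[str, list[str]] = {}
    for svc in parse_master_cf(master_text):
        if svc["command"] != "smtpd":
            continue
        eff = {**main, **svc["overrides"]}      # per-service '-o' beats main.cf
        tls = ("wrapper" if eff.get("smtpd_tls_wrappermode") == "yes"
               else eff.get("smtpd_tls_security_level", "none"))
        sasl = eff.get("smtpd_sasl_auth_enable") == "yes"
        warn: list[str] = []
        if svc["service"] in ("submission", "smtps"):
            if not sasl:
                warn.append("no SASL: clients get '503 5.5.1 Error: authentication not enabled'")
            if tls not in ("wrapper", "encrypt"):
                warn.append(f"TLS level '{tls}' is not enforced: add -o smtpd_tls_security_level=encrypt")
            if "permit_sasl_authenticated" not in eff.get("smtpd_client_restrictions", ""):
                warn.append("nothing requires authentication: add "
                            "-o smtpd_client_restrictions=permit_sasl_authenticated,reject")
        elif sasl and eff.get("smtpd_tls_auth_only") != "yes":
            warn.append("AUTH offered in cleartext on the port-25 service: set smtpd_tls_auth_only = yes")
        report[svc["service"]] = warn
    return report


# Constructed from the configuration posted in this thread.
MASTER_CF_BEFORE = """\
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""
MASTER_CF_AFTER = """\
smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""
MAIN_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination,
        permit
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
"""
```

`audit(MASTER_CF_BEFORE, MAIN_CF)` shows that the old smtps entry did have SASL (inherited from main.cf) but nothing required it, while `audit(MASTER_CF_AFTER, MAIN_CF)` reports nothing for either the submission or the port-25 service.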

Re: Switching to 587 submission

Grant-4
In reply to this post by Philip Prindeville
> Just a point of clarification... port 465 isn't "deprecated" because it was never formerly assigned by IANA.
>
> It was highjacked by some mailer (I forget which) and when 587 was assigned, it was agreed to stop using the former port.
>
> As for one of your questions, it's assumed that 465 comes up with SSL turned on by default, and that it doesn't come up in the clear with STARTTLS turning TLS on.
>
> And "plain" sends the password in the clear, but "login" sends it hashed. I.e. you need:

I'm OK to send the password "in the clear" since the entire connection
is encrypted from STARTTLS, correct?

> pwcheck_method: saslauthd
> mech_list: plain login
>
> in your /etc/sasl2/smtp.conf file... or you can change "mech_list" to only "login", or even "digest-md5" and "cram-md5" (as we do here) with TB using "Encrypted password" as the authentication type.

You found a typo in my /etc/sasl2/smtpd.conf which I've corrected and
I no longer get the "Bad sequence of commands 503 5.5.1 Error:
authentication not enabled" error from Squirrelmail when I specify
port 25, but Squirrelmail still won't send mail over 25 or 587.

- Grant


>> I've been using smtps on port 465 for sending mail but I read it's
>> deprecated so I'm trying to switch to submission port 587.
>>
>> With 465 I was using the "Connection security: SSL/TLS" setting in
>> Thunderbird, but after switching to 587 I can't send mail unless I
>> change it to STARTTLS.  Can anyone explain this?  Should I be using
>> STARTTLS instead of SSL/TLS for courier 993?
>>
>> Whether using 465 or 587, I noticed I can't log in to send mail from
>> my mail clients unless the password is sent unencrypted.  Is that OK
>> since I'm using STARTTLS or should I also enable encryption of the
>> password?
>>
>> Previously in master.cf I was running smtps like this:
>>
>> smtps     inet  n       -       n       -       -       smtpd
>>   -o smtpd_tls_wrappermode=yes
>> #  -o smtpd_sasl_auth_enable=yes
>> #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>> #  -o milter_macro_daemon_name=ORIGINATING
>>
>> Should I enable all of this for submission:
>>
>> submission inet n       -       n       -       -       smtpd
>>   -o smtpd_tls_security_level=encrypt
>>   -o smtpd_sasl_auth_enable=yes
>>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>   -o milter_macro_daemon_name=ORIGINATING
>>
>> I don't think I need milter_macro_daemon_name since I'm not using a
>> mail filter.  I am running saslauthd but it looks like I didn't have
>> it enabled for smtps previously.  I'm surprised because I thought I
>> required authentication in order to use smtps.
>>
>> Here is most of the non-default stuff from main.cf:
>>
>> smtpd_sasl_auth_enable = yes
>> smtpd_sasl2_auth_enable = yes
>> smtpd_sasl_security_options = noanonymous
>> smtpd_sasl_local_domain =
>>
>> smtpd_recipient_restrictions =
>>         permit_sasl_authenticated,
>>         permit_mynetworks,
>>         reject_unauth_destination,
>>         permit
>>
>> postscreen_greet_action = enforce
>> postscreen_pipelining_enable = yes
>> postscreen_pipelining_action = enforce
>> postscreen_non_smtp_command_enable = yes
>> postscreen_non_smtp_command_action = enforce
>> postscreen_bare_newline_enable = yes
>> postscreen_bare_newline_action = enforce
>>
>> smtpd_tls_security_level = may
>> smtpd_tls_auth_only = yes
>>
>> Thanks to anyone who can help me out with this or point out any
>> deficiencies/stupidities in my config.
>>
>> - Grant

Re: Switching to 587 submission

/dev/rob0
In reply to this post by Michael Orlitzky-2
On Wednesday 07 December 2011 19:58:18 Michael Orlitzky wrote:
> On 12/07/2011 08:09 PM, Grant wrote:
> > Is IMAP over SSL on 993 deprecated in favor of using STARTTLS on
> > 143?
>
> Nope. I personally prefer the dedicated port for POP3/IMAP.

Preferences aside, the fact remains that SSL has been deprecated by
TLS. STARTTLS is the new standard.
--
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header

Re: Switching to 587 submission

Michael Orlitzky-2
On 12/07/2011 09:48 PM, /dev/rob0 wrote:
> On Wednesday 07 December 2011 19:58:18 Michael Orlitzky wrote:
>> On 12/07/2011 08:09 PM, Grant wrote:
>>> Is IMAP over SSL on 993 deprecated in favor of using STARTTLS on
>>> 143?
>>
>> Nope. I personally prefer the dedicated port for POP3/IMAP.
>
> Preferences aside, the fact remains that SSL has been deprecated by
> TLS. STARTTLS is the new standard.

For POP3 and IMAP? By whom?

Re: Switching to 587 submission

Michael Orlitzky-2
In reply to this post by Grant-4
On 12/07/2011 09:10 PM, Grant wrote:
>
> I'm trying to figure out why I can't connect to 587 in Squirrelmail.
> I can in Thunderbird.
>

You did select STARTTLS in the SquirrelMail config, right? The postfix
logs might give you an idea what it's trying to do.

The docs say that you need PHP with the stream_socket_enable_crypto()
function. If you're like me, you may have casually disabled some
critical PHP feature via USE flags =)

If you have that function, this page will complain that the function
expects 2 parameters and was given zero:

$ cat test.php
<?php stream_socket_enable_crypto(); ?>

$ php test.php
PHP Warning:  stream_socket_enable_crypto() expects at least 2
parameters, 0 given in /home/mjo/test.php on line 1

Warning: stream_socket_enable_crypto() expects at least 2 parameters, 0
given in /home/mjo/test.php on line 1

Re: Switching to 587 submission

Grant-4
In reply to this post by Michael Orlitzky-2
> You've probably got permit_mynetworks near the top of your
> smtpd_foo_restrictions, which are inherited by default. The "-o

The only smtpd_foo_restrictions I have in main.cf are:

smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination,
        permit

> smtpd_client_restrictions" line would have overridden that (if it was a
> client restriction) and forced your users to authenticate.

I'm now running submission like this:

submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

> The same thing would work for the submission port after the switch, but you
> should first check that your SASL is really working since it wasn't being
> exercised.

SASL must be working since Thunderbird can send mail over 587,
correct?  I don't see why local Squirrelmail won't send mail over 587,
but remote Thunderbird will.  Squirrelmail also won't send mail over
port 25, but it will send mail over 465.

- Grant

Re: Switching to 587 submission

Grant-4
In reply to this post by Michael Orlitzky-2
>> I'm trying to figure out why I can't connect to 587 in Squirrelmail.
>> I can in Thunderbird.
>>
>
> You did select STARTTLS in the SquirrelMail config, right? The postfix logs
> might give you an idea what it's trying to do.

If I try to send mail in Squirrelmail with "Secure SMTP (TLS) : true"
I get "0 Can't open SMTP stream.".  If I do the same with "Secure SMTP
(TLS) : false" I get "530 5.7.0 Must issue a STARTTLS command first".

The postfix log gives me these:

[postfix/smtpd] connect from localhost[127.0.0.1]
[postfix/smtpd] lost connection after UNKNOWN from localhost[127.0.0.1]
[postfix/smtpd] disconnect from localhost[127.0.0.1]
[postfix/smtpd] connect from localhost[127.0.0.1]
[postfix/smtpd] lost connection after EHLO from localhost[127.0.0.1]
[postfix/smtpd] disconnect from localhost[127.0.0.1]

> The docs say that you need PHP with the stream_socket_enable_crypto()
> function. If you're like me, you may have casually disabled some critical
> PHP feature via USE flags =)
>
> If you have that function, this page will complain that the function expects
> 2 parameters and was given zero:
>
> $ cat test.php
> <?php stream_socket_enable_crypto(); ?>
>
> $ php test.php
> PHP Warning:  stream_socket_enable_crypto() expects at least 2 parameters, 0
> given in /home/mjo/test.php on line 1
>
> Warning: stream_socket_enable_crypto() expects at least 2 parameters, 0
> given in /home/mjo/test.php on line 1

I get the same error.  Squirrelmail does send mail over SSL 465.

- Grant

Re: Switching to 587 submission

Michael Orlitzky-2
In reply to this post by Grant-4
On 12/07/2011 10:13 PM, Grant wrote:

>> You've probably got permit_mynetworks near the top of your
>> smtpd_foo_restrictions, which are inherited by default. The "-o
>
> The only smtpd_foo_restrictions I have in main.cf are:
>
> smtpd_recipient_restrictions =
>          permit_sasl_authenticated,
>          permit_mynetworks,
>          reject_unauth_destination,
>          permit

You don't really need the permit_sasl_authenticated, since you shouldn't
be trying to auth on port 25. It doesn't hurt, though.


>> smtpd_client_restrictions" line would have overridden that (if it was a
>> client restriction) and forced your users to authenticate.
>
> I'm now running submission like this:
>
> submission inet n       -       n       -       -       smtpd
>    -o smtpd_tls_security_level=encrypt
>    -o smtpd_sasl_auth_enable=yes
>    -o smtpd_client_restrictions=permit_sasl_authenticated,reject

Looks good.


>
> SASL must be working since Thunderbird can send mail over 587,
> correct?

Right.


> I don't see why local Squirrelmail won't send mail over 587,
> but remote Thunderbird will.  Squirrelmail also won't send mail over
> port 25, but it will send mail over 465.

Do you have a new-enough SquirrelMail? From the looks of it, the only
version >= 1.5.1 is the development snapshot. (Do you know about Roundcube?)

Re: Switching to 587 submission

Grant-4
>> I don't see why local Squirrelmail won't send mail over 587,
>> but remote Thunderbird will.  Squirrelmail also won't send mail over
>> port 25, but it will send mail over 465.
>
>
> Do you have a new-enough SquirrelMail? From the looks of it, the only
> version >= 1.5.1 is the development snapshot. (Do you know about Roundcube?)

OK, that must be why Squirrelmail can't send mail over 587.  I'm on
the latest version in Portage.  You spelled it out for me before but I
didn't pick up on it.  Since 587 uses STARTTLS, I would have thought I
could connect unencrypted but apparently encryption is required there?

Is Squirrelmail failing to send mail over port 25 because
authentication isn't allowed on port 25?  If so, do I need a dedicated
port for unencrypted local Squirrelmail mail?

Javascript gives me the creeps (yeah I use Gmail anyway) so I'm happy
to stick with Squirrelmail over Roundcube.

- Grant

Re: Switching to 587 submission

Grant-4
In reply to this post by Michael Orlitzky-2
>>> You've probably got permit_mynetworks near the top of your
>>> smtpd_foo_restrictions, which are inherited by default. The "-o
>>
>>
>> The only smtpd_foo_restrictions I have in main.cf are:
>>
>> smtpd_recipient_restrictions =
>>         permit_sasl_authenticated,
>>         permit_mynetworks,
>>         reject_unauth_destination,
>>         permit
>
>
> You don't really need the permit_sasl_authenticated, since you shouldn't be
> trying to auth on port 25. It doesn't hurt, though.

I just noticed that I can't send mail from Thunderbird unless I
include permit_sasl_authenticated in the above
smtpd_recipient_restrictions block.  I get relay access denied
otherwise.

- Grant