TLS on 587


TLS on 587

Mohammed Khalid Ansari

Dear All,


I have configured my Postfix to run on 587. When I choose the connection type ‘STARTTLS’ everything is fine, but when I choose ‘SSL/TLS’ the client throws an error.

I can configure ‘STARTTLS’ in Outlook and proceed, but on my cell phone I don’t have that option and hence am not able to connect.

Will anyone help me???

Thanks & Regards,


Re: TLS on 587

Paul Menzel
Dear Mohammed,


On 08/14/17 12:53, Mohammed Khalid Ansari wrote:

> I have configured my postfix to run on 587. When I choose connection type as
> 'STARTTLS' everything is fine but when I choose 'SSL/TLS', the client throws
> error.

Normally, but deprecated, port 465 is used for “direct” SSL/TLS (without
STARTTLS) [1]

> 465 – This port has been deprecated since RFC 2487, after being briefly assigned for secure SMTP in the 1990s. Despite this, it is commonly used by mail providers[20][21]

> I can configure 'STARTTLS' in outlook and proceed but on my cell phone I
> don't have don't option and hence not able to connect.

That’s client dependent. Which client do you use? You should contact them.


Kind regards,

Paul


[1] https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol

Re: TLS on 587

Viktor Dukhovni
In reply to this post by Mohammed Khalid Ansari
On Mon, Aug 14, 2017 at 02:53:23PM +0400, Mohammed Khalid Ansari wrote:

> I have configured my postfix to run on 587. When I choose connection type as
> 'STARTTLS' everything is fine but when I choose 'SSL/TLS', the client throws
> error.

That's expected, since port 587 is SMTP with STARTTLS negotiation.
SMTP inside TLS is typically on port 465.

    http://www.postfix.org/TLS_README.html#server_enable

    TLS is sometimes used in the non-standard "wrapper" mode where
    a server always uses TLS, instead of announcing STARTTLS support
    and waiting for remote SMTP clients to request TLS service.
    Some clients, namely Outlook [Express] prefer the "wrapper"
    mode. This is true for OE (Win32 < 5.0 and Win32 >=5.0 when
    run on a port<>25 and OE (5.01 Mac on all ports).

    It is strictly discouraged to use this mode from main.cf. If
    you want to support this service, enable a special port in
    master.cf and specify "-o smtpd_tls_wrappermode=yes" (note: no
    space around the "=") as an smtpd(8) command line option. Port
    465 (smtps) was once chosen for this feature.

The sample master.cf file distributed with Postfix source code
contains:

    #smtps     inet  n       -       n       -       -       smtpd
    #  -o syslog_name=postfix/smtps
    #  -o smtpd_tls_wrappermode=yes
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
    #  -o smtpd_recipient_restrictions=
    #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING

Just remove the "#" comment characters, and if necessary add
appropriate settings for the "mua_..." parameters to main.cf.

Note that there are some in the IETF who are trying to promote and
standardize port 465 for email submission:

    https://tools.ietf.org/html/draft-ietf-uta-email-deep-08#section-3

While this may end up in a final published RFC, it probably won't
have much of an impact on the deployed base of submission servers
for quite some time.

> I can configure 'STARTTLS' in outlook and proceed but on my cell phone I
> don't have don't option and hence not able to connect.

IIRC mobile phones that do email and the like do support STARTTLS, your
problem may be with the phone not accepting the server certificate.

Post the logs from your server associated with connections from
your phone.

--
        Viktor.
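A way to verify the resulting master.cf, as an added example that is not Postfix's own code and not part of this thread: the parser below reads master.cf's service syntax (an eight-column service line, then indented "-o name=value" continuation lines, with "#" comments ignored) and checks that wrapper mode is set on the smtps service only, so 587 keeps answering STARTTLS clients while 465 answers "SSL/TLS" clients. It also insists on a syslog_name for smtps, as in the sample above, so that failures on 465 are distinguishable from port 25 in the log. SAMPLE_MASTER_CF is constructed for this example, and the check looks only at per-service -o overrides, not at main.cf defaults.

```python
"""Check that master.cf splits submission (587, STARTTLS) from smtps (465,
wrapper mode).  Added example for this thread; not Postfix's own code.

master.cf syntax: a service line has eight columns (service, type, private,
unpriv, chroot, wakeup, maxproc, command) followed by optional arguments;
lines starting with whitespace continue the previous service; '#' lines are
comments.  "-o name=value" arguments override main.cf for that service only.
SAMPLE_MASTER_CF below is constructed for this example.
"""

SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
smtps      inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_tls_wrappermode=yes   <- commented out, must be ignored
"""


def _collect_options(tokens, options):
    """Pull "-o name=value" pairs out of a token list (value may be empty)."""
    i = 0
    while i < len(tokens):
        if tokens[i] == "-o" and i + 1 < len(tokens) and "=" in tokens[i + 1]:
            key, _, value = tokens[i + 1].partition("=")
            options[key] = value
            i += 2
        else:
            i += 1


def parse_master_cf(text):
    """Return {service: {"type": ..., "command": ..., "options": {...}}}."""
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():                     # continuation line
            if current is None:
                raise ValueError("continuation before any service: %r" % raw)
            _collect_options(raw.split(), services[current]["options"])
            continue
        fields = raw.split()
        if len(fields) < 8:
            raise ValueError("malformed service line: %r" % raw)
        current = fields[0]
        services[current] = {"type": fields[1], "command": fields[7], "options": {}}
        _collect_options(fields[8:], services[current]["options"])
    return services


def check_submission_services(services):
    """Return a list of findings; an empty list means the 587/465 split is sane.

    Only per-service -o overrides are inspected; a value inherited from
    main.cf is invisible here (TLS_README puts wrapper mode in master.cf,
    not main.cf, for the same reason).
    """
    findings = []
    sub, smtps = services.get("submission"), services.get("smtps")
    if sub is None:
        findings.append("no 'submission' service: STARTTLS clients have no port 587")
    elif sub["options"].get("smtpd_tls_wrappermode") == "yes":
        findings.append("submission (587) must not use wrapper mode: STARTTLS clients would fail")
    if smtps is None:
        findings.append("no 'smtps' service: 'SSL/TLS' clients have no port 465")
    else:
        opts = smtps["options"]
        if opts.get("smtpd_tls_wrappermode") != "yes":
            findings.append("smtps (465) needs -o smtpd_tls_wrappermode=yes")
        if not opts.get("syslog_name"):
            findings.append("smtps has no syslog_name: its failures look like port 25 in the log")
    for name in ("submission", "smtps"):
        svc = services.get(name)
        if svc is None:
            continue
        opts = svc["options"]
        if opts.get("smtpd_sasl_auth_enable") != "yes":
            findings.append("%s: missing -o smtpd_sasl_auth_enable=yes" % name)
        relay = opts.get("smtpd_relay_restrictions", "")
        if "permit_sasl_authenticated" not in relay or not relay.endswith("reject"):
            findings.append("%s: smtpd_relay_restrictions should be permit_sasl_authenticated,reject" % name)
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MASTER_CF
    for finding in check_submission_services(parse_master_cf(text)) or ["OK"]:
        print(finding)
```

Run it as `python3 check_master.py /etc/postfix/master.cf`; with no argument it checks the constructed sample. After editing master.cf, `postfix reload` is still needed, and `postconf -Mf` prints the services as Postfix actually parsed them, which is the quickest way to confirm the "-o" lines attached to the service you intended.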

RE: TLS on 587

Mohammed Khalid Ansari
Dear Mr. Viktor,

Sorry for the late response on your request of log.

Following is the log when I ran postfix on submission (587) port with
connection type in the client as SSL/TLS (and not STARTTLS)...

Sep 13 21:07:54 mx02 postfix/smtpd[19896]: connect from unknown[192.168.10.38]
Sep 13 21:07:54 mx02 postfix/smtpd[19896]: lost connection after UNKNOWN from unknown[192.168.10.38]
Sep 13 21:07:54 mx02 postfix/smtpd[19896]: disconnect from unknown[192.168.10.38]


And the client (Outlook) shows the following error...

Send test email message: Your server does not support the connection
encryption type you have specified. Try changing the encryption method.
Contact your mail server administrator or Internet service provider (ISP)
for additional assistance.



When I changed the connection type to STARTTLS in the client it succeeded
and generated the following log...

Sep 13 21:12:58 mx02 postfix/smtpd[19972]: connect from unknown[192.168.10.38]
Sep 13 21:12:59 mx02 postfix/smtpd[19972]: Anonymous TLS connection established from unknown[192.168.10.38]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Sep 13 21:12:59 mx02 postfix/smtpd[19972]: 4235945E2424: client=unknown[192.168.10.38], sasl_method=LOGIN, sasl_username=khalidansari
Sep 13 21:12:59 mx02 postfix/cleanup[19981]: 4235945E2424: message-id=<>
Sep 13 21:12:59 mx02 postfix/qmgr[19890]: 4235945E2424: from=<[hidden email]>, size=1177, nrcpt=1 (queue active)
Sep 13 21:12:59 mx02 postfix/local[19982]: 4235945E2424: to=<[hidden email]>, relay=local, delay=0.13, delays=0.11/0/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
Sep 13 21:12:59 mx02 postfix/qmgr[19890]: 4235945E2424: removed
Sep 13 21:12:59 mx02 postfix/smtpd[19972]: disconnect from unknown[192.168.10.38]


Thanks




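The two log excerpts above show the mismatch from the server's side, and the script below, an added example that is neither Postfix code nor part of the thread, explains them. classify_first_bytes() shows what smtpd reads on a STARTTLS port when a client configured for "SSL/TLS" connects: a TLS ClientHello record instead of an SMTP command, which is why the session ends as "lost connection after UNKNOWN" with no TLS line in between. triage_smtpd_log() then groups smtpd lines by process id and labels each session, flagging the TLSv1 handshake in the successful session as an obsolete protocol. SAMPLE_LOG mirrors the posted lines (joined onto single lines, username replaced) plus a constructed third session on a 465 service logged under syslog_name=postfix/smtps; CLIENT_HELLO is a constructed TLS record, and the queue id and address in the third session are made up.

```python
"""Explain "lost connection after UNKNOWN" on the submission port.

Added example for this thread; not Postfix's code.  It shows the mismatch
from two sides: the first bytes smtpd reads when an "SSL/TLS" (wrapper mode)
client connects to a STARTTLS port, and the resulting Postfix log lines.
SAMPLE_LOG mirrors the thread's lines (joined, username replaced) plus a
constructed session on a 465 service with syslog_name=postfix/smtps;
CLIENT_HELLO is a constructed TLS record.
"""
import re

SMTP_COMMANDS = {"EHLO", "HELO", "STARTTLS", "AUTH", "MAIL", "RSET", "NOOP", "QUIT"}

# TLS record header: content type 0x16 (handshake), version 0x03xx, 2-byte
# length, then handshake type 0x01 (ClientHello).  Body truncated/zeroed here.
CLIENT_HELLO = bytes.fromhex("160301 00c8 01 0000c4 0303") + b"\x00" * 32


def classify_first_bytes(data):
    """Say what a freshly accepted connection sent before the server replied.

    smtpd on 587 sends a "220" banner and waits for an SMTP command.  A client
    in "SSL/TLS" mode instead sends a TLS ClientHello immediately; its TLS
    library then rejects the plaintext banner and closes, and smtpd, which
    never saw a parseable command, logs "lost connection after UNKNOWN".
    """
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls-client-hello"
    try:
        word = data.split(b"\r\n", 1)[0].split(b" ", 1)[0].decode("ascii").upper()
    except UnicodeDecodeError:
        return "unknown"
    return "smtp-command" if word in SMTP_COMMANDS else "unknown"


LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) postfix/(?P<prog>[\w/]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)


def triage_smtpd_log(lines):
    """Group smtpd lines by pid and return {pid: verdict}.

    non-smtp-client-data         connect followed directly by "lost connection
                                 after UNKNOWN": no SMTP command was ever sent.
                                 On 587 that is typically an "SSL/TLS" client,
                                 but any non-SMTP client logs the same line.
    tls-auth-ok                  TLS established and SASL login succeeded.
    tls-auth-ok-legacy-protocol  same, but over TLSv1/TLSv1.1, both obsolete
                                 (RFC 8996); raise smtpd_tls_mandatory_protocols.
    other                        anything else (plaintext, no auth, ...).
    """
    sessions = {}
    for line in lines:
        m = LOG_RE.match(line)
        # syslog_name=postfix/smtps makes the tag "postfix/smtps/smtpd", so match the suffix
        if not m or not m.group("prog").endswith("smtpd"):
            continue
        s = sessions.setdefault(m.group("pid"), {"events": [], "proto": None})
        msg = m.group("msg")
        if msg.startswith("connect from"):
            s["events"].append("connect")
        elif "TLS connection established" in msg:
            # "Anonymous" here means the client presented no certificate;
            # it says nothing about whether the client trusted the server's.
            s["events"].append("tls")
            proto = re.search(r": (TLSv[\d.]+) with cipher", msg)
            s["proto"] = proto.group(1) if proto else "unknown"
        elif "sasl_username=" in msg:
            s["events"].append("auth")
        elif msg.startswith("lost connection after UNKNOWN"):
            s["events"].append("lost-unknown")
        elif msg.startswith("disconnect from"):
            s["events"].append("disconnect")
    verdicts = {}
    for pid, s in sessions.items():
        ev = s["events"]
        if ev[:2] == ["connect", "lost-unknown"]:
            verdicts[pid] = "non-smtp-client-data"
        elif "tls" in ev and "auth" in ev:
            legacy = s["proto"] in ("TLSv1", "TLSv1.1")
            verdicts[pid] = "tls-auth-ok-legacy-protocol" if legacy else "tls-auth-ok"
        else:
            verdicts[pid] = "other"
    return verdicts


SAMPLE_LOG = """\
Sep 13 21:07:54 mx02 postfix/smtpd[19896]: connect from unknown[192.168.10.38]
Sep 13 21:07:54 mx02 postfix/smtpd[19896]: lost connection after UNKNOWN from unknown[192.168.10.38]
Sep 13 21:07:54 mx02 postfix/smtpd[19896]: disconnect from unknown[192.168.10.38]
Sep 13 21:12:58 mx02 postfix/smtpd[19972]: connect from unknown[192.168.10.38]
Sep 13 21:12:59 mx02 postfix/smtpd[19972]: Anonymous TLS connection established from unknown[192.168.10.38]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Sep 13 21:12:59 mx02 postfix/smtpd[19972]: 4235945E2424: client=unknown[192.168.10.38], sasl_method=LOGIN, sasl_username=user
Sep 13 21:12:59 mx02 postfix/qmgr[19890]: 4235945E2424: from=<user@example.test>, size=1177, nrcpt=1 (queue active)
Sep 13 21:12:59 mx02 postfix/smtpd[19972]: disconnect from unknown[192.168.10.38]
Sep 13 21:20:01 mx02 postfix/smtps/smtpd[20011]: connect from unknown[192.168.10.38]
Sep 13 21:20:01 mx02 postfix/smtps/smtpd[20011]: Anonymous TLS connection established from unknown[192.168.10.38]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Sep 13 21:20:02 mx02 postfix/smtps/smtpd[20011]: 5A1B2C3D4E5F: client=unknown[192.168.10.38], sasl_method=LOGIN, sasl_username=user
Sep 13 21:20:02 mx02 postfix/smtps/smtpd[20011]: disconnect from unknown[192.168.10.38]
"""

if __name__ == "__main__":
    print(classify_first_bytes(CLIENT_HELLO), classify_first_bytes(b"EHLO phone.example\r\n"))
    for pid, verdict in triage_smtpd_log(SAMPLE_LOG.splitlines()).items():
        print(pid, verdict)
```

The same distinction can be checked from the client side with openssl: `openssl s_client -starttls smtp -connect mx02:587` negotiates TLS after the EHLO and prints the certificate chain and verify result (which is also where a phone's refusal of the server certificate would show up), while `openssl s_client -connect mx02:587` without `-starttls` fails the same way the "SSL/TLS" client does and only succeeds against a wrapper-mode port such as 465.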

Re: TLS on 587

Benny Pedersen-2
Mohammed Khalid Ansari skrev den 2017-09-13 19:19:

> delays=0.11/0/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
> Sep 13 21:12:59 mx02 postfix/qmgr[19890]: 4235945E2424: removed
> Sep 13 21:12:59 mx02 postfix/smtpd[19972]: disconnect from
> unknown[192.168.10.38]

and is this possibly port 25, 465 or 587?

for old Outlook, using SSL on port 465 gives success for me

>     smtps     inet  n       -       n       -       -       smtpd
>       -o syslog_name=postfix/smtps

if you had this in master.cf it would be simpler to see where it fails