automatic email account configuration, postfix pipelining restriction


David Mehler
Hello,

I'm attempting to configure email autoconfig and autodiscover services
for Mozilla and Microsoft clients. I'm using Postfix 3.3. At first I
thought I was dealing with either an Apache or Dovecot issue, now I'm
thinking it's an error with my Postfix configuration.

Whenever I attempt a connection I'm getting this in my postfix error log file:

Apr 20 14:37:00 hostname postfix/submission/smtpd[92360]: improper
command pipelining after EHLO from Connecting-Machine-Hostname-And-IP:
QUIT\r\n

Suggestions welcome.
Thanks.
Dave.

If it helps here's my postfix master.cf and main.cf files:
#cat master.cf
smtp      inet  n       -       n       -       -       smtpd
#smtp      inet  n       -       n       -       1       postscreen
 #-o smtpd_sasl_auth_enable=no
#smtpd     pass  -       -       n       -       -       smtpd
dnsblog   unix  -       -       n       -       0       dnsblog
tlsproxy  unix  -       -       n       -       0       tlsproxy
# Submission port 587 for client connection / sending mails from
authenticated users
submission inet n       -       n       -       -       smtpd
 -o syslog_name=postfix/submission
 # for opportunistic smtpd
  #-o smtpd_tls_security_level=may
 # Encrypt by default
  -o smtpd_tls_dh1024_param_file=/etc/ssl/dhparam.pem
 -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_sasl_type=dovecot
 -o smtpd_sasl_path=private/auth
 -o smtpd_sasl_security_options=noanonymous
 -o smtpd_client_restrictions=$mua_client_restrictions
 -o smtpd_sender_restrictions=$mua_sender_restrictions
 -o smtpd_relay_restrictions=$mua_relay_restrictions
 -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
 -o smtpd_sender_login_maps=mysql:/usr/local/etc/postfix/db/sender-login-maps.cf
 -o tls_preempt_cipherlist=yes
#smtps     inet  n       -       n       -       -       smtpd
  #-o syslog_name=postfix/smtps
  #-o smtpd_tls_wrappermode=yes
  #-o smtpd_sasl_auth_enable=yes
  #-o smtpd_reject_unlisted_recipient=no
  #-o smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
  #-o tls_preempt_cipherlist=yes
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       n       -       -       qmqpd
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache

# for SPF support
spf-policy unix -       n       n       -       0       spawn
          user=vmail argv=/usr/local/bin/perl
/usr/local/libexec/postfix-policyd-spf-perl

dfilt     unix    -       n       n       -       -       pipe
    flags=Rq user=filter argv=/usr/local/etc/postfix/disclaimer -f
${sender} -r ${recipient}

# scan service for clamsmtpd
scan unix -       -       n       -       16       smtp
   -o smtp_data_done_timeout=1200
   -o smtp_send_xforward_command=yes
   -o disable_dns_lookups=yes

127.0.0.1:10026 inet n       -       n       -       16       smtpd
   -o content_filter=
   -o local_recipient_maps=
   -o relay_recipient_maps=
   -o smtpd_restriction_classes=
   -o smtpd_client_restrictions=
   -o smtpd_helo_restrictions=
   -o smtpd_sender_restrictions=
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
   -o mynetworks_style=host
   -o smtpd_authorized_xforward_hosts=127.0.0.0/8

#cat main.cf
soft_bounce = no
queue_directory = /var/spool/postfix
command_directory = /usr/local/sbin
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
mail_owner = postfix
myhostname = mail.domain.com
mydomain = domain.com
myorigin = $mydomain
inet_interfaces = xxx.xxx.xxx.xxx, 127.0.0.1
mydestination = localhost
local_recipient_maps = $virtual_mailbox_maps
unknown_local_recipient_reject_code = 550
mynetworks = $config_directory/mynetworks
in_flow_delay = 1s
# Delimiter for "Address Tagging"
recipient_delimiter = +
smtpd_banner = $myhostname ESMTP
sendmail_path = /usr/local/sbin/sendmail
newaliases_path = /usr/local/bin/newaliases
mailq_path = /usr/local/bin/mailq
setgid_group = maildrop
html_directory = /usr/local/share/doc/postfix
manpage_directory = /usr/local/man
sample_directory = /usr/local/etc/postfix
readme_directory = /usr/local/share/doc/postfix

# Misc options
delay_warning_time = 4h
# Do not notify system users on new e-mail
biff = no
bounce_template_file = /usr/local/etc/postfix/bounce.cf
smtp_helo_timeout = 60s
smtpd_soft_error_limit = 3
header_checks = pcre:/usr/local/etc/postfix/header_checks,
regexp:/usr/local/etc/postfix/phish419.regexp
mime_header_checks = regexp:/usr/local/etc/postfix/mime_header_checks

# Virtual mailbox domains
virtual_mailbox_domains = proxy:mysql:/usr/local/etc/postfix/db/domains.cf
virtual_mailbox_maps = proxy:mysql:/usr/local/etc/postfix/db/accounts.cf
virtual_mailbox_base = /home/vmail
virtual_alias_maps = proxy:mysql:/usr/local/etc/postfix/db/aliases.cf
virtual_minimum_uid = 999
virtual_uid_maps = static:999
virtual_gid_maps = static:999
virtual_transport = lmtp:unix:private/dovecot-lmtp

# Dovecot sasl authentication
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain = $mydomain
broken_sasl_auth_clients = no
smtpd_sasl_security_options = noanonymous
# Shows to everyone the sasl authenticated username
smtpd_sasl_authenticated_header = yes

# uce
strict_rfc821_envelopes = yes
disable_vrfy_command = yes
smtpd_reject_unlisted_sender = yes
show_user_unknown_table_name = no
unknown_address_reject_code  = 554
unknown_hostname_reject_code = 554
unknown_client_reject_code   = 554

# Conditions in which Postfix works as a relay. (for mail user clients)
smtpd_relay_restrictions =
 reject_non_fqdn_recipient
 reject_unknown_recipient_domain
 permit_mynetworks
 reject_unauth_destination

smtpd_recipient_restrictions =
  permit_mynetworks
 permit_sasl_authenticated
  reject_unauth_destination
        check_helo_access hash:/usr/local/etc/postfix/helo_access,
        ,check_helo_access pcre:/usr/local/etc/postfix/helo_checks
        ,check_sender_mx_access cidr:/usr/local/etc/postfix/bogus_mx
 check_sender_access hash:/usr/local/etc/postfix/safe_addresses
 check_sender_access hash:/usr/local/etc/postfix/auto-whtlst
 check_client_access cidr:/usr/local/etc/postfix/spamfarms
 check_client_access cidr:/usr/local/etc/postfix/sinokorea.cidr
 check_recipient_access mysql:/usr/local/etc/postfix/db/recipient-access.cf
     permit_dnswl_client list.dnswl.org=127.0.[2..14].[1..3]
        check_reverse_client_hostname_access
pcre:/usr/local/etc/postfix/fqrdns.pcre
 reject_unknown_reverse_client_hostname
  reject_non_fqdn_sender
 #reject_non_fqdn_helo_hostname
 #reject_invalid_helo_hostname
 #reject_unknown_helo_hostname
 reject_unlisted_recipient
 reject_rhsbl_client dbl.spamhaus.org
 reject_rhsbl_sender dbl.spamhaus.org
 reject_rhsbl_helo dbl.spamhaus.org
  check_policy_service unix:private/spf-policy
# Postfix Quota status service
 check_policy_service unix:private/dovecot-quota

# Restrictions for all sending foreign servers ("SMTP clients")
smtpd_client_restrictions =
 permit_mynetworks
 #check_client_access hash:/usr/local/etc/postfix/without_ptr
 reject_unknown_client_hostname

smtpd_helo_required = yes
smtpd_helo_restrictions =
permit_mynetworks
reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname
reject_unknown_helo_hostname

# Block clients, which start sending too early
smtpd_data_restrictions = reject_unauth_pipelining

# Restrictions for MUAs
mua_relay_restrictions =
reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
mua_sender_restrictions =
permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,reject
mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject

# TLS parameters
smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /usr/local/etc/ssl/acme/domain.com/fullchain.pem
smtpd_tls_key_file = /usr/local/etc/ssl/acme/private/domain.com/privkey.pem
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1 !TLSv1.1 TLSv1.2
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1 !TLSv1.1 TLSv1.2
smtpd_tls_mandatory_ciphers = high
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK,
aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES, CBC3-SHA
smtpd_tls_ciphers = high
smtpd_tls_eecdh_grade = strong
# Offer opportunistic TLS (STARTTLS) to connections to this mail server.
smtpd_tls_security_level = may
# for smtpd pfs
smtpd_tls_dh1024_param_file = /etc/ssl/dhparam.pem
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_received_header = yes
tls_preempt_cipherlist = yes
tls_high_cipherlist =
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_protocols=!SSLv2,!SSLv3, !TLSv1
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3, !TLSv1
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4,
MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5,
CBC3-SHA
smtp_tls_ciphers = high
smtp_tls_cert_file = $smtpd_tls_cert_file
smtp_tls_key_file = $smtpd_tls_key_file
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# For SPF
spf-policy_time_limit = 3600s

# Spam filter and DKIM signatures via Rspamd
smtpd_milters = unix:/var/run/rspamd/milter.sock,inet:127.0.0.1:8472
non_smtpd_milters = $smtpd_milters
milter_protocol = 6
milter_mail_macros="i {mail_addr} {client_addr} {client_name} {auth_authen}"
milter_default_action = accept

# postscreen(8) settings
### Before-220 tests
#postscreen_access_list = permit_mynetworks,
cidr:/usr/local/etc/postfix/postscreen_access.cidr,
cidr:/usr/local/etc/postfix/postscreen_spf_whitelist.cidr
#postscreen_blacklist_action = drop
#postscreen_dnsbl_action = drop
#postscreen_dnsbl_reply_map =
pcre:/usr/local/etc/postfix/postscreen_dnsbl_reply_map.pcre
#postscreen_dnsbl_sites = zen.spamhaus.org*3
 #b.barracudacentral.org*2
 #bl.spameatingmonkey.net*2
   #bl.spamcop.net
 #dnsbl.sorbs.net
 #psbl.surriel.com
 #bl.mailspike.net
 #swl.spamhaus.org*-4
 #list.dnswl.org=127.[0..255].[0..255].0*-2
        #list.dnswl.org=127.[0..255].[0..255].1*-3
        #list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
#postscreen_dnsbl_threshold = 2
# Drop connections if other server is sending too quickly
#postscreen_greet_action = drop
#postscreen_dnsbl_whitelist_threshold = -1
### End of before-220 tests
### After-220 tests
### WARNING -- See "Tests after the 220 SMTP server greeting" in the
### Postscreen Howto and *UNDERSTAND* it *BEFORE* you enable the
### following tests!
#postscreen_bare_newline_action = drop
#postscreen_bare_newline_enable = yes
#postscreen_non_smtp_command_action = drop
#postscreen_non_smtp_command_enable = yes
#postscreen_pipelining_enable = yes
#postscreen_pipelining_action = drop
### ADDENDUM: Any one of the foregoing three *_enable settings may cause
### significant and annoying mail delays.
# For sharing a temporary whitelist of addresses
#postscreen_cache_map = proxy:btree:${data_directory}/postscreen_cache
#postscreen_cache_cleanup_interval = 0

#
inet_protocols = ipv4
smtputf8_enable = yes
# require addresses of the form "[hidden email]"
allow_percent_hack = no
swap_bangpath = no
compatibility_level = 2
#autoresponder_destination_recipient_limit = 1
meta_directory = /usr/local/libexec/postfix
shlib_directory = /usr/local/lib/postfix
# Maximum size of inbound e-mails (50 MB)
message_size_limit = 52428800
# Maximum mailbox size (0=unlimited - is already limited by Dovecot quota)
mailbox_size_limit = 0
tls_ssl_options = no_ticket, no_compression

# Mail queue settings
maximal_queue_lifetime = 1h
bounce_queue_lifetime = 1h
maximal_backoff_time = 15m
minimal_backoff_time = 5m
queue_run_delay = 5m

# Users always have to provide full e-mail addresses
append_dot_mydomain = no

#recipient_bcc_maps =
proxy:mysql:/usr/local/etc/postfix/recipient_bcc_maps_user.cf,
proxy:mysql:/usr/local/etc/postfix/recipient_bcc_maps_domain.cf
#relay_domains = proxy:mysql:/usr/local/etc/postfix/mysql-relay-domains-maps.cf
#sender_bcc_maps =
proxy:mysql:/usr/local/etc/postfix/sender_bcc_maps_user.cf,
proxy:mysql:/usr/local/etc/postfix/sender_bcc_maps_domain.cf
#sender_dependent_default_transport_maps =
hash:/usr/local/etc/postfix/sender_transport
#transport_maps = hash:/usr/local/etc/postfix/transport

Re: automatic email account configuration, postfix pipelining restriction

Viktor Dukhovni


> On Apr 20, 2018, at 4:52 PM, David Mehler <[hidden email]> wrote:
>
> I'm attempting to configure email autoconfig and autodiscover services
> for Mozilla and Microsoft clients. I'm using Postfix 3.3. At first I
> thought I was dealing with either an Apache or Dovecot issue, now I'm
> thinking it's an error with my Postfix configuration.
>
> Whenever I attempt a connection I'm getting this in my postfix error log file:
>
> Apr 20 14:37:00 hostname postfix/submission/smtpd[92360]: improper
> command pipelining after EHLO from Connecting-Machine-Hostname-And-IP:
> QUIT\r\n

This client does not implement SMTP correctly.  There's nothing wrong
with the Postfix configuration.  The client MUST wait for the EHLO
response *before* sending QUIT.

--
        Viktor.
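
The rule stated in the reply above, as an added example that is not part of the original post and not Postfix's own code: a simplified checker for the command phase of an SMTP session, using the RFC 2920 list of commands that must be last in a pipelined group. The function names and the client name/address are hypothetical, and the sample writes are constructed.

```python
# Added illustration: a simplified model of the SMTP pipelining rule for the
# command phase of a session. It is not Postfix's implementation.

# RFC 2920 section 3.1: these commands may only be the LAST command in a
# pipelined group, because the client must read the reply before going on.
MUST_BE_LAST = {"EHLO", "DATA", "VRFY", "EXPN", "TURN", "QUIT", "NOOP"}


def split_commands(buf):
    """Split one client write into CRLF-terminated command lines."""
    return [line + b"\r\n" for line in buf.split(b"\r\n") if line.strip()]


def verb_of(cmd):
    """Upper-cased SMTP verb of one command line."""
    return cmd.split()[0].upper().decode("ascii", "replace")


def find_improper_pipelining(writes, server_offers_pipelining=True):
    """Return (verb, pending_bytes) for each write that breaks the rule.

    `writes` is a list of byte strings; each one is everything the client
    sent before it read the server's next reply. A write is improper when
    bytes are already pending behind a command and either PIPELINING has not
    been announced yet or that command must be last in its group.
    """
    findings = []
    announced = False  # True once the client has read an EHLO reply
    for buf in writes:
        cmds = split_commands(buf)
        for i, cmd in enumerate(cmds):
            pending = b"".join(cmds[i + 1:])
            if pending and (not announced or verb_of(cmd) in MUST_BE_LAST):
                findings.append((verb_of(cmd), pending))
                break  # report the first violation in this write only
        # The client read the EHLO reply only if EHLO ended the write.
        if cmds and verb_of(cmds[-1]) == "EHLO" and server_offers_pipelining:
            announced = True
    return findings


def describe(finding, client="client.example[192.0.2.10]"):
    """Render a finding in the shape of the log record quoted in the thread.

    The client name and address are placeholders.
    """
    verb, pending = finding
    shown = pending.decode("ascii", "replace")
    shown = shown.replace("\r", "\\r").replace("\n", "\\n")
    return f"improper command pipelining after {verb} from {client}: {shown}"


# Constructed sessions.
EARLY_QUIT = [b"EHLO client.example\r\nQUIT\r\n"]      # QUIT sent with EHLO
WAITS_FOR_REPLY = [b"EHLO client.example\r\n", b"QUIT\r\n"]
VALID_GROUP = [
    b"EHLO client.example\r\n",
    b"MAIL FROM:<a@example.com>\r\nRCPT TO:<b@example.com>\r\nDATA\r\n",
]

if __name__ == "__main__":
    for name, session in [("early QUIT", EARLY_QUIT),
                          ("waits for reply", WAITS_FOR_REPLY),
                          ("valid pipelined group", VALID_GROUP)]:
        found = find_improper_pipelining(session)
        print(name, "->", [describe(f) for f in found] or "ok")
```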


Re: automatic email account configuration, postfix pipelining restriction

David Mehler
Hi,

It's Thunderbird 52.7. Is there a workaround to make this work?

Thanks.
Dave.


On 4/20/18, Viktor Dukhovni <[hidden email]> wrote:

>
>
>> On Apr 20, 2018, at 4:52 PM, David Mehler <[hidden email]> wrote:
>>
>> I'm attempting to configure email autoconfig and autodiscover services
>> for Mozilla and Microsoft clients. I'm using Postfix 3.3. At first I
>> thought I was dealing with either an Apache or Dovecot issue, now I'm
>> thinking it's an error with my Postfix configuration.
>>
>> Whenever I attempt a connection I'm getting this in my postfix error log
>> file:
>>
>> Apr 20 14:37:00 hostname postfix/submission/smtpd[92360]: improper
>> command pipelining after EHLO from Connecting-Machine-Hostname-And-IP:
>> QUIT\r\n
>
> This client does not implement SMTP correctly.  There's nothing wrong
> with the Postfix configuration.  The client MUST wait for the EHLO
> response *before* sending QUIT.
>
> --
> Viktor.
>
>

Re: automatic email account configuration, postfix pipelining restriction

Wietse Venema
David Mehler:
> Hi,
>
> It's Thunderbird 52.7. Is there a workaround to make this work?

Yes, do nothing. In particular, do not use the Postfix
reject_unauth_pipelining feature, because that would trigger
a REJECT response.

        Wietse
 

> On 4/20/18, Viktor Dukhovni <[hidden email]> wrote:
> >
> >
> >> On Apr 20, 2018, at 4:52 PM, David Mehler <[hidden email]> wrote:
> >>
> >> I'm attempting to configure email autoconfig and autodiscover services
> >> for Mozilla and Microsoft clients. I'm using Postfix 3.3. At first I
> >> thought I was dealing with either an Apache or Dovecot issue, now I'm
> >> thinking it's an error with my Postfix configuration.
> >>
> >> Whenever I attempt a connection I'm getting this in my postfix error log
> >> file:
> >>
> >> Apr 20 14:37:00 hostname postfix/submission/smtpd[92360]: improper
> >> command pipelining after EHLO from Connecting-Machine-Hostname-And-IP:
> >> QUIT\r\n
> >
> > This client does not implement SMTP correctly.  There's nothing wrong
> > with the Postfix configuration.  The client MUST wait for the EHLO
> > response *before* sending QUIT.
> >
> > --
> > Viktor.
> >
> >
>

Re: automatic email account configuration, postfix pipelining restriction

David Mehler
Hello,

I am still trying to get this email sending with autodiscover working.
I've temporarily put Thunderbird aside as it looks like it has a long
standing compatibility issue with sending commands too early, and have
switched to Outlook 2010. With it I am getting the following which I
do not know what unknown is.

Apr 21 04:22:38 hostname postfix/submission/smtpd[44179]: connect from
Connecting-Host-and-IP
Apr 21 04:22:39 hostname postfix/submission/smtpd[44179]: lost
connection after UNKNOWN from Connection-hostname-ip

I've tried adjusting broken_sasl_auth_clients no by default, set it to
yes, didn't change anything.

My current smtpd_restrictions:
main.cf:
# Conditions in which Postfix works as a relay. (for mail user clients)
smtpd_relay_restrictions =
 reject_non_fqdn_recipient
 reject_unknown_recipient_domain
 permit_mynetworks
 reject_unauth_destination

smtpd_recipient_restrictions =
  permit_mynetworks
 permit_sasl_authenticated
  reject_unauth_destination
        check_helo_access hash:/usr/local/etc/postfix/helo_access,
        ,check_helo_access pcre:/usr/local/etc/postfix/helo_checks
        ,check_sender_mx_access cidr:/usr/local/etc/postfix/bogus_mx
 check_sender_access hash:/usr/local/etc/postfix/safe_addresses
 check_sender_access hash:/usr/local/etc/postfix/auto-whtlst
 check_client_access cidr:/usr/local/etc/postfix/spamfarms
 check_client_access cidr:/usr/local/etc/postfix/sinokorea.cidr
 check_recipient_access mysql:/usr/local/etc/postfix/db/recipient-access.cf
     permit_dnswl_client list.dnswl.org=127.0.[2..14].[1..3]
        check_reverse_client_hostname_access
pcre:/usr/local/etc/postfix/fqrdns.pcre
 reject_unknown_reverse_client_hostname
  reject_non_fqdn_sender
 #reject_non_fqdn_helo_hostname
 #reject_invalid_helo_hostname
 #reject_unknown_helo_hostname
 reject_unlisted_recipient
 reject_rhsbl_client dbl.spamhaus.org
 reject_rhsbl_sender dbl.spamhaus.org
 reject_rhsbl_helo dbl.spamhaus.org
  check_policy_service unix:private/spf-policy
# Postfix Quota status service
 #check_policy_service inet:127.0.0.1:12345
 check_policy_service unix:private/dovecot-quota

# Restrictions for all sending foreign servers ("SMTP clients")
smtpd_client_restrictions =
 permit_mynetworks
 #check_client_access hash:/usr/local/etc/postfix/without_ptr
 #reject_unknown_client_hostname

smtpd_helo_required = yes
smtpd_helo_restrictions =
 #permit_mynetworks
 #reject_invalid_helo_hostname
 #reject_non_fqdn_helo_hostname
 #reject_unknown_helo_hostname

# Block clients, which start sending too early
#smtpd_data_restrictions = reject_unauth_pipelining

# Restrictions for MUAs
#mua_relay_restrictions =
reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
#mua_sender_restrictions =
permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,reject
#mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject

and in master.cf:
submission inet n       -       n       -       -       smtpd
 -o syslog_name=postfix/submission
 # for opportunistic smtpd
  #-o smtpd_tls_security_level=may
 # Encrypt by default
  -o smtpd_tls_dh1024_param_file=/etc/ssl/dhparam.pem
 -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_sasl_type=dovecot
 -o smtpd_sasl_path=private/auth
 -o smtpd_sasl_security_options=noanonymous
 -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
 #-o smtpd_sender_login_maps=mysql:/usr/local/etc/postfix/db/sender-login-maps.cf
 -o tls_preempt_cipherlist=yes
 #-o cleanup_service_name=submission-header-cleanup

Are these restrictions right in main.cf and master.cf?
Thanks.
Dave.


On 4/20/18, Wietse Venema <[hidden email]> wrote:

> David Mehler:
>> Hi,
>>
>> It's Thunderbird 52.7. Is there a workaround to make this work?
>
> Yes, do nothing. In particular, do not use the Postfix
> reject_unauth_pipelining feature, because that would trigger
> a REJECT response.
>
> Wietse
>
>> On 4/20/18, Viktor Dukhovni <[hidden email]> wrote:
>> >
>> >
>> >> On Apr 20, 2018, at 4:52 PM, David Mehler <[hidden email]>
>> >> wrote:
>> >>
>> >> I'm attempting to configure email autoconfig and autodiscover services
>> >> for Mozilla and Microsoft clients. I'm using Postfix 3.3. At first I
>> >> thought I was dealing with either an Apache or Dovecot issue, now I'm
>> >> thinking it's an error with my Postfix configuration.
>> >>
>> >> Whenever I attempt a connection I'm getting this in my postfix error
>> >> log
>> >> file:
>> >>
>> >> Apr 20 14:37:00 hostname postfix/submission/smtpd[92360]: improper
>> >> command pipelining after EHLO from Connecting-Machine-Hostname-And-IP:
>> >> QUIT\r\n
>> >
>> > This client does not implement SMTP correctly.  There's nothing wrong
>> > with the Postfix configuration.  The client MUST wait for the EHLO
>> > response *before* sending QUIT.
>> >
>> > --
>> > Viktor.
>> >
>> >
>>
>

Re: automatic email account configuration, postfix pipelining restriction

Wietse Venema
David Mehler:

> Hello,
>
> I am still trying to get this email sending with autodiscover working.
> I've temporarily put Thunderbird aside as it looks like it has a long
> standing compatibility issue with sending commands too early, and have
> switched to Outlook 2010. With it I am getting the following which I
> do not know what unknown is.
>
> Apr 21 04:22:38 hostname postfix/submission/smtpd[44179]: connect from
> Connecting-Host-and-IP
> Apr 21 04:22:39 hostname postfix/submission/smtpd[44179]: lost
> connection after UNKNOWN from Connection-hostname-ip

Please do not remove crucial evidence.

I suppose that you still have

    Apr 20 14:37:00 hostname postfix/submission/smtpd[92360]:
    improper command pipelining after EHLO from
    Connecting-Machine-Hostname-And-IP: QUIT\r\n.

If you don't have this, what did you do to change the client's
behavior?

I suppose that you also have:

    disconnect from hostname[address] ehlo=1...

What is the complete set of logfile records?

        Wietse
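
One way to collect the complete set of logfile records for each connection, as asked for above (an added example, not part of the original post): group smtpd records by process ID, rejoin lines that mail wrapping split, and parse the per-command counters on the disconnect record. The sample log is constructed from the records quoted in this thread; the client name and address and the `quit=1 commands=2` counters are placeholders.

```python
import re

# Constructed sample modelled on the records quoted in the thread. One record
# is left wrapped across two lines, the way the mail client wrapped it.
SAMPLE_LOG = r"""Apr 20 14:37:00 hostname postfix/submission/smtpd[92360]: connect from client.example[192.0.2.10]
Apr 20 14:37:00 hostname postfix/submission/smtpd[92360]: improper command pipelining after EHLO from client.example[192.0.2.10]: QUIT\r\n
Apr 20 14:37:00 hostname postfix/submission/smtpd[92360]: disconnect from client.example[192.0.2.10] ehlo=1 quit=1 commands=2
Apr 21 13:52:54 hostname postfix/submission/smtpd[74637]: connect from client.example[192.0.2.10]
Apr 21 13:52:54 hostname postfix/submission/smtpd[74637]: lost
connection after UNKNOWN from client.example[192.0.2.10]
Apr 21 13:52:54 hostname postfix/submission/smtpd[74637]: disconnect from client.example[192.0.2.10] unknown=0/1 commands=0/1
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
RECORD = re.compile(
    r"^(?P<ts>\S+ +\d+ \S+) (?P<host>\S+) "
    r"(?P<svc>postfix\S*/smtpd)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
PIPELINING = re.compile(r"^improper command pipelining after (\S+) from (\S+): (.*)$")
LOST = re.compile(r"^lost connection after (\S+) from (\S+)$")
DISCONNECT = re.compile(r"^disconnect from (\S+)(.*)$")
STAT = re.compile(r"(\w+)=(\d+)(?:/(\d+))?")


def unwrap(text):
    """Rejoin records that were wrapped: a line without a syslog timestamp
    is a continuation of the previous record."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.rstrip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records


def sessions(text):
    """Return [(pid, [message, ...]), ...] in order of first appearance.

    An smtpd process can serve several connections in turn, so a new
    'connect from' record starts a new session for that PID.
    """
    done, current = [], {}
    for rec in unwrap(text):
        m = RECORD.match(rec)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if msg.startswith("connect from ") or pid not in current:
            current[pid] = []
            done.append((pid, current[pid]))
        current[pid].append(msg)
    return done


def summarise(messages):
    """Extract client, notable events and the disconnect counters.

    Counters are (accepted, total): 'ehlo=1' becomes (1, 1) and
    'unknown=0/1' becomes (0, 1).
    """
    out = {"client": None, "events": [], "commands": {}}
    for msg in messages:
        if msg.startswith("connect from "):
            out["client"] = msg[len("connect from "):]
        elif (m := PIPELINING.match(msg)):
            out["events"].append(("improper_pipelining", m[1], m[3]))
        elif (m := LOST.match(msg)):
            out["events"].append(("lost_connection", m[1]))
        elif (m := DISCONNECT.match(msg)):
            for name, ok, total in STAT.findall(m[2]):
                out["commands"][name] = (int(ok), int(total or ok))
    return out


if __name__ == "__main__":
    for pid, msgs in sessions(SAMPLE_LOG):
        print(pid, summarise(msgs))
```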

Re: automatic email account configuration, postfix pipelining restriction

David Mehler
Hello,

Thanks. I'm sorry I should probably have more completely clarified
that. Different client entirely, the previous message I was attempting
autoconfig with Thunderbird and getting those errors.

This time I'm trying Outlook 2010 with autodiscover and getting the
errors in my last message. I thought to keep it under the same thread.

For completeness and because I probably confused everyone, here's an
Outlook 2010 attempted connection and my current main.cf and master.cf
files.

Apr 21 13:52:54 hostname postfix/submission/smtpd[74637]: connect from
Connecting-Host-And-IP
Apr 21 13:52:54 hostname postfix/submission/smtpd[74637]: lost
connection after UNKNOWN from Connecting-Host-And-IP
Apr 21 13:52:54 hostname postfix/submission/smtpd[74637]: disconnect
from Connecting-Host-And-IP unknown=0/1 commands=0/1

#cat master.cf
smtp      inet  n       -       n       -       -       smtpd
#smtp      inet  n       -       n       -       1       postscreen
 #-o smtpd_sasl_auth_enable=no
#smtpd     pass  -       -       n       -       -       smtpd
dnsblog   unix  -       -       n       -       0       dnsblog
tlsproxy  unix  -       -       n       -       0       tlsproxy
# Submission port 587 for client connection / sending mails from
authenticated users
submission inet n       -       n       -       -       smtpd -v
 -o syslog_name=postfix/submission
 # Encrypt by default
  -o smtpd_tls_dh1024_param_file=/etc/ssl/dhparam.pem
 -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_sasl_type=dovecot
 -o smtpd_sasl_path=private/auth
 -o smtpd_sasl_security_options=noanonymous
 -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
 -o tls_preempt_cipherlist=yes
#smtps     inet  n       -       n       -       -       smtpd
  #-o syslog_name=postfix/smtps
  #-o smtpd_tls_wrappermode=yes
  #-o smtpd_sasl_auth_enable=yes
  #-o smtpd_reject_unlisted_recipient=no
  #-o smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
  #-o tls_preempt_cipherlist=yes
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       n       -       -       qmqpd
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache

# for SPF support
spf-policy unix -       n       n       -       0       spawn
          user=vmail argv=/usr/local/bin/perl
/usr/local/libexec/postfix-policyd-spf-perl

dfilt     unix    -       n       n       -       -       pipe
    flags=Rq user=filter argv=/usr/local/etc/postfix/disclaimer -f
${sender} -r ${recipient}

# scan service for clamsmtpd
scan unix -       -       n       -       16       smtp
   -o smtp_data_done_timeout=1200
   -o smtp_send_xforward_command=yes
   -o disable_dns_lookups=yes

127.0.0.1:10026 inet n       -       n       -       16       smtpd
   -o content_filter=
   -o local_recipient_maps=
   -o relay_recipient_maps=
   -o smtpd_restriction_classes=
   -o smtpd_client_restrictions=
   -o smtpd_helo_restrictions=
   -o smtpd_sender_restrictions=
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
   -o mynetworks_style=host
   -o smtpd_authorized_xforward_hosts=127.0.0.0/8

#cat main.cf
soft_bounce = no
queue_directory = /var/spool/postfix
command_directory = /usr/local/sbin
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
mail_owner = postfix
myhostname = mail.domain.com
mydomain = domain.com
myorigin = $mydomain
inet_interfaces = xxx.xxx.xxx.xxx, 127.0.0.1
mydestination = localhost
local_recipient_maps = $virtual_mailbox_maps
unknown_local_recipient_reject_code = 550
mynetworks = $config_directory/mynetworks
in_flow_delay = 1s
# Delimiter for "Address Tagging"
recipient_delimiter = +
smtpd_banner = $myhostname ESMTP
sendmail_path = /usr/local/sbin/sendmail
newaliases_path = /usr/local/bin/newaliases
mailq_path = /usr/local/bin/mailq
setgid_group = maildrop
html_directory = /usr/local/share/doc/postfix
manpage_directory = /usr/local/man
sample_directory = /usr/local/etc/postfix
readme_directory = /usr/local/share/doc/postfix

# Misc options
delay_warning_time = 4h
# Do not notify system users on new e-mail
biff = no
bounce_template_file = /usr/local/etc/postfix/bounce.cf
smtp_helo_timeout = 60s
smtpd_soft_error_limit = 3
header_checks = pcre:/usr/local/etc/postfix/header_checks,
regexp:/usr/local/etc/postfix/phish419.regexp
mime_header_checks = regexp:/usr/local/etc/postfix/mime_header_checks

# Virtual mailbox domains
virtual_mailbox_domains = proxy:mysql:/usr/local/etc/postfix/db/domains.cf
virtual_mailbox_maps = proxy:mysql:/usr/local/etc/postfix/db/accounts.cf
virtual_mailbox_base = /home/vmail
virtual_alias_maps = proxy:mysql:/usr/local/etc/postfix/db/aliases.cf
virtual_minimum_uid = 999
virtual_uid_maps = static:999
virtual_gid_maps = static:999
virtual_transport = lmtp:unix:private/dovecot-lmtp

# Dovecot sasl authentication
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain = $mydomain
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_authenticated_header = yes

# uce
strict_rfc821_envelopes = yes
disable_vrfy_command = yes
smtpd_reject_unlisted_sender = yes
show_user_unknown_table_name = no
unknown_address_reject_code  = 554
unknown_hostname_reject_code = 554
unknown_client_reject_code   = 554

# Conditions in which Postfix works as a relay. (for mail user clients)
smtpd_relay_restrictions =
 reject_non_fqdn_recipient
 reject_unknown_recipient_domain
 permit_mynetworks
 reject_unauth_destination

smtpd_recipient_restrictions =
  permit_mynetworks
 permit_sasl_authenticated
  reject_unauth_destination
        check_helo_access hash:/usr/local/etc/postfix/helo_access,
        ,check_helo_access pcre:/usr/local/etc/postfix/helo_checks
        ,check_sender_mx_access cidr:/usr/local/etc/postfix/bogus_mx
 check_sender_access hash:/usr/local/etc/postfix/safe_addresses
 check_sender_access hash:/usr/local/etc/postfix/auto-whtlst
 check_client_access cidr:/usr/local/etc/postfix/spamfarms
 check_client_access cidr:/usr/local/etc/postfix/sinokorea.cidr
 check_recipient_access mysql:/usr/local/etc/postfix/db/recipient-access.cf
     permit_dnswl_client list.dnswl.org=127.0.[2..14].[1..3]
        check_reverse_client_hostname_access pcre:/usr/local/etc/postfix/fqrdns.pcre
 reject_unknown_reverse_client_hostname
  reject_non_fqdn_sender
 #reject_non_fqdn_helo_hostname
 #reject_invalid_helo_hostname
 #reject_unknown_helo_hostname
 reject_unlisted_recipient
 reject_rhsbl_client dbl.spamhaus.org
 reject_rhsbl_sender dbl.spamhaus.org
 reject_rhsbl_helo dbl.spamhaus.org
  check_policy_service unix:private/spf-policy
# Postfix Quota status service
 check_policy_service unix:private/dovecot-quota

# Restrictions for all sending foreign servers ("SMTP clients")
smtpd_client_restrictions =
 permit_mynetworks
 #check_client_access hash:/usr/local/etc/postfix/without_ptr
 #reject_unknown_client_hostname

smtpd_helo_required = yes
smtpd_helo_restrictions =
 #permit_mynetworks
 #reject_invalid_helo_hostname
 #reject_non_fqdn_helo_hostname
 #reject_unknown_helo_hostname

# Block clients, which start sending too early
#smtpd_data_restrictions = reject_unauth_pipelining

# Restrictions for MUAs
#mua_relay_restrictions = reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
#mua_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,reject
#mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject

# TLS parameters
smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /usr/local/etc/ssl/acme/domain.com/fullchain.pem
smtpd_tls_key_file = /usr/local/etc/ssl/acme/private/domain.com/privkey.pem
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1 !TLSv1.1 TLSv1.2
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1 !TLSv1.1 TLSv1.2
smtpd_tls_mandatory_ciphers = high
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES, CBC3-SHA
smtpd_tls_ciphers = high
smtpd_tls_eecdh_grade = strong
smtpd_tls_security_level = may
# for smtpd pfs
smtpd_tls_dh1024_param_file = /etc/ssl/dhparam.pem
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_received_header = yes
tls_preempt_cipherlist = yes
tls_high_cipherlist =
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_protocols=!SSLv2,!SSLv3, !TLSv1
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3, !TLSv1
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtp_tls_ciphers = high
smtp_tls_cert_file = $smtpd_tls_cert_file
smtp_tls_key_file = $smtpd_tls_key_file
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# For SPF
spf-policy_time_limit = 3600s

# Spam filter and DKIM signatures via Rspamd
smtpd_milters = unix:/var/run/rspamd/milter.sock
#smtpd_milters = inet:127.0.0.1:8891,inet:127.0.0.1:8893,inet:127.0.0.1:8472
non_smtpd_milters = $smtpd_milters
milter_protocol = 6
milter_mail_macros="i {mail_addr} {client_addr} {client_name} {auth_authen}"
milter_default_action = accept

# postscreen(8) settings
### Before-220 tests
#postscreen_access_list = permit_mynetworks, cidr:/usr/local/etc/postfix/postscreen_access.cidr, cidr:/usr/local/etc/postfix/postscreen_spf_whitelist.cidr
#postscreen_blacklist_action = drop
#postscreen_dnsbl_action = drop
#postscreen_dnsbl_reply_map = pcre:/usr/local/etc/postfix/postscreen_dnsbl_reply_map.pcre
#postscreen_dnsbl_sites = zen.spamhaus.org*3
 #b.barracudacentral.org*2
 #bl.spameatingmonkey.net*2
   #bl.spamcop.net
 #dnsbl.sorbs.net
 #psbl.surriel.com
 #bl.mailspike.net
 #swl.spamhaus.org*-4
 #list.dnswl.org=127.[0..255].[0..255].0*-2
        #list.dnswl.org=127.[0..255].[0..255].1*-3
        #list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
#postscreen_dnsbl_threshold = 2
# Drop connections if other server is sending too quickly
#postscreen_greet_action = drop
#postscreen_dnsbl_whitelist_threshold = -1
### End of before-220 tests
### After-220 tests
### WARNING -- See "Tests after the 220 SMTP server greeting" in the
### Postscreen Howto and *UNDERSTAND* it *BEFORE* you enable the
### following tests!
#postscreen_bare_newline_action = drop
#postscreen_bare_newline_enable = yes
#postscreen_non_smtp_command_action = drop
#postscreen_non_smtp_command_enable = yes
#postscreen_pipelining_enable = yes
#postscreen_pipelining_action = drop
### ADDENDUM: Any one of the foregoing three *_enable settings may cause
### significant and annoying mail delays.
# For sharing a temporary whitelist of addresses
#postscreen_cache_map = proxy:btree:${data_directory}/postscreen_cache
#postscreen_cache_cleanup_interval = 0

#
inet_protocols = ipv4
smtputf8_enable = yes
# require addresses of the form "[hidden email]"
allow_percent_hack = no
swap_bangpath = no
compatibility_level = 2
#autoresponder_destination_recipient_limit = 1
meta_directory = /usr/local/libexec/postfix
shlib_directory = /usr/local/lib/postfix
# Maximum size of inbound e-mails (50 MB)
message_size_limit = 52428800
# Maximum mailbox size (0=unlimited - is already limited by Dovecot quota)
mailbox_size_limit = 0
tls_ssl_options = no_ticket, no_compression

# Mail queue settings
maximal_queue_lifetime = 1h
bounce_queue_lifetime = 1h
maximal_backoff_time = 15m
minimal_backoff_time = 5m
queue_run_delay = 5m

# Users always have to provide full e-mail addresses
append_dot_mydomain = no

Thanks.
Dave.


On 4/21/18, Wietse Venema <[hidden email]> wrote:

> David Mehler:
>> Hello,
>>
>> I am still trying to get this email sending with autodiscover working.
>> I've temporarily put Thunderbird aside as it looks like it has a long
>> standing compatibility issue with sending commands too early, and have
>> switched to outlook 2010. With it I am getting the following which I
>> do not know what unknown is.
>>
>> Apr 21 04:22:38 hostname postfix/submission/smtpd[44179]: connect from
>> Connecting-Host-and-IP
>> Apr 21 04:22:39 hostname postfix/submission/smtpd[44179]: lost
>> connection after UNKNOWN from Connection-hostname-ip
>
> Please do not remove crucial evidence.
>
> I suppose that you still have
>
>     Apr 20 14:37:00 hostname postfix/submission/smtpd[92360]:
>     improper command pipelining after EHLO from
>     Connecting-Machine-Hostname-And-IP: QUIT\r\n.
>
> If you don't have this, what did you do to change the client's
> behavior?
>
> I suppose that you also have:
>
>     disconnect from hostname[address] ehlo=1...
>
> What is the complete set of logfile records?
>
> Wietse
>

Re: automatic email account configuration, postfix pipelining restriction

Viktor Dukhovni


> On Apr 21, 2018, at 2:06 PM, David Mehler <[hidden email]> wrote:
>
> Thanks. I'm sorry I should probably have more completely clarified
> that. Different client entirely, the previous message I was attempting
> autoconfig with Thunderbird and getting those errors.
>
> This time I'm trying outlook 2010 with autodiscover and getting the
> errors in my last message. I thought to keep it under the same thread.
>
> For completeness and because I probably confused everyone, here's an
> outlook 2010 attempted connection and my current main.cf and master.cf
> files.
>
> Apr 21 13:52:54 hostname postfix/submission/smtpd[74637]: connect from
> Connecting-Host-And-IP
> Apr 21 13:52:54 hostname postfix/submission/smtpd[74637]: lost
> connection after UNKNOWN from Connecting-Host-And-IP
> Apr 21 13:52:54 hostname postfix/submission/smtpd[74637]: disconnect
> from Connecting-Host-And-IP unknown=0/1 commands=0/1

You've probably configured Outlook to do (implicit) SSL on port 587,
rather than STARTTLS.  You should either direct its connections to
port 465 with "wrapper mode TLS", or configure it to do STARTTLS on
587.

--
        Viktor.
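
The two log signatures seen in this thread can be told apart mechanically. The following is an added example, not part of any poster's message: it groups smtpd log lines into sessions and labels them. The sample log is constructed (client name and address are placeholders), and reading `unknown=0/1` with no EHLO as "client spoke something other than SMTP first, typically a TLS handshake sent to a STARTTLS port" is a heuristic assumed here.

```python
import re

# Constructed sample modeled on the log lines quoted in this thread;
# client name and address are placeholders.
SAMPLE_LOG = r"""
Apr 20 14:37:00 hostname postfix/submission/smtpd[92360]: connect from client.example[192.0.2.10]
Apr 20 14:37:00 hostname postfix/submission/smtpd[92360]: improper command pipelining after EHLO from client.example[192.0.2.10]: QUIT\r\n
Apr 20 14:37:00 hostname postfix/submission/smtpd[92360]: disconnect from client.example[192.0.2.10] ehlo=1 quit=1 commands=2
Apr 21 13:52:54 hostname postfix/submission/smtpd[74637]: connect from client.example[192.0.2.10]
Apr 21 13:52:54 hostname postfix/submission/smtpd[74637]: lost connection after UNKNOWN from client.example[192.0.2.10]
Apr 21 13:52:54 hostname postfix/submission/smtpd[74637]: disconnect from client.example[192.0.2.10] unknown=0/1 commands=0/1
Apr 21 14:10:02 hostname postfix/submission/smtpd[74650]: connect from client.example[192.0.2.10]
Apr 21 14:10:03 hostname postfix/submission/smtpd[74650]: disconnect from client.example[192.0.2.10] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
"""

LINE = re.compile(r"postfix(?:/(?P<svc>[\w-]+))?/smtpd\[(?P<pid>\d+)\]: (?P<msg>.+)")
STAT = re.compile(r"(\w+)=(\d+)(?:/(\d+))?")

def parse_stats(msg):
    """Turn 'ehlo=1 auth=0/1 commands=1/2' into {name: (accepted, total)}."""
    return {k: (int(a), int(t or a)) for k, a, t in STAT.findall(msg)}

def verdict(msgs):
    """Label one session from its log messages (heuristic, see lead-in)."""
    stats = {}
    for m in msgs:
        if m.startswith("disconnect from"):
            stats = parse_stats(m)
    if any(m.startswith("improper command pipelining") for m in msgs):
        return "pipelining"            # client sent a command before reading the reply
    greeted = "ehlo" in stats or "helo" in stats
    if not greeted and stats.get("unknown", (0, 0))[1] > 0:
        return "non-smtp-first-bytes"  # e.g. implicit TLS sent to a STARTTLS port
    return "ok"

def triage(log_text):
    """Return [(service, pid, verdict)] per smtpd session, in log order."""
    open_sessions, results = {}, []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        key = (m["svc"] or "smtpd", m["pid"])
        open_sessions.setdefault(key, []).append(m["msg"])
        if m["msg"].startswith("disconnect from"):
            results.append((*key, verdict(open_sessions.pop(key))))
    return results
```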


Re: automatic email account configuration, postfix pipelining restriction

David Mehler
Hello Viktor,

Bingo! That did it. In the .xml file I changed ssl to encryption tls
and it well got further than it did. I had some issues with smtpd*
restrictions specifically helo restrictions, I commented them out. So
outlook autodiscover is working, thunderbird autoconfig still is not.

Going to start another thread about my smtpd* restrictions, but any
other suggestions on thunderbird appreciated.

Thanks for helping with outlook.
Dave.


On 4/21/18, Viktor Dukhovni <[hidden email]> wrote:

>
>
>> On Apr 21, 2018, at 2:06 PM, David Mehler <[hidden email]> wrote:
>>
>> Thanks. I'm sorry I should probably have more completely clarified
>> that. Different client entirely, the previous message I was attempting
>> autoconfig with Thunderbird and getting those errors.
>>
>> This time I'm trying outlook 2010 with autodiscover and getting the
>> errors in my last message. I thought to keep it under the same thread.
>>
>> For completeness and because I probably confused everyone, here's an
>> outlook 2010 attempted connection and my current main.cf and master.cf
>> files.
>>
>> Apr 21 13:52:54 hostname postfix/submission/smtpd[74637]: connect from
>> Connecting-Host-And-IP
>> Apr 21 13:52:54 hostname postfix/submission/smtpd[74637]: lost
>> connection after UNKNOWN from Connecting-Host-And-IP
>> Apr 21 13:52:54 hostname postfix/submission/smtpd[74637]: disconnect
>> from Connecting-Host-And-IP unknown=0/1 commands=0/1
>
> You've probably configured Outlook to do (implicit) SSL on port 587,
> rather than STARTTLS.  You should either direct its connections to
> port 465 with "wrapper mode TLS", or configure it to do STARTTLS on
> 587.
>
> --
> Viktor.
>
>

Re: automatic email account configuration, postfix pipelining restriction

Brendan Kearney
On 04/21/2018 07:59 PM, David Mehler wrote:

> Hello Viktor,
>
> Bingo! That did it. In the .xml file I changed ssl to encryption tls
> and it well got further than it did. I had some issues with smtpd*
> restrictions specifically helo restrictions, I commented them out. So
> outlook autodiscover is working, thunderbird autoconfig still is not.
>
> Going to start another thread about my smtpd* restrictions, but any
> other suggestions on thunderbird appreciated.
>
> Thanks for helping with outlook.
> Dave.
>
>
> On 4/21/18, Viktor Dukhovni <[hidden email]> wrote:
>>
>>> On Apr 21, 2018, at 2:06 PM, David Mehler <[hidden email]> wrote:
>>>
>>> Thanks. I'm sorry I should probably have more completely clarified
>>> that. Different client entirely, the previous message I was attempting
>>> autoconfig with Thunderbird and getting those errors.
>>>
>>> This time I'm trying outlook 2010 with autodiscover and getting the
>>> errors in my last message. I thought to keep it under the same thread.
>>>
>>> For completeness and because I probably confused everyone, here's an
>>> outlook 2010 attempted connection and my current main.cf and master.cf
>>> files.
>>>
>>> Apr 21 13:52:54 hostname postfix/submission/smtpd[74637]: connect from
>>> Connecting-Host-And-IP
>>> Apr 21 13:52:54 hostname postfix/submission/smtpd[74637]: lost
>>> connection after UNKNOWN from Connecting-Host-And-IP
>>> Apr 21 13:52:54 hostname postfix/submission/smtpd[74637]: disconnect
>>> from Connecting-Host-And-IP unknown=0/1 commands=0/1
>> You've probably configured Outlook to do (implicit) SSL on port 587,
>> rather than STARTTLS.  You should either direct its connections to
>> port 465 with "wrapper mode TLS", or configure it to do STARTTLS on
>> 587.
>>
>> --
>> Viktor.
>>
>>
look into

https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration

and

https://wiki.mozilla.org/Thunderbird:Autoconfiguration:ConfigFileFormat

note, using MX records in DNS supersedes the config file, so choose your
poison wisely.

in your web server docroot, create a dir called mail, in mail, edit
config-v1.1.xml.  mine is cited below for convenience:

<?xml version="1.0" encoding="UTF-8"?>

<clientConfig version="1.1">
   <emailProvider id="bpk2.com">
     <domain>bpk2.com</domain>
     <displayName>bpk2.com</displayName>
     <displayShortName>bpk2</displayShortName>
     <incomingServer type="imap">
       <hostname>imap.bpk2.com</hostname>
       <port>143</port>
       <socketType>STARTTLS</socketType>
       <authentication>GSSAPI</authentication>
       <username>%EMAILLOCALPART%</username>
     </incomingServer>
     <outgoingServer type="smtp">
       <hostname>submission.bpk2.com</hostname>
       <port>587</port>
       <!-- SOCKETTYPE SHOULD BE CHANGED TO STARTTLS -->
       <socketType>plain</socketType>
       <authentication>GSSAPI</authentication>
       <username>%EMAILLOCALPART%</username>
     </outgoingServer>
     <documentation url="http://www.bpk2.com/imap.html">
       <descr lang="en">IMAP General Settings</descr>
     </documentation>
     <documentation url="http://www.bpk2.com/smtp.html">
       <descr lang="en">SMTP General Settings</descr>
     </documentation>
   </emailProvider>
   <webmail>
     <loginPage url="https://www.bpk2.com/roundcube/" />
     <loginPageInfo url="https://www.bpk2.com/roundcube/">
       <username>%EMAILLOCALPART%</username>
     </loginPageInfo>
   </webmail>
</clientConfig>
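
A check for the port/`socketType` mismatch that this thread turned on, as an added example that is not part of the post above: it reads a Thunderbird `config-v1.1.xml` and flags server entries that are unencrypted or whose `socketType` does not fit the port. The port-to-transport table is the conventional pairing and is an assumption of this example; the sample document is constructed and uses example.com names.

```python
import xml.etree.ElementTree as ET

# Conventional port -> transport pairing (an assumption of this example;
# adjust it if your services listen on other ports).
EXPECTED = {587: "STARTTLS", 465: "SSL", 143: "STARTTLS",
            993: "SSL", 110: "STARTTLS", 995: "SSL"}

# Constructed sample in the config-v1.1.xml format.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<clientConfig version="1.1">
  <emailProvider id="example.com">
    <domain>example.com</domain>
    <incomingServer type="imap">
      <hostname>imap.example.com</hostname><port>143</port>
      <socketType>STARTTLS</socketType>
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>submission.example.com</hostname><port>587</port>
      <socketType>SSL</socketType>
    </outgoingServer>
    <outgoingServer type="smtp">
      <hostname>submission.example.com</hostname><port>587</port>
      <socketType>plain</socketType>
    </outgoingServer>
  </emailProvider>
</clientConfig>"""

def lint_autoconfig(xml_bytes):
    """Return [(tag, port, socketType, problem)] for entries worth fixing."""
    findings = []
    for srv in ET.fromstring(xml_bytes).iter():
        if srv.tag not in ("incomingServer", "outgoingServer"):
            continue
        port = int(srv.findtext("port", "0"))
        sock = srv.findtext("socketType", "").strip()
        if sock.lower() == "plain":
            problem = "cleartext"   # session is not encrypted at all
        elif port in EXPECTED and sock.upper() != EXPECTED[port]:
            problem = "mismatch"    # e.g. implicit TLS aimed at a STARTTLS port
        else:
            continue
        findings.append((srv.tag, port, sock, problem))
    return findings
```

Against a submission service that sets `smtpd_tls_security_level=encrypt`, as in the master.cf at the top of this thread, a `plain` entry cannot complete a mail transaction, and an `SSL` entry on 587 produces the "lost connection after UNKNOWN" pattern.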