problem connecting from Outlook Android

On Wed, Mar 31, 2021 at 11:29:04PM +0200, [hidden email] wrote:

> I can't send emails while using my android smartphone + outlook.

Perhaps your phone is sending SMTP commands with non-ASCII data, but
your Postfix server is not configured to support SMTPUTF8.  However,
more likely your phone is trying to use "implicit TLS" (rather
than STARTTLS), and the non-ASCII data in question is the binary
TLS client HELLO message.

> Here is the debug log I can get :

You have needlessly enabled debug logging, please turn it off,
it is just a distraction.

> Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: <
> pop.92-184-97-113.mobile.abo.orange.fr[92.184.97.113]: ????

This is more likely to be TLS than a non-ASCII command.

> Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: <
> pop.92-184-97-113.mobile.abo.orange.fr[92.184.97.113]: ????

Ditto.  A packet capture can confirm the hypothesis, but
probably not necessary. Make sure the client is configured
to do STARTTLS.

--
    Viktor.

Thx again Viktor for your helpful answer.

I use Outlook on my phone & I don't find anything that allows me to conf the
connection negociation protocol.

I'll investigate on this.

Furthermore, I thought too that my server didn't support UTF8, but a telnet
revealed that it does, as we can see in the telnet log below :

root@server:~# telnet mailserver.blabla.com 587
Trying www.xxx.yyy.zzz...
Connected to mailserver.blabla.com.
Escape character is '^]'.
220 Bienvenue sur le serveur mail blabla.com !
ehlo its.me.com
250-mailserver.blabla.com
250-PIPELINING
250-SIZE 104857600
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING

Regards,

Gaetan


-----Message d'origine-----
De : [hidden email] <[hidden email]> De la
part de Viktor Dukhovni
Envoyé : mercredi 31 mars 2021 23:53
À : [hidden email]
Objet : Re: problem connecting from Outlook Android

On Wed, Mar 31, 2021 at 11:29:04PM +0200, [hidden email] wrote:

> I can't send emails while using my android smartphone + outlook.

Perhaps your phone is sending SMTP commands with non-ASCII data, but your
Postfix server is not configured to support SMTPUTF8.  However, more likely
your phone is trying to use "implicit TLS" (rather than STARTTLS), and the
non-ASCII data in question is the binary TLS client HELLO message.

> Here is the debug log I can get :

You have needlessly enabled debug logging, please turn it off, it is just a
distraction.

> Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: <
> pop.92-184-97-113.mobile.abo.orange.fr[92.184.97.113]: ????

This is more likely to be TLS than a non-ASCII command.

> Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: <
> pop.92-184-97-113.mobile.abo.orange.fr[92.184.97.113]: ????

Ditto.  A packet capture can confirm the hypothesis, but probably not
necessary. Make sure the client is configured to do STARTTLS.

--
    Viktor.

On 31 Mar 2021, at 23:26, [hidden email] wrote:
> root@server:~# telnet mailserver.blabla.com 587

Does your server support port 465? That should be configured to always use SSL without the need for STARTTLS. Perhaps outlook is simply not sending STARTTLS (which makes sense, as Outlook took over the 465 port ages ago).

I don't use android, so I'm just guessing here, but enabling port 465 is simple enough and there is no reason not to do it.

--
Turning and turning in the widening gyre
The falcon cannot hear the falconer;

Thx for reply.

I enabled port 465, but no chance. Still the same problem, only with
android/outlook...

Apr  1 19:11:16 mail postfix/smtpd[14020]: connect from
lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:16 mail postfix/smtpd[14020]: lost connection after CONNECT
from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:16 mail postfix/smtpd[14020]: disconnect from
lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164] commands=0/0
Apr  1 19:11:18 mail postfix/smtpd[14020]: connect from
lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:18 mail postfix/smtpd[14020]: lost connection after CONNECT
from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:18 mail postfix/smtpd[14020]: disconnect from
lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164] commands=0/0
Apr  1 19:11:18 mail postfix/smtpd[14020]: connect from
lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:18 mail postfix/smtpd[14020]: lost connection after CONNECT
from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:18 mail postfix/smtpd[14020]: disconnect from
lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164] commands=0/0
Apr  1 19:11:19 mail postfix/smtpd[14020]: connect from
lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:19 mail postfix/smtpd[14020]: lost connection after CONNECT
from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:19 mail postfix/smtpd[14020]: disconnect from
lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164] commands=0/0
Apr  1 19:11:19 mail postfix/smtpd[14020]: connect from
lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:19 mail postfix/smtpd[14020]: lost connection after CONNECT
from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:19 mail postfix/smtpd[14020]: disconnect from
lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164] commands=0/0
Apr  1 19:11:19 mail postfix/smtpd[14020]: connect from
lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:19 mail postfix/smtpd[14020]: lost connection after CONNECT
from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:19 mail postfix/smtpd[14020]: disconnect from
lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164] commands=0/0
Apr  1 19:11:19 mail postfix/smtpd[14020]: connect from
lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:19 mail postfix/smtpd[14020]: lost connection after CONNECT
from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:19 mail postfix/smtpd[14020]: disconnect from
lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164] commands=0/0
Apr  1 19:11:19 mail postfix/smtpd[14020]: connect from
lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:19 mail postfix/smtpd[14020]: lost connection after CONNECT
from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:19 mail postfix/smtpd[14020]: disconnect from
lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164] commands=0/0
Apr  1 19:11:19 mail postfix/smtpd[14020]: connect from
lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:19 mail postfix/smtpd[14020]: lost connection after CONNECT
from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:19 mail postfix/smtpd[14020]: disconnect from
lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164] commands=0/0

It's very annoying for sending emails... :/

-----Message d'origine-----
De : [hidden email] <[hidden email]> De la
part de @lbutlr
Envoyé : jeudi 1 avril 2021 16:04
À : Postfix users <[hidden email]>
Objet : Re: problem connecting from Outlook Android

On 31 Mar 2021, at 23:26, [hidden email] wrote:
> root@server:~# telnet mailserver.blabla.com 587

Does your server support port 465? That should be configured to always use
SSL without the need for STARTTLS. Perhaps outlook is simply not sending
STARTTLS (which makes sense, as Outlook took over the 465 port ages ago).

I don't use android, so I'm just guessing here, but enabling port 465 is
simple enough and there is no reason not to do it.

--
Turning and turning in the widening gyre The falcon cannot hear the
falconer;

> On Apr 1, 2021, at 1:38 PM, DEPRÉ Gaëtan - NGServers.com <[hidden email]> wrote:
>
> I enabled port 465, but no chance. Still the same problem, only with
> android/outlook...

This would be far more productive if you also post configuration details.

        $ postconf -Mf
        $ postconf -nf

--
        Viktor.

You're right, Viktor.

See below :

smtp       inet  n       -       y       -       1       postscreen
    -o smtpd_sasl_auth_enable=no
smtpd      pass  -       -       y       -       -       smtpd
dnsblog    unix  -       -       y       -       0       dnsblog
tlsproxy   unix  -       -       y       -       0       tlsproxy
smtps      inet  n       -       y       -       -       smtpd
submission inet  n       -       y       -       -       smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=may
    -o smtpd_tls_auth_only=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_path=private/auth
    -o smtpd_sasl_security_options=noanonymous
    -o smtpd_client_restrictions=$mua_client_restrictions
    -o smtpd_sender_login_maps=$mua_sender_login_maps
    -o smtpd_sender_restrictions=$mua_sender_restrictions
    -o smtpd_relay_restrictions=$mua_relay_restrictions
    -o milter_macro_daemon_name=ORIGINATING
    -o smtpd_helo_required=no
    -o smtpd_helo_restrictions=
    -o cleanup_service_name=submission-header-cleanup
pickup     unix  n       -       y       60      1       pickup
cleanup    unix  n       -       y       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       y       1000?   1       tlsmgr
rewrite    unix  -       -       y       -       -       trivial-rewrite
bounce     unix  -       -       y       -       0       bounce
defer      unix  -       -       y       -       0       bounce
trace      unix  -       -       y       -       0       bounce
verify     unix  -       -       y       -       1       verify
flush      unix  n       -       y       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       y       -       -       smtp
relay      unix  -       -       y       -       -       smtp
showq      unix  n       -       y       -       -       showq
error      unix  -       -       y       -       -       error
retry      unix  -       -       y       -       -       error
discard    unix  -       -       y       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       y       -       -       lmtp
anvil      unix  -       -       y       -       1       anvil
scache     unix  -       -       y       -       1       scache
submission-header-cleanup unix n - n     -       0       cleanup
    -o header_checks=regexp:/etc/postfix/submission_header_cleanup




alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 1h
bounce_template_file = /etc/postfix/bounce.cf
compatibility_level = 2
inet_interfaces = 127.0.0.1, ::1, ww.xx.yy.zz
local_recipient_maps = $virtual_mailbox_maps
mailbox_size_limit = 0
maximal_backoff_time = 15m
maximal_queue_lifetime = 1h
message_size_limit = 104857600
milter_default_action = accept
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_protocol = 6
minimal_backoff_time = 5m
mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject
mua_relay_restrictions =
    reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
mua_sender_login_maps = mysql:/etc/postfix/sql/sender-login-maps.cf
mua_sender_restrictions =
    permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,check_sender_access
    mysql:/etc/postfix/sql/sender_checks.cf,reject
mydestination =
myhostname = mailserver.domain.dom
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
non_smtpd_milters = inet:localhost:11332
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access
postscreen_blacklist_action = drop
postscreen_dnsbl_action = drop
postscreen_dnsbl_sites = all.spam-rbl.fr*2, zen.spamhaus.org*3,
    bl.spameatingmonkey.net*2,
postscreen_dnsbl_threshold = 2
postscreen_greet_action = drop
queue_run_delay = 5m
recipient_delimiter = +
smtp_dns_support_level = dnssec
smtp_tls_ciphers = high
smtp_tls_loglevel = 2
smtp_tls_policy_maps = mysql:/etc/postfix/sql/tls-policy.cf
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = Bienvenue sur le serveur mail mailserver.domain.dom !
smtpd_client_restrictions = permit_mynetworks check_client_access
    hash:/etc/postfix/without_ptr reject_unknown_client_hostname
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
smtpd_milters = inet:localhost:11332
smtpd_recipient_restrictions = check_recipient_access
    hash:/etc/postfix/custom_replies check_recipient_access
    mysql:/etc/postfix/sql/recipient-access.cf check_policy_service
    inet:127.0.0.1:12340
smtpd_relay_restrictions = reject_non_fqdn_recipient permit_sasl_authenticated
    reject_unknown_recipient_domain permit_mynetworks reject_unauth_destination
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access
smtpd_tls_CAfile = /etc/letsencrypt/live/mail.ngservers.com/chain.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.ngservers.com/cert.pem
smtpd_tls_ciphers = high
smtpd_tls_key_file = /etc/letsencrypt/live/mail.ngservers.com/privkey.pem
smtpd_tls_protocols = !SSLv2, !SSLv3, TLSv1.1, TLSv1.2
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
tls_high_cipherlist =
    EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
tls_preempt_cipherlist = yes
tls_ssl_options = NO_COMPRESSION
virtual_alias_maps =
    mysql:/etc/postfix/sql/aliases.cf,mysql:/etc/postfix/sql/email2email.cf
virtual_mailbox_domains = mysql:/etc/postfix/sql/domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/sql/accounts.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp

-----Message d'origine-----
De : [hidden email] <[hidden email]> De la part de Viktor Dukhovni
Envoyé : jeudi 1 avril 2021 19:41
À : Postfix users <[hidden email]>
Objet : Re: problem connecting from Outlook Android



> On Apr 1, 2021, at 1:38 PM, DEPRÉ Gaëtan - NGServers.com <[hidden email]> wrote:
>
> I enabled port 465, but no chance. Still the same problem, only with
> android/outlook...

This would be far more productive if you also post configuration details.

        $ postconf -Mf
        $ postconf -nf

--
        Viktor.

Dnia  1.04.2021 o godz. 19:38:30 DEPRÉ Gaëtan - NGServers.com pisze:
>
> I enabled port 465, but no chance. Still the same problem, only with
> android/outlook...

Looks like you have to sniff network traffic to see what's actually going
on...
--
Regards,
   Jaroslaw Rafa
   [hidden email]
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."

-----Message d'origine-----
De : [hidden email] <[hidden email]> De la
part de Jaroslaw Rafa
Envoyé : jeudi 1 avril 2021 20:54
À : [hidden email]
Objet : Re: problem connecting from Outlook Android

Dnia  1.04.2021 o godz. 19:38:30 DEPRÉ Gaëtan - NGServers.com pisze:
>
> I enabled port 465, but no chance. Still the same problem, only with
> android/outlook...

Looks like you have to sniff network traffic to see what's actually going
on...
--
Regards,
   Jaroslaw Rafa
   [hidden email]
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."

On Thu, Apr 01, 2021 at 08:31:59PM +0200, DEPRÉ Gaëtan - NGServers.com wrote:

Well there's your problem.  You have neglected to enable TLS wrapper
mode for the port 465 service, so it is still a STARTTLS service,
but this time without all the settings appropriate for submission...

The stock master.cf file from postfix.org has:

    #smtps     inet  n       -       n       -       -       smtpd
    #  -o syslog_name=postfix/smtps
    #  -o smtpd_tls_wrappermode=yes
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
    #  -o smtpd_recipient_restrictions=
    #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING

Adjust as needed.

Done !

Default for tls_wrappermode is 'no'. I changed the values.

Bad to have to enable 465 port just for using outlook mobile. I could change, but customers won't, and they would complain...

Thx again for your daily help, Viktor and everyone in this ML 😊

-----Message d'origine-----
De : [hidden email] <[hidden email]> De la part de Viktor Dukhovni
Envoyé : jeudi 1 avril 2021 21:25
À : [hidden email]
Objet : Re: problem connecting from Outlook Android

On Thu, Apr 01, 2021 at 08:31:59PM +0200, DEPRÉ Gaëtan - NGServers.com wrote:

Well there's your problem.  You have neglected to enable TLS wrapper mode for the port 465 service, so it is still a STARTTLS service, but this time without all the settings appropriate for submission...

The stock master.cf file from postfix.org has:

    #smtps     inet  n       -       n       -       -       smtpd
    #  -o syslog_name=postfix/smtps
    #  -o smtpd_tls_wrappermode=yes
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
    #  -o smtpd_recipient_restrictions=
    #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING

Adjust as needed.

On 01.04.21 21:58, DEPRÉ Gaëtan - NGServers.com wrote:
>Default for tls_wrappermode is 'no'. I changed the values.

I hope you only changed value of tls_wrappermode for smtps/465.

...and I hope you learned to read docs anr proposed configs instead of blindly
configuring something to master.cf ;-)

>Bad to have to enable 465 port just for using outlook mobile. I could change, but customers won't, and they would complain...

I use to enable port 465 for years. It was longly supported by many MSPs,
e.g. google.

Outlook up to 2003 only supported STARTTLS on 25 and implicit TLS on other
ports. I haven't try mobile outlook.

even with submission/587 with STARTTLS available, some considered 465 better
choice, since it's impossible to go without SSL negotiation.

And since RFC 8314, port 465 is documented standard.

>Thx again for your daily help, Viktor and everyone in this ML 😊


--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Fucking windows! Bring Bill Gates! (Southpark the movie)

On 01 Apr 2021, at 12:31, DEPRÉ Gaëtan - NGServers.com <[hidden email]> wrote:
> mua_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject
> mua_relay_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated,reject

I know your problem with smtps is solved, but I noticed that you are allowing unauthenticated my networks to submit mail.

This is not a good idea and opens you up to poorly written or malicious local scripts. You should require authentication for ANYONE sending mail out from your machine, even if they are a script on localhost.

I don't know why you are using mua_* but that's a different issue.

--
The cat turned and tried to find a place of safety in the suit's
        breastplate. He was beginning to doubt he'd make it through the
        knight.

On 2021-04-03 11:55, @lbutlr wrote:
Agreed.

> malicious local scripts. You should require authentication for ANYONE
> sending mail out from your machine, even if they are a script on
> localhost.
>
> I don't know why you are using mua_* but that's a different issue.

mua_mumble_restrictions are the default for submission and smtps
(submissions) in recent master.cf examples.  The idea is, override
each smtpd_mumble_restrictions stage in master.cf, so if you add
some new restrictions for port 25, submission/submissions are not
affected.  Note that if mua_client_restrictions (or whatever) are
not set, you get " -o smtpd_client_restrictions=", empty, which is
probably what you want.

It also makes it easy to set whatever submission-only restrictions
you might want.

I do think these examples might be better documented, along with a
README to explain why it's a good idea to require AUTH for all
submission.  If someone nags me enough I might try to start a first
draft thereof. :)
--
   http://rob0.nodns4.us/