problem connecting from Outlook Android


problem connecting from Outlook Android

DEPRÉ Gaëtan - NGServers.com

Hi !

I can’t send emails while using my android smartphone + outlook.

Using outlook on my windows 10 PC on the same wifi connection works.

Here is the debug log I can get :

Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: > pop.92-184-97-113.mobile.abo.orange.fr[92.184.97.113]: 220 Bienvenue sur le serveur mail xxxxx.yyy !
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: < pop.92-184-97-113.mobile.abo.orange.fr[92.184.97.113]: ????
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: > pop.92-184-97-113.mobile.abo.orange.fr[92.184.97.113]: 500 5.5.2 Error: bad UTF-8 syntax
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: < pop.92-184-97-113.mobile.abo.orange.fr[92.184.97.113]: ????
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: > pop.92-184-97-113.mobile.abo.orange.fr[92.184.97.113]: 500 5.5.2 Error: bad UTF-8 syntax
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: smtp_get: EOF
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: match_hostname: smtpd_client_event_limit_exceptions: pop.92-184-97-113.mobile.abo.orange.fr ~? 127.0.0.0/8
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: match_hostaddr: smtpd_client_event_limit_exceptions: 92.184.97.113 ~? 127.0.0.0/8
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: match_hostname: smtpd_client_event_limit_exceptions: pop.92-184-97-113.mobile.abo.orange.fr ~? [::ffff:127.0.0.0]/104
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: match_hostaddr: smtpd_client_event_limit_exceptions: 92.184.97.113 ~? [::ffff:127.0.0.0]/104
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: match_hostname: smtpd_client_event_limit_exceptions: pop.92-184-97-113.mobile.abo.orange.fr ~? [::1]/128
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: match_hostaddr: smtpd_client_event_limit_exceptions: 92.184.97.113 ~? [::1]/128
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: match_list_match: pop.92-184-97-113.mobile.abo.orange.fr: no match
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: match_list_match: 92.184.97.113: no match
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: send attr request = disconnect
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: send attr ident = submission:92.184.97.113
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: private/anvil: wanted attribute: status
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: input attribute name: status
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: input attribute value: 0
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: private/anvil: wanted attribute: (list terminator)
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: input attribute name: (end)
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: lost connection after CONNECT from pop.92-184-97-113.mobile.abo.orange.fr[92.184.97.113]
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: disconnect event to all milters
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: milter8_disc_event: quit milter inet:localhost:11332
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: disconnect from pop.92-184-97-113.mobile.abo.orange.fr[92.184.97.113] commands=0/0
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: free all milters
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: free milter inet:localhost:11332
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: master_notify: status 1
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: connection closed

This 500 5.5.2 Error: bad UTF-8 syntax error can be displayed 5 or 6 times.

Any clue ?

Regards,

gdepre


Re: problem connecting from Outlook Android

Viktor Dukhovni
On Wed, Mar 31, 2021 at 11:29:04PM +0200, [hidden email] wrote:

> I can't send emails while using my android smartphone + outlook.

Perhaps your phone is sending SMTP commands with non-ASCII data, but
your Postfix server is not configured to support SMTPUTF8.  However,
more likely your phone is trying to use "implicit TLS" (rather
than STARTTLS), and the non-ASCII data in question is the binary
TLS client HELLO message.

> Here is the debug log I can get :

You have needlessly enabled debug logging, please turn it off,
it is just a distraction.

> Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: <
> pop.92-184-97-113.mobile.abo.orange.fr[92.184.97.113]: ????

This is more likely to be TLS than a non-ASCII command.

> Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: <
> pop.92-184-97-113.mobile.abo.orange.fr[92.184.97.113]: ????

Ditto.  A packet capture can confirm the hypothesis, but
probably not necessary. Make sure the client is configured
to do STARTTLS.

--
    Viktor.
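
The diagnosis in the reply above, as an added example (not code from the thread or from Postfix): a Python classifier for the first bytes a client sends after the 220 greeting, which separates a binary TLS ClientHello from a plaintext SMTP command and reports whether that matches the listener's mode. The function names, the `starttls`/`wrapper` mode labels and the sample byte strings are constructed for this example.

```python
import struct

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01    # handshake message type: client_hello
MAX_RECORD = 2 ** 14   # largest plaintext TLS record length
SMTP_VERBS = {b"EHLO", b"HELO", b"STARTTLS", b"AUTH", b"MAIL", b"RCPT",
              b"DATA", b"RSET", b"NOOP", b"QUIT", b"VRFY"}


def classify_first_bytes(data: bytes) -> str:
    """Classify what a client sent right after the server's 220 greeting."""
    # TLS record header: type(1) | major(1) | minor(1) | length(2), followed by
    # the handshake message type. 0x16 0x03 .. .. .. 0x01 is a ClientHello.
    if len(data) >= 6 and data[0] == TLS_HANDSHAKE and data[1] == 0x03:
        (record_len,) = struct.unpack("!H", data[3:5])
        if data[5] == CLIENT_HELLO and 0 < record_len <= MAX_RECORD:
            return "tls-client-hello"
    # Otherwise treat the first line as a candidate SMTP command.
    line = data.split(b"\r\n", 1)[0]
    parts = line.split(None, 1)
    verb = parts[0].upper() if parts else b""
    if verb in SMTP_VERBS:
        return "smtp-command" if line.isascii() else "smtp-command-utf8"
    return "unknown"


def diagnose(listener_mode: str, data: bytes) -> str:
    """listener_mode is 'starttls' (plaintext first) or 'wrapper' (TLS first)."""
    kind = classify_first_bytes(data)
    if listener_mode == "starttls" and kind == "tls-client-hello":
        return "mismatch: client speaks implicit TLS to a STARTTLS listener"
    if listener_mode == "wrapper" and kind.startswith("smtp-command"):
        return "mismatch: client speaks plaintext SMTP to a TLS-wrapper listener"
    if kind == "smtp-command-utf8":
        return "plaintext SMTP with non-ASCII data: check SMTPUTF8 support"
    if kind == "unknown":
        return "unrecognised first bytes"
    return "consistent"


def sample_client_hello() -> bytes:
    """Constructed minimal TLS 1.2 ClientHello (zero random, one cipher suite)."""
    body = (b"\x03\x03" + bytes(32) + b"\x00"   # version, random, empty session id
            + b"\x00\x02\xc0\x2f"               # cipher suites: length 2, one suite
            + b"\x01\x00")                      # compression: length 1, null
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    header = bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake))
    return header + handshake


if __name__ == "__main__":
    samples = {  # constructed client streams, not captured traffic
        "implicit TLS": sample_client_hello(),
        "plaintext": b"EHLO its.me.com\r\n",
        "utf8 argument": "EHLO t\u00e9l\u00e9phone.example\r\n".encode("utf-8"),
    }
    for mode in ("starttls", "wrapper"):
        for name, data in samples.items():
            print(f"{mode:8} listener, {name:13} client -> {diagnose(mode, data)}")
```

Feed it the first client payload from a packet capture of the failing connection to tell the two hypotheses apart.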

RE: problem connecting from Outlook Android

DEPRÉ Gaëtan - NGServers.com
Thx again Viktor for your helpful answer.

I use Outlook on my phone & I don't find anything that allows me to conf the
connection negotiation protocol.

I'll investigate on this.

Furthermore, I thought too that my server didn't support UTF8, but a telnet
revealed that it does, as we can see in the telnet log below :

root@server:~# telnet mailserver.blabla.com 587
Trying www.xxx.yyy.zzz...
Connected to mailserver.blabla.com.
Escape character is '^]'.
220 Bienvenue sur le serveur mail blabla.com !
ehlo its.me.com
250-mailserver.blabla.com
250-PIPELINING
250-SIZE 104857600
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING

Regards,

Gaetan



Re: problem connecting from Outlook Android

@lbutlr
On 31 Mar 2021, at 23:26, [hidden email] wrote:
> root@server:~# telnet mailserver.blabla.com 587

Does your server support port 465? That should be configured to always use SSL without the need for STARTTLS. Perhaps outlook is simply not sending STARTTLS (which makes sense, as Outlook took over the 465 port ages ago).

I don't use android, so I'm just guessing here, but enabling port 465 is simple enough and there is no reason not to do it.

--
Turning and turning in the widening gyre
The falcon cannot hear the falconer;


RE: problem connecting from Outlook Android

DEPRÉ Gaëtan - NGServers.com
Thx for reply.

I enabled port 465, but no chance. Still the same problem, only with
android/outlook...

Apr  1 19:11:16 mail postfix/smtpd[14020]: connect from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:16 mail postfix/smtpd[14020]: lost connection after CONNECT from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:16 mail postfix/smtpd[14020]: disconnect from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164] commands=0/0
Apr  1 19:11:18 mail postfix/smtpd[14020]: connect from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:18 mail postfix/smtpd[14020]: lost connection after CONNECT from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:18 mail postfix/smtpd[14020]: disconnect from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164] commands=0/0
Apr  1 19:11:18 mail postfix/smtpd[14020]: connect from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:18 mail postfix/smtpd[14020]: lost connection after CONNECT from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:18 mail postfix/smtpd[14020]: disconnect from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164] commands=0/0
Apr  1 19:11:19 mail postfix/smtpd[14020]: connect from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:19 mail postfix/smtpd[14020]: lost connection after CONNECT from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:19 mail postfix/smtpd[14020]: disconnect from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164] commands=0/0
Apr  1 19:11:19 mail postfix/smtpd[14020]: connect from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:19 mail postfix/smtpd[14020]: lost connection after CONNECT from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:19 mail postfix/smtpd[14020]: disconnect from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164] commands=0/0
Apr  1 19:11:19 mail postfix/smtpd[14020]: connect from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:19 mail postfix/smtpd[14020]: lost connection after CONNECT from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:19 mail postfix/smtpd[14020]: disconnect from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164] commands=0/0
Apr  1 19:11:19 mail postfix/smtpd[14020]: connect from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:19 mail postfix/smtpd[14020]: lost connection after CONNECT from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:19 mail postfix/smtpd[14020]: disconnect from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164] commands=0/0
Apr  1 19:11:19 mail postfix/smtpd[14020]: connect from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:19 mail postfix/smtpd[14020]: lost connection after CONNECT from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:19 mail postfix/smtpd[14020]: disconnect from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164] commands=0/0
Apr  1 19:11:19 mail postfix/smtpd[14020]: connect from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:19 mail postfix/smtpd[14020]: lost connection after CONNECT from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:19 mail postfix/smtpd[14020]: disconnect from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164] commands=0/0

It's very annoying for sending emails... :/


Re: problem connecting from Outlook Android

Viktor Dukhovni


> On Apr 1, 2021, at 1:38 PM, DEPRÉ Gaëtan - NGServers.com <[hidden email]> wrote:
>
> I enabled port 465, but no chance. Still the same problem, only with
> android/outlook...

This would be far more productive if you also post configuration details.

        $ postconf -Mf
        $ postconf -nf

--
        Viktor.


RE: problem connecting from Outlook Android

DEPRÉ Gaëtan - NGServers.com
You're right, Viktor.

See below :

smtp       inet  n       -       y       -       1       postscreen
    -o smtpd_sasl_auth_enable=no
smtpd      pass  -       -       y       -       -       smtpd
dnsblog    unix  -       -       y       -       0       dnsblog
tlsproxy   unix  -       -       y       -       0       tlsproxy
smtps      inet  n       -       y       -       -       smtpd
submission inet  n       -       y       -       -       smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=may
    -o smtpd_tls_auth_only=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_path=private/auth
    -o smtpd_sasl_security_options=noanonymous
    -o smtpd_client_restrictions=$mua_client_restrictions
    -o smtpd_sender_login_maps=$mua_sender_login_maps
    -o smtpd_sender_restrictions=$mua_sender_restrictions
    -o smtpd_relay_restrictions=$mua_relay_restrictions
    -o milter_macro_daemon_name=ORIGINATING
    -o smtpd_helo_required=no
    -o smtpd_helo_restrictions=
    -o cleanup_service_name=submission-header-cleanup
pickup     unix  n       -       y       60      1       pickup
cleanup    unix  n       -       y       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       y       1000?   1       tlsmgr
rewrite    unix  -       -       y       -       -       trivial-rewrite
bounce     unix  -       -       y       -       0       bounce
defer      unix  -       -       y       -       0       bounce
trace      unix  -       -       y       -       0       bounce
verify     unix  -       -       y       -       1       verify
flush      unix  n       -       y       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       y       -       -       smtp
relay      unix  -       -       y       -       -       smtp
showq      unix  n       -       y       -       -       showq
error      unix  -       -       y       -       -       error
retry      unix  -       -       y       -       -       error
discard    unix  -       -       y       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       y       -       -       lmtp
anvil      unix  -       -       y       -       1       anvil
scache     unix  -       -       y       -       1       scache
submission-header-cleanup unix n - n     -       0       cleanup
    -o header_checks=regexp:/etc/postfix/submission_header_cleanup




alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 1h
bounce_template_file = /etc/postfix/bounce.cf
compatibility_level = 2
inet_interfaces = 127.0.0.1, ::1, ww.xx.yy.zz
local_recipient_maps = $virtual_mailbox_maps
mailbox_size_limit = 0
maximal_backoff_time = 15m
maximal_queue_lifetime = 1h
message_size_limit = 104857600
milter_default_action = accept
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_protocol = 6
minimal_backoff_time = 5m
mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject
mua_relay_restrictions =
    reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
mua_sender_login_maps = mysql:/etc/postfix/sql/sender-login-maps.cf
mua_sender_restrictions =
    permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,check_sender_access
    mysql:/etc/postfix/sql/sender_checks.cf,reject
mydestination =
myhostname = mailserver.domain.dom
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
non_smtpd_milters = inet:localhost:11332
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access
postscreen_blacklist_action = drop
postscreen_dnsbl_action = drop
postscreen_dnsbl_sites = all.spam-rbl.fr*2, zen.spamhaus.org*3,
    bl.spameatingmonkey.net*2,
postscreen_dnsbl_threshold = 2
postscreen_greet_action = drop
queue_run_delay = 5m
recipient_delimiter = +
smtp_dns_support_level = dnssec
smtp_tls_ciphers = high
smtp_tls_loglevel = 2
smtp_tls_policy_maps = mysql:/etc/postfix/sql/tls-policy.cf
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = Bienvenue sur le serveur mail mailserver.domain.dom !
smtpd_client_restrictions = permit_mynetworks check_client_access
    hash:/etc/postfix/without_ptr reject_unknown_client_hostname
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
smtpd_milters = inet:localhost:11332
smtpd_recipient_restrictions = check_recipient_access
    hash:/etc/postfix/custom_replies check_recipient_access
    mysql:/etc/postfix/sql/recipient-access.cf check_policy_service
    inet:127.0.0.1:12340
smtpd_relay_restrictions = reject_non_fqdn_recipient permit_sasl_authenticated
    reject_unknown_recipient_domain permit_mynetworks reject_unauth_destination
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access
smtpd_tls_CAfile = /etc/letsencrypt/live/mail.ngservers.com/chain.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.ngservers.com/cert.pem
smtpd_tls_ciphers = high
smtpd_tls_key_file = /etc/letsencrypt/live/mail.ngservers.com/privkey.pem
smtpd_tls_protocols = !SSLv2, !SSLv3, TLSv1.1, TLSv1.2
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
tls_high_cipherlist =
    EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
tls_preempt_cipherlist = yes
tls_ssl_options = NO_COMPRESSION
virtual_alias_maps =
    mysql:/etc/postfix/sql/aliases.cf,mysql:/etc/postfix/sql/email2email.cf
virtual_mailbox_domains = mysql:/etc/postfix/sql/domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/sql/accounts.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp


Re: problem connecting from Outlook Android

Jaroslaw Rafa
On 1.04.2021 at 19:38:30, DEPRÉ Gaëtan - NGServers.com wrote:
>
> I enabled port 465, but no chance. Still the same problem, only with
> android/outlook...

Looks like you have to sniff network traffic to see what's actually going
on...
--
Regards,
   Jaroslaw Rafa
   [hidden email]
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."

Re: problem connecting from Outlook Android

Viktor Dukhovni
On Thu, Apr 01, 2021 at 08:31:59PM +0200, DEPRÉ Gaëtan - NGServers.com wrote:

> You're right, Viktor.
>
> See below :
>
> smtp       inet  n       -       y       -       1       postscreen
>     -o smtpd_sasl_auth_enable=no
> smtpd      pass  -       -       y       -       -       smtpd
> dnsblog    unix  -       -       y       -       0       dnsblog
> tlsproxy   unix  -       -       y       -       0       tlsproxy
> smtps      inet  n       -       y       -       -       smtpd

Well there's your problem.  You have neglected to enable TLS wrapper
mode for the port 465 service, so it is still a STARTTLS service,
but this time without all the settings appropriate for submission...

The stock master.cf file from postfix.org has:

    #smtps     inet  n       -       n       -       -       smtpd
    #  -o syslog_name=postfix/smtps
    #  -o smtpd_tls_wrappermode=yes
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
    #  -o smtpd_recipient_restrictions=
    #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING

Adjust as needed.

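
A check for the misconfiguration identified in the reply above, added here as an example and not part of the thread or of Postfix: it parses `postconf -Mf` output and flags a port-465 `smtpd` listener whose effective `smtpd_tls_wrappermode` or `smtpd_sasl_auth_enable` is not `yes`. `POSTED` is an excerpt of the master.cf from the thread; the function names, the set of service names treated as port 465, and the `FIXED` variant (built from the stock entry quoted above) are assumptions of this example.

```python
# Assumption: service names commonly bound to 465/tcp, plus the literal port.
IMPLICIT_TLS_NAMES = {"smtps", "submissions", "465"}
# Built-in values used when neither master.cf nor main.cf sets the parameter.
DEFAULTS = {"smtpd_tls_wrappermode": "no", "smtpd_sasl_auth_enable": "no"}

SMTPS_LINE = "smtps      inet  n       -       y       -       -       smtpd\n"

# Excerpt of the `postconf -Mf` output posted in the thread.
POSTED = (
    "smtp       inet  n       -       y       -       1       postscreen\n"
    "    -o smtpd_sasl_auth_enable=no\n"
    + SMTPS_LINE +
    "submission inet  n       -       y       -       -       smtpd\n"
    "    -o syslog_name=postfix/submission\n"
    "    -o smtpd_tls_security_level=may\n"
    "    -o smtpd_tls_auth_only=yes\n"
    "    -o smtpd_sasl_auth_enable=yes\n"
)

# Constructed: the same file with overrides taken from the stock smtps entry.
FIXED = POSTED.replace(
    SMTPS_LINE,
    SMTPS_LINE
    + "    -o syslog_name=postfix/smtps\n"
    + "    -o smtpd_tls_wrappermode=yes\n"
    + "    -o smtpd_sasl_auth_enable=yes\n",
)


def _overrides(args):
    """Collect '-o name=value' (or '-oname=value') pairs from an argument list."""
    opts, i = {}, 0
    while i < len(args):
        tok = args[i]
        if tok == "-o" and i + 1 < len(args):
            tok, i = args[i + 1], i + 1
        elif tok.startswith("-o") and len(tok) > 2:
            tok = tok[2:]
        else:
            i += 1
            continue
        name, _, value = tok.partition("=")
        opts[name.strip()] = value.strip()
        i += 1
    return opts


def parse_master(text):
    """Return [{'name', 'type', 'command', 'opts'}] for each master.cf service."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():             # continuation line: more arguments
            if entries:
                entries[-1]["args"] += raw.split()
            continue
        f = raw.split()                  # service type private unpriv chroot wakeup maxproc command
        if len(f) >= 8:
            entries.append({"name": f[0], "type": f[1], "command": f[7], "args": f[8:]})
    for e in entries:
        e["opts"] = _overrides(e.pop("args"))
    return entries


def lint(master_text, main_cf=None):
    """Return (service, parameter, message) for each port-465 listener problem.

    main_cf: optional dict of global settings (for example from `postconf -n`).
    """
    main_cf = main_cf or {}
    findings = []
    for e in parse_master(master_text):
        port = e["name"].rsplit(":", 1)[-1]      # also handles 'addr:465'
        if e["type"] != "inet" or e["command"] != "smtpd" or port not in IMPLICIT_TLS_NAMES:
            continue

        def effective(key, opts=e["opts"]):
            return opts.get(key, main_cf.get(key, DEFAULTS[key]))

        if effective("smtpd_tls_wrappermode") != "yes":
            findings.append((e["name"], "smtpd_tls_wrappermode",
                             "listener expects plaintext SMTP and STARTTLS, not implicit TLS"))
        if effective("smtpd_sasl_auth_enable") != "yes":
            findings.append((e["name"], "smtpd_sasl_auth_enable",
                             "SASL authentication is not enabled on this listener"))
    return findings


if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("fixed", FIXED)):
        print(label, lint(text) or "no findings")
```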

RE: problem connecting from Outlook Android

DEPRÉ Gaëtan - NGServers.com
Done !

Default for tls_wrappermode is 'no'. I changed the values.

Bad to have to enable 465 port just for using outlook mobile. I could change, but customers won't, and they would complain...

Thx again for your daily help, Viktor and everyone in this ML 😊

-----Message d'origine-----
De : [hidden email] <[hidden email]> De la part de Viktor Dukhovni
Envoyé : jeudi 1 avril 2021 21:25
À : [hidden email]
Objet : Re: problem connecting from Outlook Android

On Thu, Apr 01, 2021 at 08:31:59PM +0200, DEPRÉ Gaëtan - NGServers.com wrote:

> You're right, Viktor.
>
> See below :
>
> smtp       inet  n       -       y       -       1       postscreen
>     -o smtpd_sasl_auth_enable=no
> smtpd      pass  -       -       y       -       -       smtpd
> dnsblog    unix  -       -       y       -       0       dnsblog
> tlsproxy   unix  -       -       y       -       0       tlsproxy
> smtps      inet  n       -       y       -       -       smtpd

Well there's your problem.  You have neglected to enable TLS wrapper mode for the port 465 service, so it is still a STARTTLS service, but this time without all the settings appropriate for submission...

The stock master.cf file from postfix.org has:

    #smtps     inet  n       -       n       -       -       smtpd
    #  -o syslog_name=postfix/smtps
    #  -o smtpd_tls_wrappermode=yes
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
    #  -o smtpd_recipient_restrictions=
    #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING

Adjust as needed.

> submission inet  n       -       y       -       -       smtpd
>     -o syslog_name=postfix/submission
>     -o smtpd_tls_security_level=may
>     -o smtpd_tls_auth_only=yes
>     -o smtpd_sasl_auth_enable=yes
>     -o smtpd_sasl_type=dovecot
>     -o smtpd_sasl_path=private/auth
>     -o smtpd_sasl_security_options=noanonymous
>     -o smtpd_client_restrictions=$mua_client_restrictions
>     -o smtpd_sender_login_maps=$mua_sender_login_maps
>     -o smtpd_sender_restrictions=$mua_sender_restrictions
>     -o smtpd_relay_restrictions=$mua_relay_restrictions
>     -o milter_macro_daemon_name=ORIGINATING
>     -o smtpd_helo_required=no
>     -o smtpd_helo_restrictions=
>     -o cleanup_service_name=submission-header-cleanup
> pickup     unix  n       -       y       60      1       pickup
> cleanup    unix  n       -       y       -       0       cleanup
> qmgr       unix  n       -       n       300     1       qmgr
> tlsmgr     unix  -       -       y       1000?   1       tlsmgr
> rewrite    unix  -       -       y       -       -       trivial-rewrite
> bounce     unix  -       -       y       -       0       bounce
> defer      unix  -       -       y       -       0       bounce
> trace      unix  -       -       y       -       0       bounce
> verify     unix  -       -       y       -       1       verify
> flush      unix  n       -       y       1000?   0       flush
> proxymap   unix  -       -       n       -       -       proxymap
> proxywrite unix  -       -       n       -       1       proxymap
> smtp       unix  -       -       y       -       -       smtp
> relay      unix  -       -       y       -       -       smtp
> showq      unix  n       -       y       -       -       showq
> error      unix  -       -       y       -       -       error
> retry      unix  -       -       y       -       -       error
> discard    unix  -       -       y       -       -       discard
> local      unix  -       n       n       -       -       local
> virtual    unix  -       n       n       -       -       virtual
> lmtp       unix  -       -       y       -       -       lmtp
> anvil      unix  -       -       y       -       1       anvil
> scache     unix  -       -       y       -       1       scache
> submission-header-cleanup unix n - n     -       0       cleanup
>     -o header_checks=regexp:/etc/postfix/submission_header_cleanup
>
>
>
>
> alias_maps = hash:/etc/aliases
> append_dot_mydomain = no
> biff = no
> bounce_queue_lifetime = 1h
> bounce_template_file = /etc/postfix/bounce.cf
> compatibility_level = 2
> inet_interfaces = 127.0.0.1, ::1, ww.xx.yy.zz
> local_recipient_maps = $virtual_mailbox_maps
> mailbox_size_limit = 0
> maximal_backoff_time = 15m
> maximal_queue_lifetime = 1h
> message_size_limit = 104857600
> milter_default_action = accept
> milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
> milter_protocol = 6
> minimal_backoff_time = 5m
> mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject
> mua_relay_restrictions =
>     reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
> mua_sender_login_maps = mysql:/etc/postfix/sql/sender-login-maps.cf
> mua_sender_restrictions =
>     permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,check_sender_access
>     mysql:/etc/postfix/sql/sender_checks.cf,reject
> mydestination =
> myhostname = mailserver.domain.dom
> mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
> non_smtpd_milters = inet:localhost:11332
> postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access
> postscreen_blacklist_action = drop
> postscreen_dnsbl_action = drop
> postscreen_dnsbl_sites = all.spam-rbl.fr*2, zen.spamhaus.org*3,
>     bl.spameatingmonkey.net*2,
> postscreen_dnsbl_threshold = 2
> postscreen_greet_action = drop
> queue_run_delay = 5m
> recipient_delimiter = +
> smtp_dns_support_level = dnssec
> smtp_tls_ciphers = high
> smtp_tls_loglevel = 2
> smtp_tls_policy_maps = mysql:/etc/postfix/sql/tls-policy.cf
> smtp_tls_security_level = dane
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtpd_banner = Bienvenue sur le serveur mail mailserver.domain.dom !
> smtpd_client_restrictions = permit_mynetworks check_client_access
>     hash:/etc/postfix/without_ptr reject_unknown_client_hostname
> smtpd_data_restrictions = reject_unauth_pipelining
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks reject_invalid_helo_hostname
>     reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
> smtpd_milters = inet:localhost:11332
> smtpd_recipient_restrictions = check_recipient_access
>     hash:/etc/postfix/custom_replies check_recipient_access
>     mysql:/etc/postfix/sql/recipient-access.cf check_policy_service
>     inet:127.0.0.1:12340
> smtpd_relay_restrictions = reject_non_fqdn_recipient permit_sasl_authenticated
>     reject_unknown_recipient_domain permit_mynetworks
>     reject_unauth_destination
> smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access
> smtpd_tls_CAfile = /etc/letsencrypt/live/mail.ngservers.com/chain.pem
> smtpd_tls_cert_file = /etc/letsencrypt/live/mail.ngservers.com/cert.pem
> smtpd_tls_ciphers = high
> smtpd_tls_key_file = /etc/letsencrypt/live/mail.ngservers.com/privkey.pem
> smtpd_tls_protocols = !SSLv2, !SSLv3, TLSv1.1, TLSv1.2
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> tls_high_cipherlist =
>     EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
> tls_preempt_cipherlist = yes
> tls_ssl_options = NO_COMPRESSION
> virtual_alias_maps =
>     mysql:/etc/postfix/sql/aliases.cf,mysql:/etc/postfix/sql/email2email.cf
> virtual_mailbox_domains = mysql:/etc/postfix/sql/domains.cf
> virtual_mailbox_maps = mysql:/etc/postfix/sql/accounts.cf
> virtual_transport = lmtp:unix:private/dovecot-lmtp
>
> -----Original Message-----
> From: [hidden email] <[hidden email]> On behalf of Viktor Dukhovni
> Sent: Thursday, April 1, 2021 19:41
> To: Postfix users <[hidden email]>
> Subject: Re: problem connecting from Outlook Android
>
>
>
> > On Apr 1, 2021, at 1:38 PM, DEPRÉ Gaëtan - NGServers.com <[hidden email]> wrote:
> >
> > I enabled port 465, but no chance. Still the same problem, only with
> > android/outlook...
>
> This would be far more productive if you also post configuration details.
>
> $ postconf -Mf
> $ postconf -nf
>
> --
> Viktor.
>
>


Re: problem connecting from Outlook Android

Matus UHLAR - fantomas
On 01.04.21 21:58, DEPRÉ Gaëtan - NGServers.com wrote:
>Default for tls_wrappermode is 'no'. I changed the values.

I hope you only changed the value of tls_wrappermode for smtps/465.

...and I hope you learned to read docs and proposed configs instead of blindly
configuring something to master.cf ;-)

>Bad to have to enable 465 port just for using outlook mobile. I could change, but customers won't, and they would complain...

I have had port 465 enabled for years. It has long been supported by many MSPs,
e.g. Google.

Outlook up to 2003 only supported STARTTLS on 25 and implicit TLS on other
ports. I haven't tried mobile Outlook.

Even with submission/587 with STARTTLS available, some considered 465 the better
choice, since it's impossible to go without SSL negotiation.

And since RFC 8314, port 465 is a documented standard.

>Thx again for your daily help, Viktor and everyone in this ML 😊


>-----Original Message-----
>From: [hidden email] <[hidden email]> On behalf of Viktor Dukhovni
>Sent: Thursday, April 1, 2021 21:25
>To: [hidden email]
>Subject: Re: problem connecting from Outlook Android
>
>On Thu, Apr 01, 2021 at 08:31:59PM +0200, DEPRÉ Gaëtan - NGServers.com wrote:
>
>> You're right, Viktor.
>>
>> See below :
>>
>> smtp       inet  n       -       y       -       1       postscreen
>>     -o smtpd_sasl_auth_enable=no
>> smtpd      pass  -       -       y       -       -       smtpd
>> dnsblog    unix  -       -       y       -       0       dnsblog
>> tlsproxy   unix  -       -       y       -       0       tlsproxy
>> smtps      inet  n       -       y       -       -       smtpd
>
>Well there's your problem.  You have neglected to enable TLS wrapper mode for the port 465 service, so it is still a STARTTLS service, but this time without all the settings appropriate for submission...
>
>The stock master.cf file from postfix.org has:
>
>    #smtps     inet  n       -       n       -       -       smtpd
>    #  -o syslog_name=postfix/smtps
>    #  -o smtpd_tls_wrappermode=yes
>    #  -o smtpd_sasl_auth_enable=yes
>    #  -o smtpd_reject_unlisted_recipient=no
>    #  -o smtpd_client_restrictions=$mua_client_restrictions
>    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
>    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
>    #  -o smtpd_recipient_restrictions=
>    #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
>    #  -o milter_macro_daemon_name=ORIGINATING

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Fucking windows! Bring Bill Gates! (Southpark the movie)

Re: problem connecting from Outlook Android

@lbutlr
In reply to this post by DEPRÉ Gaëtan - NGServers.com
On 01 Apr 2021, at 12:31, DEPRÉ Gaëtan - NGServers.com <[hidden email]> wrote:
> mua_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject
> mua_relay_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated,reject

I know your problem with smtps is solved, but I noticed that you are allowing unauthenticated my networks to submit mail.

This is not a good idea and opens you up to poorly written or malicious local scripts. You should require authentication for ANYONE sending mail out from your machine, even if they are a script on localhost.

I don't know why you are using mua_* but that's a different issue.

--
The cat turned and tried to find a place of safety in the suit's
        breastplate. He was beginning to doubt he'd make it through the
        knight.


Re: problem connecting from Outlook Android

Rob McGee
On 2021-04-03 11:55, @lbutlr wrote:

> On 01 Apr 2021, at 12:31, DEPRÉ Gaëtan - NGServers.com
> <[hidden email]> wrote:
>> mua_client_restrictions = permit_mynetworks,
>> permit_sasl_authenticated, reject
>> mua_relay_restrictions = reject_non_fqdn_recipient,
>> reject_unknown_recipient_domain, permit_mynetworks,
>> permit_sasl_authenticated,reject
>
> I know your problem with smtps is solved, but I noticed that you are
> allowing unauthenticated my networks to submit mail.
>
> This is not a good idea and opens you up to poorly written or

Agreed.

> malicious local scripts. You should require authentication for ANYONE
> sending mail out from your machine, even if they are a script on
> localhost.
>
> I don't know why you are using mua_* but that's a different issue.

mua_mumble_restrictions are the default for submission and smtps
(submissions) in recent master.cf examples.  The idea is, override
each smtpd_mumble_restrictions stage in master.cf, so if you add
some new restrictions for port 25, submission/submissions are not
affected.  Note that if mua_client_restrictions (or whatever) are
not set, you get " -o smtpd_client_restrictions=", empty, which is
probably what you want.

It also makes it easy to set whatever submission-only restrictions
you might want.

I do think these examples might be better documented, along with a
README to explain why it's a good idea to require AUTH for all
submission.  If someone nags me enough I might try to start a first
draft thereof. :)
--
   http://rob0.nodns4.us/
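
The two configuration points raised in this thread, an smtps/465 entry without `smtpd_tls_wrappermode=yes` and `permit_mynetworks` in the restrictions applied to the submission services, can be checked mechanically before a client ever connects. The Python below is an added example, not code from any poster or from the Postfix project; the sample master.cf text and main.cf values are constructed from the lines quoted above, and the names `parse_master` and `audit` are hypothetical.

```python
import re

# Constructed input modelled on the thread: bare smtps entry, trimmed submission entry.
MASTER_CF = """\
smtps      inet  n       -       y       -       -       smtpd
submission inet  n       -       y       -       -       smtpd
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=$mua_client_restrictions
    -o smtpd_relay_restrictions=$mua_relay_restrictions
"""
MAIN_CF = {  # constructed excerpt: the $mua_* values quoted in the thread
    "mua_client_restrictions": "permit_mynetworks,permit_sasl_authenticated,reject",
    "mua_relay_restrictions": "reject_non_fqdn_recipient,reject_unknown_recipient_domain,"
                              "permit_mynetworks,permit_sasl_authenticated,reject",
}
IMPLICIT_TLS = {"smtps", "submissions", "465"}   # services expected to wrap TLS
MUA_PORTS = IMPLICIT_TLS | {"submission", "587"}

def parse_master(text):
    """Return {(service, type): (command, {option: value})}; '-o { n = v }' is not handled."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and entries:        # indented line continues the entry
            entries[-1] += " " + line.strip()
        else:
            entries.append(line.strip())
    services = {}
    for entry in entries:
        f = entry.split(None, 7)                 # 7 fixed columns, then command + args
        if len(f) == 8:
            services[(f[0], f[1])] = (f[7].split()[0], dict(re.findall(r"-o\s+(\w+)=(\S*)", f[7])))
    return services

def audit(master_text, main_cf):
    """Return sorted (service, finding) pairs for inet smtpd services on MUA ports."""
    findings = []
    for (name, kind), (command, opts) in parse_master(master_text).items():
        port = name.rsplit(":", 1)[-1]           # "192.0.2.1:465" -> "465"
        if kind != "inet" or command != "smtpd" or port not in MUA_PORTS:
            continue
        if port in IMPLICIT_TLS and opts.get("smtpd_tls_wrappermode") != "yes":
            findings.append((name, "smtpd_tls_wrappermode is not yes"))
        for param in ("smtpd_client_restrictions", "smtpd_relay_restrictions"):
            value = opts.get(param, main_cf.get(param, ""))   # no -o: main.cf applies
            value = re.sub(r"\$\{?(\w+)\}?", lambda m: main_cf.get(m.group(1), ""), value)
            if "permit_mynetworks" in re.split(r"[,\s]+", value):
                findings.append((name, param + " lists permit_mynetworks"))
    return sorted(findings)
```

On a live system the inputs would be the output of `postconf -Mf` and the parameter values reported by `postconf -n`, the two commands requested earlier in the thread.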