Hi! I can't send emails while using my Android smartphone + Outlook. Using Outlook on my Windows 10 PC on the same wifi connection works. Here is the debug log I can get:

Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: > pop.92-184-97-113.mobile.abo.orange.fr[92.184.97.113]: 220 Bienvenue sur le serveur mail xxxxx.yyy !
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: < pop.92-184-97-113.mobile.abo.orange.fr[92.184.97.113]: ????
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: > pop.92-184-97-113.mobile.abo.orange.fr[92.184.97.113]: 500 5.5.2 Error: bad UTF-8 syntax
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: < pop.92-184-97-113.mobile.abo.orange.fr[92.184.97.113]: ????
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: > pop.92-184-97-113.mobile.abo.orange.fr[92.184.97.113]: 500 5.5.2 Error: bad UTF-8 syntax
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: smtp_get: EOF
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: match_hostname: smtpd_client_event_limit_exceptions: pop.92-184-97-113.mobile.abo.orange.fr ~? 127.0.0.0/8
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: match_hostaddr: smtpd_client_event_limit_exceptions: 92.184.97.113 ~? 127.0.0.0/8
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: match_hostname: smtpd_client_event_limit_exceptions: pop.92-184-97-113.mobile.abo.orange.fr ~? [::ffff:127.0.0.0]/104
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: match_hostaddr: smtpd_client_event_limit_exceptions: 92.184.97.113 ~? [::ffff:127.0.0.0]/104
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: match_hostname: smtpd_client_event_limit_exceptions: pop.92-184-97-113.mobile.abo.orange.fr ~? [::1]/128
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: match_hostaddr: smtpd_client_event_limit_exceptions: 92.184.97.113 ~? [::1]/128
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: match_list_match: pop.92-184-97-113.mobile.abo.orange.fr: no match
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: match_list_match: 92.184.97.113: no match
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: send attr request = disconnect
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: send attr ident = submission:92.184.97.113
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: private/anvil: wanted attribute: status
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: input attribute name: status
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: input attribute value: 0
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: private/anvil: wanted attribute: (list terminator)
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: input attribute name: (end)
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: lost connection after CONNECT from pop.92-184-97-113.mobile.abo.orange.fr[92.184.97.113]
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: disconnect event to all milters
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: milter8_disc_event: quit milter inet:localhost:11332
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: disconnect from pop.92-184-97-113.mobile.abo.orange.fr[92.184.97.113] commands=0/0
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: free all milters
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: free milter inet:localhost:11332
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: master_notify: status 1
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: connection closed

This "500 5.5.2 Error: bad UTF-8 syntax" error can be displayed 5 or 6 times. Any clue?

Regards,
gdepre
On Wed, Mar 31, 2021 at 11:29:04PM +0200, [hidden email] wrote:

> I can't send emails while using my android smartphone + outlook.

Perhaps your phone is sending SMTP commands with non-ASCII data, but your Postfix server is not configured to support SMTPUTF8. However, more likely your phone is trying to use "implicit TLS" (rather than STARTTLS), and the non-ASCII data in question is the binary TLS client HELLO message.

> Here is the debug log I can get :

You have needlessly enabled debug logging, please turn it off, it is just a distraction.

> Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: <
> pop.92-184-97-113.mobile.abo.orange.fr[92.184.97.113]: ????

This is more likely to be TLS than a non-ASCII command.

> Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: <
> pop.92-184-97-113.mobile.abo.orange.fr[92.184.97.113]: ????

Ditto. A packet capture can confirm the hypothesis, but probably not necessary. Make sure the client is configured to do STARTTLS.

-- 
Viktor.
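Viktor's two hypotheses (non-ASCII SMTP command vs. a TLS ClientHello sent to a STARTTLS port) can be told apart from the first bytes the client sends, without a full packet capture. The Python below is an added example, not code from this thread or from Postfix: it classifies a client's first bytes as a TLS ClientHello, a plain SMTP command, or a line that is not valid UTF-8, and models why a STARTTLS-only smtpd that has SMTPUTF8 enabled answers a ClientHello with the same "500 5.5.2 Error: bad UTF-8 syntax" seen in the log (the reply strings and the '?' substitution in the logged line are modelled on the log shown in the thread, not copied from Postfix source). All sample inputs are constructed here.

```python
"""Classify the first bytes a client sends to a STARTTLS submission port.

Added example (not from the thread, not Postfix code). It reproduces the
diagnosis offline: a TLS ClientHello arriving on a plaintext SMTP port is
read by a line-oriented server as a "command line", fails UTF-8 validation
and gets "500 5.5.2 Error: bad UTF-8 syntax"; a real EHLO is plain ASCII.
Sample inputs are constructed here, not captured from the poster's phone.
"""
import re

TLS_CONTENT_HANDSHAKE = 0x16   # TLS record content type: handshake
TLS_HS_CLIENT_HELLO = 0x01     # handshake message type: ClientHello
SMTP_VERB = re.compile(rb"^[A-Za-z]{4}(?: |\r?\n|$)")  # "EHLO ", "QUIT\r\n", ...


def first_line(data: bytes) -> bytes:
    """Behave like a line-oriented SMTP reader: everything up to the first LF."""
    nl = data.find(b"\n")
    return data if nl < 0 else data[:nl + 1]


def is_tls_client_hello(data: bytes) -> bool:
    """TLS record header (type 0x16, version 0x03 0x0X, 2-byte length)
    followed by a handshake message of type ClientHello (0x01)."""
    return (len(data) >= 6
            and data[0] == TLS_CONTENT_HANDSHAKE
            and data[1] == 0x03 and data[2] <= 0x04
            and data[5] == TLS_HS_CLIENT_HELLO)


def valid_utf8(line: bytes) -> bool:
    try:
        line.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def printable(line: bytes, repl: str = "?") -> str:
    """Render a line for a log the way the thread's debug log shows it:
    every byte outside printable ASCII becomes '?' (assumption modelled on
    the '????' in the log, not taken from Postfix's own helper)."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else repl
                   for b in line.rstrip(b"\r\n"))


def classify(data: bytes) -> str:
    """'tls-client-hello' | 'smtp-command' | 'bad-utf8' | 'other'."""
    if is_tls_client_hello(data):
        return "tls-client-hello"
    line = first_line(data)
    if not valid_utf8(line):
        return "bad-utf8"
    if SMTP_VERB.match(line):
        return "smtp-command"
    return "other"


def server_reply(data: bytes, smtputf8_enable: bool = True) -> str:
    """Simplified model of what a STARTTLS-only smtpd answers to the first
    line. With SMTPUTF8 enabled the line must be valid UTF-8 (the check
    that produced the 500 in the thread); otherwise an unknown verb gets
    a 502. Reply texts are modelled on Postfix, not copied from it."""
    line = first_line(data)
    if smtputf8_enable and not valid_utf8(line):
        return "500 5.5.2 Error: bad UTF-8 syntax"
    if SMTP_VERB.match(line):
        return "250 OK"
    return "502 5.5.2 Error: command not recognized"


# Constructed samples. CLIENT_HELLO is a TLS record header carrying a TLS 1.2
# ClientHello with a deterministic "random" field; enough for the header checks.
CLIENT_HELLO = bytes.fromhex("16030100c4010000c00303") + bytes(range(32))
EHLO_ASCII = b"EHLO its.me.com\r\n"
EHLO_UTF8 = "EHLO caf\u00e9.example\r\n".encode("utf-8")     # valid non-ASCII
EHLO_LATIN1 = "EHLO caf\u00e9.example\r\n".encode("latin-1")  # invalid UTF-8

if __name__ == "__main__":
    for name, sample in [("ClientHello", CLIENT_HELLO), ("EHLO ascii", EHLO_ASCII),
                         ("EHLO utf-8", EHLO_UTF8), ("EHLO latin-1", EHLO_LATIN1)]:
        print(f"{name:13} {classify(sample):17} logged as: "
              f"{printable(first_line(sample))!r:28} reply: {server_reply(sample)}")
```

The Latin-1 EHLO is the case of Viktor's first hypothesis (a client sending a non-UTF-8 command); the ClientHello is the second, and both draw the same 500 from a server that validates command lines as UTF-8, which is why the log alone cannot distinguish them but the raw bytes can.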
Thx again Viktor for your helpful answer.

I use Outlook on my phone and I don't find anything that allows me to configure the connection negotiation protocol. I'll investigate this. Furthermore, I thought too that my server didn't support UTF8, but a telnet revealed that it does, as we can see in the telnet log below:

root@server:~# telnet mailserver.blabla.com 587
Trying www.xxx.yyy.zzz...
Connected to mailserver.blabla.com.
Escape character is '^]'.
220 Bienvenue sur le serveur mail blabla.com !
ehlo its.me.com
250-mailserver.blabla.com
250-PIPELINING
250-SIZE 104857600
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING

Regards,
Gaetan
On 31 Mar 2021, at 23:26, [hidden email] wrote:

> root@server:~# telnet mailserver.blabla.com 587

Does your server support port 465? That should be configured to always use SSL without the need for STARTTLS. Perhaps Outlook is simply not sending STARTTLS (which makes sense, as Outlook took over the 465 port ages ago).

I don't use Android, so I'm just guessing here, but enabling port 465 is simple enough and there is no reason not to do it.

-- 
Turning and turning in the widening gyre
The falcon cannot hear the falconer;
Thx for the reply.

I enabled port 465, but no chance. Still the same problem, only with Android/Outlook...

Apr  1 19:11:16 mail postfix/smtpd[14020]: connect from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:16 mail postfix/smtpd[14020]: lost connection after CONNECT from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:16 mail postfix/smtpd[14020]: disconnect from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164] commands=0/0
Apr  1 19:11:18 mail postfix/smtpd[14020]: connect from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:18 mail postfix/smtpd[14020]: lost connection after CONNECT from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:18 mail postfix/smtpd[14020]: disconnect from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164] commands=0/0
Apr  1 19:11:18 mail postfix/smtpd[14020]: connect from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:18 mail postfix/smtpd[14020]: lost connection after CONNECT from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:18 mail postfix/smtpd[14020]: disconnect from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164] commands=0/0
Apr  1 19:11:19 mail postfix/smtpd[14020]: connect from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:19 mail postfix/smtpd[14020]: lost connection after CONNECT from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:19 mail postfix/smtpd[14020]: disconnect from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164] commands=0/0
Apr  1 19:11:19 mail postfix/smtpd[14020]: connect from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:19 mail postfix/smtpd[14020]: lost connection after CONNECT from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:19 mail postfix/smtpd[14020]: disconnect from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164] commands=0/0
Apr  1 19:11:19 mail postfix/smtpd[14020]: connect from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:19 mail postfix/smtpd[14020]: lost connection after CONNECT from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:19 mail postfix/smtpd[14020]: disconnect from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164] commands=0/0
Apr  1 19:11:19 mail postfix/smtpd[14020]: connect from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:19 mail postfix/smtpd[14020]: lost connection after CONNECT from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:19 mail postfix/smtpd[14020]: disconnect from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164] commands=0/0
Apr  1 19:11:19 mail postfix/smtpd[14020]: connect from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:19 mail postfix/smtpd[14020]: lost connection after CONNECT from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:19 mail postfix/smtpd[14020]: disconnect from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164] commands=0/0
Apr  1 19:11:19 mail postfix/smtpd[14020]: connect from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:19 mail postfix/smtpd[14020]: lost connection after CONNECT from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164]
Apr  1 19:11:19 mail postfix/smtpd[14020]: disconnect from lfbn-nan-1-1-164.w90-49.abo.wanadoo.fr[90.49.0.164] commands=0/0

It's very annoying for sending emails... :/
> On Apr 1, 2021, at 1:38 PM, DEPRÉ Gaëtan - NGServers.com <[hidden email]> wrote:
>
> I enabled port 465, but no chance. Still the same problem, only with
> android/outlook...

This would be far more productive if you also post configuration details.

$ postconf -Mf
$ postconf -nf

-- 
Viktor.
You're right, Viktor.

See below:

smtp       inet  n       -       y       -       1       postscreen
    -o smtpd_sasl_auth_enable=no
smtpd      pass  -       -       y       -       -       smtpd
dnsblog    unix  -       -       y       -       0       dnsblog
tlsproxy   unix  -       -       y       -       0       tlsproxy
smtps      inet  n       -       y       -       -       smtpd
submission inet  n       -       y       -       -       smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=may
    -o smtpd_tls_auth_only=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_path=private/auth
    -o smtpd_sasl_security_options=noanonymous
    -o smtpd_client_restrictions=$mua_client_restrictions
    -o smtpd_sender_login_maps=$mua_sender_login_maps
    -o smtpd_sender_restrictions=$mua_sender_restrictions
    -o smtpd_relay_restrictions=$mua_relay_restrictions
    -o milter_macro_daemon_name=ORIGINATING
    -o smtpd_helo_required=no
    -o smtpd_helo_restrictions=
    -o cleanup_service_name=submission-header-cleanup
pickup     unix  n       -       y       60      1       pickup
cleanup    unix  n       -       y       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       y       1000?   1       tlsmgr
rewrite    unix  -       -       y       -       -       trivial-rewrite
bounce     unix  -       -       y       -       0       bounce
defer      unix  -       -       y       -       0       bounce
trace      unix  -       -       y       -       0       bounce
verify     unix  -       -       y       -       1       verify
flush      unix  n       -       y       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       y       -       -       smtp
relay      unix  -       -       y       -       -       smtp
showq      unix  n       -       y       -       -       showq
error      unix  -       -       y       -       -       error
retry      unix  -       -       y       -       -       error
discard    unix  -       -       y       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       y       -       -       lmtp
anvil      unix  -       -       y       -       1       anvil
scache     unix  -       -       y       -       1       scache
submission-header-cleanup unix n - n - 0 cleanup
    -o header_checks=regexp:/etc/postfix/submission_header_cleanup

alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 1h
bounce_template_file = /etc/postfix/bounce.cf
compatibility_level = 2
inet_interfaces = 127.0.0.1, ::1, ww.xx.yy.zz
local_recipient_maps = $virtual_mailbox_maps
mailbox_size_limit = 0
maximal_backoff_time = 15m
maximal_queue_lifetime = 1h
message_size_limit = 104857600
milter_default_action = accept
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_protocol = 6
minimal_backoff_time = 5m
mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject
mua_relay_restrictions = reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
mua_sender_login_maps = mysql:/etc/postfix/sql/sender-login-maps.cf
mua_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,check_sender_access mysql:/etc/postfix/sql/sender_checks.cf,reject
mydestination =
myhostname = mailserver.domain.dom
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
non_smtpd_milters = inet:localhost:11332
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access
postscreen_blacklist_action = drop
postscreen_dnsbl_action = drop
postscreen_dnsbl_sites = all.spam-rbl.fr*2, zen.spamhaus.org*3, bl.spameatingmonkey.net*2,
postscreen_dnsbl_threshold = 2
postscreen_greet_action = drop
queue_run_delay = 5m
recipient_delimiter = +
smtp_dns_support_level = dnssec
smtp_tls_ciphers = high
smtp_tls_loglevel = 2
smtp_tls_policy_maps = mysql:/etc/postfix/sql/tls-policy.cf
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = Bienvenue sur le serveur mail mailserver.domain.dom !
smtpd_client_restrictions = permit_mynetworks check_client_access hash:/etc/postfix/without_ptr reject_unknown_client_hostname
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
smtpd_milters = inet:localhost:11332
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/custom_replies check_recipient_access mysql:/etc/postfix/sql/recipient-access.cf check_policy_service inet:127.0.0.1:12340
smtpd_relay_restrictions = reject_non_fqdn_recipient permit_sasl_authenticated reject_unknown_recipient_domain permit_mynetworks reject_unauth_destination
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access
smtpd_tls_CAfile = /etc/letsencrypt/live/mail.ngservers.com/chain.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.ngservers.com/cert.pem
smtpd_tls_ciphers = high
smtpd_tls_key_file = /etc/letsencrypt/live/mail.ngservers.com/privkey.pem
smtpd_tls_protocols = !SSLv2, !SSLv3, TLSv1.1, TLSv1.2
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
tls_preempt_cipherlist = yes
tls_ssl_options = NO_COMPRESSION
virtual_alias_maps = mysql:/etc/postfix/sql/aliases.cf,mysql:/etc/postfix/sql/email2email.cf
virtual_mailbox_domains = mysql:/etc/postfix/sql/domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/sql/accounts.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp
On 1.04.2021 at 19:38:30 DEPRÉ Gaëtan - NGServers.com wrote:
>
> I enabled port 465, but no chance. Still the same problem, only with
> android/outlook...

Looks like you have to sniff network traffic to see what's actually going on...

-- 
Regards,
Jaroslaw Rafa
[hidden email]
--
"In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub."
On Thu, Apr 01, 2021 at 08:31:59PM +0200, DEPRÉ Gaëtan - NGServers.com wrote:

> You're right, Viktor.
>
> See below :
>
> smtp       inet  n       -       y       -       1       postscreen
>     -o smtpd_sasl_auth_enable=no
> smtpd      pass  -       -       y       -       -       smtpd
> dnsblog    unix  -       -       y       -       0       dnsblog
> tlsproxy   unix  -       -       y       -       0       tlsproxy
> smtps      inet  n       -       y       -       -       smtpd

Well there's your problem. You have neglected to enable TLS wrapper mode for the port 465 service, so it is still a STARTTLS service, but this time without all the settings appropriate for submission...

The stock master.cf file from postfix.org has:

    #smtps     inet  n       -       n       -       -       smtpd
    #  -o syslog_name=postfix/smtps
    #  -o smtpd_tls_wrappermode=yes
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
    #  -o smtpd_recipient_restrictions=
    #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING

Adjust as needed.

> submission inet  n       -       y       -       -       smtpd
>     -o syslog_name=postfix/submission
>     -o smtpd_tls_security_level=may
>     -o smtpd_tls_auth_only=yes
>     -o smtpd_sasl_auth_enable=yes
>     -o smtpd_sasl_type=dovecot
>     -o smtpd_sasl_path=private/auth
>     -o smtpd_sasl_security_options=noanonymous
>     -o smtpd_client_restrictions=$mua_client_restrictions
>     -o smtpd_sender_login_maps=$mua_sender_login_maps
>     -o smtpd_sender_restrictions=$mua_sender_restrictions
>     -o smtpd_relay_restrictions=$mua_relay_restrictions
>     -o milter_macro_daemon_name=ORIGINATING
>     -o smtpd_helo_required=no
>     -o smtpd_helo_restrictions=
>     -o cleanup_service_name=submission-header-cleanup
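Once smtps/465 runs with smtpd_tls_wrappermode=yes and submission/587 keeps smtpd_tls_auth_only=yes, two things are worth verifying from the outside: that 465 really speaks TLS from the first byte (a service that greets with a clear-text "220" banner is still a STARTTLS service, which is the misconfiguration diagnosed above), and that 587 advertises STARTTLS but does not advertise AUTH until after TLS, so no client can be talked into sending a password in the clear. The Python below is an added example, not code from the thread or from Postfix. The parse_ehlo() and check_*() functions work offline on transcripts constructed here (modelled on the EHLO reply posted earlier in the thread); the probe_*() functions do the live checks against a host you supply, and the hostname in the usage block is a placeholder.

```python
"""Verify a Postfix submission setup after the fix in this thread.

Added example (not from the thread, not Postfix code). Checks:
  * 465 must speak TLS from the first byte: a server that sends a plaintext
    "220" banner before the client says anything is still a STARTTLS service.
  * 587 must advertise STARTTLS, must NOT advertise AUTH before TLS, and
    must advertise AUTH after it (what smtpd_tls_auth_only=yes enforces).
parse_ehlo()/check_*() work offline on constructed transcripts; probe_*()
need network access and a real hostname.
"""
import socket
import ssl
import smtplib


def parse_ehlo(reply: bytes) -> dict:
    """Turn a multi-line '250' EHLO reply into {KEYWORD: [params]}.
    The first 250 line is the server's hostname greeting and is skipped."""
    lines = [l for l in reply.decode("ascii", "replace").splitlines()
             if l.startswith("250")]
    caps = {}
    for line in lines[1:]:
        parts = line[4:].split()          # strip "250-" / "250 "
        if parts:
            caps[parts[0].upper()] = parts[1:]
    return caps


def check_starttls_port(pre_tls: dict, post_tls: dict) -> list:
    """Findings for a 587-style service; an empty list means it is as expected.
    Keys are case-normalised so smtplib's lowercase esmtp_features work too."""
    pre = {k.upper() for k in pre_tls}
    post = {k.upper() for k in post_tls}
    findings = []
    if "STARTTLS" not in pre:
        findings.append("587: STARTTLS not advertised")
    if "AUTH" in pre:
        findings.append("587: AUTH advertised before TLS; "
                        "credentials could be sent in the clear")
    if "AUTH" not in post:
        findings.append("587: AUTH not advertised after STARTTLS")
    return findings


def classify_465_greeting(first_bytes: bytes) -> str:
    """What a client sees right after connecting to 465 without sending
    anything. A wrapper-mode server stays silent until the ClientHello;
    a STARTTLS server sends its 220 banner in the clear."""
    if first_bytes.startswith(b"220"):
        return "plaintext-banner"   # smtpd_tls_wrappermode is NOT in effect
    if not first_bytes:
        return "silent"             # consistent with implicit TLS
    return "unexpected"


def probe_465(host: str, port: int = 465, timeout: float = 5.0) -> str:
    """Live check: connect, wait briefly for a clear-text banner, then do a
    TLS handshake and read the banner inside TLS. Network access required."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(1.0)
        try:
            early = sock.recv(64)
        except socket.timeout:
            early = b""
        verdict = classify_465_greeting(early)
        if verdict != "silent":
            return f"{port}: {verdict} {early[:40]!r}"
        sock.settimeout(timeout)
        ctx = ssl.create_default_context()
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            banner = tls.recv(512).decode("ascii", "replace").strip()
        return f"{port}: implicit TLS ok, banner {banner!r}"


def probe_587(host: str, port: int = 587, timeout: float = 5.0) -> list:
    """Live check of the STARTTLS service. Network access required."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo("probe.example")
        pre = dict(smtp.esmtp_features)
        smtp.starttls(context=ssl.create_default_context())
        smtp.ehlo("probe.example")
        post = dict(smtp.esmtp_features)
    return check_starttls_port(pre, post)


# Constructed transcripts, based on the EHLO reply posted earlier in the
# thread (no AUTH before STARTTLS, as smtpd_tls_auth_only=yes requires).
PRE_TLS_REPLY = (b"250-mailserver.blabla.com\r\n250-PIPELINING\r\n"
                 b"250-SIZE 104857600\r\n250-VRFY\r\n250-ETRN\r\n250-STARTTLS\r\n"
                 b"250-ENHANCEDSTATUSCODES\r\n250-8BITMIME\r\n250-DSN\r\n"
                 b"250-SMTPUTF8\r\n250 CHUNKING\r\n")
# After STARTTLS: STARTTLS is no longer offered, AUTH is.
POST_TLS_REPLY = (PRE_TLS_REPLY.replace(b"250-STARTTLS\r\n", b"")
                  .replace(b"250 CHUNKING\r\n",
                           b"250-CHUNKING\r\n250 AUTH PLAIN LOGIN\r\n"))
# A misconfigured service that offers AUTH on the plaintext connection.
LEAKY_PRE_TLS_REPLY = PRE_TLS_REPLY.replace(
    b"250-STARTTLS\r\n", b"250-STARTTLS\r\n250-AUTH PLAIN LOGIN\r\n")

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "mailserver.blabla.com"  # placeholder
    print(probe_465(host))
    print(probe_587(host) or "587: STARTTLS/AUTH ordering as expected")
```

Run it as `python3 check_submission.py mail.example.net` from a host outside mynetworks; a "plaintext-banner" verdict on 465 reproduces exactly the state the config above was in before wrapper mode was enabled.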
Done!

The default for tls_wrappermode is 'no'. I changed the values. Bad to have to enable port 465 just for using Outlook mobile. I could change, but customers won't, and they would complain...

Thx again for your daily help, Viktor and everyone in this ML 😊
On 01.04.21 21:58, DEPRÉ Gaëtan - NGServers.com wrote:
> Default for tls_wrappermode is 'no'. I changed the values.

I hope you only changed the value of tls_wrappermode for smtps/465.

...and I hope you learned to read docs and proposed configs instead of blindly configuring something in master.cf ;-)

> Bad to have to enable 465 port just for using outlook mobile. I could change, but customers won't, and they would complain...

I have enabled port 465 for years. It has long been supported by many MSPs, e.g. google.
Outlook up to 2003 only supported STARTTLS on 25 and implicit TLS on other ports. I haven't tried mobile outlook.

Even with submission/587 with STARTTLS available, some considered 465 a better choice, since it's impossible to go without SSL negotiation.
And since RFC 8314, port 465 is a documented standard.

> Thx again for your daily help, Viktor and everyone in this ML 😊

> -----Original Message-----
> From: [hidden email] <[hidden email]> on behalf of Viktor Dukhovni
> Sent: Thursday, 1 April 2021 21:25
> To: [hidden email]
> Subject: Re: problem connecting from Outlook Android
>
> On Thu, Apr 01, 2021 at 08:31:59PM +0200, DEPRÉ Gaëtan - NGServers.com wrote:
>
>> You're right, Viktor.
>>
>> See below :
>>
>> smtp      inet  n       -       y       -       1       postscreen
>>     -o smtpd_sasl_auth_enable=no
>> smtpd     pass  -       -       y       -       -       smtpd
>> dnsblog   unix  -       -       y       -       0       dnsblog
>> tlsproxy  unix  -       -       y       -       0       tlsproxy
>> smtps     inet  n       -       y       -       -       smtpd
>
> Well there's your problem. You have neglected to enable TLS wrapper mode for the port 465 service, so it is still a STARTTLS service, but this time without all the settings appropriate for submission...
>
> The stock master.cf file from postfix.org has:
>
> #smtps     inet  n       -       n       -       -       smtpd
> #  -o syslog_name=postfix/smtps
> #  -o smtpd_tls_wrappermode=yes
> #  -o smtpd_sasl_auth_enable=yes
> #  -o smtpd_reject_unlisted_recipient=no
> #  -o smtpd_client_restrictions=$mua_client_restrictions
> #  -o smtpd_helo_restrictions=$mua_helo_restrictions
> #  -o smtpd_sender_restrictions=$mua_sender_restrictions
> #  -o smtpd_recipient_restrictions=
> #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
> #  -o milter_macro_daemon_name=ORIGINATING

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Fucking windows! Bring Bill Gates! (Southpark the movie)
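The log at the top of the thread (a `????` command logged right after CONNECT, `500 5.5.2 Error: bad UTF-8 syntax`, then `commands=0/0`) is the fingerprint of exactly the mismatch Viktor describes: a client that speaks implicit TLS to a service that expects plaintext SMTP and STARTTLS. The following Python is an added example written for this page, not code from Postfix or from any poster. It assumes, which the thread does not state outright, that the `????` bytes are a TLS ClientHello; the ClientHello bytes, the log excerpt and the `client.example`/`laptop.example` hosts are all constructed, and the UTF-8 check models smtpd's behaviour when `smtputf8_enable=yes`.

```python
"""Spot the 'bad UTF-8 syntax right after CONNECT' pattern in Postfix logs.

Added example for this thread, not code from Postfix or from any poster.
Assumption (not stated on the page): a client configured for implicit TLS
that connects to a STARTTLS service sends a TLS ClientHello as its first
bytes; smtpd reads that as an SMTP command line full of non-ASCII bytes,
logs it as '????' and, with smtputf8_enable=yes, answers
'500 5.5.2 Error: bad UTF-8 syntax'. All sample data below is constructed.
"""
import re
from collections import defaultdict

TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
TLS_CLIENT_HELLO = 0x01   # handshake message type: ClientHello

BAD_UTF8_REPLY = "500 5.5.2 Error: bad UTF-8 syntax"
LOG_RE = re.compile(
    r"postfix/(?:(?P<service>[^\s/]+)/)?smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
DISCONNECT_RE = re.compile(
    r"^disconnect from (?P<client>\S+)\s.*?commands=(?P<ok>\d+)(?:/(?P<total>\d+))?")


def classify_first_bytes(data: bytes) -> str:
    """Say what a client is speaking from the first bytes it sends."""
    if (len(data) >= 6 and data[0] == TLS_HANDSHAKE
            and data[1] == 0x03 and data[5] == TLS_CLIENT_HELLO):
        return "tls-clienthello"   # implicit TLS: needs smtpd_tls_wrappermode=yes (465)
    if data[:4].upper() in (b"EHLO", b"HELO") and data.isascii():
        return "smtp-command"      # plaintext SMTP that can STARTTLS later (587)
    return "unknown"


def is_valid_utf8(data: bytes) -> bool:
    """The check smtpd applies to each command line when smtputf8_enable=yes."""
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def find_wrapper_mismatches(lines):
    """Group smtpd lines per (service, pid) and flag sessions that got the
    bad-UTF-8 reply and closed without one valid command (commands=0/0).
    That combination is a TLS/plaintext mismatch, not a character-set
    problem in the mail itself."""
    sessions = defaultdict(int)   # (service, pid) -> bad-UTF-8 replies seen
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        key = (m["service"] or "smtpd", m["pid"])
        msg = m["msg"]
        if msg.startswith(">") and BAD_UTF8_REPLY in msg:
            sessions[key] += 1
        d = DISCONNECT_RE.match(msg)
        if d:
            total = int(d["total"] if d["total"] is not None else d["ok"])
            if sessions[key] and total == 0:
                hits.append({"service": key[0], "pid": key[1],
                             "client": d["client"],
                             "bad_utf8_replies": sessions[key]})
            del sessions[key]     # the pid is reused for the next session
    return hits


# Constructed: first 24 bytes of a TLS 1.2 ClientHello (record header,
# handshake header, client version, start of the 32-byte random).
SAMPLE_CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0xc4, 0x01, 0x00, 0x00,
                             0xc0, 0x03, 0x03]) + bytes(range(0x80, 0x8d))

# Constructed log excerpt: an implicit-TLS client on the STARTTLS submission
# service, then a normal STARTTLS+AUTH session that must not be flagged.
SAMPLE_LOG = """\
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: connect from client.example[192.0.2.10]
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: > client.example[192.0.2.10]: 220 mail.example ESMTP
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: < client.example[192.0.2.10]: ????
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: > client.example[192.0.2.10]: 500 5.5.2 Error: bad UTF-8 syntax
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: < client.example[192.0.2.10]: ????
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: > client.example[192.0.2.10]: 500 5.5.2 Error: bad UTF-8 syntax
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: lost connection after CONNECT from client.example[192.0.2.10]
Mar 31 23:23:00 mail postfix/submission/smtpd[23279]: disconnect from client.example[192.0.2.10] commands=0/0
Mar 31 23:24:10 mail postfix/submission/smtpd[23301]: connect from laptop.example[192.0.2.11]
Mar 31 23:24:10 mail postfix/submission/smtpd[23301]: < laptop.example[192.0.2.11]: EHLO laptop
Mar 31 23:24:12 mail postfix/submission/smtpd[23301]: disconnect from laptop.example[192.0.2.11] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
"""

if __name__ == "__main__":
    print(classify_first_bytes(SAMPLE_CLIENT_HELLO), is_valid_utf8(SAMPLE_CLIENT_HELLO))
    for hit in find_wrapper_mismatches(SAMPLE_LOG.splitlines()):
        print(hit)
```

Against a live server, pass `open("/var/log/mail.log")` to `find_wrapper_mismatches`; a hit on the `submission` service means a client configured for "SSL/TLS" on 587, a hit on `smtps` means the 465 service is missing `smtpd_tls_wrappermode=yes`, which is the case Viktor spotted in the master.cf above.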
On 01 Apr 2021, at 12:31, DEPRÉ Gaëtan - NGServers.com <[hidden email]> wrote:
> mua_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject
> mua_relay_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, reject

I know your problem with smtps is solved, but I noticed that you are allowing unauthenticated mynetworks to submit mail. This is not a good idea and opens you up to poorly written or malicious local scripts. You should require authentication for ANYONE sending mail out from your machine, even if they are a script on localhost.

I don't know why you are using mua_* but that's a different issue.

--
The cat turned and tried to find a place of safety in the suit's breastplate. He was beginning to doubt he'd make it through the knight.
On 2021-04-03 11:55, @lbutlr wrote:
> On 01 Apr 2021, at 12:31, DEPRÉ Gaëtan - NGServers.com <[hidden email]> wrote:
>> mua_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject
>> mua_relay_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, reject
>
> I know your problem with smtps is solved, but I noticed that you are allowing unauthenticated mynetworks to submit mail.
>
> This is not a good idea and opens you up to poorly written or malicious local scripts. You should require authentication for ANYONE sending mail out from your machine, even if they are a script on localhost.

Agreed.

> I don't know why you are using mua_* but that's a different issue.

mua_mumble_restrictions are the default for submission and smtps (submissions) in recent master.cf examples. The idea is, override each smtpd_mumble_restrictions stage in master.cf, so if you add some new restrictions for port 25, submission/submissions are not affected.

Note that if mua_client_restrictions (or whatever) is not set, you get " -o smtpd_client_restrictions=", empty, which is probably what you want. It also makes it easy to set whatever submission-only restrictions you might want.

I do think these examples might be better documented, along with a README to explain why it's a good idea to require AUTH for all submission. If someone nags me enough I might try to start a first draft thereof. :)

--
http://rob0.nodns4.us/
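The three points made above (wrapper mode missing on the 465 service, permit_mynetworks letting unauthenticated local clients submit, and a `-o` override that names an unset mua_* variable and so leaves that stage empty) are all visible in the static configuration, so they can be linted before a client ever connects. The following Python is an added example written for this page, not Postfix code and not any poster's files. Its two parsers read only what the lint needs and do not model Postfix built-in defaults, so feed them `postconf -n` style output; both sample configurations are constructed, the weak one shaped like the thread's, the hardened one following the stock master.cf entries Viktor quoted with permit_mynetworks removed.

```python
"""Lint a Postfix master.cf/main.cf pair for the submission mistakes discussed
in this thread. Added example, not Postfix code; built-in defaults are not
modelled (feed 'postconf -n' output); the sample configs are constructed."""
import re

VAR_RE = re.compile(r"\$\{?(\w+)\}?")
# service name -> does this port need smtpd_tls_wrappermode=yes (implicit TLS)?
SUBMISSION_SERVICES = {"submission": False, "submissions": True, "smtps": True}


def parse_main_cf(text):
    """'name = value' lines; a line starting with whitespace continues the last one."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last is not None:
            params[last] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params


def parse_master_cf(text):
    """One service per unindented line; indented '-o name=value' lines override main.cf."""
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            m = re.match(r"\s*-o\s+([^=\s]+)=(\S*)", raw)
            if m and current is not None:
                current["options"][m.group(1)] = m.group(2)
            continue
        fields = raw.split()
        current = {"type": fields[1], "options": {}}
        services[fields[0]] = current
    return services


def effective(param, service, main):
    """Value smtpd sees for this service: -o override, else main.cf, with
    $name references expanded from main.cf (an unset name expands to '')."""
    raw = service["options"].get(param, main.get(param, ""))
    return VAR_RE.sub(lambda m: main.get(m.group(1), ""), raw)


def restrictions(value):
    return [r for r in re.split(r"[,\s]+", value) if r]


def audit_submission(main, master):
    """Return (service, code, explanation) findings for the submission services."""
    findings = []
    for name, needs_wrapper in SUBMISSION_SERVICES.items():
        svc = master.get(name)
        if svc is None or svc["type"] != "inet":
            continue
        if needs_wrapper and effective("smtpd_tls_wrappermode", svc, main) != "yes":
            findings.append((name, "no-wrappermode", "implicit-TLS port is served as STARTTLS"))
        if effective("smtpd_sasl_auth_enable", svc, main) != "yes":
            findings.append((name, "no-sasl", "AUTH is not offered on a submission service"))
        for stage in ("client", "helo", "sender", "relay"):
            rules = restrictions(effective(f"smtpd_{stage}_restrictions", svc, main))
            if "permit_mynetworks" in rules:
                findings.append((name, f"{stage}-permit_mynetworks",
                                 "unauthenticated mynetworks clients may submit"))
        relay = restrictions(effective("smtpd_relay_restrictions", svc, main))
        if "permit_sasl_authenticated" not in relay or relay[-1] != "reject":
            findings.append((name, "relay-not-auth-only",
                             "relay stage should end with permit_sasl_authenticated, reject"))
        for param, value in svc["options"].items():
            for var in VAR_RE.findall(value):
                if var not in main:
                    findings.append((name, "unset-variable",
                                     f"{param} references ${var}, which is unset: stage is empty"))
    return findings


# Constructed, shaped like the thread: smtps added without wrapper mode,
# permit_mynetworks in the mua_* lists, mua_helo_restrictions never defined.
WEAK_MAIN_CF = """\
mynetworks = 127.0.0.0/8 [::1]/128
smtpd_sasl_auth_enable = no
mua_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject
mua_relay_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain,
    permit_mynetworks, permit_sasl_authenticated, reject
"""
WEAK_MASTER_CF = """\
submission inet  n  -  y  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_relay_restrictions=$mua_relay_restrictions
smtps      inet  n  -  y  -  -  smtpd
"""
# Constructed hardened pair: wrapper mode on 465, AUTH required on both,
# no permit_mynetworks, every mua_* variable the overrides name is defined.
HARD_MAIN_CF = """\
mynetworks = 127.0.0.0/8 [::1]/128
smtpd_sasl_auth_enable = no
mua_client_restrictions = permit_sasl_authenticated, reject
mua_helo_restrictions = permit_sasl_authenticated, reject
mua_sender_restrictions = permit_sasl_authenticated, reject
mua_relay_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain,
    permit_sasl_authenticated, reject
"""
MUA_OPTIONS = """\
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=$mua_relay_restrictions
"""
HARD_MASTER_CF = ("submission inet  n  -  y  -  -  smtpd\n"
                  "  -o syslog_name=postfix/submission\n" + MUA_OPTIONS +
                  "smtps      inet  n  -  y  -  -  smtpd\n"
                  "  -o syslog_name=postfix/smtps\n"
                  "  -o smtpd_tls_wrappermode=yes\n" + MUA_OPTIONS)

if __name__ == "__main__":
    for finding in audit_submission(parse_main_cf(WEAK_MAIN_CF), parse_master_cf(WEAK_MASTER_CF)):
        print(*finding, sep=": ")
```

The `unset-variable` finding is rob0's point turned into a check: an override such as `-o smtpd_helo_restrictions=$mua_helo_restrictions` with no `mua_helo_restrictions` in main.cf is harmless for the client or helo stage, but the same pattern on the relay stage would leave submission with no relay policy at all, which the `relay-not-auth-only` check catches.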