On 6/7/2013 4:26 PM, DTNX Postmaster wrote:
On Jun 8, 2013, at 00:47, Noel Jones <njo...@megan.vbhcs.org> wrote:

On 6/7/2013 3:28 PM, Asai wrote:
Greetings,

We're starting to incorporate iPhone users into our email system.
Sometimes we seem to be having trouble with mail being delayed for a
long time before the phone will connect to the server and send the
mail.  I don't really have any idea what this is.  I've looked
through the logs, but I'm not seeing anything really telling.  I
have recently turned on TLS debugging and hope to glean something
useful from that.  We have SSL turned on on the iPhone, but do not
have the so-called wrapper mode turned on, and it seems to be
working fine in most cases.  Does anyone have any experience with
managing iPhones and Postfix who can share with me something of value?

Thank you.

I only have a dozen or so iPhone users and don't use one myself, so
don't consider me an expert on this. It's also possible my users
have these problems and just haven't said anything. Anyway, here's
some random thoughts...

- don't use tls debug higher than level 1 unless you are willing to
dig into openssl source code.

- make sure your master.cf submission entry has
  -o syslog_name=postfix/submission
so you can tell what port they're connecting to.

- if they're connecting to port 25, postscreen will interfere,
causing significant delays or preventing it from working at all.

- enable the wrappermode/smtps port if you haven't already.  Seems
some of my iPhone users connect on that port despite instructions
that make no mention of it. I don't know why, and don't really care;
there is no difference in security/speed/whatever. I always enable
smtps because it reduces end-user frustration. The only downside is
"it's not a standard". Use the same settings as submission except
for the addition of
  -o smtpd_tls_wrappermode=yes
  -o syslog_name=postfix/smtps



HTH, and have a good weekend.

The Mail.app applications on iOS (iPhones or iPads) or OS X will
attempt to autodetect the port to connect to; 25, 465, and 587. It
works just fine over the submission port (587) without enabling the
SMTPS port (465), and the autodetection can be overridden in the
settings if needs be;

Settings > Mail, Contacts, Calendars > [accountname] > Account >
Outgoing Mail Server (SMTP) > Primary Server > Server Port

That's the case on iOS 6; earlier versions might differ slightly in
option names, but offer a similar override. Make sure your own SMTP
server is in fact the primary server, by the way, and not one of the
'Other SMTP Servers'.

This is what the submission service definition on one of our servers
looks like;

==
# Submission service for use by our clients
submission      inet    n       -       n       -       128     smtpd
        -o smtpd_tls_security_level=encrypt
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        -o smtpd_data_restrictions=permit_sasl_authenticated,reject
        -o smtpd_proxy_filter=127.0.0.1:10025
==

It is important to note that we have separate relay servers; the
mailbox servers clients connect to never open anything but the
submission port (587), and there is therefore never a problem with
clients trying to connect to postscreen on port 25. A similar setup can
be achieved by moving the submission service to a separate IP address,
if possible.

Do however make sure that it is in fact your Postfix configuration, and
not a DNS issue of some sort. Test with an iPhone or iPad that has the
server port set manually, and see if the problem disappears. If it does
not, the problem might be elsewhere.

Other than that, there should not really be any compatibility issues
with iOS devices talking to Postfix, as long as your DNS and such is in
order.

HTH,
Jona

Thank you for your generous responses.

I do have the client's iPhone set to port 587; however, I'm still wondering if the iPhone is trying to connect via SMTPS or port 25 (which is not available). I would like to try setting up SMTP wrapper mode, but does that in any way disable or interfere with the submission port and TLS? From reading the Postfix docs I was not sure whether it would override TLS or not.

Also, I will check into the DNS situation.

--Asai

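The thread's suggestion of setting a distinct syslog_name per master.cf service makes it possible to read from the mail log which entry point each client actually used. The following is an added example, not code from any of the posters: it assumes the syslog_name values postfix/submission and postfix/smtps mentioned above, and the log lines and addresses in it are constructed samples.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (documentation IP ranges, made-up PIDs and queue IDs).
SAMPLE_LOG = """\
Jun  7 15:28:01 mail postfix/submission/smtpd[2101]: connect from unknown[192.0.2.10]
Jun  7 15:28:03 mail postfix/submission/smtpd[2101]: 4A1B2C3D4E: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.com
Jun  7 15:28:05 mail postfix/submission/smtpd[2101]: disconnect from unknown[192.0.2.10]
Jun  7 15:30:12 mail postfix/smtps/smtpd[2107]: connect from unknown[192.0.2.11]
Jun  7 15:31:40 mail postfix/postscreen[1999]: CONNECT from [192.0.2.12]:50312 to [198.51.100.5]:25
Jun  7 15:31:46 mail postfix/postscreen[1999]: PASS NEW [192.0.2.12]:50312
Jun  7 15:40:02 mail postfix/smtpd[2150]: connect from unknown[192.0.2.12]
Jun  7 15:45:09 mail postfix/submission/smtpd[2160]: connect from unknown[192.0.2.10]
"""

# Labels used when a line carries no per-service syslog_name (hypothetical names).
DEFAULT_SMTPD = "smtpd (no syslog_name)"
POSTSCREEN = "postscreen"

# smtpd "connect from host[ip]"; the service part exists only if syslog_name was set.
SMTPD_RE = re.compile(
    r" postfix/(?:(?P<svc>[\w-]+)/)?smtpd\[\d+\]: connect from \S*?\[(?P<ip>[^\]]+)\]"
)
# postscreen logs its own CONNECT line for every client arriving on its port.
POSTSCREEN_RE = re.compile(
    r" postfix/postscreen\[\d+\]: CONNECT from \[(?P<ip>[^\]]+)\]:\d+ to "
)

def entry_points(log_text):
    """Return {client_ip: {service_label: connection_count}}."""
    seen = defaultdict(Counter)
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if m:
            seen[m["ip"]][m["svc"] or DEFAULT_SMTPD] += 1
            continue
        m = POSTSCREEN_RE.search(line)
        if m:
            seen[m["ip"]][POSTSCREEN] += 1
    return {ip: dict(counts) for ip, counts in seen.items()}

if __name__ == "__main__":
    for ip, counts in sorted(entry_points(SAMPLE_LOG).items()):
        print(ip, counts)
```

A client that shows up under postscreen or the unlabelled smtpd is arriving through a service that has no syslog_name override, which is the situation the thread ties to delays.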