On Mon, Aug 14, 2017 at 02:53:23PM +0400, Mohammed Khalid Ansari wrote:

> I have configured my postfix to run on 587. When I choose connection type as
> 'STARTTLS' everything is fine but when I choose 'SSL/TLS', the client throws
> error. 

That's expected, since port 587 is SMTP with STARTTLS negotiation.
SMTP inside TLS is typically on port 465.

    http://www.postfix.org/TLS_README.html#server_enable

    TLS is sometimes used in the non-standard "wrapper" mode where
    a server always uses TLS, instead of announcing STARTTLS support
    and waiting for remote SMTP clients to request TLS service.
    Some clients, namely Outlook [Express] prefer the "wrapper"
    mode. This is true for OE (Win32 < 5.0 and Win32 >=5.0 when
    run on a port<>25 and OE (5.01 Mac on all ports).

    It is strictly discouraged to use this mode from main.cf. If
    you want to support this service, enable a special port in
    master.cf and specify "-o smtpd_tls_wrappermode=yes" (note: no
    space around the "=") as an smtpd(8) command line option. Port
    465 (smtps) was once chosen for this feature.

The sample master.cf file distributed with Postfix source code
contains:

    #smtps     inet  n       -       n       -       -       smtpd
    #  -o syslog_name=postfix/smtps
    #  -o smtpd_tls_wrappermode=yes
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
    #  -o smtpd_recipient_restrictions=
    #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING

Just remove the "#" comment characters, and if necessary add
appropriate settings for the "mua_..." parameters to main.cf.

Note that there are some in the IETF who are trying to promote and
standardize port 465 for email submission:

    https://tools.ietf.org/html/draft-ietf-uta-email-deep-08#section-3

While this may end up in a final published RFC, it probably won't
have much of an impact on the deployed base of submission servers
for quite some time.

> I can configure 'STARTTLS' in outlook and proceed but on my cell phone I
> don't have that option and hence not able to connect.

IIRC mobile phones that do email and the like do support STARTTLS; your
problem may be with the phone not accepting the server certificate.

Post the logs from your server associated with connections from
your phone.

-- 
        Viktor.
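
An added example, not part of the original message: a small probe that tells a STARTTLS listener (plaintext 220 greeting, as on port 587) from a wrapper-mode listener (silent until the TLS handshake, as with smtpd_tls_wrappermode=yes). The function names and the EHLO name `probe.example` are hypothetical, and a server that greets later than `wait` seconds would be misreported as wrapper mode.

```python
import socket
import ssl

def read_reply(sock):
    """Read one SMTP reply (possibly multi-line) and return its lines."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
        # The final line of a reply has a space, not "-", after the code.
        if buf.endswith(b"\r\n") and buf.split(b"\r\n")[-2][3:4] != b"-":
            break
    return [l.decode("ascii", "replace") for l in buf.split(b"\r\n") if l]

def classify(sock, wait=3.0):
    """Return 'starttls', 'plaintext-only', 'wrapper?' or 'unknown'."""
    sock.settimeout(wait)
    try:
        greeting = read_reply(sock)
    except socket.timeout:
        # Silence: the server is probably waiting for a TLS ClientHello,
        # which is how an smtpd_tls_wrappermode=yes listener behaves.
        return "wrapper?"
    if not greeting or not greeting[0].startswith("220"):
        return "unknown"
    # Plaintext 220 greeting: this is what an 'SSL/TLS' client chokes on.
    sock.sendall(b"EHLO probe.example\r\n")  # hypothetical client name
    ehlo = read_reply(sock)
    offered = any(l[4:].upper().startswith("STARTTLS") for l in ehlo)
    return "starttls" if offered else "plaintext-only"

def probe(host, port, wait=3.0):
    """Classify host:port; confirm wrapper mode with a verified handshake."""
    with socket.create_connection((host, port), timeout=wait) as s:
        kind = classify(s, wait)
    if kind != "wrapper?":
        return kind
    ctx = ssl.create_default_context()  # verifies certificate chain and name
    with socket.create_connection((host, port), timeout=wait) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            reply = read_reply(tls)
    return "wrapper" if reply and reply[0].startswith("220") else "unknown"
```

When `probe()` reaches the handshake step and the server certificate does not validate, it raises `ssl.SSLCertVerificationError`, which is the same class of failure suggested above for the phone.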
