Done!

Default for tls_wrappermode is 'no'. I changed the values.

Bad to have to enable port 465 just for using Outlook mobile. I could change, 
but customers won't, and they would complain...

Thx again for your daily help, Viktor and everyone in this ML 😊

-----Original Message-----
From: owner-postfix-us...@postfix.org <owner-postfix-us...@postfix.org> On behalf of Viktor Dukhovni
Sent: Thursday, April 1, 2021 21:25
To: postfix-users@postfix.org
Subject: Re: problem connecting from Outlook Android

On Thu, Apr 01, 2021 at 08:31:59PM +0200, DEPRÉ Gaëtan - NGServers.com wrote:

> You're right, Viktor.
> 
> See below :
> 
> smtp       inet  n       -       y       -       1       postscreen
>     -o smtpd_sasl_auth_enable=no
> smtpd      pass  -       -       y       -       -       smtpd
> dnsblog    unix  -       -       y       -       0       dnsblog
> tlsproxy   unix  -       -       y       -       0       tlsproxy
> smtps      inet  n       -       y       -       -       smtpd

Well there's your problem.  You have neglected to enable TLS wrapper mode for 
the port 465 service, so it is still a STARTTLS service, but this time without 
all the settings appropriate for submission...

The stock master.cf file from postfix.org has:

    #smtps     inet  n       -       n       -       -       smtpd
    #  -o syslog_name=postfix/smtps
    #  -o smtpd_tls_wrappermode=yes
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
    #  -o smtpd_recipient_restrictions=
    #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING

Adjust as needed.

> submission inet  n       -       y       -       -       smtpd
>     -o syslog_name=postfix/submission
>     -o smtpd_tls_security_level=may
>     -o smtpd_tls_auth_only=yes
>     -o smtpd_sasl_auth_enable=yes
>     -o smtpd_sasl_type=dovecot
>     -o smtpd_sasl_path=private/auth
>     -o smtpd_sasl_security_options=noanonymous
>     -o smtpd_client_restrictions=$mua_client_restrictions
>     -o smtpd_sender_login_maps=$mua_sender_login_maps
>     -o smtpd_sender_restrictions=$mua_sender_restrictions
>     -o smtpd_relay_restrictions=$mua_relay_restrictions
>     -o milter_macro_daemon_name=ORIGINATING
>     -o smtpd_helo_required=no
>     -o smtpd_helo_restrictions=
>     -o cleanup_service_name=submission-header-cleanup
> pickup     unix  n       -       y       60      1       pickup
> cleanup    unix  n       -       y       -       0       cleanup
> qmgr       unix  n       -       n       300     1       qmgr
> tlsmgr     unix  -       -       y       1000?   1       tlsmgr
> rewrite    unix  -       -       y       -       -       trivial-rewrite
> bounce     unix  -       -       y       -       0       bounce
> defer      unix  -       -       y       -       0       bounce
> trace      unix  -       -       y       -       0       bounce
> verify     unix  -       -       y       -       1       verify
> flush      unix  n       -       y       1000?   0       flush
> proxymap   unix  -       -       n       -       -       proxymap
> proxywrite unix  -       -       n       -       1       proxymap
> smtp       unix  -       -       y       -       -       smtp
> relay      unix  -       -       y       -       -       smtp
> showq      unix  n       -       y       -       -       showq
> error      unix  -       -       y       -       -       error
> retry      unix  -       -       y       -       -       error
> discard    unix  -       -       y       -       -       discard
> local      unix  -       n       n       -       -       local
> virtual    unix  -       n       n       -       -       virtual
> lmtp       unix  -       -       y       -       -       lmtp
> anvil      unix  -       -       y       -       1       anvil
> scache     unix  -       -       y       -       1       scache
> submission-header-cleanup unix n - n     -       0       cleanup
>     -o header_checks=regexp:/etc/postfix/submission_header_cleanup
> 
> 
> 
> 
> alias_maps = hash:/etc/aliases
> append_dot_mydomain = no
> biff = no
> bounce_queue_lifetime = 1h
> bounce_template_file = /etc/postfix/bounce.cf
> compatibility_level = 2
> inet_interfaces = 127.0.0.1, ::1, ww.xx.yy.zz
> local_recipient_maps = $virtual_mailbox_maps
> mailbox_size_limit = 0
> maximal_backoff_time = 15m
> maximal_queue_lifetime = 1h
> message_size_limit = 104857600
> milter_default_action = accept
> milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
> milter_protocol = 6
> minimal_backoff_time = 5m
> mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject
> mua_relay_restrictions =
>     reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
> mua_sender_login_maps = mysql:/etc/postfix/sql/sender-login-maps.cf
> mua_sender_restrictions =
>     permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,check_sender_access
>     mysql:/etc/postfix/sql/sender_checks.cf,reject
> mydestination =
> myhostname = mailserver.domain.dom
> mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
> non_smtpd_milters = inet:localhost:11332
> postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access
> postscreen_blacklist_action = drop
> postscreen_dnsbl_action = drop
> postscreen_dnsbl_sites = all.spam-rbl.fr*2, zen.spamhaus.org*3,
>     bl.spameatingmonkey.net*2,
> postscreen_dnsbl_threshold = 2
> postscreen_greet_action = drop
> queue_run_delay = 5m
> recipient_delimiter = +
> smtp_dns_support_level = dnssec
> smtp_tls_ciphers = high
> smtp_tls_loglevel = 2
> smtp_tls_policy_maps = mysql:/etc/postfix/sql/tls-policy.cf
> smtp_tls_security_level = dane
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtpd_banner = Bienvenue sur le serveur mail mailserver.domain.dom !
> smtpd_client_restrictions = permit_mynetworks check_client_access
>     hash:/etc/postfix/without_ptr reject_unknown_client_hostname
> smtpd_data_restrictions = reject_unauth_pipelining
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks reject_invalid_helo_hostname
>     reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
> smtpd_milters = inet:localhost:11332
> smtpd_recipient_restrictions = check_recipient_access
>     hash:/etc/postfix/custom_replies check_recipient_access
>     mysql:/etc/postfix/sql/recipient-access.cf check_policy_service
>     inet:127.0.0.1:12340
> smtpd_relay_restrictions = reject_non_fqdn_recipient permit_sasl_authenticated
>     reject_unknown_recipient_domain permit_mynetworks reject_unauth_destination
> smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access
> smtpd_tls_CAfile = /etc/letsencrypt/live/mail.ngservers.com/chain.pem
> smtpd_tls_cert_file = /etc/letsencrypt/live/mail.ngservers.com/cert.pem
> smtpd_tls_ciphers = high
> smtpd_tls_key_file = /etc/letsencrypt/live/mail.ngservers.com/privkey.pem
> smtpd_tls_protocols = !SSLv2, !SSLv3, TLSv1.1, TLSv1.2
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> tls_high_cipherlist =
>     EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
> tls_preempt_cipherlist = yes
> tls_ssl_options = NO_COMPRESSION
> virtual_alias_maps =
>     mysql:/etc/postfix/sql/aliases.cf,mysql:/etc/postfix/sql/email2email.cf
> virtual_mailbox_domains = mysql:/etc/postfix/sql/domains.cf
> virtual_mailbox_maps = mysql:/etc/postfix/sql/accounts.cf
> virtual_transport = lmtp:unix:private/dovecot-lmtp
> 
> -----Original Message-----
> From: owner-postfix-us...@postfix.org <owner-postfix-us...@postfix.org> On behalf of Viktor Dukhovni
> Sent: Thursday, April 1, 2021 19:41
> To: Postfix users <postfix-users@postfix.org>
> Subject: Re: problem connecting from Outlook Android
> 
> 
> 
> > On Apr 1, 2021, at 1:38 PM, DEPRÉ Gaëtan - NGServers.com 
> > <gde...@ngservers.com> wrote:
> > 
> > I enabled port 465, but no chance. Still the same problem, only with 
> > android/outlook...
> 
> This would be far more productive if you also post configuration details.
> 
>       $ postconf -Mf
>       $ postconf -nf
> 
> -- 
>       Viktor.
> 
> 

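The misconfiguration diagnosed in this thread (an smtps listener running smtpd with no TLS wrapper mode) can be caught by a small audit of `postconf -Mf` output. The following is an added example, not code from the thread or from the Postfix project; the function names are hypothetical, the two sample configurations are constructed from lines quoted above, and only the `-o name=value` override form is handled.

```python
import re

# Overrides the stock smtps entry quoted in the thread sets besides wrapper mode.
STOCK_EXTRA = ("smtpd_sasl_auth_enable", "smtpd_relay_restrictions")

# Constructed samples: BROKEN mirrors the poster's bare smtps line, FIXED the stock entry.
BROKEN = """\
smtp       inet  n       -       y       -       1       postscreen
smtps      inet  n       -       y       -       -       smtpd
submission inet  n       -       y       -       -       smtpd
    -o smtpd_sasl_auth_enable=yes
"""
FIXED = """\
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
"""

def parse_master(text):
    """Map (service, type) -> command and its '-o name=value' overrides."""
    services, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and key:           # continuation of the previous entry
            services[key]["args"] += " " + raw.strip()
            continue
        f = raw.split(None, 8)                 # 8 fixed fields, then arguments
        if len(f) >= 8:
            key = (f[0], f[1])
            services[key] = {"command": f[7], "args": f[8] if len(f) > 8 else ""}
    for svc in services.values():
        svc["opts"] = dict(re.findall(r"-o\s+([\w.]+)=(\S*)", svc["args"]))
    return services

def audit_smtps(text):
    """Return (service, finding) pairs for smtpd listeners on port 465/smtps."""
    findings = []
    for (name, typ), svc in parse_master(text).items():
        port = name.rsplit(":", 1)[-1]         # service may be written host:port
        if typ != "inet" or svc["command"] != "smtpd" or port not in ("smtps", "465"):
            continue
        if svc["opts"].get("smtpd_tls_wrappermode") != "yes":
            findings.append((name, "smtpd_tls_wrappermode=yes missing: STARTTLS, not implicit TLS"))
        missing = [p for p in STOCK_EXTRA if p not in svc["opts"]]
        if missing:
            findings.append((name, "uses main.cf value for: " + ", ".join(missing)))
    return findings
```

`audit_smtps(BROKEN)` reports both the missing wrapper mode and the overrides left at their main.cf values; `audit_smtps(FIXED)` returns an empty list.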