Re: Outlook 2010 smtp auth probs ?
On 29 Dec 2017, at 02:18, Matus UHLAR - fantomas wrote:
>> ssl usually means port 465 with implicit SSL, while 587 requires explicit
>> ssl (aka starttls).

On 29.12.17 07:43, @lbutlr wrote:
> As I understand it port 465 was deprecated 20 years ago. It holds on in
> some servers because old versions (like pre 2010) of Microsoft software do
> not support STARTTLS and some people refuse to upgrade for security reasons.

pre-2007, as I mentioned in my mail you replied to :-)
also applies for outlook express which is also old and deprecated.

> (My solution was to only allow mail submission on port 587. People with
> old clients have to use webmail or update).

2 reasons:

1. I've had problem with smtp/starttls on port 587, caused by AV software,
   using 465 with implicit SSL helped.
2. it's not possible to reject plaintext connections on 465, and if somebody
   disabled plaintext, users would notice immediately

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
2B|!2B, that's a question!
Re: Outlook 2010 smtp auth probs ?
> On Dec 29, 2017, at 9:43 AM, @lbutlr wrote:
>
> As I understand it port 465 was deprecated 20 years ago.

Strangely enough, it may get a second life:

https://tools.ietf.org/html/draft-ietf-uta-email-deep-12#section-3
https://tools.ietf.org/html/draft-ietf-uta-email-deep-12#section-3.3
https://tools.ietf.org/html/draft-ietf-uta-email-deep-12#section-7.3

This will soon be an RFC, it is presently in the RFC Editor queue.

--
Viktor.
Re: Outlook 2010 smtp auth probs ?
On 29 Dec 2017, at 02:18, Matus UHLAR - fantomas wrote:
> ssl usually means port 465 with implicit SSL, while 587 requires explicit
> ssl (aka starttls).

As I understand it port 465 was deprecated 20 years ago. It holds on in some servers because old versions (like pre 2010) of Microsoft software do not support STARTTLS and some people refuse to upgrade for security reasons.

(My solution was to only allow mail submission on port 587. People with old clients have to use webmail or update).

--
No Sigs. Blame Apple.
Re: Outlook 2010 smtp auth probs ?
>> so, it connects on port 25...?
>
> apparently - did you look to master.cf if there's "-o syslog_name" option
> in the submission service?

Matus, thanks for your help

no, no syslog:

# grep syslog master.cf
#

BUT, I got the user to EDIT her existing account and, alter server host names from old.server to new.server, bingo, she's in:

Dec 29 20:54:13 geko postfix/pipe[23598]: C6EED61DA696: to=, relay=dovecot, delay=0.56, delays=0.18/0/0/0.37, dsn=2.0.0, status=sent (delivered via dovecot service)
Dec 29 20:54:24 geko postfix/smtpd[23584]: 5448D61DA696: client=d114-75-83-107.sbr1.nsw.optusnet.com.au[114.75.83.107], sasl_method=LOGIN, sasl_username=no...@dom.org.au
Dec 29 20:54:24 geko postfix/qmgr[18784]: 5448D61DA696: from= , size=640, nrcpt=1 (queue active)
Dec 29 20:54:24 geko postfix/pipe[23598]: 5448D61DA696: to= , relay=dovecot, delay=0.57, delays=0.19/0/0/0.38, dsn=2.0.0, status=sent (delivered via dovecot service)
Dec 29 20:55:28 geko postfix/smtpd[23584]: ECFB361DA6AB: client=d114-75-83-107.sbr1.nsw.optusnet.com.au[114.75.83.107], sasl_method=LOGIN, sasl_username=no...@dom.org.au
Dec 29 20:55:29 geko postfix/qmgr[18784]: ECFB361DA6AB: from= , size=2705, nrcpt=1 (queue active)

so, I think, either something is screwed up in that Outlook2010 - or, the user screwed something ...

anyhow, I'm thinking of rsyncing Maildir to new server, and, get user to EDIT existing account ? (something I was trying to avoid)

can you see any gotchas in doing that ?

thanks again,

V
Re: Outlook 2010 smtp auth probs ?
On 29.12.17 20:47, Voytek wrote:
> On Fri, December 29, 2017 8:18 pm, Matus UHLAR - fantomas wrote:
>> ssl usually means port 465 with implicit SSL, while 587 requires explicit
>> ssl (aka starttls).
>
> with Outlook 2010, it has: none/tls/ssl/auto

so it's the same as 2007. TLS means starttls and runs on port 587.
(versions prior to 2007 supported only starttls on port 25 and implicit ssl on
any other port, needing 465).

>> However, with default postfix/master configuration, those should report
>> postfix/smtps/smtpd (465) or postfix/submission/smtpd (587), see master.cf
>> options for those services that should contain "-o syslog_name=..."
>>
>> the line below contains postfix/smtpd which indicates port 25 was used,
>> unless you don't set syslog_name in master.cf.
>>
>>> (Outlook account setup test message)
>>> Dec 29 14:27:44 geko postfix/smtpd[14089]: NOQUEUE: reject: RCPT from d114-75-83-107.sbr1.nsw.optusnet.com.au[114.75.83.107]: 554 5.7.1: Client host rejected: Access denied; from= to= proto=ESMTP helo=
>>
>> "Client host rejected: Access denied" indicates failed
>> "check_client_access" directive. That also means that none of former
>> directives succeeded, including permit_sasl_authenticated. sasl is not
>> enabled on port 25 by default (iirc)
>>
>> 587 and 465 usually only allow and require authentication, since they
>> only have "permit_sasl_authenticated,reject" options.
>>
>> This also indicates that the client did not connect to port 587/465 - are
>> those ports open and accessible from client?
>
> it's 587
> yes, definitely, I've set up 4 or 5 TBird mail clients no issues, I have K9
> mail client, no issues
>
> also, tested with Outlook 2016
>
> and, the Outlook in question does work with 'old' 2.1 server
>
> maybe port 587 that was entered didn't stick ?
>
> so, it connects on port 25...?

apparently - did you look to master.cf if there's "-o syslog_name" option
in the submission service?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Silvester Stallone: Father of the RISC concept.
Re: Outlook 2010 smtp auth probs ?
On Fri, December 29, 2017 8:18 pm, Matus UHLAR - fantomas wrote:
> ssl usually means port 465 with implicit SSL, while 587 requires explicit
> ssl (aka starttls).

with Outlook 2010, it has: none/tls/ssl/auto

so, I've tried tls as well as ssl, just in case

> However, with default postfix/master configuration, those should report
> postfix/smtps/smtpd (465) or postfix/submission/smtpd (587), see master.cf
> options for those services that should contain "-o syslog_name=..."
>
> the line below contains postfix/smtpd which indicates port 25 was used,
> unless you don't set syslog_name in master.cf.
>
>> (Outlook account setup test message)
>> Dec 29 14:27:44 geko postfix/smtpd[14089]: NOQUEUE: reject: RCPT from d114-75-83-107.sbr1.nsw.optusnet.com.au[114.75.83.107]: 554 5.7.1: Client host rejected: Access denied; from= to= proto=ESMTP helo=
>
> "Client host rejected: Access denied" indicates failed
> "check_client_access" directive. That also means that none of former
> directives succeeded, including permit_sasl_authenticated. sasl is not
> enabled on port 25 by default (iirc)
>
> 587 and 465 usually only allow and require authentication, since they
> only have "permit_sasl_authenticated,reject" options.
>
> This also indicates that the client did not connect to port 587/465 - are
> those ports open and accessible from client?

it's 587
yes, definitely, I've set up 4 or 5 TBird mail clients no issues, I have K9 mail client, no issues

also, tested with Outlook 2016

and, the Outlook in question does work with 'old' 2.1 server

maybe port 587 that was entered didn't stick ?

so, it connects on port 25...?

Starting Nmap 5.51
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
143/tcp open imap
443/tcp open https
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s
Re: Outlook 2010 smtp auth probs ?
On 29.12.17 15:32, Voytek wrote:
> smtpd_recipient_restrictions =
>   reject_unknown_sender_domain,
>   reject_unknown_recipient_domain,
>   reject_non_fqdn_sender,
>   reject_non_fqdn_recipient,
>   reject_unlisted_recipient,
>   permit_mynetworks,
>   check_sasl_access hash:/etc/postfix/sasl_access
>   permit_sasl_authenticated,
>   reject_unauth_destination,
>   check_policy_service inet:127.0.0.1:10040,
>   check_recipient_access hash:/etc/postfix/recipient_no_checks,
>   check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
>   check_helo_access hash:/etc/postfix/helo_checks,
>   check_sender_access hash:/etc/postfix/sender_checks,
>   check_client_access hash:/etc/postfix/client_checks,
>   check_client_access pcre:/etc/postfix/client_checks.pcre,
>   reject_rbl_client zen.spamhaus.org,
>   reject_rhsbl_client dbl.spamhaus.org,
>   reject_rhsbl_sender dbl.spamhaus.org,
>   reject_rbl_client psbl.surriel.com,
>   reject_rbl_client ix.dnsbl.manitu.net,
>   reject_rbl_client bl.spamcop.net,
>
> tried with 'port 587 TLS' as well as 'port 587 SSL'

ssl usually means port 465 with implicit SSL, while 587 requires explicit
ssl (aka starttls).

However, with default postfix/master configuration, those should report
postfix/smtps/smtpd (465) or postfix/submission/smtpd (587), see master.cf
options for those services that should contain "-o syslog_name=..."

the line below contains postfix/smtpd which indicates port 25 was used,
unless you don't set syslog_name in master.cf.

> (Outlook account setup test message)
> Dec 29 14:27:44 geko postfix/smtpd[14089]: NOQUEUE: reject: RCPT from d114-75-83-107.sbr1.nsw.optusnet.com.au[114.75.83.107]: 554 5.7.1: Client host rejected: Access denied; from= to= proto=ESMTP helo=

"Client host rejected: Access denied" indicates failed "check_client_access"
directive. That also means that none of former directives succeeded,
including permit_sasl_authenticated. sasl is not enabled on port 25 by
default (iirc)

587 and 465 usually only allow and require authentication, since they
only have "permit_sasl_authenticated,reject" options.

This also indicates that the client did not connect to port 587/465 - are
those ports open and accessible from client?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Where do you want to go to die?" [Microsoft]
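
An added example (not part of the thread and not Postfix project code) of the log reading described in the message above: it groups smtpd log lines by client IP, maps the service tag to a port, and lists clients that were rejected on the port-25 service without ever authenticating. The sample lines, host names and addresses are constructed, and the tag-to-port map assumes master.cf sets syslog_name on the submission and smtps services.

```python
import re
from collections import defaultdict

# Service tag -> port. Assumes master.cf sets "-o syslog_name=..." on the
# submission/smtps services; without it every smtpd logs as postfix/smtpd.
SERVICE_PORT = {"postfix/smtpd": 25, "postfix/submission/smtpd": 587,
                "postfix/smtps/smtpd": 465}
LINE = re.compile(r"(?P<svc>postfix/(?:\w+/)?smtpd)\[\d+\]: (?P<msg>.*)")
REJECT = re.compile(r"NOQUEUE: reject: \w+ from \S+\[(?P<ip>[^\]]+)\]: \d{3} ")
SASL = re.compile(r"client=\S+\[(?P<ip>[^\]]+)\], sasl_method=\w+")

def summarize(lines):
    """Return {client_ip: {"ports": set, "sasl": int, "rejects": int}}."""
    stats = defaultdict(lambda: {"ports": set(), "sasl": 0, "rejects": 0})
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        reject, sasl = REJECT.search(m["msg"]), SASL.search(m["msg"])
        hit = reject or sasl
        if hit:
            entry = stats[hit["ip"]]
            entry["ports"].add(SERVICE_PORT.get(m["svc"]))
            entry["rejects"] += bool(reject)
            entry["sasl"] += bool(sasl)
    return dict(stats)

def unauthenticated_on_25(stats):
    """Clients rejected on the port-25 service that never authenticated."""
    return sorted(ip for ip, s in stats.items()
                  if s["rejects"] and not s["sasl"] and s["ports"] == {25})

def port_tags_reliable(stats):
    """False if no submission/smtps tag was seen (syslog_name may be unset)."""
    return any(s["ports"] & {587, 465} for s in stats.values())

# Constructed sample lines in the log format quoted in the thread; host names
# and addresses are documentation placeholders, not values from the thread.
SAMPLE = [
    "Dec 29 14:27:44 mx postfix/smtpd[14089]: NOQUEUE: reject: RCPT from "
    "host.example.net[192.0.2.10]: 554 5.7.1 <user@example.org>: Client host "
    "rejected: Access denied; proto=ESMTP",
    "Dec 29 14:30:02 mx postfix/submission/smtpd[14120]: ABCDEF123456: "
    "client=other.example.net[198.51.100.7], sasl_method=LOGIN, "
    "sasl_username=user@example.org",
]

if __name__ == "__main__":
    print(unauthenticated_on_25(summarize(SAMPLE)))
```

When `port_tags_reliable` returns False, a `postfix/smtpd` tag says nothing about the port, which is the caveat about an unset syslog_name raised in the message above.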
Outlook 2010 smtp auth probs ?
this might be off topic, I'm not sure if I have an issue with Postfix setup - or just end user email client setup:

I have old postfix 2.1 server, migrating to new 3.x, copied over 2.1 /etc/postfix, all seemed OK till now trying to setup an Outlook 2010 client

as I don't have Outlook 2010 to hand, I've installed 2016, tested account setup, all worked, both IMAP and 587/SMTP auth

the end user in question is remote to me, 2010 seems to have different options than 2016 I have tested

the Outlook system is remote to me, it's possible end user screwed something up on Outlook, the setup for old 2.1 server and new 3.x server is supposedly identical: SMTP 587 TLS - but I'm not there.

is there some simple Outlook option that I have overlooked ?
or is there something wrong with my server config ??

smtpd_helo_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_non_fqdn_helo_hostname,
  reject_invalid_helo_hostname,
  check_helo_access pcre:/etc/postfix/helo_access.pcre

smtpd_recipient_restrictions =
  reject_unknown_sender_domain,
  reject_unknown_recipient_domain,
  reject_non_fqdn_sender,
  reject_non_fqdn_recipient,
  reject_unlisted_recipient,
  permit_mynetworks,
  check_sasl_access hash:/etc/postfix/sasl_access
  permit_sasl_authenticated,
  reject_unauth_destination,
  check_policy_service inet:127.0.0.1:10040,
  check_recipient_access hash:/etc/postfix/recipient_no_checks,
  check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
  check_helo_access hash:/etc/postfix/helo_checks,
  check_sender_access hash:/etc/postfix/sender_checks,
  check_client_access hash:/etc/postfix/client_checks,
  check_client_access pcre:/etc/postfix/client_checks.pcre,
  reject_rbl_client zen.spamhaus.org,
  reject_rhsbl_client dbl.spamhaus.org,
  reject_rhsbl_sender dbl.spamhaus.org,
  reject_rbl_client psbl.surriel.com,
  reject_rbl_client ix.dnsbl.manitu.net,
  reject_rbl_client bl.spamcop.net,

tried with 'port 587 TLS' as well as 'port 587 SSL'

the user can use old 2.1 server, no issues, BUT, when trying to send with 2010, it fails, on the server, I see this:

(Outlook account setup test message)
Dec 29 14:27:44 geko postfix/smtpd[14089]: NOQUEUE: reject: RCPT from d114-75-83-107.sbr1.nsw.optusnet.com.au[114.75.83.107]: 554 5.7.1: Client host rejected: Access denied; from= to= proto=ESMTP helo=

on the old 2.1 server works fine, I see this:

14:34:08 emu postfix/qmgr[5951]: 30762185383: from= , size=638, nrcpt=1 (queue active)
Dec 29 14:34:08 emu postfix/pipe[8733]: 30762185383: to= , relay=dovecot, delay=0.32, delays=0.22/0.01/0/0.1, dsn=2.0.0, status=sent (delivered via dovecot service)
Dec 29 14:34:17 emu postfix/smtpd[8727]: 482B6185383: client=d114-75-83-107.sbr1.nsw.optusnet.com.au[114.75.83.107], sasl_method=LOGIN, sasl_username=no...@dom.org.au
Dec 29 14:34:17 emu postfix/qmgr[5951]: 482B6185383: from= , size=638, nrcpt=1 (queue active)
Dec 29 14:34:17 emu postfix/pipe[8733]: 482B6185383: to= , relay=dovecot, delay=0.23, delays=0.19/0/0/0.05, dsn=2.0.0, status=sent (delivered via dovecot service)
Dec 29 14:40:04 emu postfix/smtpd[10332]: 83EAC185383: client=d114-75-83-107.sbr1.nsw.optusnet.com.au[114.75.83.107], sasl_method=LOGIN, sasl_username=no...@dom.org.au
Dec 29 14:40:05 emu postfix/qmgr[5951]: 83EAC185383: from= , size=25709, nrcpt=1 (queue active)