Re: Outlook 2010 smtp auth probs ?

[Matus UHLAR - fantomas]

On 29 Dec 2017, at 02:18, Matus UHLAR - fantomas  wrote:

ssl usually means port 465 with implicit SSL, while 587 requires explicit
ssl (aka starttls).


On 29.12.17 07:43, @lbutlr wrote:

As I understand it port 465 was deprecated 20 years ago.

It holds on in some servers because old versions (like pre 2010) of
Microsoft software do not support STARTTLS and some people refuse to
upgrade for security reasons.


pre-2007, as I mentioned in my mail you repled to :-)
also applies for outlook express which is also ld and deprecated.


(My solution was to only allow mail submission on port 587. People with old 
clients have to use webmail or update).


2 reasons:
1. I've had problem with smtp/starttsl on port 587, caused by AV software,
   using 465 with implicit SSL helped.
2. it's not possible to reject plaintext connections on 465, and if somebody
   disabled plaintext, users would notice immediately

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
2B|!2B, that's a question!

Re: Outlook 2010 smtp auth probs ?

[Viktor Dukhovni]

> On Dec 29, 2017, at 9:43 AM, @lbutlr  wrote:
> 
> As I understand it port 465 was deprecated 20 years ago.

Strangely enough, it may get a second life:

   https://tools.ietf.org/html/draft-ietf-uta-email-deep-12#section-3
   https://tools.ietf.org/html/draft-ietf-uta-email-deep-12#section-3.3
   https://tools.ietf.org/html/draft-ietf-uta-email-deep-12#section-7.3

This will soon be an RFC, it is presently in the RFC Editor queue.

-- 
-- 
Viktor.

Re: Outlook 2010 smtp auth probs ?

[@lbutlr]

On 29 Dec 2017, at 02:18, Matus UHLAR - fantomas  wrote:
> ssl usually means port 465 with implicit SSL, while 587 requires explicit
> ssl (aka starttls).

As I understand it port 465 was deprecated 20 years ago.

It holds on in some servers because old versions (like pre 2010) of Microsoft 
software do not support STARTTLS and some people refuse to upgrade for security 
reasons.

(My solution was to only allow mail submission on port 587. People with old 
clients have to use webmail or update).

-- 
No Sigs. Blame Apple.

Re: Outlook 2010 smtp auth probs ?

[Voytek]

>> so, it connects on port 25...?
>
> apparently - did you look to master.cf if there's "-o syslog_name" option
> in the submission service?

Matus,

thanks for your help

no, no syslog:
# grep syslog  master.cf
#

BUT, I got the user to EDIT her existing account and, alter server host
names from old.server to new.server, bingo, she's in:

Dec 29 20:54:13 geko postfix/pipe[23598]: C6EED61DA696:
to=, relay=dovecot, delay=0.56, delays=0.18/0/0/0.37,
dsn=2.0.0, status=sent (delivered via dovecot service)
Dec 29 20:54:24 geko postfix/smtpd[23584]: 5448D61DA696:
client=d114-75-83-107.sbr1.nsw.optusnet.com.au[114.75.83.107],
sasl_method=LOGIN, sasl_username=no...@dom.org.au
Dec 29 20:54:24 geko postfix/qmgr[18784]: 5448D61DA696:
from=, size=640, nrcpt=1 (queue active)
Dec 29 20:54:24 geko postfix/pipe[23598]: 5448D61DA696:
to=, relay=dovecot, delay=0.57, delays=0.19/0/0/0.38,
dsn=2.0.0, status=sent (delivered via dovecot service)
Dec 29 20:55:28 geko postfix/smtpd[23584]: ECFB361DA6AB:
client=d114-75-83-107.sbr1.nsw.optusnet.com.au[114.75.83.107],
sasl_method=LOGIN, sasl_username=no...@dom.org.au
Dec 29 20:55:29 geko postfix/qmgr[18784]: ECFB361DA6AB:
from=, size=2705, nrcpt=1 (queue active)

so, I think, either something is screwed up in that Outlook2010 - or, the
user screwed something ...

anyhow, I'm thinking of rsyncing Maildir to new server, and,  get user to
EDIT existing account ? (somthing I was trying to avoid)
can you any gotchas in doing that ?

thanks again,

V

Re: Outlook 2010 smtp auth probs ?

[Matus UHLAR - fantomas]

On 29.12.17 20:47, Voytek wrote:

On Fri, December 29, 2017 8:18 pm, Matus UHLAR - fantomas wrote:


ssl usually means port 465 with implicit SSL, while 587 requires explicit
 ssl (aka starttls).


with Outlook 2010, it has: none/tls/ssl/auto


so it's the same as 2007. TLS means starttls and runt on port 587.
(versions prior to 2007 supported only starttls on prt 25 and implicit ssl
on any other port, needing 465).


However, with default postfix/master configuration, those should report
postfix/smtps/smtpd (465) or postfix/submission/smtpd (587), see master.cf
 options for those services that should contain "-o syslog_name=..."

the line below contains postfix/smtpd which indicates port 25 was used,
unless don't set syslog_name in master.cf.


(Outlook account setup test message)
Dec 29 14:27:44 geko postfix/smtpd[14089]: NOQUEUE: reject: RCPT from
d114-75-83-107.sbr1.nsw.optusnet.com.au[114.75.83.107]: 554 5.7.1
: Client host
rejected: Access denied; from= to=
proto=ESMTP helo=


"Client host rejected: Access denied" indicates failed
"check_client_access"
directive. That also means that none of former directives succeeded,
including permit_sasl_authenticated. sasl is not enabled on port 25 by
default (iirc)

587 and 465 usually only allow and require authentication, since they
only have "permit_sasl_authenticated,reject" options.

This also indicates that the client did not connect to port 587/465 - are
 those ports open and accessible from client?


it's 587
yes, definitely, I've setupup 4 or 5 TBird mail clients no issues, I have
K9 mail client, no issues
also, tested with Outlook 2016

and, the Outlook in question does work with 'old' 2.1 server

maybe port 587 that was entered didn't stick ?

so, it connects on port 25...?


apparently - did you look to master.cf if there's "-o syslog_name" option in
the submission service?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Silvester Stallone: Father of the RISC concept.

Re: Outlook 2010 smtp auth probs ?

[Voytek]

On Fri, December 29, 2017 8:18 pm, Matus UHLAR - fantomas wrote:

> ssl usually means port 465 with implicit SSL, while 587 requires explicit
>  ssl (aka starttls).

with Outlook 2010, it has: none/tls/ssl/auto

so, I've tried tls as well as ssl, just in case

> However, with default postfix/master configuration, those should report
> postfix/smtps/smtpd (465) or postfix/submission/smtpd (587), see master.cf
>  options for those services that should contain "-o syslog_name=..."
>
> the line below contains postfix/smtpd which indicates port 25 was used,
> unless don't set syslog_name in master.cf.
>
>> (Outlook account setup test message)
>> Dec 29 14:27:44 geko postfix/smtpd[14089]: NOQUEUE: reject: RCPT from
>> d114-75-83-107.sbr1.nsw.optusnet.com.au[114.75.83.107]: 554 5.7.1
>> : Client host
>> rejected: Access denied; from= to=
>> proto=ESMTP helo=
>
> "Client host rejected: Access denied" indicates failed
> "check_client_access"
> directive. That also means that none of former directives succeeded,
> including permit_sasl_authenticated. sasl is not enabled on port 25 by
> default (iirc)
>
> 587 and 465 usually only allow and require authentication, since they
> only have "permit_sasl_authenticated,reject" options.
>
> This also indicates that the client did not connect to port 587/465 - are
>  those ports open and accessible from client?

it's 587
yes, definitely, I've setupup 4 or 5 TBird mail clients no issues, I have
K9 mail client, no issues
also, tested with Outlook 2016

and, the Outlook in question does work with 'old' 2.1 server

maybe port 587 that was entered didn't stick ?

so, it connects on port 25...?

Starting Nmap 5.51
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
110/tcp open  pop3
143/tcp open  imap
443/tcp open  https
587/tcp open  submission
993/tcp open  imaps
995/tcp open  pop3s

Re: Outlook 2010 smtp auth probs ?

[Matus UHLAR - fantomas]

On 29.12.17 15:32, Voytek wrote:

smtpd_recipient_restrictions = reject_unknown_sender_domain,
reject_unknown_recipient_domain, reject_non_fqdn_sender,
reject_non_fqdn_recipient, reject_unlisted_recipient, permit_mynetworks,
check_sasl_access hash:/etc/postfix/sasl_access permit_sasl_authenticated,
reject_unauth_destination, check_policy_service inet:127.0.0.1:10040,
check_recipient_access hash:/etc/postfix/recipient_no_checks,
check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
check_helo_access hash:/etc/postfix/helo_checks, check_sender_access
hash:/etc/postfix/sender_checks, check_client_access
hash:/etc/postfix/client_checks, check_client_access
pcre:/etc/postfix/client_checks.pcre, reject_rbl_client zen.spamhaus.org,
reject_rhsbl_client dbl.spamhaus.org, reject_rhsbl_sender
dbl.spamhaus.org, reject_rbl_client psbl.surriel.com, reject_rbl_client
ix.dnsbl.manitu.net, reject_rbl_client bl.spamcop.net,



tried with 'port 587 TLS' as well as 'port 587 SSL'


ssl usually means port 465 with implicit SSL, while 587 requires explicit
ssl (aka starttls).

However, with default postfix/master configuration, those should report
postfix/smtps/smtpd (465) or postfix/submission/smtpd (587), see master.cf
options for those services that should contain "-o syslog_name=..."

the line below contains postfix/smtpd which indicates port 25 was used,
unless don't set syslog_name in master.cf.


(Outlook account setup test message)
Dec 29 14:27:44 geko postfix/smtpd[14089]: NOQUEUE: reject: RCPT from
d114-75-83-107.sbr1.nsw.optusnet.com.au[114.75.83.107]: 554 5.7.1
: Client host
rejected: Access denied; from= to=
proto=ESMTP helo=


"Client host rejected: Access denied" indicates failed "check_client_access"
directive. That also means that none of former directives succeeded,
including permit_sasl_authenticated. sasl is not enabled on port 25 by
default (iirc)

587 and 465 usually only allow and require authentication, since they only
have "permit_sasl_authenticated,reject" options. 


This also indicates that the client did not connect to port 587/465 - are
those ports open and accessible from client?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Where do you want to go to die?" [Microsoft]

Outlook 2010 smtp auth probs ?

[Voytek]

this might be off topic, I'm not sure if I have an issue with Postfix
setup - or just end user email client setup:

I have old postfix 2.1 server, migrating to new 3.x, copied over 2.1
/etc/postfix, all seemed OK till now trying to setup an Outlook 2010
client

as I don't have Outlook 2010 to hand, I've installed 2016, tested account
setup, all worked, both IMAP and 587/SMTP auth

the end user in question is remote to me, 2010 seems to have different
options than 2016 I have tested

the Outlook system is remote to me, it's possible end user screwed
something up

on Outlook, the setup for old 2.1 server and new 3.x server is supposedly
identical: SMTP 587 TLS - but I'm not there.

is there some simple Outlook option that I have overlooked ?
or is there something wrong with my server config ??

smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated,
reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname,
check_helo_access pcre:/etc/postfix/helo_access.pcre

smtpd_recipient_restrictions = reject_unknown_sender_domain,
reject_unknown_recipient_domain, reject_non_fqdn_sender,
reject_non_fqdn_recipient, reject_unlisted_recipient, permit_mynetworks,
check_sasl_access hash:/etc/postfix/sasl_access permit_sasl_authenticated,
reject_unauth_destination, check_policy_service inet:127.0.0.1:10040,
check_recipient_access hash:/etc/postfix/recipient_no_checks,
check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
check_helo_access hash:/etc/postfix/helo_checks, check_sender_access
hash:/etc/postfix/sender_checks, check_client_access
hash:/etc/postfix/client_checks, check_client_access
pcre:/etc/postfix/client_checks.pcre, reject_rbl_client zen.spamhaus.org,
reject_rhsbl_client dbl.spamhaus.org, reject_rhsbl_sender
dbl.spamhaus.org, reject_rbl_client psbl.surriel.com, reject_rbl_client
ix.dnsbl.manitu.net, reject_rbl_client bl.spamcop.net,

tried with 'port 587 TLS' as well as 'port 587 SSL'

the user can use old 2.1 server, no issues, BUT, when trying to send with
2010, it fails, on the server, I see this:

(Outlook account setup test message)
Dec 29 14:27:44 geko postfix/smtpd[14089]: NOQUEUE: reject: RCPT from
d114-75-83-107.sbr1.nsw.optusnet.com.au[114.75.83.107]: 554 5.7.1
: Client host
rejected: Access denied; from= to=
proto=ESMTP helo=

on the old 2.1 server works fine, I see this:
 14:34:08 emu postfix/qmgr[5951]: 30762185383: from=,
size=638, nrcpt=1 (queue active)
Dec 29 14:34:08 emu postfix/pipe[8733]: 30762185383:
to=, relay=dovecot, delay=0.32, delays=0.22/0.01/0/0.1,
dsn=2.0.0, status=sent (delivered via dovecot service)
Dec 29 14:34:17 emu postfix/smtpd[8727]: 482B6185383:
client=d114-75-83-107.sbr1.nsw.optusnet.com.au[114.75.83.107],
sasl_method=LOGIN, sasl_username=no...@dom.org.au
Dec 29 14:34:17 emu postfix/qmgr[5951]: 482B6185383:
from=, size=638, nrcpt=1 (queue active)
Dec 29 14:34:17 emu postfix/pipe[8733]: 482B6185383:
to=, relay=dovecot, delay=0.23, delays=0.19/0/0/0.05,
dsn=2.0.0, status=sent (delivered via dovecot service)
Dec 29 14:40:04 emu postfix/smtpd[10332]: 83EAC185383:
client=d114-75-83-107.sbr1.nsw.optusnet.com.au[114.75.83.107],
sasl_method=LOGIN, sasl_username=no...@dom.org.au
Dec 29 14:40:05 emu postfix/qmgr[5951]: 83EAC185383:
from=, size=25709, nrcpt=1 (queue active)