Re: Prevention of sending authentication via plaintext on port 25.
On 12/3/2016 at 10:45 AM, "John Fawcett"wrote: > >On 12/03/2016 05:25 PM, rich.gre...@hushmail.com wrote: >> Here I am, replying to my own post again. What I said in the >prior post wasn't entirely true. I realized that I used the wrong >password in my prior attempt. I am still granted access to the >SMTP service after authenticating in plaintext on port 25. >> >> So I'm somewhat confused how to prevent/discourage users from >sending their authentication detail in the clear when there are >secure methods that exist (such as, $ openssl s_client -starttls >smtp -connect example.com:587) >> >> >> $ telnet example.com 25 >> Trying 87.138.xxx.yyy... >> Connected to example.com. >> Escape character is '^]'. >> 220 example.com ESMTP Postfix (Ubuntu) >> ehlo example.com >> 250-example.com >> 250-PIPELINING >> 250-SIZE 1024 >> 250-VRFY >> 250-ETRN >> 250-STARTTLS >> 250-AUTH PLAIN LOGIN >> 250-AUTH=PLAIN LOGIN >> 250-ENHANCEDSTATUSCODES >> 250-8BITMIME >> 250 DSN >> AUTH LOGIN >> 334 VXNlcm5hbWU6 >> dXNlckBleGFtcGxlLmNvbQ== >> 334 UGFzc3dvcmQ6 >> eW91IHdvdWxkIGRlY29kZSB0aGlz >> 235 2.7.0 Authentication successful >> quit >> >> >> Thanks >> >Sounds as though you have not disabled auth on port 25, so you have >still got > >smtpd_sasl_auth_only=yes > You mean, 'smtpd_tls_auth_only=yes' ? >for the smtpd service. You may have configured that in main.cf by >changing the default value or in master.cf for the specific smtpd >entry. > In the main.cf, I have set globally smtpd_tls_auth_only = yes and in the master.cf, just to make sure, I have: submission inet n - n - - smtpd -o smtpd_tls_auth_only=yes So yes, after changing no -> yes in the main.cf, I get the permissions that I want. >John
Re: Prevention of sending authentication via plaintext on port 25.
Here I am, replying to my own post again. What I said in the prior post wasn't entirely true. I realized that I used the wrong password in my prior attempt. I am still granted access to the SMTP service after authenticating in plaintext on port 25. So I'm somewhat confused how to prevent/discourage users from sending their authentication detail in the clear when there are secure methods that exist (such as, $ openssl s_client -starttls smtp -connect example.com:587) $ telnet example.com 25 Trying 87.138.xxx.yyy... Connected to example.com. Escape character is '^]'. 220 example.com ESMTP Postfix (Ubuntu) ehlo example.com 250-example.com 250-PIPELINING 250-SIZE 1024 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN AUTH LOGIN 334 VXNlcm5hbWU6 dXNlckBleGFtcGxlLmNvbQ== 334 UGFzc3dvcmQ6 eW91IHdvdWxkIGRlY29kZSB0aGlz 235 2.7.0 Authentication successful quit Thanks On 12/3/2016 at 10:03 AM, rich.gre...@hushmail.com wrote: > >I suspected that was a typo. I figured it out. > >I made those changes, when I attempt an AUTH LOGIN, I get back >"535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6" which seems >to be appropriate. > >So the user is no longer rewarded with access to the SMTP services >when they attempt to connect using this method, such as sending a >plaintext password on port 25. Obviously, user irresponsibility >can't be prevented, but at least they are denied access for >attempting to connect in an irresponsible manner. So yes, I can >see how this works. > >Thanks > >On 12/3/2016 at 9:49 AM, "Wietse Venema">wrote: >> >>John Fawcett: >>> On 12/03/2016 04:10 PM, Wietse Venema wrote: >>> > rich.gre...@hushmail.com: >>> >> There are ports that exist for encrypted transfer of this >data >>> >> (such as 465, 587). What is the current state of the art for >>> >> preventing the user's client software from being able to do >>this >>> >> (sending their authentication details plaintext)? Is it >safe >>to >>> >> simply block this port external to the machine, for example, >>in >>> >> the router? >>> > Don't enable SASL auth on port 25. >>> > >>> > Do require smtpd_tls_auth_only=yes on port 587. >>> > >>> > This is easiest implemented by seting smtpd_sasl_auth_enable >>and >>> > smtpd_tls_auth_only in the master.cf entry for the port 587 >>service, >>> > and not setting them in main.cf. >>> > >>> > submission inet n - n - - smtpd >>> > -o syslog_name=postfix/submission >>> > -o smtpd_tls_security_level=encrypt >>> > -o smtpd_sasl_auth_enable=yes >>> > -o smtpd_sasl_auth_only=yes >>> > -o smtpd_reject_unlisted_recipient=no >>> > -o smtpd_client_restrictions=$mua_client_restrictions >>> > -o smtpd_helo_restrictions=$mua_helo_restrictions >>> > -o smtpd_sender_restrictions=$mua_sender_restrictions >>> > -o smtpd_recipient_restrictions= >>> > -o smtpd_relay_restrictions=permit_sasl_authenticated,reject >>> > -o milter_macro_daemon_name=ORIGINATING >>> > >>> > (similar for the obsolete 'smtps' service on port 465). >>> > >>> > mua_client_restrictions, mua_helo_restrictions, >>mua_sender_restrictions >>> > can then be specified in main.cf. >>> > >>> > Wietse >>> >>> Wietse >>> >>> this looks like a typo >>> >>> -o smtpd_sasl_auth_only=yes >>> >>> that should be >>> >>> -o smtpd_tls_auth_only=yes >>> >>> in line with your comment above the config. >> >>Yes. >> >> Wietse
Re: Prevention of sending authentication via plaintext on port 25.
I suspected that was a typo. I figured it out. I made those changes, when I attempt an AUTH LOGIN, I get back "535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6" which seems to be appropriate. So the user is no longer rewarded with access to the SMTP services when they attempt to connect using this method, such as sending a plaintext password on port 25. Obviously, user irresponsibility can't be prevented, but at least they are denied access for attempting to connect in an irresponsible manner. So yes, I can see how this works. Thanks On 12/3/2016 at 9:49 AM, "Wietse Venema"wrote: > >John Fawcett: >> On 12/03/2016 04:10 PM, Wietse Venema wrote: >> > rich.gre...@hushmail.com: >> >> There are ports that exist for encrypted transfer of this data >> >> (such as 465, 587). What is the current state of the art for >> >> preventing the user's client software from being able to do >this >> >> (sending their authentication details plaintext)? Is it safe >to >> >> simply block this port external to the machine, for example, >in >> >> the router? >> > Don't enable SASL auth on port 25. >> > >> > Do require smtpd_tls_auth_only=yes on port 587. >> > >> > This is easiest implemented by seting smtpd_sasl_auth_enable >and >> > smtpd_tls_auth_only in the master.cf entry for the port 587 >service, >> > and not setting them in main.cf. >> > >> > submission inet n - n - - smtpd >> > -o syslog_name=postfix/submission >> > -o smtpd_tls_security_level=encrypt >> > -o smtpd_sasl_auth_enable=yes >> > -o smtpd_sasl_auth_only=yes >> > -o smtpd_reject_unlisted_recipient=no >> > -o smtpd_client_restrictions=$mua_client_restrictions >> > -o smtpd_helo_restrictions=$mua_helo_restrictions >> > -o smtpd_sender_restrictions=$mua_sender_restrictions >> > -o smtpd_recipient_restrictions= >> > -o smtpd_relay_restrictions=permit_sasl_authenticated,reject >> > -o milter_macro_daemon_name=ORIGINATING >> > >> > (similar for the obsolete 'smtps' service on port 465). >> > >> > mua_client_restrictions, mua_helo_restrictions, >mua_sender_restrictions >> > can then be specified in main.cf. >> > >> >Wietse >> >> Wietse >> >> this looks like a typo >> >> -o smtpd_sasl_auth_only=yes >> >> that should be >> >> -o smtpd_tls_auth_only=yes >> >> in line with your comment above the config. > >Yes. > > Wietse
Prevention of sending authentication via plaintext on port 25.
I love to go and see what I can get away with using telnet. I decided to send and check email from the command line. Since I consider my test location to be low risk, I decided to try to send my password plaintext over port 25. I was a moderately surprised that it did work, as seen below in the typescript. Now imagine that if I was hosting for more people than just a few family members, any arbitrary user could, perhaps out of ignorance or convenience, be choosing to send their password plaintext. In the event of someone sniffing the authentication data, they would be able to transmit emails using a shell script, which concerns me. There are ports that exist for encrypted transfer of this data (such as 465, 587). What is the current state of the art for preventing the user's client software from being able to do this (sending their authentication details plaintext)? Is it safe to simply block this port external to the machine, for example, in the router? Thanks... $ telnet example.com 25 Trying 87.138.xxx.yyy... Connected to example.com. Escape character is '^]'. 220 example.com ESMTP Postfix (Ubuntu) helo example 250 example.com ehlo example 250-example.com 250-PIPELINING 250-SIZE 1024 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN AUTH LOGIN 334 VXNlcm5hbWU6 dXNlckBleGFtcGxlLm9yZw== 334 UGFzc3dvcmQ6 cGFzc3dvcmQ= 235 2.7.0 Authentication successful mail from: <m...@example.org> 250 2.1.0 Ok rcpt to: <rich.gre...@hushmail.com> 250 2.1.5 Ok data 354 End data with . From: <m...@example.org> To: Rich Greder <rich.gre...@hushmail.com> Subject: Testing This is a test. . 250 2.0.0 Ok: queued as BFDEB3FE30 quit 221 2.0.0 Bye Connection closed by foreign host.
Re: SMTP Error with Thunderbird with remote Ubuntu Server 16.04
Okay, I'm made some exciting progress and I am grateful for the help. I will show to people how I got this working At first thought, I figured that it would simply be the IMAP password used by Dovecot to access my mailbox. Not exactly true... I did some digging in some blogs and the documentation for Dovecot and Postfix. I configured Dovecot to authenticate using a SHA512 encrypted password in a SQL database, just as was posted in a blog some time back (Reference 1). I found out that I can have SASL authentication for Postfix via Dovecot. I made a few changes according to a blog post (Reference 2) I can send and receive mail from Thunderbird now, which resolves this long and tortured thread. For the good of the internet community, I am sharing my configuration in it's working state. After all this, my main.cf has evolved to become: mydomain = example.com smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu) biff = no append_dot_mydomain = no readme_directory = no # TLS parameters smtpd_tls_security_level = may smtpd_tls_loglevel = 1 smtpd_tls_cert_file=/etc/letsencrypt/live/example.com/fullchain.pem smtpd_tls_key_file=/etc/letsencrypt/live/example.com/privkey.pem #smtpd_use_tls=yes #smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache #Added December 1, 2016 TLS parameters smtpd_tls_received_header = yes smtpd_tls_auth_only = no smtpd_use_tls=yes smtp_tls_note_starttls_offer = yes smtpd_tls_session_cache_timeout = 3600s #end December 1, 2016 TLS parameters smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination myhostname = example.com alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases myorigin = /etc/mailname #mydestination = $myhostname, example.com, localhost.com, , localhost mydestination = localhost relayhost = mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128 mailbox_size_limit = 0 recipient_delimiter = + inet_interfaces = all inet_protocols = all virtual_transport = lmtp:unix:private/dovecot-lmtp virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf #Added December 1 to enable SASL with Dovecot smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth smtpd_sasl_local_domain = example.com smtpd_sasl_security_options = noanonymous broken_sasl_auth_clients = yes smtpd_sasl_auth_enable = yes smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination #End December 1 SASL/Dovecot parameters and the master.cf has become: == # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (no)(never) (100) # == smtp inet n - y - - smtpd submission inet n - n - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING pickupunix n - y 60 1 pickup cleanup unix n - y - 0 cleanup qmgr unix n - n 300 1 qmgr tlsmgrunix - - y 1000? 1 tlsmgr rewrite unix - - y - - trivial-rewrite bounceunix - - y - 0 bounce defer unix - - y - 0 bounce trace unix - - y - 0 bounce verifyunix - - y - 1 verify flush unix n - y 1000? 0 flush proxymap unix - - n - - proxymap proxywrite unix - - n - 1 proxymap smtp unix - - y - - smtp relay unix - - y - - smtp showq unix n - y - - showq error unix - - y - - error retry unix - - y - - error discard unix - - y - - discard local unix - n n - - local virtual unix - n n - - virtual lmtp unix - - y - - lmtp anvil unix - - y - 1 anvil scacheunix - - y - 1 scache maildrop unix - n n - - pipe flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient} uucp unix - n n - -
Re: SMTP Error with Thunderbird with remote Ubuntu Server 16.04
On 11/28/2016 at 4:56 PM, "Bill Cole"wrote: > >On 28 Nov 2016, at 17:29, rich.gre...@hushmail.com wrote: > >> I changed it. When I compose and send to an outside domain now, >I get >> an error that hints towards port 25 being strongly preferred >over 587. >> >> Sending of the message failed. >> The message could not be sent because connecting to Outgoing >server >> (SMTP) timothylegg.com failed. The server may be unavailable or >is >> refusing SMTP connections. Please verify that your Outgoing >server >> (SMTP) settings are correct and try again. > > >OK: this implies that you don't have a port 587 submission service >running at all. I did not. I opened 587 to the machine (I didn't realize it was closed) I made modifications to the master.cf file. >To get one, you need an entry similar to this in >your >master.cf file: > >submission inet n - n - - smtpd > -o syslog_name=postfix/submit I assume you mean -o syslog_name=postfix/submission, I did that. > -o smtpd_tls_security_level=encrypt > -o smtpd_sasl_auth_enable=yes > -o >smtpd_recipient_restrictions=permit_sasl_authenticated,reject > -o milter_macro_daemon_name=ORIGINATING > >You can see the currently active entries from master.cf with >"postconf >-Mf" if you're running a reasonably modern version of Postfix. > Yep, it's reasonable modern. Double checking here. smtp inet n - y - - smtpd submission inet n - n - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING >This has gone far past the point where it is essential for you to >heed >the recommendations in the last section of the DEBUG_README file >(part >of the Postfix distribution) which are also sent to new >subscribers to >this list, regarding how best to effectively seek assistance here. Thanks for reminding me of this. I found the online copy and I love it when I realize something in plain site that has been there forever without my noticing it. (Like the tcpdump command. I'm going to play with that for sure.) >Noel >Jones suggested this to you almost 6 hours ago in a message which >you >replied to, and it is advice which has not gone obsolete in that >time. So the server and thunderbird are talking to each other. Apparently I don't have a password to access the SMTP server I have running. This must be the SASL authentication I've read about in the past. Dovecot/Squirrelmail apparently are able to access it just fine, so I'll look in the config files for it. It must be in there somewhere.
Re: SMTP Error with Thunderbird with remote Ubuntu Server 16.04
On 11/28/2016 at 3:25 PM, "Viktor Dukhovni"wrote: > >On Mon, Nov 28, 2016 at 02:59:22PM -0600, rich.gre...@hushmail.com >wrote: > >> >>smtpd_tls_cert_file=/etc/letsencrypt/live/example.com/fullchain.pe >m >> >> >smtpd_tls_key_file=/etcletsencrypt/live/example.com/privkey.pem >> > >> >The key file setting seems to have a typo. >> > >> >> smtpd_use_tls=yes >> > >> >> I commented >> #smtpd_use_tls=yes >> and added >> smtpd_tls_security_level = may > >Did you also fix the key_file setting? > Yes, I did. >> Squirrelmail is installed with a package manager. Smoke and >mirrors is >> an understatement for how it is installed. In future, I will be >installing >> this from a tarball to have a grasp of how it interacts with >> postfix/dovecot/apache. I composed a test email and the email >appeared >> in the destination mailbox (I tested using this email address). > >You have received headers and logs that should indicate how the >mail it sent entered your mailbox. You can also look at the >relevant >application settings. > I found the error console. There were errors in regards to a JavaScriipt file included with Thunderbird that returned a failure number upon exit. I don't think it's hinting at the problem though (NS_ERROR_UNEXPECTED: Component returned failure code 0x8000 (NS_ERROR_UNEXPETED) nslMsgMailNewsUrl.server resource:///modules/activity/alertHook.js) >> >Was this via port 25 or 587? >> >> Not entirely sure. I looked in and the field is filled with a >25, so I >> assume the autodetect feature determined port 25. It said, next >to that >> box, the default was port 587. > >Then set it back to the default, and do make sure your master.cf >file has a working definition of the submission service. > I changed it. When I compose and send to an outside domain now, I get an error that hints towards port 25 being strongly preferred over 587. Sending of the message failed. The message could not be sent because connecting to Outgoing server (SMTP) timothylegg.com failed. The server may be unavailable or is refusing SMTP connections. Please verify that your Outgoing server (SMTP) settings are correct and try again. >> I performed all my tests with my actual domain name, not >example.com (I've >> seen it happen on this very list about two years ago -- don't >laugh). My >> domain is based on my name and I cannot have a search engine >return forum >> posts as results for a query of my name. > >Hiding the real server name limits the help that you can get. Your >choice. I can trust people on the basis that the personal information does not become posted on a world-readable forum. I will provide this information on a case by case basis. For you, I sent you an email to the address you subscribed to the list with. > >> >Perhaps you're better of with mailinabox.email, rather than DIY? >> >> I want to learn how it works today. I chose postfix because >it's widely >> used by the kinds of people who write HOWTO documents online. >I've >> considered switching to whichever platform has the most O'Reilly >books >> written in the past 3 years, but I'm still here anyway. >Hopefully a new >> Postfix book will come out soon. Hildebrand's book is over ten >years old >> now. It was a good book, just ten years is a bad age for a >software book >> to reach (unless it is authored by Knuth, of course). > >I don't think a new book is likely any time soon. The market for >mail server books is small, and books become dated quickly. If I ever figure this out... I will admit, I love to write. > >> An error occurred while sending mail. The mail server responded: > >> 4.7.1 : Relay access denied. >> Please check the message recipient "rich.gre...@hushmail.com" >and try again > >Your next challenge is configuring SASL auth on port 587. > >> Nov 28 21:48:14 example postfix/smtpd[2767]: Anonymous TLS >connection established from 75-120-xxx- >yyy.dyn.centurytel.net[75.120.xxx.yyy]: TLSv1.2 with cipher ECDHE- >RSA-AES128-GCM-SHA256 (128/128 bits) > >If you've configured a distinct syslog_name for the submission >service >(as recommended), then this is not submission, and your client >should >be using port 587 instead. However TLS is working, so that's >progress. > >> Nov 28 21:48:14 example postfix/smtpd[2767]: NOQUEUE: reject: >RCPT from 75-120-xxx-yyy.dyn.centurytel.net[75.120.xxx.yyy]: 454 >4.7.1 : Relay access denied; >from= to= proto=ESMTP >helo=<[10.211.55.24]> > >This is expected, your server is not an open relay. > >> Nov 28 21:48:22 example postfix/smtpd[2770]: Anonymous TLS >connection established from a15-204.smtp- >out.amazonses.com[54.240.15.204]: TLSv1 with cipher ECDHE-RSA- >AES128-SHA (128/128 bits) >> Nov 28 21:48:22 example postfix/smtpd[2770]: A41DE40299: >client=a15-204.smtp-out.amazonses.com[54.240.15.204] >> Nov 28 21:48:22
Re: SMTP Error with Thunderbird with remote Ubuntu Server 16.04
On 11/28/2016 at 1:28 PM, "Viktor Dukhovni"wrote: > >> On Nov 28, 2016, at 2:13 PM, rich.gre...@hushmail.com wrote: >> >> # TLS parameters >> smtpd_tls_loglevel = 1; > >If that ';' is really there, get rid of it. > Got rid of it. C habits are hard to break. Good eye spotting that; mistakes like those cause config files to be deleted and rewritten. >> >smtpd_tls_cert_file=/etc/letsencrypt/live/example.com/fullchain.pem >> smtpd_tls_key_file=/etcletsencrypt/live/example.com/privkey.pem > >The key file setting seems to have a typo. > >> smtpd_use_tls=yes > I commented #smtpd_use_tls=yes and added smtpd_tls_security_level = may >The non-obsolete setting is: "smtpd_tls_security_level = may" > >> smtpd_tls_session_cache_database = >btree:${data_directory}/smtpd_scache > >Not recommended, let TLS session tickets do the work. Commented #smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache > >> smtp_tls_session_cache_database = >btree:${data_directory}/smtp_scache > >This one is fine. > >> I sent a test message from squirrelmail to myself, and it worked. > >"It worked" is meaningless. Was TLS used? Is that sent via port >587 or >port 25? Logs? > Squirrelmail is installed with a package manager. Smoke and mirrors is an understatement for how it is installed. In future, I will be installing this from a tarball to have a grasp of how it interacts with postfix/dovecot/apache. I composed a test email and the email appeared in the destination mailbox (I tested using this email address). >> I tried with Thunderbird, and it had a problem. > >Was this via port 25 or 587? > Not entirely sure. I looked in and the field is filled with a 25, so I assume the autodetect feature determined port 25. It said, next to that box, the default was port 587. >> Sending of the message failed. >> An error occurred while sending mail: Unable to establish a >secure link with Outgoing server (SMTP) example.com using STARTTLS >since it doesn't advertise that feature. Switch off STARTTLS for >that server or contact your service provider. > >Did it even contact the same server? The obfuscated "example.com" >is not terribly >helpful. > I performed all my tests with my actual domain name, not example.com (I've seen it happen on this very list about two years ago -- don't laugh). My domain is based on my name and I cannot have a search engine return forum posts as results for a query of my name. You may have guessed correctly that the name on this account is not real and neither is the Berlin time zone in the system logs representing my actual location. >Perhaps you're better of with mailinabox.email, rather than DIY? > I think I wrote and deleted 1000+ words to keep this on topic because I tend to enter a history discussion about how email used to be so easy when I did this in the late 1990s. I didn't keep up. I got busy and hired consultants to do the setup for me over the past 15 years. I look now and wonder what on earth has gone on. To be fair, I used to login plaintext password via telnet the last time I successfully installed qmail on my FreeBSD box. I want to learn how it works today. I chose postfix because it's widely used by the kinds of people who write HOWTO documents online. I've considered switching to whichever platform has the most O'Reilly books written in the past 3 years, but I'm still here anyway. Hopefully a new Postfix book will come out soon. Hildebrand's book is over ten years old now. It was a good book, just ten years is a bad age for a software book to reach (unless it is authored by Knuth, of course). Anyways The performance has evolved. I get a meaningful error message from Thunderbird now. An error occurred while sending mail. The mail server responded: 4.7.1 : Relay access denied. Please check the message recipient "rich.gre...@hushmail.com" and try again I checked in /var/log/mail.log Not sure what to make of this. This is the reason why I ask students to think about documentation and usability... Nov 28 21:48:13 example postfix/smtpd[2767]: connect from 75-120-xxx-yyy.dyn.centurytel.net[75.120.xxx.yyy] Nov 28 21:48:14 example postfix/smtpd[2767]: Anonymous TLS connection established from 75-120-xxx-yyy.dyn.centurytel.net[75.120.xxx.yyy]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits) Nov 28 21:48:14 example postfix/smtpd[2767]: NOQUEUE: reject: RCPT from 75-120-xxx-yyy.dyn.centurytel.net[75.120.xxx.yyy]: 454 4.7.1 : Relay access denied; from= to= proto=ESMTP helo=<[10.211.55.24]> Nov 28 21:48:21 example postfix/smtpd[2770]: connect from a15-204.smtp-out.amazonses.com[54.240.15.204] Nov 28 21:48:22 example postfix/smtpd[2770]: Anonymous TLS connection established from a15-204.smtp-out.amazonses.com[54.240.15.204]: TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128
Re: SMTP Error with Thunderbird with remote Ubuntu Server 16.04
Okay, Victor, thanks for the stats in the second email! That is quite interesting to read. I have only recently (this summer) heard of LetsEncrypt.org. Up until that point, I had expected that I was condemned by powers-that-be to buy a key annually forever. Oh yeah, I love the "smoke and mirrors" comment about letsencrypt.org. That was priceless. I made a few changes in my main.cf # TLS parameters smtpd_tls_loglevel = 1; smtpd_tls_cert_file=/etc/letsencrypt/live/example.com/fullchain.pem smtpd_tls_key_file=/etcletsencrypt/live/example.com/privkey.pem smtpd_use_tls=yes smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache I sent a test message from squirrelmail to myself, and it worked. I tried with Thunderbird, and it had a problem. Sending of the message failed. An error occurred while sending mail: Unable to establish a secure link with Outgoing server (SMTP) example.com using STARTTLS since it doesn't advertise that feature. Switch off STARTTLS for that server or contact your service provider. So it suggests that I switch off STARTTLS, which implies that it detected that it was running, but at the same time, it took issue that it wasn't formally informed that it was running, which is a bit pedantic. So I wondered why it did not advertise that it was enabled. I telnet'd into my machine on port 25 and after giving EHLO example.com, I saw it right there: 250-STARTTLS To me, it sure does look like it advertised that feature. What could be wrong here? On 11/28/2016 at 12:30 PM, "Viktor Dukhovni"wrote: > >On Mon, Nov 28, 2016 at 12:18:09PM -0600, rich.gre...@hushmail.com >wrote: > >> Okay, I am already using letsencrypt.org for my port 443 >traffic. So once >> I have it extended to also cover SMTP on port 587, would it be >acceptable >> to disable port 25, or is port 25 still needed (perhaps to >suggest to >> clients that it isn't accepting any traffic except 587) > > * Port 25: This is where you receive email sent *to you* by >other domains > * Port 587: This is where your MUA sends email *from you*, >possibly destined > to other domains. > >Enable either or both as desired. > >> I have to admit, I have no idea how letsencrypt.org works. > >Smoke and mirrors. > >> For years, I just made self-signed certificates and it worked >okay, until >> some mover-shaker type decided we can't do that anymore, and >made it >> brutally difficult to access my website for typical users. Out >of concern >> of the same happening to email clients, I won't make any more >self-signed >> certificates. I never expected that letsencrypt.org would >support email >> services as well, so their HOWTO docs for SMTP encryption is my >next stop. > >Self-signed or self-issued is still the best option for port 25 >DANE, for port 587, Let's Encrypt is a reasonable way to avoid MUA >friction. Many domains (at least 2900 at last count) use Let's >Encrypt on port 25, even though that's not what I'd recommend (and >indeed it is not uncommon for LE users to mishandle the initial >key rotation, though they tend to get the hang of it after a >while). > >For most users, I highly recommend the mailinabox setup, it is >reliable >and easy to deploy. > >https://mailinabox.email/ > >-- > Viktor.
Re: SMTP Error with Thunderbird with remote Ubuntu Server 16.04
Okay, I am already using letsencrypt.org for my port 443 traffic. So once I have it extended to also cover SMPT on port 587, would it be acceptable to disable port 25, or is port 25 still needed (perhaps to suggest to clients that it isn't accepting any traffic except 587) I have to admit, I have no idea how letsencrypt.org works. For years, I just made self-signed certificates and it worked okay, until some mover-shaker type decided we can't do that anymore, and made it brutally difficult to access my website for typical users. Out of concern of the same happening to email clients, I won't make any more self-signed certificates. I never expected that letsencrypt.org would support email services as well, so their HOWTO docs for SMTP encryption is my next stop. Thanks very much for the tip. On 11/28/2016 at 12:07 PM, "Viktor Dukhovni"wrote: > >On Mon, Nov 28, 2016 at 11:57:44AM -0600, rich.gre...@hushmail.com >wrote: > >> Nov 28 18:35:14 example postfix/smtpd[1293]: connect from 69-179- >xxx-yyy.dyn.centurytel.net[69.179.xxx.yyy] >> Nov 28 18:35:16 example postfix/smtpd[1293]: warning: TLS >library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 >alert unknown ca:s3_pkt.c:1472:SSL alert number 48: > >The MUA tells Postfix (alert unknown ca) that it does not trust >the issuer of the Postfix server's X.509 TLS certificate. To avoid >that, you'd to configure a Let's Encrypt or similar certificate >for the submission (port 587) SMTP service. > >Alternatively, you need to configure the mail client to trust your >own (likely self-signed) certificate that is currently deployed. > >http://www.postfix.org/TLS_README.html#server_tls > >If you'd like to some day deploy DANE, also look at: > >http://postfix.1071664.n5.nabble.com/WoSign-StartCom-CA-in-the- >news-td86436.html#a86444 >https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0- >2-dane-tlsa-records-with-le-certificates/7022 >https://www.internetsociety.org/deploy360/blog/2016/03/lets- >encrypt-certificates-for-mail-servers-and-dane-part-2-of-2/ > >-- > Viktor.
Re: SMTP Error with Thunderbird with remote Ubuntu Server 16.04
I should make clear in the post that u...@example.com is the IMAP mailbox name and that m...@example.com is a virtual alias. This machine hosts about 8 domains and has, I think, three mailboxes. I am the sole user of the email system. On 11/28/2016 at 11:58 AM, rich.gre...@hushmail.com wrote: > >Okay, I am really curious how this works then. Good catch on the >'www' test. I winged it without reading the manpage. I've never >known a good starting point for learning DNS, so that is >definitely a weak point. So, now that the DNS is out of the way. >I'm going to dig deeper here. > >When I try to send a message to myself using Thunderbird, >m...@example.com, I get this > >Sending of the message failed. >The message could not be sent using Outgoing server (SMTP) >example.com for an unknown reason. Please verify that your >Outgoing server (SMTP) settings are correct and try again. > >Then about half a second later, a popup window appears titled 'Add >security exception' that begins "You are about to override how >Thunderbird identifies this site". I click on 'Get Certificate', >but it doesn't really do anything. > >So I look in the logs: > >mail.log > >Nov 28 18:34:56 example dovecot: imap-login: Login: >user=, method=PLAIN, rip=69.179.xxx.yyy, >lip=192.168.178.31, mpid=1291, TLS, session= >Nov 28 18:35:14 example postfix/smtpd[1293]: connect from 69-179- >xxx-yyy.dyn.centurytel.net[69.179.xxx.yyy] >Nov 28 18:35:16 example postfix/smtpd[1293]: warning: TLS library >problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert >unknown ca:s3_pkt.c:1472:SSL alert number 48: >Nov 28 18:35:16 example postfix/smtpd[1293]: lost connection after >STARTTLS from 69-179-xxx-yyy.dyn.centurytel.net[69.179.xxx.yyy] >Nov 28 18:35:16 example postfix/smtpd[1293]: disconnect from 69- >179-xxx-yyy.dyn.centurytel.net[69.179.xxx.yyy] ehlo=1 starttls=1 >commands=2 > >I have no idea what this means. > >The only other log file with a recent entry would be the auth.log >which seems to only detail the 20 or so attempts of SSH login each >minute from across the world, which is normal for anybody with a >website. > >Rick > >On 11/28/2016 at 11:12 AM, "Noel Jones" >wrote: >> >>On 11/28/2016 9:07 AM, rich.gre...@hushmail.com wrote: >>> Hello, >>> >>> First, email has been working fine on this server for past >>several months while using the Squirrelmail web client located on >>the same server. I am needing an alternative method to access >>mail services and decided, on a whim, to try Thunderbird. >>Thunderbird interacted with the Dovecot IMAP server just fine, >but >>when I tried to test sending mail over SMTP, it failed. I wish >the >>error they gave me was more verbose, but it wasn't. So I decided >>to test things in more detail. >>> >>> I decided that, since SMTP is a plain-text protocol, I should >be >>able to interact via telnet. Searching on this idea, I found a >>really interesting webpage >>> >>> https://www.port25.com/how-to-check-an-smtp-connection-with-a- >>manual-telnet-session-2/ >>> >>> There was something strange with the MX record. I modified the >>URL, of course. >>> >>> nslookup -type=mx example.com >>> Server: 8.8.8.8 >>> Address:8.8.8.8#53 >>> >>> Non-authoritative answer: >>> example.com mail exchanger = 10 mail.example.com. >>> >>> Authoritative answers can be found from: >>> >>> >>> and that was it. >> >>Nothing wrong here, MX records don't contain an IP. You can >>compare >>with -type=mx gmail.com. >> >> >>> >>> I decided to perform the same test, but pull the www record and >>with that I actually got an IP address. >>> >>> nslookup -type=www example.com >>> unknown query type: www >>> Server: 8.8.8.8 >>> Address:8.8.8.8#53 >>> >>> Non-authoritative answer: >>> Name: example.com >>> Address: 87.xxx.yyy.zzz >>> >> >>There is no type=www. This test is broken. >> >> >>http://www.postfix.org/DEBUG_README.html >> >>If you show postfix logs and describe the actual error you're >>getting, maybe someone can help. >>http://www.postfix.org/DEBUG_README.html#mail >> >> >> -- Noel Jones
Re: SMTP Error with Thunderbird with remote Ubuntu Server 16.04
Okay, I am really curious how this works then. Good catch on the 'www' test. I winged it without reading the manpage. I've never known a good starting point for learning DNS, so that is definitely a weak point. So, now that the DNS is out of the way. I'm going to dig deeper here. When I try to send a message to myself using Thunderbird, m...@example.com, I get this Sending of the message failed. The message could not be sent using Outgoing server (SMTP) example.com for an unknown reason. Please verify that your Outgoing server (SMTP) settings are correct and try again. Then about half a second later, a popup window appears titled 'Add security exception' that begins "You are about to override how Thunderbird identifies this site". I click on 'Get Certificate', but it doesn't really do anything. So I look in the logs: mail.log Nov 28 18:34:56 example dovecot: imap-login: Login: user=, method=PLAIN, rip=69.179.xxx.yyy, lip=192.168.178.31, mpid=1291, TLS, session= Nov 28 18:35:14 example postfix/smtpd[1293]: connect from 69-179-xxx-yyy.dyn.centurytel.net[69.179.xxx.yyy] Nov 28 18:35:16 example postfix/smtpd[1293]: warning: TLS library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:s3_pkt.c:1472:SSL alert number 48: Nov 28 18:35:16 example postfix/smtpd[1293]: lost connection after STARTTLS from 69-179-xxx-yyy.dyn.centurytel.net[69.179.xxx.yyy] Nov 28 18:35:16 example postfix/smtpd[1293]: disconnect from 69-179-xxx-yyy.dyn.centurytel.net[69.179.xxx.yyy] ehlo=1 starttls=1 commands=2 I have no idea what this means. The only other log file with a recent entry would be the auth.log which seems to only detail the 20 or so attempts of SSH login each minute from across the world, which is normal for anybody with a website. Rick On 11/28/2016 at 11:12 AM, "Noel Jones" wrote: > >On 11/28/2016 9:07 AM, rich.gre...@hushmail.com wrote: >> Hello, >> >> First, email has been working fine on this server for past >several months while using the Squirrelmail web client located on >the same server. I am needing an alternative method to access >mail services and decided, on a whim, to try Thunderbird. >Thunderbird interacted with the Dovecot IMAP server just fine, but >when I tried to test sending mail over SMTP, it failed. I wish the >error they gave me was more verbose, but it wasn't. So I decided >to test things in more detail. >> >> I decided that, since SMTP is a plain-text protocol, I should be >able to interact via telnet. Searching on this idea, I found a >really interesting webpage >> >> https://www.port25.com/how-to-check-an-smtp-connection-with-a- >manual-telnet-session-2/ >> >> There was something strange with the MX record. I modified the >URL, of course. >> >> nslookup -type=mx example.com >> Server: 8.8.8.8 >> Address: 8.8.8.8#53 >> >> Non-authoritative answer: >> example.com mail exchanger = 10 mail.example.com. >> >> Authoritative answers can be found from: >> >> >> and that was it. > >Nothing wrong here, MX records don't contain an IP. You can >compare >with -type=mx gmail.com. > > >> >> I decided to perform the same test, but pull the www record and >with that I actually got an IP address. >> >> nslookup -type=www example.com >> unknown query type: www >> Server: 8.8.8.8 >> Address: 8.8.8.8#53 >> >> Non-authoritative answer: >> Name:example.com >> Address: 87.xxx.yyy.zzz >> > >There is no type=www. This test is broken. > > >http://www.postfix.org/DEBUG_README.html > >If you show postfix logs and describe the actual error you're >getting, maybe someone can help. >http://www.postfix.org/DEBUG_README.html#mail > > > -- Noel Jones
SMTP Error with Thunderbird with remote Ubuntu Server 16.04
Hello, First, email has been working fine on this server for past several months while using the Squirrelmail web client located on the same server. I am needing an alternative method to access mail services and decided, on a whim, to try Thunderbird. Thunderbird interacted with the Dovecot IMAP server just fine, but when I tried to test sending mail over SMTP, it failed. I wish the error they gave me was more verbose, but it wasn't. So I decided to test things in more detail. I decided that, since SMTP is a plain-text protocol, I should be able to interact via telnet. Searching on this idea, I found a really interesting webpage https://www.port25.com/how-to-check-an-smtp-connection-with-a-manual-telnet-session-2/ There was something strange with the MX record. I modified the URL, of course. nslookup -type=mx example.com Server: 8.8.8.8 Address:8.8.8.8#53 Non-authoritative answer: example.com mail exchanger = 10 mail.example.com. Authoritative answers can be found from: and that was it. I decided to perform the same test, but pull the www record and with that I actually got an IP address. nslookup -type=www example.com unknown query type: www Server: 8.8.8.8 Address:8.8.8.8#53 Non-authoritative answer: Name: example.com Address: 87.xxx.yyy.zzz
Re: SMTP Error with Thunderbird with remote Ubuntu Server 16.04
Okay, I accidentally sent this half-composed. But yes. I was able to send via SMTP, but only if my destination address was on my machine (which is probably good) Maybe since I sent this, I let people deliver their opinions on if this is an MX record issue first. Thanks Rick On 11/28/2016 at 9:08 AM, rich.gre...@hushmail.com wrote: > >Hello, > >First, email has been working fine on this server for past several >months while using the Squirrelmail web client located on the same >server. I am needing an alternative method to access mail >services and decided, on a whim, to try Thunderbird. Thunderbird >interacted with the Dovecot IMAP server just fine, but when I >tried to test sending mail over SMTP, it failed. I wish the error >they gave me was more verbose, but it wasn't. So I decided to >test things in more detail. > >I decided that, since SMTP is a plain-text protocol, I should be >able to interact via telnet. Searching on this idea, I found a >really interesting webpage > >https://www.port25.com/how-to-check-an-smtp-connection-with-a- >manual-telnet-session-2/ > >There was something strange with the MX record. I modified the >URL, of course. > >nslookup -type=mx example.com >Server:8.8.8.8 >Address: 8.8.8.8#53 > >Non-authoritative answer: >example.commail exchanger = 10 mail.example.com. > >Authoritative answers can be found from: > > >and that was it. > >I decided to perform the same test, but pull the www record and >with that I actually got an IP address. > >nslookup -type=www example.com >unknown query type: www >Server:8.8.8.8 >Address: 8.8.8.8#53 > >Non-authoritative answer: >Name: example.com >Address: 87.xxx.yyy.zzz