Re: Prevention of sending authentication via plaintext on port 25.

[rich . greder]

On 12/3/2016 at 10:45 AM, "John Fawcett"  wrote:
>
>On 12/03/2016 05:25 PM, rich.gre...@hushmail.com wrote:
>> Here I am, replying to my own post again.  What I said in the 
>prior post wasn't entirely true.  I realized that I used the wrong 
>password in my prior attempt.  I am still granted access to the 
>SMTP service after authenticating in plaintext on port 25.
>>
>> So I'm somewhat confused how to prevent/discourage users from 
>sending their authentication detail in the clear when there are 
>secure methods that exist (such as, $ openssl s_client -starttls 
>smtp -connect example.com:587)
>>
>>
>> $ telnet example.com 25
>> Trying 87.138.xxx.yyy...
>> Connected to example.com.
>> Escape character is '^]'.
>> 220 example.com ESMTP Postfix (Ubuntu)
>> ehlo example.com
>> 250-example.com
>> 250-PIPELINING
>> 250-SIZE 1024
>> 250-VRFY
>> 250-ETRN
>> 250-STARTTLS
>> 250-AUTH PLAIN LOGIN
>> 250-AUTH=PLAIN LOGIN
>> 250-ENHANCEDSTATUSCODES
>> 250-8BITMIME
>> 250 DSN
>> AUTH LOGIN
>> 334 VXNlcm5hbWU6
>> dXNlckBleGFtcGxlLmNvbQ==
>> 334 UGFzc3dvcmQ6
>> eW91IHdvdWxkIGRlY29kZSB0aGlz
>> 235 2.7.0 Authentication successful
>> quit
>>
>>
>> Thanks
>>
>Sounds as though you have not disabled auth on port 25, so you have
>still got
>
>smtpd_sasl_auth_only=yes
>

You mean, 'smtpd_tls_auth_only=yes' ?

>for the smtpd service. You may have configured that in main.cf by 
>changing the default value or in master.cf for the specific smtpd 
>entry.
>

In the main.cf, I have set globally

smtpd_tls_auth_only = yes

and in the master.cf, just to make sure, I have:

submission inet n   -   n   -   -   smtpd
  -o smtpd_tls_auth_only=yes

So yes, after changing no -> yes in the main.cf, I get the permissions that I 
want.

>John

Re: Prevention of sending authentication via plaintext on port 25.

[rich . greder]

Here I am, replying to my own post again.  What I said in the prior post wasn't 
entirely true.  I realized that I used the wrong password in my prior attempt.  
I am still granted access to the SMTP service after authenticating in plaintext 
on port 25.

So I'm somewhat confused how to prevent/discourage users from sending their 
authentication detail in the clear when there are secure methods that exist 
(such as, $ openssl s_client -starttls smtp -connect example.com:587)


$ telnet example.com 25
Trying 87.138.xxx.yyy...
Connected to example.com.
Escape character is '^]'.
220 example.com ESMTP Postfix (Ubuntu)
ehlo example.com
250-example.com
250-PIPELINING
250-SIZE 1024
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH LOGIN
334 VXNlcm5hbWU6
dXNlckBleGFtcGxlLmNvbQ==
334 UGFzc3dvcmQ6
eW91IHdvdWxkIGRlY29kZSB0aGlz
235 2.7.0 Authentication successful
quit


Thanks

On 12/3/2016 at 10:03 AM, rich.gre...@hushmail.com wrote:
>
>I suspected that was a typo.  I figured it out.
>
>I made those changes, when I attempt an AUTH LOGIN, I get back 
>"535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6" which seems 
>to be appropriate. 
>
>So the user is no longer rewarded with access to the SMTP services 
>when they attempt to connect using this method, such as sending a 
>plaintext password on port 25.  Obviously, user irresponsibility 
>can't be prevented, but at least they are denied access for 
>attempting to connect in an irresponsible manner.  So yes, I can 
>see how this works.
>
>Thanks
>
>On 12/3/2016 at 9:49 AM, "Wietse Venema"  
>wrote:
>>
>>John Fawcett:
>>> On 12/03/2016 04:10 PM, Wietse Venema wrote:
>>> > rich.gre...@hushmail.com:
>>> >> There are ports that exist for encrypted transfer of this 
>data
>>> >> (such as 465, 587).  What is the current state of the art for
>>> >> preventing the user's client software from being able to do 
>>this
>>> >> (sending their authentication details plaintext)?  Is it 
>safe 
>>to
>>> >> simply block this port external to the machine, for example, 
>>in
>>> >> the router?
>>> > Don't enable SASL auth on port 25.
>>> >
>>> > Do require smtpd_tls_auth_only=yes on port 587.
>>> >
>>> > This is easiest implemented by seting smtpd_sasl_auth_enable 
>>and
>>> > smtpd_tls_auth_only in the master.cf entry for the port 587 
>>service,
>>> > and not setting them in main.cf.
>>> >
>>> > submission inet n   -   n   -   -   smtpd
>>> >   -o syslog_name=postfix/submission
>>> >   -o smtpd_tls_security_level=encrypt
>>> >   -o smtpd_sasl_auth_enable=yes
>>> >   -o smtpd_sasl_auth_only=yes
>>> >   -o smtpd_reject_unlisted_recipient=no
>>> >   -o smtpd_client_restrictions=$mua_client_restrictions
>>> >   -o smtpd_helo_restrictions=$mua_helo_restrictions
>>> >   -o smtpd_sender_restrictions=$mua_sender_restrictions
>>> >   -o smtpd_recipient_restrictions=
>>> >   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
>>> >   -o milter_macro_daemon_name=ORIGINATING
>>> >
>>> > (similar for the obsolete 'smtps' service on port 465).
>>> >
>>> > mua_client_restrictions, mua_helo_restrictions, 
>>mua_sender_restrictions
>>> > can then be specified in main.cf.
>>> >
>>> >   Wietse
>>> 
>>> Wietse
>>> 
>>> this looks like a typo
>>> 
>>> -o smtpd_sasl_auth_only=yes
>>> 
>>> that should be
>>> 
>>> -o smtpd_tls_auth_only=yes
>>> 
>>> in line with your comment above the config.
>>
>>Yes.
>>
>>  Wietse

Re: Prevention of sending authentication via plaintext on port 25.

[rich . greder]

I suspected that was a typo.  I figured it out.

I made those changes, when I attempt an AUTH LOGIN, I get back "535 5.7.8 
Error: authentication failed: UGFzc3dvcmQ6" which seems to be appropriate. 

So the user is no longer rewarded with access to the SMTP services when they 
attempt to connect using this method, such as sending a plaintext password on 
port 25.  Obviously, user irresponsibility can't be prevented, but at least 
they are denied access for attempting to connect in an irresponsible manner.  
So yes, I can see how this works.

Thanks

On 12/3/2016 at 9:49 AM, "Wietse Venema"  wrote:
>
>John Fawcett:
>> On 12/03/2016 04:10 PM, Wietse Venema wrote:
>> > rich.gre...@hushmail.com:
>> >> There are ports that exist for encrypted transfer of this data
>> >> (such as 465, 587).  What is the current state of the art for
>> >> preventing the user's client software from being able to do 
>this
>> >> (sending their authentication details plaintext)?  Is it safe 
>to
>> >> simply block this port external to the machine, for example, 
>in
>> >> the router?
>> > Don't enable SASL auth on port 25.
>> >
>> > Do require smtpd_tls_auth_only=yes on port 587.
>> >
>> > This is easiest implemented by seting smtpd_sasl_auth_enable 
>and
>> > smtpd_tls_auth_only in the master.cf entry for the port 587 
>service,
>> > and not setting them in main.cf.
>> >
>> > submission inet n   -   n   -   -   smtpd
>> >   -o syslog_name=postfix/submission
>> >   -o smtpd_tls_security_level=encrypt
>> >   -o smtpd_sasl_auth_enable=yes
>> >   -o smtpd_sasl_auth_only=yes
>> >   -o smtpd_reject_unlisted_recipient=no
>> >   -o smtpd_client_restrictions=$mua_client_restrictions
>> >   -o smtpd_helo_restrictions=$mua_helo_restrictions
>> >   -o smtpd_sender_restrictions=$mua_sender_restrictions
>> >   -o smtpd_recipient_restrictions=
>> >   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
>> >   -o milter_macro_daemon_name=ORIGINATING
>> >
>> > (similar for the obsolete 'smtps' service on port 465).
>> >
>> > mua_client_restrictions, mua_helo_restrictions, 
>mua_sender_restrictions
>> > can then be specified in main.cf.
>> >
>> >Wietse
>> 
>> Wietse
>> 
>> this looks like a typo
>> 
>> -o smtpd_sasl_auth_only=yes
>> 
>> that should be
>> 
>> -o smtpd_tls_auth_only=yes
>> 
>> in line with your comment above the config.
>
>Yes.
>
>   Wietse

Prevention of sending authentication via plaintext on port 25.

[rich . greder]

I love to go and see what I can get away with using telnet.  I decided to send 
and check email from the command line.

Since I consider my test location to be low risk, I decided to try to send my 
password plaintext over port 25.  I was a moderately surprised that it did 
work, as seen below in the typescript.  Now imagine that if I was hosting for 
more people than just a few family members, any arbitrary user could, perhaps 
out of ignorance or convenience, be choosing to send their password plaintext.  
In the event of someone sniffing the authentication data, they would be able to 
transmit emails using a shell script, which concerns me.

There are ports that exist for encrypted transfer of this data (such as 465, 
587).  What is the current state of the art for preventing the user's client 
software from being able to do this (sending their authentication details 
plaintext)?  Is it safe to simply block this port external to the machine, for 
example, in the router?

Thanks...

$ telnet example.com 25
Trying 87.138.xxx.yyy...
Connected to example.com.
Escape character is '^]'.
220 example.com ESMTP Postfix (Ubuntu)
helo example
250 example.com
ehlo example
250-example.com
250-PIPELINING
250-SIZE 1024
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH LOGIN
334 VXNlcm5hbWU6
dXNlckBleGFtcGxlLm9yZw==
334 UGFzc3dvcmQ6
cGFzc3dvcmQ=
235 2.7.0 Authentication successful
mail from: <m...@example.org>
250 2.1.0 Ok
rcpt to: <rich.gre...@hushmail.com>
250 2.1.5 Ok
data
354 End data with .
From:  <m...@example.org>
To: Rich Greder <rich.gre...@hushmail.com>
Subject: Testing
This is a test.
.

250 2.0.0 Ok: queued as BFDEB3FE30
quit
221 2.0.0 Bye
Connection closed by foreign host.

Re: SMTP Error with Thunderbird with remote Ubuntu Server 16.04

[rich . greder]

Okay, I'm made some exciting progress and I am grateful for the help.  I will 
show to people how I got this working

At first thought, I figured that it would simply be the IMAP password used by 
Dovecot to access my mailbox.  Not exactly true...  I did some digging in some 
blogs and the documentation for Dovecot and Postfix.  I configured Dovecot to 
authenticate using a SHA512 encrypted password in a SQL database, just as was 
posted in a blog some time back (Reference 1).  I found out that I can have 
SASL authentication for Postfix via Dovecot.  I made a few changes according to 
a blog post (Reference 2)

I can send and receive mail from Thunderbird now, which resolves this long and 
tortured thread.

For the good of the internet community, I am sharing my configuration in it's 
working state.


After all this, my main.cf has evolved to become:

mydomain = example.com
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
append_dot_mydomain = no
readme_directory = no

# TLS parameters
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_cert_file=/etc/letsencrypt/live/example.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/example.com/privkey.pem
#smtpd_use_tls=yes
#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

#Added December 1, 2016 TLS parameters
smtpd_tls_received_header = yes
smtpd_tls_auth_only = no
smtpd_use_tls=yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_session_cache_timeout = 3600s
#end December 1, 2016 TLS parameters

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated 
defer_unauth_destination
myhostname = example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
#mydestination = $myhostname, example.com, localhost.com, , localhost
mydestination = localhost
relayhost = 
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf

#Added December 1 to enable SASL with Dovecot
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain = example.com
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, 
reject_unauth_destination
#End December 1 SASL/Dovecot parameters

and the master.cf has become:

==
# service type  private unpriv  chroot  wakeup  maxproc command + args
#   (yes)   (yes)   (no)(never) (100)
# ==
smtp  inet  n   -   y   -   -   smtpd
submission inet n   -   n   -   -   smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
 -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
 -o milter_macro_daemon_name=ORIGINATING
pickupunix  n   -   y   60  1   pickup
cleanup   unix  n   -   y   -   0   cleanup
qmgr  unix  n   -   n   300 1   qmgr
tlsmgrunix  -   -   y   1000?   1   tlsmgr
rewrite   unix  -   -   y   -   -   trivial-rewrite
bounceunix  -   -   y   -   0   bounce
defer unix  -   -   y   -   0   bounce
trace unix  -   -   y   -   0   bounce
verifyunix  -   -   y   -   1   verify
flush unix  n   -   y   1000?   0   flush
proxymap  unix  -   -   n   -   -   proxymap
proxywrite unix -   -   n   -   1   proxymap
smtp  unix  -   -   y   -   -   smtp
relay unix  -   -   y   -   -   smtp
showq unix  n   -   y   -   -   showq
error unix  -   -   y   -   -   error
retry unix  -   -   y   -   -   error
discard   unix  -   -   y   -   -   discard
local unix  -   n   n   -   -   local
virtual   unix  -   n   n   -   -   virtual
lmtp  unix  -   -   y   -   -   lmtp
anvil unix  -   -   y   -   1   anvil
scacheunix  -   -   y   -   1   scache
maildrop  unix  -   n   n   -   -   pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp  unix  -   n   n   -   -   

Re: SMTP Error with Thunderbird with remote Ubuntu Server 16.04

[rich . greder]

On 11/28/2016 at 4:56 PM, "Bill Cole" 
 wrote:
>
>On 28 Nov 2016, at 17:29, rich.gre...@hushmail.com wrote:
>
>> I changed it.  When I compose and send to an outside domain now, 
>I get 
>> an error that hints towards port 25 being strongly preferred 
>over 587.
>>
>> Sending of the message failed.
>> The message could not be sent because connecting to Outgoing 
>server 
>> (SMTP) timothylegg.com failed. The server may be unavailable or 
>is 
>> refusing SMTP connections. Please verify that your Outgoing 
>server 
>> (SMTP) settings are correct and try again.
>
>
>OK: this implies that you don't have a port 587 submission service 
>running at all. 

I did not.  I opened 587 to the machine (I didn't realize it was closed)

I made modifications to the master.cf file.

>To get one, you need an entry similar to this in 
>your 
>master.cf file:
>
>submission inet  n   -   n   -   -   smtpd
> -o syslog_name=postfix/submit

I assume you mean -o syslog_name=postfix/submission,  I did that.

> -o smtpd_tls_security_level=encrypt
> -o smtpd_sasl_auth_enable=yes
> -o 
>smtpd_recipient_restrictions=permit_sasl_authenticated,reject
> -o milter_macro_daemon_name=ORIGINATING
>
>You can see the currently active entries from master.cf with 
>"postconf 
>-Mf" if you're running a reasonably modern version of Postfix.
>

Yep, it's reasonable modern.  Double checking here.

smtp   inet  n   -   y   -   -   smtpd
submission inet  n   -   n   -   -   smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING


>This has gone far past the point where it is essential for you to 
>heed 
>the recommendations in the last section of the DEBUG_README file 
>(part 
>of the Postfix distribution) which are also sent to new 
>subscribers to 
>this list, regarding how best to effectively seek assistance here. 

Thanks for reminding me of this.  I found the online copy and I love it when I 
realize something in plain site that has been there forever without my noticing 
it.  (Like the tcpdump command.  I'm going to play with that for sure.)

>Noel 
>Jones suggested this to you almost 6 hours ago in a message which 
>you 
>replied to, and it is advice which has not gone obsolete in that 
>time.

So the server and thunderbird are talking to each other.  Apparently I don't 
have a password to access the SMTP server I have running.  This must be the 
SASL authentication I've read about in the past.  Dovecot/Squirrelmail 
apparently are able to access it just fine, so I'll look in the config files 
for it.  It must be in there somewhere.  

Re: SMTP Error with Thunderbird with remote Ubuntu Server 16.04

[rich . greder]

On 11/28/2016 at 3:25 PM, "Viktor Dukhovni"  wrote:
>
>On Mon, Nov 28, 2016 at 02:59:22PM -0600, rich.gre...@hushmail.com 
>wrote:
>
>> 
>>smtpd_tls_cert_file=/etc/letsencrypt/live/example.com/fullchain.pe
>m
>> >> 
>smtpd_tls_key_file=/etcletsencrypt/live/example.com/privkey.pem
>> >
>> >The key file setting seems to have a typo.
>> >
>> >> smtpd_use_tls=yes
>> >
>> 
>> I commented 
>> #smtpd_use_tls=yes
>> and added 
>> smtpd_tls_security_level = may
>
>Did you also fix the key_file setting?
>

Yes, I did.

>> Squirrelmail is installed with a package manager.  Smoke and 
>mirrors is
>> an understatement for how it is installed.  In future, I will be 
>installing
>> this from a tarball to have a grasp of how it interacts with
>> postfix/dovecot/apache.  I composed a test email and the email 
>appeared
>> in the destination mailbox (I tested using this email address).
>
>You have received headers and logs that should indicate how the
>mail it sent entered your mailbox.  You can also look at the 
>relevant
>application settings.
>

I found the error console.  There were errors in regards to a JavaScriipt file 
included with Thunderbird that returned a failure number upon exit. I don't 
think it's hinting at the problem though (NS_ERROR_UNEXPECTED: Component 
returned failure code 0x8000 (NS_ERROR_UNEXPETED) nslMsgMailNewsUrl.server 
resource:///modules/activity/alertHook.js)
 
>> >Was this via port 25 or 587?
>>
>> Not entirely sure.  I looked in and the field is filled with a 
>25, so I
>> assume the autodetect feature determined port 25.  It said, next 
>to that
>> box, the default was port 587.
>
>Then set it back to the default, and do make sure your master.cf
>file has a working definition of the submission service.
>

I changed it.  When I compose and send to an outside domain now, I get an error 
that hints towards port 25 being strongly preferred over 587.

Sending of the message failed.
The message could not be sent because connecting to Outgoing server (SMTP) 
timothylegg.com failed. The server may be unavailable or is refusing SMTP 
connections. Please verify that your Outgoing server (SMTP) settings are 
correct and try again.


>> I performed all my tests with my actual domain name, not 
>example.com (I've
>> seen it happen on this very list about two years ago -- don't 
>laugh).  My
>> domain is based on my name and I cannot have a search engine 
>return forum
>> posts as results for a query of my name.
>
>Hiding the real server name limits the help that you can get.  Your
>choice.

I can trust people on the basis that the personal information does not become 
posted on a world-readable forum.  I will provide this information on a case by 
case basis.  For you, I sent you an email to the address you subscribed to the 
list with.

>
>> >Perhaps you're better of with mailinabox.email, rather than DIY?
>> 
>> I want to learn how it works today.  I chose postfix because 
>it's widely
>> used by the kinds of people who write HOWTO documents online.  
>I've
>> considered switching to whichever platform has the most O'Reilly 
>books
>> written in the past 3 years, but I'm still here anyway.  
>Hopefully a new
>> Postfix book will come out soon.  Hildebrand's book is over ten 
>years old
>> now.  It was a good book, just ten years is a bad age for a 
>software book
>> to reach (unless it is authored by Knuth, of course).
>
>I don't think a new book is likely any time soon.  The market for
>mail server books is small, and books become dated quickly.

If I ever figure this out...

I will admit, I love to write.

>
>> An error occurred while sending mail. The mail server responded: 
> 
>> 4.7.1 : Relay access denied.
>>  Please check the message recipient "rich.gre...@hushmail.com" 
>and try again
>
>Your next challenge is configuring SASL auth on port 587.
>
>> Nov 28 21:48:14 example postfix/smtpd[2767]: Anonymous TLS 
>connection established from 75-120-xxx-
>yyy.dyn.centurytel.net[75.120.xxx.yyy]: TLSv1.2 with cipher ECDHE-
>RSA-AES128-GCM-SHA256 (128/128 bits)
>
>If you've configured a distinct syslog_name for the submission 
>service
>(as recommended), then this is not submission, and your client 
>should
>be using port 587 instead.  However TLS is working, so that's 
>progress.
>
>> Nov 28 21:48:14 example postfix/smtpd[2767]: NOQUEUE: reject: 
>RCPT from 75-120-xxx-yyy.dyn.centurytel.net[75.120.xxx.yyy]: 454 
>4.7.1 : Relay access denied; 
>from= to= proto=ESMTP 
>helo=<[10.211.55.24]>
>
>This is expected, your server is not an open relay.
>
>> Nov 28 21:48:22 example postfix/smtpd[2770]: Anonymous TLS 
>connection established from a15-204.smtp-
>out.amazonses.com[54.240.15.204]: TLSv1 with cipher ECDHE-RSA-
>AES128-SHA (128/128 bits)
>> Nov 28 21:48:22 example postfix/smtpd[2770]: A41DE40299: 
>client=a15-204.smtp-out.amazonses.com[54.240.15.204]
>> Nov 28 21:48:22 

Re: SMTP Error with Thunderbird with remote Ubuntu Server 16.04

[rich . greder]

On 11/28/2016 at 1:28 PM, "Viktor Dukhovni"  wrote:
>
>> On Nov 28, 2016, at 2:13 PM, rich.gre...@hushmail.com wrote:
>> 
>> # TLS parameters
>> smtpd_tls_loglevel = 1;
>
>If that ';' is really there, get rid of it.
>

Got rid of it.  C habits are hard to break.  Good eye spotting that; mistakes 
like those cause config files to be deleted and rewritten.

>> 
>smtpd_tls_cert_file=/etc/letsencrypt/live/example.com/fullchain.pem
>> smtpd_tls_key_file=/etcletsencrypt/live/example.com/privkey.pem
>
>The key file setting seems to have a typo.
>
>> smtpd_use_tls=yes
>

I commented 
#smtpd_use_tls=yes
and added 
smtpd_tls_security_level = may

>The non-obsolete setting is: "smtpd_tls_security_level = may"
>
>> smtpd_tls_session_cache_database = 
>btree:${data_directory}/smtpd_scache
>
>Not recommended, let TLS session tickets do the work.
 Commented

#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

>
>> smtp_tls_session_cache_database = 
>btree:${data_directory}/smtp_scache
>
>This one is fine.
>
>> I sent a test message from squirrelmail to myself, and it worked.
>
>"It worked" is meaningless.  Was TLS used?  Is that sent via port 
>587 or
>port 25?  Logs?
>

Squirrelmail is installed with a package manager.  Smoke and mirrors is an 
understatement for how it is installed.  In future, I will be installing this 
from a tarball to have a grasp of how it interacts with postfix/dovecot/apache. 
 I composed a test email and the email appeared in the destination mailbox (I 
tested using this email address).

>> I tried with Thunderbird, and it had a problem. 
>
>Was this via port 25 or 587?
>
Not entirely sure.  I looked in and the field is filled with a 25, so I assume 
the autodetect feature determined port 25.  It said, next to that box, the 
default was port 587.

>> Sending of the message failed.
>> An error occurred while sending mail: Unable to establish a 
>secure link with Outgoing server (SMTP) example.com using STARTTLS 
>since it doesn't advertise that feature. Switch off STARTTLS for 
>that server or contact your service provider.
>
>Did it even contact the same server?  The obfuscated "example.com" 
>is not terribly
>helpful.
>

I performed all my tests with my actual domain name, not example.com (I've seen 
it happen on this very list about two years ago -- don't laugh).  My domain is 
based on my name and I cannot have a search engine return forum posts as 
results for a query of my name.  You may have guessed correctly that the name 
on this account is not real and neither is the Berlin time zone in the system 
logs representing my actual location.

>Perhaps you're better of with mailinabox.email, rather than DIY?
>

I think I wrote and deleted 1000+ words to keep this on topic because I tend to 
enter a history discussion about how email used to be so easy when I did this 
in the late 1990s.  I didn't keep up.  I got busy and hired consultants to do 
the setup for me over the past 15 years.  I look now and wonder what on earth 
has gone on.  To be fair, I used to login plaintext password via telnet the 
last time I successfully installed qmail on my FreeBSD box.

I want to learn how it works today.  I chose postfix because it's widely used 
by the kinds of people who write HOWTO documents online.  I've considered 
switching to whichever platform has the most O'Reilly books written in the past 
3 years, but I'm still here anyway.  Hopefully a new Postfix book will come out 
soon.  Hildebrand's book is over ten years old now.  It was a good book, just 
ten years is a bad age for a software book to reach (unless it is authored by 
Knuth, of course).

Anyways

The performance has evolved.  I get a meaningful error message from Thunderbird 
now.

An error occurred while sending mail. The mail server responded:  
4.7.1 : Relay access denied.
 Please check the message recipient "rich.gre...@hushmail.com" and try again

I checked in /var/log/mail.log

Not sure what to make of this. This is the reason why I ask students to think 
about documentation and usability...

Nov 28 21:48:13 example postfix/smtpd[2767]: connect from 
75-120-xxx-yyy.dyn.centurytel.net[75.120.xxx.yyy]
Nov 28 21:48:14 example postfix/smtpd[2767]: Anonymous TLS connection 
established from 75-120-xxx-yyy.dyn.centurytel.net[75.120.xxx.yyy]: TLSv1.2 
with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Nov 28 21:48:14 example postfix/smtpd[2767]: NOQUEUE: reject: RCPT from 
75-120-xxx-yyy.dyn.centurytel.net[75.120.xxx.yyy]: 454 4.7.1 
: Relay access denied; from= 
to= proto=ESMTP helo=<[10.211.55.24]>
Nov 28 21:48:21 example postfix/smtpd[2770]: connect from 
a15-204.smtp-out.amazonses.com[54.240.15.204]
Nov 28 21:48:22 example postfix/smtpd[2770]: Anonymous TLS connection 
established from a15-204.smtp-out.amazonses.com[54.240.15.204]: TLSv1 with 
cipher ECDHE-RSA-AES128-SHA (128/128 

Re: SMTP Error with Thunderbird with remote Ubuntu Server 16.04

[rich . greder]

Okay, 

Victor, thanks for the stats in the second email!  That is quite interesting to 
read.  I have only recently (this summer) heard of LetsEncrypt.org.  Up until 
that point, I had expected that I was condemned by powers-that-be to buy a key 
annually forever.

Oh yeah, I love the "smoke and mirrors" comment about letsencrypt.org.  That 
was priceless.

I made a few changes in my main.cf

# TLS parameters
smtpd_tls_loglevel = 1;
smtpd_tls_cert_file=/etc/letsencrypt/live/example.com/fullchain.pem
smtpd_tls_key_file=/etcletsencrypt/live/example.com/privkey.pem
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

I sent a test message from squirrelmail to myself, and it worked.  I tried with 
Thunderbird, and it had a problem. 

Sending of the message failed.
An error occurred while sending mail: Unable to establish a secure link with 
Outgoing server (SMTP) example.com using STARTTLS since it doesn't advertise 
that feature. Switch off STARTTLS for that server or contact your service 
provider.

So it suggests that I switch off STARTTLS, which implies that it detected that 
it was running, but at the same time, it took issue that it wasn't formally 
informed that it was running, which is a bit pedantic.  So I wondered why it 
did not advertise that it was enabled.  I telnet'd into my machine on port 25 
and after giving EHLO example.com, I saw it right there:

250-STARTTLS

To me, it sure does look like it advertised that feature.

What could be wrong here?

On 11/28/2016 at 12:30 PM, "Viktor Dukhovni"  wrote:
>
>On Mon, Nov 28, 2016 at 12:18:09PM -0600, rich.gre...@hushmail.com 
>wrote:
>
>> Okay, I am already using letsencrypt.org for my port 443 
>traffic. So once
>> I have it extended to also cover SMTP on port 587, would it be 
>acceptable
>> to disable port 25, or is port 25 still needed (perhaps to 
>suggest to
>> clients that it isn't accepting any traffic except 587)
>
>  * Port  25: This is where you receive email sent *to you* by 
>other domains
>  * Port 587: This is where your MUA sends email *from you*, 
>possibly destined
> to other domains.
>
>Enable either or both as desired.
>
>> I have to admit, I have no idea how letsencrypt.org works.
>
>Smoke and mirrors.
>
>> For years, I just made self-signed certificates and it worked 
>okay, until
>> some mover-shaker type decided we can't do that anymore, and 
>made it
>> brutally difficult to access my website for typical users.  Out 
>of concern
>> of the same happening to email clients, I won't make any more 
>self-signed
>> certificates.  I never expected that letsencrypt.org would 
>support email
>> services as well, so their HOWTO docs for SMTP encryption is my 
>next stop.
>
>Self-signed or self-issued is still the best option for port 25
>DANE, for port 587, Let's Encrypt is a reasonable way to avoid MUA
>friction.  Many domains (at least 2900 at last count) use Let's
>Encrypt on port 25, even though that's not what I'd recommend (and
>indeed it is not uncommon for LE users to mishandle the initial
>key rotation, though they tend to get the hang of it after a 
>while).
>
>For most users, I highly recommend the mailinabox setup, it is 
>reliable
>and easy to deploy.
>
>https://mailinabox.email/
>
>-- 
>   Viktor.

Re: SMTP Error with Thunderbird with remote Ubuntu Server 16.04

[rich . greder]

Okay, I am already using letsencrypt.org for my port 443 traffic. So once I 
have it extended to also cover SMPT on port 587, would it be acceptable to 
disable port 25, or is port 25 still needed (perhaps to suggest to clients that 
it isn't accepting any traffic except 587)

I have to admit, I have no idea how letsencrypt.org works.  For years, I just 
made self-signed certificates and it worked okay, until some mover-shaker type 
decided we can't do that anymore, and made it brutally difficult to access my 
website for typical users.  Out of concern of the same happening to email 
clients, I won't make any more self-signed certificates.  I never expected that 
letsencrypt.org would support email services as well, so their HOWTO docs for 
SMTP encryption is my next stop.

Thanks very much for the tip.

On 11/28/2016 at 12:07 PM, "Viktor Dukhovni"  wrote:
>
>On Mon, Nov 28, 2016 at 11:57:44AM -0600, rich.gre...@hushmail.com 
>wrote:
>
>> Nov 28 18:35:14 example postfix/smtpd[1293]: connect from 69-179-
>xxx-yyy.dyn.centurytel.net[69.179.xxx.yyy]
>> Nov 28 18:35:16 example postfix/smtpd[1293]: warning: TLS 
>library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 
>alert unknown ca:s3_pkt.c:1472:SSL alert number 48:
>
>The MUA tells Postfix (alert unknown ca) that it does not trust
>the issuer of the Postfix server's X.509 TLS certificate.  To avoid
>that, you'd to configure a Let's Encrypt or similar certificate
>for the submission (port 587) SMTP service.
>
>Alternatively, you need to configure the mail client to trust your
>own (likely self-signed) certificate that is currently deployed.
>
>http://www.postfix.org/TLS_README.html#server_tls
>
>If you'd like to some day deploy DANE, also look at:
>
>http://postfix.1071664.n5.nabble.com/WoSign-StartCom-CA-in-the-
>news-td86436.html#a86444
>https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-
>2-dane-tlsa-records-with-le-certificates/7022
>https://www.internetsociety.org/deploy360/blog/2016/03/lets-
>encrypt-certificates-for-mail-servers-and-dane-part-2-of-2/
>
>-- 
>   Viktor.

Re: SMTP Error with Thunderbird with remote Ubuntu Server 16.04

[rich . greder]

I should make clear in the post that u...@example.com is the IMAP mailbox name 
and that m...@example.com is a virtual alias.  This machine hosts about 8 
domains and has, I think, three mailboxes. I am the sole user of the email 
system.

On 11/28/2016 at 11:58 AM, rich.gre...@hushmail.com wrote:
>
>Okay, I am really curious how this works then.  Good catch on the 
>'www' test.  I winged it without reading the manpage.  I've never 
>known a good starting point for learning DNS, so that is 
>definitely a weak point.  So, now that the DNS is out of the way.  
>I'm going to dig deeper here.
>
>When I try to send a message to myself using Thunderbird, 
>m...@example.com, I get this
>
>Sending of the message failed.
>The message could not be sent using Outgoing server (SMTP) 
>example.com for an unknown reason. Please verify that your 
>Outgoing server (SMTP) settings are correct and try again.
>
>Then about half a second later, a popup window appears titled 'Add 
>security exception' that begins "You are about to override how 
>Thunderbird identifies this site".  I click on 'Get Certificate', 
>but it doesn't really do anything.
>
>So I look in the logs:
>
>mail.log
>
>Nov 28 18:34:56 example dovecot: imap-login: Login: 
>user=, method=PLAIN, rip=69.179.xxx.yyy, 
>lip=192.168.178.31, mpid=1291, TLS, session=
>Nov 28 18:35:14 example postfix/smtpd[1293]: connect from 69-179-
>xxx-yyy.dyn.centurytel.net[69.179.xxx.yyy]
>Nov 28 18:35:16 example postfix/smtpd[1293]: warning: TLS library 
>problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert 
>unknown ca:s3_pkt.c:1472:SSL alert number 48:
>Nov 28 18:35:16 example postfix/smtpd[1293]: lost connection after 
>STARTTLS from 69-179-xxx-yyy.dyn.centurytel.net[69.179.xxx.yyy]
>Nov 28 18:35:16 example postfix/smtpd[1293]: disconnect from 69-
>179-xxx-yyy.dyn.centurytel.net[69.179.xxx.yyy] ehlo=1 starttls=1 
>commands=2
>
>I have no idea what this means.  
>
>The only other log file with a recent entry would be the auth.log 
>which seems to only detail the 20 or so attempts of SSH login each 
>minute from across the world, which is normal for anybody with a 
>website.
>
>Rick
>
>On 11/28/2016 at 11:12 AM, "Noel Jones"  
>wrote:
>>
>>On 11/28/2016 9:07 AM, rich.gre...@hushmail.com wrote:
>>> Hello,
>>> 
>>> First, email has been working fine on this server for past 
>>several months while using the Squirrelmail web client located on 
>>the same server.  I am needing an alternative method to access 
>>mail services and decided, on a whim, to try Thunderbird.  
>>Thunderbird interacted with the Dovecot IMAP server just fine, 
>but 
>>when I tried to test sending mail over SMTP, it failed. I wish 
>the 
>>error they gave me was more verbose, but it wasn't.  So I decided 
>>to test things in more detail.
>>> 
>>> I decided that, since SMTP is a plain-text protocol, I should 
>be 
>>able to interact via telnet.  Searching on this idea, I found a 
>>really interesting webpage
>>> 
>>> https://www.port25.com/how-to-check-an-smtp-connection-with-a-
>>manual-telnet-session-2/
>>> 
>>> There was something strange with the MX record.  I modified the 
>>URL, of course.
>>> 
>>> nslookup -type=mx example.com
>>> Server: 8.8.8.8
>>> Address:8.8.8.8#53
>>> 
>>> Non-authoritative answer:
>>> example.com mail exchanger = 10 mail.example.com.
>>> 
>>> Authoritative answers can be found from:
>>> 
>>> 
>>> and that was it.
>>
>>Nothing wrong here, MX records don't contain an IP.  You can 
>>compare
>>with -type=mx gmail.com.
>>
>>
>>> 
>>> I decided to perform the same test, but pull the www record and 
>>with that I actually got an IP address.
>>> 
>>> nslookup -type=www example.com
>>> unknown query type: www
>>> Server: 8.8.8.8
>>> Address:8.8.8.8#53
>>> 
>>> Non-authoritative answer:
>>> Name:   example.com
>>> Address: 87.xxx.yyy.zzz
>>> 
>>
>>There is no type=www.  This test is broken.
>>
>>
>>http://www.postfix.org/DEBUG_README.html
>>
>>If you show postfix logs and describe the actual error you're
>>getting, maybe someone can help.
>>http://www.postfix.org/DEBUG_README.html#mail
>>
>>
>>  -- Noel Jones

Re: SMTP Error with Thunderbird with remote Ubuntu Server 16.04

[rich . greder]

Okay, I am really curious how this works then.  Good catch on the 'www' test.  
I winged it without reading the manpage.  I've never known a good starting 
point for learning DNS, so that is definitely a weak point.  So, now that the 
DNS is out of the way.  I'm going to dig deeper here.

When I try to send a message to myself using Thunderbird, m...@example.com, I 
get this

Sending of the message failed.
The message could not be sent using Outgoing server (SMTP) example.com for an 
unknown reason. Please verify that your Outgoing server (SMTP) settings are 
correct and try again.

Then about half a second later, a popup window appears titled 'Add security 
exception' that begins "You are about to override how Thunderbird identifies 
this site".  I click on 'Get Certificate', but it doesn't really do anything.

So I look in the logs:

mail.log

Nov 28 18:34:56 example dovecot: imap-login: Login: user=, 
method=PLAIN, rip=69.179.xxx.yyy, lip=192.168.178.31, mpid=1291, TLS, 
session=
Nov 28 18:35:14 example postfix/smtpd[1293]: connect from 
69-179-xxx-yyy.dyn.centurytel.net[69.179.xxx.yyy]
Nov 28 18:35:16 example postfix/smtpd[1293]: warning: TLS library problem: 
error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown 
ca:s3_pkt.c:1472:SSL alert number 48:
Nov 28 18:35:16 example postfix/smtpd[1293]: lost connection after STARTTLS 
from 69-179-xxx-yyy.dyn.centurytel.net[69.179.xxx.yyy]
Nov 28 18:35:16 example postfix/smtpd[1293]: disconnect from 
69-179-xxx-yyy.dyn.centurytel.net[69.179.xxx.yyy] ehlo=1 starttls=1 commands=2

I have no idea what this means.  

The only other log file with a recent entry would be the auth.log which seems 
to only detail the 20 or so attempts of SSH login each minute from across the 
world, which is normal for anybody with a website.

Rick

On 11/28/2016 at 11:12 AM, "Noel Jones"  wrote:
>
>On 11/28/2016 9:07 AM, rich.gre...@hushmail.com wrote:
>> Hello,
>> 
>> First, email has been working fine on this server for past 
>several months while using the Squirrelmail web client located on 
>the same server.  I am needing an alternative method to access 
>mail services and decided, on a whim, to try Thunderbird.  
>Thunderbird interacted with the Dovecot IMAP server just fine, but 
>when I tried to test sending mail over SMTP, it failed. I wish the 
>error they gave me was more verbose, but it wasn't.  So I decided 
>to test things in more detail.
>> 
>> I decided that, since SMTP is a plain-text protocol, I should be 
>able to interact via telnet.  Searching on this idea, I found a 
>really interesting webpage
>> 
>> https://www.port25.com/how-to-check-an-smtp-connection-with-a-
>manual-telnet-session-2/
>> 
>> There was something strange with the MX record.  I modified the 
>URL, of course.
>> 
>> nslookup -type=mx example.com
>> Server:  8.8.8.8
>> Address: 8.8.8.8#53
>> 
>> Non-authoritative answer:
>> example.com  mail exchanger = 10 mail.example.com.
>> 
>> Authoritative answers can be found from:
>> 
>> 
>> and that was it.
>
>Nothing wrong here, MX records don't contain an IP.  You can 
>compare
>with -type=mx gmail.com.
>
>
>> 
>> I decided to perform the same test, but pull the www record and 
>with that I actually got an IP address.
>> 
>> nslookup -type=www example.com
>> unknown query type: www
>> Server:  8.8.8.8
>> Address: 8.8.8.8#53
>> 
>> Non-authoritative answer:
>> Name:example.com
>> Address: 87.xxx.yyy.zzz
>> 
>
>There is no type=www.  This test is broken.
>
>
>http://www.postfix.org/DEBUG_README.html
>
>If you show postfix logs and describe the actual error you're
>getting, maybe someone can help.
>http://www.postfix.org/DEBUG_README.html#mail
>
>
>  -- Noel Jones

SMTP Error with Thunderbird with remote Ubuntu Server 16.04

[rich . greder]

Hello,

First, email has been working fine on this server for past several months while 
using the Squirrelmail web client located on the same server.  I am needing an 
alternative method to access mail services and decided, on a whim, to try 
Thunderbird.  Thunderbird interacted with the Dovecot IMAP server just fine, 
but when I tried to test sending mail over SMTP, it failed. I wish the error 
they gave me was more verbose, but it wasn't.  So I decided to test things in 
more detail.

I decided that, since SMTP is a plain-text protocol, I should be able to 
interact via telnet.  Searching on this idea, I found a really interesting 
webpage

https://www.port25.com/how-to-check-an-smtp-connection-with-a-manual-telnet-session-2/

There was something strange with the MX record.  I modified the URL, of course.

nslookup -type=mx example.com
Server: 8.8.8.8
Address:8.8.8.8#53

Non-authoritative answer:
example.com mail exchanger = 10 mail.example.com.

Authoritative answers can be found from:


and that was it.

I decided to perform the same test, but pull the www record and with that I 
actually got an IP address.

nslookup -type=www example.com
unknown query type: www
Server: 8.8.8.8
Address:8.8.8.8#53

Non-authoritative answer:
Name:   example.com
Address: 87.xxx.yyy.zzz

Re: SMTP Error with Thunderbird with remote Ubuntu Server 16.04

[rich . greder]

Okay,

I accidentally sent this half-composed.  But yes. I was able to send via SMTP, 
but only if my destination address was on my machine (which is probably good)

Maybe since I sent this, I let people deliver their opinions on if this is an 
MX record issue first.

Thanks

Rick

On 11/28/2016 at 9:08 AM, rich.gre...@hushmail.com wrote:
>
>Hello,
>
>First, email has been working fine on this server for past several 
>months while using the Squirrelmail web client located on the same 
>server.  I am needing an alternative method to access mail 
>services and decided, on a whim, to try Thunderbird.  Thunderbird 
>interacted with the Dovecot IMAP server just fine, but when I 
>tried to test sending mail over SMTP, it failed. I wish the error 
>they gave me was more verbose, but it wasn't.  So I decided to 
>test things in more detail.
>
>I decided that, since SMTP is a plain-text protocol, I should be 
>able to interact via telnet.  Searching on this idea, I found a 
>really interesting webpage
>
>https://www.port25.com/how-to-check-an-smtp-connection-with-a-
>manual-telnet-session-2/
>
>There was something strange with the MX record.  I modified the 
>URL, of course.
>
>nslookup -type=mx example.com
>Server:8.8.8.8
>Address:   8.8.8.8#53
>
>Non-authoritative answer:
>example.commail exchanger = 10 mail.example.com.
>
>Authoritative answers can be found from:
>
>
>and that was it.
>
>I decided to perform the same test, but pull the www record and 
>with that I actually got an IP address.
>
>nslookup -type=www example.com
>unknown query type: www
>Server:8.8.8.8
>Address:   8.8.8.8#53
>
>Non-authoritative answer:
>Name:  example.com
>Address: 87.xxx.yyy.zzz