Re: SMTP Error with Thunderbird with remote Ubuntu Server 16.04

2016-12-01 Thread Bill Cole

On 1 Dec 2016, at 13:47, rich.gre...@hushmail.com wrote:

> On 11/28/2016 at 4:56 PM, "Bill Cole" wrote:
>
> [...]
>
> I made modifications to the master.cf file.
>
>> To get one, you need an entry similar to this in your
>> master.cf file:
>>
>> submission inet  n   -   n   -   -   smtpd
>>  -o syslog_name=postfix/submit
>
> I assume you mean -o syslog_name=postfix/submission; I did that.


syslog_name can be any reasonable ASCII token you like. Its only purpose 
is to distinguish different configs of the same running binary in system 
logs. I prefer the shorter syslog_name, but it's not unreasonable to 
match the service name.


Re: SMTP Error with Thunderbird with remote Ubuntu Server 16.04

2016-12-01 Thread rich . greder
Okay, I've made some exciting progress and I am grateful for the help.  I will
show people how I got this working.

At first thought, I figured that it would simply be the IMAP password used by
Dovecot to access my mailbox.  Not exactly true...  I did some digging in some
blogs and the documentation for Dovecot and Postfix.  I configured Dovecot to
authenticate using a SHA512 encrypted password in a SQL database, just as was
posted in a blog some time back (Reference 1).  I found out that I can have
SASL authentication for Postfix via Dovecot.  I made a few changes according to
a blog post (Reference 2).

I can send and receive mail from Thunderbird now, which resolves this long and
tortured thread.

For the good of the internet community, I am sharing my configuration in its
working state.


After all this, my main.cf has evolved to become:

mydomain = example.com
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
append_dot_mydomain = no
readme_directory = no

# TLS parameters
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_cert_file=/etc/letsencrypt/live/example.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/example.com/privkey.pem
#smtpd_use_tls=yes
#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

#Added December 1, 2016 TLS parameters
smtpd_tls_received_header = yes
smtpd_tls_auth_only = no
smtpd_use_tls=yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_session_cache_timeout = 3600s
#end December 1, 2016 TLS parameters

# continuation lines must start with whitespace or Postfix reads them as a new (broken) parameter
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
    defer_unauth_destination
myhostname = example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
#mydestination = $myhostname, example.com, localhost.com, , localhost
mydestination = localhost
relayhost = 
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf

#Added December 1 to enable SASL with Dovecot
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain = example.com
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
#End December 1 SASL/Dovecot parameters

and the master.cf has become:

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp       inet  n       -       y       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
pickup     unix  n       -       y       60      1       pickup
cleanup    unix  n       -       y       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       y       1000?   1       tlsmgr
rewrite    unix  -       -       y       -       -       trivial-rewrite
bounce     unix  -       -       y       -       0       bounce
defer      unix  -       -       y       -       0       bounce
trace      unix  -       -       y       -       0       bounce
verify     unix  -       -       y       -       1       verify
flush      unix  n       -       y       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       y       -       -       smtp
relay      unix  -       -       y       -       -       smtp
showq      unix  n       -       y       -       -       showq
error      unix  -       -       y       -       -       error
retry      unix  -       -       y       -       -       error
discard    unix  -       -       y       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       y       -       -       lmtp
anvil      unix  -       -       y       -       1       anvil
scache     unix  -       -       y       -       1       scache
maildrop   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp       unix  -       n       n       -       -       
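An added check, not part of the message above: a Python audit that parses the posted main.cf and master.cf (copied here as constructed input, trimmed to the keys it looks at), applies each smtpd listener's -o overrides on top of main.cf the way Postfix does, and reports what the submission service gets right plus the one gap in this working config: smtpd_sasl_auth_enable = yes in main.cf also applies to the port 25 listener, and with smtpd_tls_auth_only = no that listener offers AUTH before STARTTLS.

```python
"""Audit the posted main.cf / master.cf for a sane submission service.

Constructed input: both files below are copied from the message above,
trimmed to the keys this check looks at (example.com kept as posted)."""

MAIN_CF = """\
smtpd_tls_security_level = may
smtpd_tls_auth_only = no
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
"""

MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp       inet  n       -       y       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
pickup     unix  n       -       y       60      1       pickup
"""


def parse_main_cf(text):
    """main.cf is 'key = value'; a line starting with whitespace continues the previous value."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last:
            params[last] += " " + line.strip()
            continue
        key, _, value = line.partition("=")
        last = key.strip()
        params[last] = value.strip()
    return params


def parse_master_cf(text):
    """master.cf has 8 columns per service; indented lines carry '-o name=value' overrides."""
    services = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            if services:
                services[-1]["args"].extend(line.split())
            continue
        cols = line.split(None, 7)
        if len(cols) < 8:
            continue
        cmd, *rest = cols[7].split()
        services.append({"name": cols[0], "type": cols[1], "command": cmd, "args": rest})
    return services


def effective_params(main, service):
    """main.cf values with this service's -o overrides applied on top, as Postfix does."""
    eff = dict(main)
    toks = service["args"]
    for i, tok in enumerate(toks):
        if tok == "-o" and i + 1 < len(toks):
            key, _, value = toks[i + 1].partition("=")
            eff[key.strip()] = value.strip()
    return eff


def audit(main, services):
    """Findings for every inet smtpd listener; an empty list means nothing to fix."""
    findings = []
    for svc in services:
        if svc["type"] != "inet" or svc["command"] != "smtpd":
            continue
        eff, name = effective_params(main, svc), svc["name"]
        tls = eff.get("smtpd_tls_security_level", "none")
        sasl = eff.get("smtpd_sasl_auth_enable", "no") == "yes"
        auth_only = eff.get("smtpd_tls_auth_only", "no") == "yes"
        restr = eff.get("smtpd_recipient_restrictions", "").replace(",", " ").split()
        if name == "submission":
            if tls != "encrypt":
                findings.append(f"{name}: smtpd_tls_security_level is {tls}, should be encrypt")
            if not sasl:
                findings.append(f"{name}: SASL not enabled, clients cannot authenticate")
            if not restr or "permit_sasl_authenticated" not in restr or not restr[-1].startswith("reject"):
                findings.append(f"{name}: recipient restrictions must permit SASL users, then reject")
            if eff.get("syslog_name", "postfix") == "postfix":
                findings.append(f"{name}: no distinct syslog_name, logs look like port 25")
        elif sasl and not auth_only and tls != "encrypt":
            # This listener offers AUTH before STARTTLS, so a client may send its
            # password in the clear; smtpd_tls_auth_only = yes closes that gap.
            findings.append(f"{name}: AUTH offered before STARTTLS (smtpd_tls_auth_only = no)")
    return findings
```

Run the audit after each config change; on this config it reports exactly one line, for the port 25 service.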

Re: SMTP Error with Thunderbird with remote Ubuntu Server 16.04

2016-12-01 Thread rich . greder


On 11/28/2016 at 4:56 PM, "Bill Cole" wrote:
>
> On 28 Nov 2016, at 17:29, rich.gre...@hushmail.com wrote:
>
>> I changed it.  When I compose and send to an outside domain now, I get
>> an error that hints towards port 25 being strongly preferred over 587.
>>
>> Sending of the message failed.
>> The message could not be sent because connecting to Outgoing server
>> (SMTP) timothylegg.com failed. The server may be unavailable or is
>> refusing SMTP connections. Please verify that your Outgoing server
>> (SMTP) settings are correct and try again.
>
>
> OK: this implies that you don't have a port 587 submission service
> running at all.

I did not.  I opened 587 to the machine (I didn't realize it was closed)

I made modifications to the master.cf file.

> To get one, you need an entry similar to this in your
> master.cf file:
>
> submission inet  n   -   n   -   -   smtpd
>  -o syslog_name=postfix/submit

I assume you mean -o syslog_name=postfix/submission; I did that.

>  -o smtpd_tls_security_level=encrypt
>  -o smtpd_sasl_auth_enable=yes
>  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
>  -o milter_macro_daemon_name=ORIGINATING
>
> You can see the currently active entries from master.cf with "postconf
> -Mf" if you're running a reasonably modern version of Postfix.
>

Yep, it's reasonably modern.  Double-checking here.

smtp   inet  n   -   y   -   -   smtpd
submission inet  n   -   n   -   -   smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING


> This has gone far past the point where it is essential for you to heed
> the recommendations in the last section of the DEBUG_README file (part
> of the Postfix distribution) which are also sent to new subscribers to
> this list, regarding how best to effectively seek assistance here.

Thanks for reminding me of this.  I found the online copy and I love it when I
realize something in plain sight that has been there forever without my noticing
it.  (Like the tcpdump command.  I'm going to play with that for sure.)

> Noel Jones suggested this to you almost 6 hours ago in a message which
> you replied to, and it is advice which has not gone obsolete in that
> time.

So the server and thunderbird are talking to each other.  Apparently I don't 
have a password to access the SMTP server I have running.  This must be the 
SASL authentication I've read about in the past.  Dovecot/Squirrelmail 
apparently are able to access it just fine, so I'll look in the config files 
for it.  It must be in there somewhere.  



Re: SMTP Error with Thunderbird with remote Ubuntu Server 16.04

2016-11-28 Thread Rodrigo Cunha
Text in Portuguese (translated):
From what I understood, you are having trouble sending e-mail from
Thunderbird; I am not sure I understood the reason for the DNS test, but it
seems to me you want to confirm the MX.
In general the secure SMTP port is 465; Gmail uses 587.
Following that logic, your domain does not contain the www; www is a subdomain,
so the test should be done against the domain.
Log in to the server and run the test:
netstat -putona and check whether your server is listening on ports 465, 587
or 25 ("insecure"); if it is not, the service is probably not running or is
on another port.
Note which ports the MTA is running its services on.

google translate to English
"
From what I understand you're having trouble sending emails from
thunderbird; I do not know if I understood the reason for the DNS test but
I think you want to confirm the MX.
In general, SMTP is a 465, gmail uses a 587.
Using a logic your domain does not contain the www, the www a subdomain
then the test must be done for the domain.
Enter the server and take the test:
Netstat -putona shows that your server is running on ports 465 587 or 25 (
"insecure") if it is not working or is not working or is on another port.
Notice which ports or MTA are running your services.

"




2016-11-28 20:56 GMT-02:00 Bill Cole <
postfixlists-070...@billmail.scconsult.com>:

> On 28 Nov 2016, at 17:29, rich.gre...@hushmail.com wrote:
>
> I changed it.  When I compose and send to an outside domain now, I get an
>> error that hints towards port 25 being strongly preferred over 587.
>>
>> Sending of the message failed.
>> The message could not be sent because connecting to Outgoing server
>> (SMTP) timothylegg.com failed. The server may be unavailable or is
>> refusing SMTP connections. Please verify that your Outgoing server (SMTP)
>> settings are correct and try again.
>>
>
>
> OK: this implies that you don't have a port 587 submission service running
> at all. To get one, you need an entry similar to this in your master.cf
> file:
>
> submission inet  n   -   n   -   -   smtpd
> -o syslog_name=postfix/submit
> -o smtpd_tls_security_level=encrypt
> -o smtpd_sasl_auth_enable=yes
> -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
> -o milter_macro_daemon_name=ORIGINATING
>
> You can see the currently active entries from master.cf with "postconf
> -Mf" if you're running a reasonably modern version of Postfix.
>
> This has gone far past the point where it is essential for you to heed the
> recommendations in the last section of the DEBUG_README file (part of the
> Postfix distribution) which are also sent to new subscribers to this list,
> regarding how best to effectively seek assistance here. Noel Jones
> suggested this to you almost 6 hours ago in a message which you replied to,
> and it is advice which has not gone obsolete in that time.
>



-- 
Atenciosamente,
Rodrigo da Silva Cunha


Re: SMTP Error with Thunderbird with remote Ubuntu Server 16.04

2016-11-28 Thread Bill Cole

On 28 Nov 2016, at 17:29, rich.gre...@hushmail.com wrote:

> I changed it.  When I compose and send to an outside domain now, I get
> an error that hints towards port 25 being strongly preferred over 587.
>
> Sending of the message failed.
> The message could not be sent because connecting to Outgoing server
> (SMTP) timothylegg.com failed. The server may be unavailable or is
> refusing SMTP connections. Please verify that your Outgoing server
> (SMTP) settings are correct and try again.

OK: this implies that you don't have a port 587 submission service
running at all. To get one, you need an entry similar to this in your
master.cf file:


submission inet  n   -   n   -   -   smtpd
-o syslog_name=postfix/submit
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING

You can see the currently active entries from master.cf with "postconf 
-Mf" if you're running a reasonably modern version of Postfix.


This has gone far past the point where it is essential for you to heed 
the recommendations in the last section of the DEBUG_README file (part 
of the Postfix distribution) which are also sent to new subscribers to 
this list, regarding how best to effectively seek assistance here. Noel 
Jones suggested this to you almost 6 hours ago in a message which you 
replied to, and it is advice which has not gone obsolete in that time.


Re: SMTP Error with Thunderbird with remote Ubuntu Server 16.04

2016-11-28 Thread Viktor Dukhovni
On Mon, Nov 28, 2016 at 04:29:58PM -0600, rich.gre...@hushmail.com wrote:

> >Did you also fix the key_file setting?
> 
> Yes, I did.

Good, at this point STARTTLS is working on port 25.

> >You have received headers and logs that should indicate how the
> >mail it sent entered your mailbox.  You can also look at the 
> >relevant application settings.
> 
> I found the error console.

Wrong logs.  Look at the Postfix logs.  If there are none matching
the time of your connection attempt, that would indicate that you've
enabled the submission service that Thunderbird is trying to use.

> >Then set it back to the default, and do make sure your master.cf
> >file has a working definition of the submission service.
> 
> I changed it.  When I compose and send to an outside domain now, I get an
> error that hints towards port 25 being strongly preferred over 587.

You do have to enable submission in master.cf.  And test it for
basic connectivity and STARTTLS support with "telnet" or the like,
before bothering with Thunderbird.

-- 
Viktor.


Re: SMTP Error with Thunderbird with remote Ubuntu Server 16.04

2016-11-28 Thread rich . greder


On 11/28/2016 at 3:25 PM, "Viktor Dukhovni" wrote:
>
> On Mon, Nov 28, 2016 at 02:59:22PM -0600, rich.gre...@hushmail.com wrote:
>
>> > smtpd_tls_cert_file=/etc/letsencrypt/live/example.com/fullchain.pem
>> >> smtpd_tls_key_file=/etcletsencrypt/live/example.com/privkey.pem
>> >
>> > The key file setting seems to have a typo.
>> >
>> >> smtpd_use_tls=yes
>> >
>>
>> I commented
>> #smtpd_use_tls=yes
>> and added
>> smtpd_tls_security_level = may
>
> Did you also fix the key_file setting?
>

Yes, I did.

>> Squirrelmail is installed with a package manager.  Smoke and mirrors is
>> an understatement for how it is installed.  In future, I will be installing
>> this from a tarball to have a grasp of how it interacts with
>> postfix/dovecot/apache.  I composed a test email and the email appeared
>> in the destination mailbox (I tested using this email address).
>
> You have received headers and logs that should indicate how the
> mail it sent entered your mailbox.  You can also look at the relevant
> application settings.
>

I found the error console.  There were errors in regards to a JavaScript file
included with Thunderbird that returned a failure number upon exit. I don't
think it's hinting at the problem though (NS_ERROR_UNEXPECTED: Component
returned failure code 0x8000 (NS_ERROR_UNEXPETED) nslMsgMailNewsUrl.server
resource:///modules/activity/alertHook.js)

>> > Was this via port 25 or 587?
>>
>> Not entirely sure.  I looked in and the field is filled with a 25, so I
>> assume the autodetect feature determined port 25.  It said, next to that
>> box, the default was port 587.
>
> Then set it back to the default, and do make sure your master.cf
> file has a working definition of the submission service.
>

I changed it.  When I compose and send to an outside domain now, I get an error 
that hints towards port 25 being strongly preferred over 587.

Sending of the message failed.
The message could not be sent because connecting to Outgoing server (SMTP) 
timothylegg.com failed. The server may be unavailable or is refusing SMTP 
connections. Please verify that your Outgoing server (SMTP) settings are 
correct and try again.


>> I performed all my tests with my actual domain name, not example.com (I've
>> seen it happen on this very list about two years ago -- don't laugh).  My
>> domain is based on my name and I cannot have a search engine return forum
>> posts as results for a query of my name.
>
> Hiding the real server name limits the help that you can get.  Your
> choice.

I can trust people on the basis that the personal information does not become 
posted on a world-readable forum.  I will provide this information on a case by 
case basis.  For you, I sent you an email to the address you subscribed to the 
list with.

>
>> > Perhaps you're better off with mailinabox.email, rather than DIY?
>>
>> I want to learn how it works today.  I chose postfix because it's widely
>> used by the kinds of people who write HOWTO documents online.  I've
>> considered switching to whichever platform has the most O'Reilly books
>> written in the past 3 years, but I'm still here anyway.  Hopefully a new
>> Postfix book will come out soon.  Hildebrand's book is over ten years old
>> now.  It was a good book, just ten years is a bad age for a software book
>> to reach (unless it is authored by Knuth, of course).
>
> I don't think a new book is likely any time soon.  The market for
> mail server books is small, and books become dated quickly.

If I ever figure this out...

I will admit, I love to write.

>
>> An error occurred while sending mail. The mail server responded:
>> 4.7.1 : Relay access denied.
>>  Please check the message recipient "rich.gre...@hushmail.com" and try again
>
> Your next challenge is configuring SASL auth on port 587.
>
>> Nov 28 21:48:14 example postfix/smtpd[2767]: Anonymous TLS connection
>> established from 75-120-xxx-yyy.dyn.centurytel.net[75.120.xxx.yyy]: TLSv1.2
>> with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
>
> If you've configured a distinct syslog_name for the submission service
> (as recommended), then this is not submission, and your client should
> be using port 587 instead.  However TLS is working, so that's progress.
>
>> Nov 28 21:48:14 example postfix/smtpd[2767]: NOQUEUE: reject: RCPT from
>> 75-120-xxx-yyy.dyn.centurytel.net[75.120.xxx.yyy]: 454 4.7.1
>> : Relay access denied; from= to= proto=ESMTP helo=<[10.211.55.24]>
>
> This is expected, your server is not an open relay.
>
>> Nov 28 21:48:22 example postfix/smtpd[2770]: Anonymous TLS connection
>> established from a15-204.smtp-out.amazonses.com[54.240.15.204]: TLSv1 with
>> cipher ECDHE-RSA-AES128-SHA (128/128 bits)
>> Nov 28 21:48:22 example postfix/smtpd[2770]: A41DE40299:
>> client=a15-204.smtp-out.amazonses.com[54.240.15.204]
>> Nov 28 21:48:22 

Re: SMTP Error with Thunderbird with remote Ubuntu Server 16.04

2016-11-28 Thread Viktor Dukhovni
On Mon, Nov 28, 2016 at 02:59:22PM -0600, rich.gre...@hushmail.com wrote:

> >smtpd_tls_cert_file=/etc/letsencrypt/live/example.com/fullchain.pem
> >> smtpd_tls_key_file=/etcletsencrypt/live/example.com/privkey.pem
> >
> >The key file setting seems to have a typo.
> >
> >> smtpd_use_tls=yes
> >
> 
> I commented 
> #smtpd_use_tls=yes
> and added 
> smtpd_tls_security_level = may

Did you also fix the key_file setting?

> Squirrelmail is installed with a package manager.  Smoke and mirrors is
> an understatement for how it is installed.  In future, I will be installing
> this from a tarball to have a grasp of how it interacts with
> postfix/dovecot/apache.  I composed a test email and the email appeared
> in the destination mailbox (I tested using this email address).

You have received headers and logs that should indicate how the
mail it sent entered your mailbox.  You can also look at the relevant
application settings.

> >Was this via port 25 or 587?
>
> Not entirely sure.  I looked in and the field is filled with a 25, so I
> assume the autodetect feature determined port 25.  It said, next to that
> box, the default was port 587.

Then set it back to the default, and do make sure your master.cf
file has a working definition of the submission service.

> I performed all my tests with my actual domain name, not example.com (I've
> seen it happen on this very list about two years ago -- don't laugh).  My
> domain is based on my name and I cannot have a search engine return forum
> posts as results for a query of my name.

Hiding the real server name limits the help that you can get.  Your
choice.

> >Perhaps you're better of with mailinabox.email, rather than DIY?
> 
> I want to learn how it works today.  I chose postfix because it's widely
> used by the kinds of people who write HOWTO documents online.  I've
> considered switching to whichever platform has the most O'Reilly books
> written in the past 3 years, but I'm still here anyway.  Hopefully a new
> Postfix book will come out soon.  Hildebrand's book is over ten years old
> now.  It was a good book, just ten years is a bad age for a software book
> to reach (unless it is authored by Knuth, of course).

I don't think a new book is likely any time soon.  The market for
mail server books is small, and books become dated quickly.

> An error occurred while sending mail. The mail server responded:  
> 4.7.1 : Relay access denied.
>  Please check the message recipient "rich.gre...@hushmail.com" and try again

Your next challenge is configuring SASL auth on port 587.

> Nov 28 21:48:14 example postfix/smtpd[2767]: Anonymous TLS connection 
> established from 75-120-xxx-yyy.dyn.centurytel.net[75.120.xxx.yyy]: TLSv1.2 
> with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)

If you've configured a distinct syslog_name for the submission service
(as recommended), then this is not submission, and your client should
be using port 587 instead.  However TLS is working, so that's progress.

> Nov 28 21:48:14 example postfix/smtpd[2767]: NOQUEUE: reject: RCPT from 
> 75-120-xxx-yyy.dyn.centurytel.net[75.120.xxx.yyy]: 454 4.7.1 
> : Relay access denied; from= 
> to= proto=ESMTP helo=<[10.211.55.24]>

This is expected, your server is not an open relay.

> Nov 28 21:48:22 example postfix/smtpd[2770]: Anonymous TLS connection 
> established from a15-204.smtp-out.amazonses.com[54.240.15.204]: TLSv1 with 
> cipher ECDHE-RSA-AES128-SHA (128/128 bits)
> Nov 28 21:48:22 example postfix/smtpd[2770]: A41DE40299: 
> client=a15-204.smtp-out.amazonses.com[54.240.15.204]
> Nov 28 21:48:22 example postfix/cleanup[2771]: A41DE40299: 
> message-id=<01000158acb1e81a-3d5a5696-adeb-4679-b83b-89ac56be773d-000...@email.amazonses.com>
> Nov 28 21:48:23 example postfix/qmgr[2661]: A41DE40299: 
> from=<201611282048092acfa6d079d946c6976028094d10p0na-c1dg1rhq8hb...@bounces.amazon.com>,
>  size=58163, nrcpt=1 (queue active)
> Nov 28 21:48:23 example dovecot: lmtp(2773): Connect from local
> Nov 28 21:48:23 example dovecot: lmtp(u...@example.com): 
> khNUDReYPFjVCgAAs5y1Cg: 
> msgid=<01000158acb1e81a-3d5a5696-adeb-4679-b83b-89ac56be773d-000...@email.amazonses.com>:
>  saved mail to INBOX
> Nov 28 21:48:23 example postfix/lmtp[2772]: A41DE40299: 
> to=, orig_to=, 
> relay=example.com[private/dovecot-lmtp], delay=0.77, 
> delays=0.61/0.03/0.05/0.08, dsn=2.0.0, status=sent (250 2.0.0 
>  khNUDReYPFjVCgAAs5y1Cg Saved)

Inbound mail is also working.

So your problem is squarely with submission.  See SASL_README.

-- 
Viktor.


Re: SMTP Error with Thunderbird with remote Ubuntu Server 16.04

2016-11-28 Thread rich . greder
On 11/28/2016 at 1:28 PM, "Viktor Dukhovni"  wrote:
>
>> On Nov 28, 2016, at 2:13 PM, rich.gre...@hushmail.com wrote:
>> 
>> # TLS parameters
>> smtpd_tls_loglevel = 1;
>
>If that ';' is really there, get rid of it.
>

Got rid of it.  C habits are hard to break.  Good eye spotting that; mistakes 
like those cause config files to be deleted and rewritten.

>> smtpd_tls_cert_file=/etc/letsencrypt/live/example.com/fullchain.pem
>> smtpd_tls_key_file=/etcletsencrypt/live/example.com/privkey.pem
>
> The key file setting seems to have a typo.
>
>> smtpd_use_tls=yes
>

I commented 
#smtpd_use_tls=yes
and added 
smtpd_tls_security_level = may

> The non-obsolete setting is: "smtpd_tls_security_level = may"
>
>> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
>
> Not recommended, let TLS session tickets do the work.

Commented

#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

>
>> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
>
> This one is fine.
>
>> I sent a test message from squirrelmail to myself, and it worked.
>
> "It worked" is meaningless.  Was TLS used?  Is that sent via port 587 or
> port 25?  Logs?
>

Squirrelmail is installed with a package manager.  Smoke and mirrors is an 
understatement for how it is installed.  In future, I will be installing this 
from a tarball to have a grasp of how it interacts with postfix/dovecot/apache. 
 I composed a test email and the email appeared in the destination mailbox (I 
tested using this email address).

>> I tried with Thunderbird, and it had a problem. 
>
>Was this via port 25 or 587?
>
Not entirely sure.  I looked in and the field is filled with a 25, so I assume 
the autodetect feature determined port 25.  It said, next to that box, the 
default was port 587.

>> Sending of the message failed.
>> An error occurred while sending mail: Unable to establish a secure link
>> with Outgoing server (SMTP) example.com using STARTTLS since it doesn't
>> advertise that feature. Switch off STARTTLS for that server or contact
>> your service provider.
>
> Did it even contact the same server?  The obfuscated "example.com" is not
> terribly helpful.
>

I performed all my tests with my actual domain name, not example.com (I've seen 
it happen on this very list about two years ago -- don't laugh).  My domain is 
based on my name and I cannot have a search engine return forum posts as 
results for a query of my name.  You may have guessed correctly that the name 
on this account is not real and neither is the Berlin time zone in the system 
logs representing my actual location.

> Perhaps you're better off with mailinabox.email, rather than DIY?
>

I think I wrote and deleted 1000+ words to keep this on topic because I tend to 
enter a history discussion about how email used to be so easy when I did this 
in the late 1990s.  I didn't keep up.  I got busy and hired consultants to do 
the setup for me over the past 15 years.  I look now and wonder what on earth 
has gone on.  To be fair, I used to login plaintext password via telnet the 
last time I successfully installed qmail on my FreeBSD box.

I want to learn how it works today.  I chose postfix because it's widely used 
by the kinds of people who write HOWTO documents online.  I've considered 
switching to whichever platform has the most O'Reilly books written in the past 
3 years, but I'm still here anyway.  Hopefully a new Postfix book will come out 
soon.  Hildebrand's book is over ten years old now.  It was a good book, just 
ten years is a bad age for a software book to reach (unless it is authored by 
Knuth, of course).

Anyways

The performance has evolved.  I get a meaningful error message from Thunderbird 
now.

An error occurred while sending mail. The mail server responded:  
4.7.1 : Relay access denied.
 Please check the message recipient "rich.gre...@hushmail.com" and try again

I checked in /var/log/mail.log

Not sure what to make of this. This is the reason why I ask students to think 
about documentation and usability...

Nov 28 21:48:13 example postfix/smtpd[2767]: connect from 
75-120-xxx-yyy.dyn.centurytel.net[75.120.xxx.yyy]
Nov 28 21:48:14 example postfix/smtpd[2767]: Anonymous TLS connection 
established from 75-120-xxx-yyy.dyn.centurytel.net[75.120.xxx.yyy]: TLSv1.2 
with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Nov 28 21:48:14 example postfix/smtpd[2767]: NOQUEUE: reject: RCPT from 
75-120-xxx-yyy.dyn.centurytel.net[75.120.xxx.yyy]: 454 4.7.1 
: Relay access denied; from= 
to= proto=ESMTP helo=<[10.211.55.24]>
Nov 28 21:48:21 example postfix/smtpd[2770]: connect from 
a15-204.smtp-out.amazonses.com[54.240.15.204]
Nov 28 21:48:22 example postfix/smtpd[2770]: Anonymous TLS connection 
established from a15-204.smtp-out.amazonses.com[54.240.15.204]: TLSv1 with 
cipher ECDHE-RSA-AES128-SHA (128/128 

Re: SMTP Error with Thunderbird with remote Ubuntu Server 16.04

2016-11-28 Thread Viktor Dukhovni

> On Nov 28, 2016, at 2:13 PM, rich.gre...@hushmail.com wrote:
> 
> # TLS parameters
> smtpd_tls_loglevel = 1;

If that ';' is really there, get rid of it.

> smtpd_tls_cert_file=/etc/letsencrypt/live/example.com/fullchain.pem
> smtpd_tls_key_file=/etcletsencrypt/live/example.com/privkey.pem

The key file setting seems to have a typo.

> smtpd_use_tls=yes

The non-obsolete setting is: "smtpd_tls_security_level = may"

> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

Not recommended, let TLS session tickets do the work.

> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

This one is fine.

> I sent a test message from squirrelmail to myself, and it worked.

"It worked" is meaningless.  Was TLS used?  Is that sent via port 587 or
port 25?  Logs?

> I tried with Thunderbird, and it had a problem. 

Was this via port 25 or 587?

> Sending of the message failed.
> An error occurred while sending mail: Unable to establish a secure link with 
> Outgoing server (SMTP) example.com using STARTTLS since it doesn't advertise 
> that feature. Switch off STARTTLS for that server or contact your service 
> provider.

Did it even contact the same server?  The obfuscated "example.com" is not
terribly helpful.

Perhaps you're better off with mailinabox.email, rather than DIY?

-- 
Viktor.



Re: SMTP Error with Thunderbird with remote Ubuntu Server 16.04

2016-11-28 Thread rich . greder
Okay, 

Viktor, thanks for the stats in the second email!  That is quite interesting to
read.  I have only recently (this summer) heard of LetsEncrypt.org.  Up until
that point, I had expected that I was condemned by powers-that-be to buy a key
annually forever.

Oh yeah, I love the "smoke and mirrors" comment about letsencrypt.org.  That 
was priceless.

I made a few changes in my main.cf

# TLS parameters
smtpd_tls_loglevel = 1;
smtpd_tls_cert_file=/etc/letsencrypt/live/example.com/fullchain.pem
smtpd_tls_key_file=/etcletsencrypt/live/example.com/privkey.pem
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

I sent a test message from squirrelmail to myself, and it worked.  I tried with 
Thunderbird, and it had a problem. 

Sending of the message failed.
An error occurred while sending mail: Unable to establish a secure link with 
Outgoing server (SMTP) example.com using STARTTLS since it doesn't advertise 
that feature. Switch off STARTTLS for that server or contact your service 
provider.

So it suggests that I switch off STARTTLS, which implies that it detected that 
it was running, but at the same time, it took issue that it wasn't formally 
informed that it was running, which is a bit pedantic.  So I wondered why it 
did not advertise that it was enabled.  I telnet'd into my machine on port 25 
and after giving EHLO example.com, I saw it right there:

250-STARTTLS

To me, it sure does look like it advertised that feature.

What could be wrong here?

On 11/28/2016 at 12:30 PM, "Viktor Dukhovni"  wrote:
>
>On Mon, Nov 28, 2016 at 12:18:09PM -0600, rich.gre...@hushmail.com 
>wrote:
>
>> Okay, I am already using letsencrypt.org for my port 443 
>traffic. So once
>> I have it extended to also cover SMTP on port 587, would it be 
>acceptable
>> to disable port 25, or is port 25 still needed (perhaps to 
>suggest to
>> clients that it isn't accepting any traffic except 587)
>
>  * Port  25: This is where you receive email sent *to you* by 
>other domains
>  * Port 587: This is where your MUA sends email *from you*, 
>possibly destined
> to other domains.
>
>Enable either or both as desired.
>
>> I have to admit, I have no idea how letsencrypt.org works.
>
>Smoke and mirrors.
>
>> For years, I just made self-signed certificates and it worked 
>okay, until
>> some mover-shaker type decided we can't do that anymore, and 
>made it
>> brutally difficult to access my website for typical users.  Out 
>of concern
>> of the same happening to email clients, I won't make any more 
>self-signed
>> certificates.  I never expected that letsencrypt.org would 
>support email
>> services as well, so their HOWTO docs for SMTP encryption is my 
>next stop.
>
>Self-signed or self-issued is still the best option for port 25
>DANE; for port 587, Let's Encrypt is a reasonable way to avoid MUA
>friction.  Many domains (at least 2900 at last count) use Let's
>Encrypt on port 25, even though that's not what I'd recommend (and
>indeed it is not uncommon for LE users to mishandle the initial
>key rotation, though they tend to get the hang of it after a 
>while).
>
>For most users, I highly recommend the mailinabox setup, it is 
>reliable
>and easy to deploy.
>
>https://mailinabox.email/
>
>-- 
>   Viktor.
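The EHLO check in the post above was done by hand, on port 25 only. Each Postfix service advertises its own extension list, so what port 25 offers says nothing about what a client connecting to the submission port (587) will see, and seeing STARTTLS advertised still says nothing about whether the client will accept the certificate served after it. The script below is an added example, not code from the thread: it parses a raw EHLO reply into its extensions, then probes a host on both ports the way a mail client does (EHLO, STARTTLS if offered, full chain and host-name verification). It uses only the Python standard library; the host name and the sample EHLO replies are constructed placeholders.

```python
"""Probe an SMTP service for STARTTLS and verify the certificate it serves.

This is an added example for the thread, not code from the original posts.
It uses only the Python standard library. The host name and the sample EHLO
replies below are constructed placeholders (assumption), not captured data.
"""
import smtplib
import ssl
import sys
from typing import Dict, Tuple

# Constructed sample: the multi-line EHLO reply of a Postfix smtpd that offers TLS.
SAMPLE_EHLO_WITH_STARTTLS = (
    "250-mail.example.com\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 10240000\r\n"
    "250-VRFY\r\n"
    "250-ETRN\r\n"
    "250-STARTTLS\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-8BITMIME\r\n"
    "250 DSN\r\n"
)

# Constructed sample: a service on which TLS is not enabled (or failed to load).
SAMPLE_EHLO_WITHOUT_STARTTLS = (
    "250-mail.example.com\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 10240000\r\n"
    "250 DSN\r\n"
)


def parse_ehlo(reply: str) -> Dict[str, str]:
    """Map a raw EHLO reply to {EXTENSION: parameters}.

    Every line is "250-KEYWORD [params]", except the last, "250 KEYWORD [params]".
    The first line carries the server's greeting name, not an extension.
    """
    extensions: Dict[str, str] = {}
    lines = [ln for ln in reply.replace("\r\n", "\n").split("\n") if ln]
    for line in lines[1:]:
        if not line.startswith("250"):
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        keyword, _, params = line[4:].partition(" ")  # drop "250-" / "250 "
        extensions[keyword.upper()] = params
    return extensions


def starttls_advertised(reply: str) -> bool:
    """True when the EHLO reply lists the STARTTLS extension (RFC 3207)."""
    return "STARTTLS" in parse_ehlo(reply)


def probe(host: str, port: int, timeout: float = 10.0) -> Tuple[bool, str]:
    """Connect, send EHLO, and if STARTTLS is offered negotiate TLS with full
    chain and host-name verification, the way a mail client does.

    Returns (ok, detail). A server that offers STARTTLS but serves a certificate
    the client cannot chain to a trusted CA fails here; a real client reports
    that to the server as a TLS "unknown ca" alert.
    """
    context = ssl.create_default_context()  # system trust store, hostname check on
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return False, f"port {port}: STARTTLS not advertised in EHLO reply"
            smtp.starttls(context=context)
            cert = smtp.sock.getpeercert()
            issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
            return True, f"port {port}: TLS ok, issuer O={issuer.get('organizationName')}"
    except ssl.SSLCertVerificationError as exc:
        return False, f"port {port}: certificate rejected: {exc.verify_message}"
    except (smtplib.SMTPException, OSError) as exc:
        return False, f"port {port}: connection failed: {exc}"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"  # assumption
    for service_port in (25, 587):  # MX traffic vs. MUA submission
        ok, detail = probe(target, service_port)
        print(("OK   " if ok else "FAIL ") + detail)
```

Run it with the server's host name as the only argument; a "STARTTLS not advertised" result on one port and "TLS ok" on the other tells you the two services are configured differently, while "certificate rejected" on a port that does offer STARTTLS is the server-side view of the same trust failure a client shows as a security-exception dialogue.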



Re: SMTP Error with Thunderbird with remote Ubuntu Server 16.04

2016-11-28 Thread Viktor Dukhovni
On Mon, Nov 28, 2016 at 07:29:15PM +0100, Florian Piekert wrote:

> I use the same certificate for postfix, apache, dovecot, proftpd, etc... 
> (from cacert.org).

The cacert.org root CA's MD5 self-signature tends to trigger
interoperability problems.  You're typically better off with some
other CA.

* Not cacert.org
* Not StartCom
* Not WoSign

As a data point on popularity, with those taken out, the top 10
issuers of certs for DANE MX hosts are:

1010 O=Let's Encrypt
 188 O=COMODO CA Limited
 103 O=GeoTrust Inc.
  57 O=Gandi
  46 O=GlobalSign nv-sa
  23 O=thawte\, Inc.
  12 O=GoDaddy.com\, Inc.
  11 O=DigiCert Inc
   7 O=Symantec Corporation
   7 O=GeoTrust\, Inc.

Pick one that works for you.  Grouping by the full name of the
intermediate issuer:

1006 CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
 171 CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA 
Limited,L=Salford,ST=Greater Manchester,C=GB
  57 CN=Gandi Standard SSL CA 2,O=Gandi,L=Paris,ST=Paris,C=FR
  37 CN=RapidSSL SHA256 CA - G3,O=GeoTrust Inc.,C=US
  32 CN=AlphaSSL CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE
  23 CN=RapidSSL SHA256 CA,O=GeoTrust Inc.,C=US
  12 CN=RapidSSL SHA256 CA - G2,O=GeoTrust Inc.,C=US
  11 CN=Go Daddy Secure Certificate Authority - 
G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, 
Inc.,L=Scottsdale,ST=Arizona,C=US
  11 CN=GlobalSign Domain Validation CA - SHA256 - G2,O=GlobalSign 
nv-sa,C=BE
  10 CN=COMODO RSA Organization Validation Secure Server CA,O=COMODO CA 
Limited,L=Salford,ST=Greater Manchester,C=GB

-- 
Viktor.


Re: SMTP Error with Thunderbird with remote Ubuntu Server 16.04

2016-11-28 Thread Viktor Dukhovni
On Mon, Nov 28, 2016 at 12:18:09PM -0600, rich.gre...@hushmail.com wrote:

> Okay, I am already using letsencrypt.org for my port 443 traffic. So once
> I have it extended to also cover SMTP on port 587, would it be acceptable
> to disable port 25, or is port 25 still needed (perhaps to suggest to
> clients that it isn't accepting any traffic except 587)

  * Port  25: This is where you receive email sent *to you* by other domains
  * Port 587: This is where your MUA sends email *from you*, possibly destined
  to other domains.

Enable either or both as desired.

> I have to admit, I have no idea how letsencrypt.org works.

Smoke and mirrors.

> For years, I just made self-signed certificates and it worked okay, until
> some mover-shaker type decided we can't do that anymore, and made it
> brutally difficult to access my website for typical users.  Out of concern
> of the same happening to email clients, I won't make any more self-signed
> certificates.  I never expected that letsencrypt.org would support email
> services as well, so their HOWTO docs for SMTP encryption is my next stop.

Self-signed or self-issued is still the best option for port 25
DANE; for port 587, Let's Encrypt is a reasonable way to avoid MUA
friction.  Many domains (at least 2900 at last count) use Let's
Encrypt on port 25, even though that's not what I'd recommend (and
indeed it is not uncommon for LE users to mishandle the initial
key rotation, though they tend to get the hang of it after a while).

For most users, I highly recommend the mailinabox setup, it is reliable
and easy to deploy.

https://mailinabox.email/

-- 
Viktor.


Re: SMTP Error with Thunderbird with remote Ubuntu Server 16.04

2016-11-28 Thread Florian Piekert
Am 28.11.2016 um 19:18 schrieb rich.gre...@hushmail.com:

> Okay, I am already using letsencrypt.org for my port 443 traffic. So
> once I have it extended to also cover SMTP on port 587, would it be
> acceptable to disable port 25, or is port 25 still needed (perhaps to
> suggest to clients that it isn't accepting any traffic except 587)

If you do not expect to _receive_ any _external_ emails on that server/machine, 
you can disable port 25 and just stick to port 587. On the other hand if you 
just narrow down access by appropriate postfix configuration, nobody can access 
it unless you permit it specifically in those configuration settings. Then it 
doesn't hurt being there. You might find some attempts of relay, maybe. 

The availability of port 587 for sure is no guarantee other (malicious) parties 
don't go for port 25 as well...

If you really want to prevent port 25 traffic inbound, block it globally on the 
external interface in the firewall.

> I have to admit, I have no idea how letsencrypt.org works.  For years, I just 
> made self-signed certificates and it worked okay, until some mover-shaker 
> type decided we can't do that anymore, and made it brutally difficult to 
> access my website for typical users.  Out of concern of the same happening to 
> email clients, I won't make any more self-signed certificates.  I never 
> expected that letsencrypt.org would support email services as well, so their 
> HOWTO docs for SMTP encryption is my next stop.

I use the same certificate for postfix, apache, dovecot, proftpd, etc... (from 
cacert.org).


-- 

Florian Piekert   flo...@floppy.org

Spargelweg 5                      Telephone+Fax: +49-700-00floppy
38179 Schwülper-Walle/Germany                    +49-179- 3928582
===
Note:  this message was  sent by me *only* if the  eMail message contains a
correct pgp signature corresponding to my address at  flo...@floppy.org. Do
you need my  PGP  public key? Check out http://www.floppy.org or send me an
email with  the subject "send pgp public key" to this address of mine. Thx!



signature.asc
Description: OpenPGP digital signature


Re: SMTP Error with Thunderbird with remote Ubuntu Server 16.04

2016-11-28 Thread Florian Piekert
Am 28.11.2016 um 18:57 schrieb rich.gre...@hushmail.com:

Hello,

it looks like Thunderbird can't validate the certificate the mailserver is using. 
The dialogue you refer to is normal. What I recommend to my folks when using my 
servers is to simply "accept it" and get done with it (happens every 6 months 
when I update the certs).

What then usually helps is either try to resend or stop & start thunderbird 
again.


> Okay, I am really curious how this works then.  Good catch on the 'www' test. 
>  I winged it without reading the manpage.  I've never known a good starting 
> point for learning DNS, so that is definitely a weak point.  So, now that the 
> DNS is out of the way.  I'm going to dig deeper here.
> 
> When I try to send a message to myself using Thunderbird, m...@example.com, I 
> get this
> 
> Sending of the message failed.
> The message could not be sent using Outgoing server (SMTP) example.com for an 
> unknown reason. Please verify that your Outgoing server (SMTP) settings are 
> correct and try again.
> 
> Then about half a second later, a popup window appears titled 'Add security 
> exception' that begins "You are about to override how Thunderbird identifies 
> this site".  I click on 'Get Certificate', but it doesn't really do anything.
> 
> So I look in the logs:
> 
> mail.log
> 
> Nov 28 18:34:56 example dovecot: imap-login: Login: user=, 
> method=PLAIN, rip=69.179.xxx.yyy, lip=192.168.178.31, mpid=1291, TLS, 
> session=
> Nov 28 18:35:14 example postfix/smtpd[1293]: connect from 
> 69-179-xxx-yyy.dyn.centurytel.net[69.179.xxx.yyy]
> Nov 28 18:35:16 example postfix/smtpd[1293]: warning: TLS library problem: 
> error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown 
> ca:s3_pkt.c:1472:SSL alert number 48:
> Nov 28 18:35:16 example postfix/smtpd[1293]: lost connection after STARTTLS 
> from 69-179-xxx-yyy.dyn.centurytel.net[69.179.xxx.yyy]
> Nov 28 18:35:16 example postfix/smtpd[1293]: disconnect from 
> 69-179-xxx-yyy.dyn.centurytel.net[69.179.xxx.yyy] ehlo=1 starttls=1 commands=2
> 
> I have no idea what this means.  
> 
> The only other log file with a recent entry would be the auth.log which seems 
> to only detail the 20 or so attempts of SSH login each minute from across the 
> world, which is normal for anybody with a website.
> 
> Rick
> 
> On 11/28/2016 at 11:12 AM, "Noel Jones"  wrote:
>>
>> On 11/28/2016 9:07 AM, rich.gre...@hushmail.com wrote:
>>> Hello,
>>>
>>> First, email has been working fine on this server for past 
>> several months while using the Squirrelmail web client located on 
>> the same server.  I am needing an alternative method to access 
>> mail services and decided, on a whim, to try Thunderbird.  
>> Thunderbird interacted with the Dovecot IMAP server just fine, but 
>> when I tried to test sending mail over SMTP, it failed. I wish the 
>> error they gave me was more verbose, but it wasn't.  So I decided 
>> to test things in more detail.
>>>
>>> I decided that, since SMTP is a plain-text protocol, I should be 
>> able to interact via telnet.  Searching on this idea, I found a 
>> really interesting webpage
>>>
>>> https://www.port25.com/how-to-check-an-smtp-connection-with-a-
>> manual-telnet-session-2/
>>>
>>> There was something strange with the MX record.  I modified the 
>> URL, of course.
>>>
>>> nslookup -type=mx example.com
>>> Server: 8.8.8.8
>>> Address:8.8.8.8#53
>>>
>>> Non-authoritative answer:
>>> example.com mail exchanger = 10 mail.example.com.
>>>
>>> Authoritative answers can be found from:
>>>
>>>
>>> and that was it.
>>
>> Nothing wrong here, MX records don't contain an IP.  You can 
>> compare
>> with -type=mx gmail.com.
>>
>>
>>>
>>> I decided to perform the same test, but pull the www record and 
>> with that I actually got an IP address.
>>>
>>> nslookup -type=www example.com
>>> unknown query type: www
>>> Server: 8.8.8.8
>>> Address:8.8.8.8#53
>>>
>>> Non-authoritative answer:
>>> Name:   example.com
>>> Address: 87.xxx.yyy.zzz
>>>
>>
>> There is no type=www.  This test is broken.
>>
>>
>> http://www.postfix.org/DEBUG_README.html
>>
>> If you show postfix logs and describe the actual error you're
>> getting, maybe someone can help.
>> http://www.postfix.org/DEBUG_README.html#mail
>>
>>
>>  -- Noel Jones
> 
> 


-- 

Florian Piekert   flo...@floppy.org

Spargelweg 5                      Telephone+Fax: +49-700-00floppy
38179 Schwülper-Walle/Germany                    +49-179- 3928582
===
Note:  this message was  sent by me *only* if the  eMail message contains a
correct pgp signature corresponding to my address at  flo...@floppy.org. Do
you need my  PGP  public key? Check out http://www.floppy.org or send me an
email with  the subject "send pgp public key" to this address of mine. Thx!




Re: SMTP Error with Thunderbird with remote Ubuntu Server 16.04

2016-11-28 Thread rich . greder
Okay, I am already using letsencrypt.org for my port 443 traffic. So once I 
have it extended to also cover SMTP on port 587, would it be acceptable to 
disable port 25, or is port 25 still needed (perhaps to suggest to clients that 
it isn't accepting any traffic except 587)

I have to admit, I have no idea how letsencrypt.org works.  For years, I just 
made self-signed certificates and it worked okay, until some mover-shaker type 
decided we can't do that anymore, and made it brutally difficult to access my 
website for typical users.  Out of concern of the same happening to email 
clients, I won't make any more self-signed certificates.  I never expected that 
letsencrypt.org would support email services as well, so their HOWTO docs for 
SMTP encryption is my next stop.

Thanks very much for the tip.

On 11/28/2016 at 12:07 PM, "Viktor Dukhovni"  wrote:
>
>On Mon, Nov 28, 2016 at 11:57:44AM -0600, rich.gre...@hushmail.com 
>wrote:
>
>> Nov 28 18:35:14 example postfix/smtpd[1293]: connect from 69-179-
>xxx-yyy.dyn.centurytel.net[69.179.xxx.yyy]
>> Nov 28 18:35:16 example postfix/smtpd[1293]: warning: TLS 
>library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 
>alert unknown ca:s3_pkt.c:1472:SSL alert number 48:
>
>The MUA tells Postfix (alert unknown ca) that it does not trust
>the issuer of the Postfix server's X.509 TLS certificate.  To avoid
>that, you'd need to configure a Let's Encrypt or similar certificate
>for the submission (port 587) SMTP service.
>
>Alternatively, you need to configure the mail client to trust your
>own (likely self-signed) certificate that is currently deployed.
>
>http://www.postfix.org/TLS_README.html#server_tls
>
>If you'd like to some day deploy DANE, also look at:
>
>http://postfix.1071664.n5.nabble.com/WoSign-StartCom-CA-in-the-
>news-td86436.html#a86444
>https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-
>2-dane-tlsa-records-with-le-certificates/7022
>https://www.internetsociety.org/deploy360/blog/2016/03/lets-
>encrypt-certificates-for-mail-servers-and-dane-part-2-of-2/
>
>-- 
>   Viktor.



Re: SMTP Error with Thunderbird with remote Ubuntu Server 16.04

2016-11-28 Thread Viktor Dukhovni
On Mon, Nov 28, 2016 at 11:57:44AM -0600, rich.gre...@hushmail.com wrote:

> Nov 28 18:35:14 example postfix/smtpd[1293]: connect from 
> 69-179-xxx-yyy.dyn.centurytel.net[69.179.xxx.yyy]
> Nov 28 18:35:16 example postfix/smtpd[1293]: warning: TLS library problem: 
> error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown 
> ca:s3_pkt.c:1472:SSL alert number 48:

The MUA tells Postfix (alert unknown ca) that it does not trust
the issuer of the Postfix server's X.509 TLS certificate.  To avoid
that, you'd need to configure a Let's Encrypt or similar certificate
for the submission (port 587) SMTP service.

Alternatively, you need to configure the mail client to trust your
own (likely self-signed) certificate that is currently deployed.

http://www.postfix.org/TLS_README.html#server_tls

If you'd like to some day deploy DANE, also look at:


http://postfix.1071664.n5.nabble.com/WoSign-StartCom-CA-in-the-news-td86436.html#a86444

https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022

https://www.internetsociety.org/deploy360/blog/2016/03/lets-encrypt-certificates-for-mail-servers-and-dane-part-2-of-2/

-- 
Viktor.
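Viktor's reading of the log line above (alert number 48 is the TLS "unknown ca" alert, and an OpenSSL "tlsv1 alert ..." error means the alert was received from the peer, so it is the MUA that gave up) can be turned into a repeatable triage step for mail.log. The script below is an added example, not code from the thread: it groups smtpd lines by process id, pulls the alert number out of the "TLS library problem" warning, and reports per session whether the client rejected the server's certificate or the handshake failed for another reason. The log excerpt is constructed to match the format shown in the thread; host names, addresses and timestamps are placeholders.

```python
"""Triage TLS handshake failures in Postfix smtpd logs.

This is an added example for the thread, not code from the original posts.
The log excerpt below is constructed to match the format the thread shows;
host names, IPs and timestamps are placeholders (assumption).
"""
import re
import sys
from typing import Dict, List, Optional

# TLS alert descriptions from RFC 5246 section 7.2.2 (112 is from RFC 6066).
# Postfix prints the code after "SSL alert number"; an OpenSSL "tlsv1 alert ..."
# error means the alert was *received* from the peer, so the peer gave up.
TLS_ALERTS: Dict[int, str] = {
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
    70: "protocol_version",
    112: "unrecognized_name",
}

# Alerts a client sends when it refuses the certificate the server presented.
CLIENT_TRUST_ALERTS = {42, 44, 45, 46, 48}

# Constructed sample log: one session a client aborted after STARTTLS with
# alert 48, and one session that completed normally.
SAMPLE_LOG = """\
Nov 28 18:35:14 example postfix/smtpd[1293]: connect from client.example.net[203.0.113.5]
Nov 28 18:35:16 example postfix/smtpd[1293]: warning: TLS library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:s3_pkt.c:1472:SSL alert number 48:
Nov 28 18:35:16 example postfix/smtpd[1293]: lost connection after STARTTLS from client.example.net[203.0.113.5]
Nov 28 18:35:16 example postfix/smtpd[1293]: disconnect from client.example.net[203.0.113.5] ehlo=1 starttls=1 commands=2
Nov 28 18:40:02 example postfix/smtpd[1301]: connect from mx.other.example[198.51.100.7]
Nov 28 18:40:03 example postfix/smtpd[1301]: disconnect from mx.other.example[198.51.100.7] ehlo=1 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=6
"""

LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT_RE = re.compile(r"^connect from (?P<client>\S+)$")
ALERT_RE = re.compile(r"SSL alert number (?P<num>\d+)")
LOST_RE = re.compile(r"^lost connection after STARTTLS from ")


def verdict(alert: Optional[int], lost_after_starttls: bool) -> str:
    """Explain one session's outcome in terms an operator can act on."""
    if alert is None:
        if lost_after_starttls:
            return "client dropped the connection after STARTTLS without sending a TLS alert"
        return "ok"
    name = TLS_ALERTS.get(alert, f"alert_{alert}")
    if alert in CLIENT_TRUST_ALERTS:
        return (f"client rejected the server certificate ({name}): check the chain "
                "served on this port and whether the client trusts its issuer")
    return f"TLS handshake failed ({name})"


def triage(log_text: str) -> List[dict]:
    """Group smtpd log lines by process id and classify each session.

    smtpd serves one session per process at a time, so the pid ties a
    'connect from' line to the warning and 'disconnect' lines that follow it.
    """
    open_sessions: Dict[str, dict] = {}
    results: List[dict] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        connect = CONNECT_RE.match(msg)
        if connect:
            open_sessions[pid] = {"pid": pid, "client": connect.group("client"),
                                  "alert": None, "lost_after_starttls": False}
            continue
        session = open_sessions.get(pid)
        if session is None:
            continue  # the session's connect line is not in this excerpt
        alert = ALERT_RE.search(msg)
        if alert:
            session["alert"] = int(alert.group("num"))
        elif LOST_RE.match(msg):
            session["lost_after_starttls"] = True
        elif msg.startswith("disconnect from "):
            session["verdict"] = verdict(session["alert"], session["lost_after_starttls"])
            results.append(open_sessions.pop(pid))
    return results


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for s in triage(text):
        print(f"smtpd[{s['pid']}] {s['client']}: {s['verdict']}")
```

Pass a log file as the first argument to run it over real data; with no argument it runs over the constructed sample. A run of "client rejected the server certificate" verdicts from one address, right after a certificate change, is the pattern to look for before touching anything else in the mail configuration.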


Re: SMTP Error with Thunderbird with remote Ubuntu Server 16.04

2016-11-28 Thread rich . greder
I should make clear in the post that u...@example.com is the IMAP mailbox name 
and that m...@example.com is a virtual alias.  This machine hosts about 8 
domains and has, I think, three mailboxes. I am the sole user of the email 
system.

On 11/28/2016 at 11:58 AM, rich.gre...@hushmail.com wrote:
>
>Okay, I am really curious how this works then.  Good catch on the 
>'www' test.  I winged it without reading the manpage.  I've never 
>known a good starting point for learning DNS, so that is 
>definitely a weak point.  So, now that the DNS is out of the way.  
>I'm going to dig deeper here.
>
>When I try to send a message to myself using Thunderbird, 
>m...@example.com, I get this
>
>Sending of the message failed.
>The message could not be sent using Outgoing server (SMTP) 
>example.com for an unknown reason. Please verify that your 
>Outgoing server (SMTP) settings are correct and try again.
>
>Then about half a second later, a popup window appears titled 'Add 
>security exception' that begins "You are about to override how 
>Thunderbird identifies this site".  I click on 'Get Certificate', 
>but it doesn't really do anything.
>
>So I look in the logs:
>
>mail.log
>
>Nov 28 18:34:56 example dovecot: imap-login: Login: 
>user=, method=PLAIN, rip=69.179.xxx.yyy, 
>lip=192.168.178.31, mpid=1291, TLS, session=
>Nov 28 18:35:14 example postfix/smtpd[1293]: connect from 69-179-
>xxx-yyy.dyn.centurytel.net[69.179.xxx.yyy]
>Nov 28 18:35:16 example postfix/smtpd[1293]: warning: TLS library 
>problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert 
>unknown ca:s3_pkt.c:1472:SSL alert number 48:
>Nov 28 18:35:16 example postfix/smtpd[1293]: lost connection after 
>STARTTLS from 69-179-xxx-yyy.dyn.centurytel.net[69.179.xxx.yyy]
>Nov 28 18:35:16 example postfix/smtpd[1293]: disconnect from 69-
>179-xxx-yyy.dyn.centurytel.net[69.179.xxx.yyy] ehlo=1 starttls=1 
>commands=2
>
>I have no idea what this means.  
>
>The only other log file with a recent entry would be the auth.log 
>which seems to only detail the 20 or so attempts of SSH login each 
>minute from across the world, which is normal for anybody with a 
>website.
>
>Rick
>
>On 11/28/2016 at 11:12 AM, "Noel Jones"  
>wrote:
>>
>>On 11/28/2016 9:07 AM, rich.gre...@hushmail.com wrote:
>>> Hello,
>>> 
>>> First, email has been working fine on this server for past 
>>several months while using the Squirrelmail web client located on 
>>the same server.  I am needing an alternative method to access 
>>mail services and decided, on a whim, to try Thunderbird.  
>>Thunderbird interacted with the Dovecot IMAP server just fine, 
>but 
>>when I tried to test sending mail over SMTP, it failed. I wish 
>the 
>>error they gave me was more verbose, but it wasn't.  So I decided 
>>to test things in more detail.
>>> 
>>> I decided that, since SMTP is a plain-text protocol, I should 
>be 
>>able to interact via telnet.  Searching on this idea, I found a 
>>really interesting webpage
>>> 
>>> https://www.port25.com/how-to-check-an-smtp-connection-with-a-
>>manual-telnet-session-2/
>>> 
>>> There was something strange with the MX record.  I modified the 
>>URL, of course.
>>> 
>>> nslookup -type=mx example.com
>>> Server: 8.8.8.8
>>> Address:8.8.8.8#53
>>> 
>>> Non-authoritative answer:
>>> example.com mail exchanger = 10 mail.example.com.
>>> 
>>> Authoritative answers can be found from:
>>> 
>>> 
>>> and that was it.
>>
>>Nothing wrong here, MX records don't contain an IP.  You can 
>>compare
>>with -type=mx gmail.com.
>>
>>
>>> 
>>> I decided to perform the same test, but pull the www record and 
>>with that I actually got an IP address.
>>> 
>>> nslookup -type=www example.com
>>> unknown query type: www
>>> Server: 8.8.8.8
>>> Address:8.8.8.8#53
>>> 
>>> Non-authoritative answer:
>>> Name:   example.com
>>> Address: 87.xxx.yyy.zzz
>>> 
>>
>>There is no type=www.  This test is broken.
>>
>>
>>http://www.postfix.org/DEBUG_README.html
>>
>>If you show postfix logs and describe the actual error you're
>>getting, maybe someone can help.
>>http://www.postfix.org/DEBUG_README.html#mail
>>
>>
>>  -- Noel Jones



Re: SMTP Error with Thunderbird with remote Ubuntu Server 16.04

2016-11-28 Thread rich . greder
Okay, I am really curious how this works then.  Good catch on the 'www' test.  
I winged it without reading the manpage.  I've never known a good starting 
point for learning DNS, so that is definitely a weak point.  So, now that the 
DNS is out of the way.  I'm going to dig deeper here.

When I try to send a message to myself using Thunderbird, m...@example.com, I 
get this

Sending of the message failed.
The message could not be sent using Outgoing server (SMTP) example.com for an 
unknown reason. Please verify that your Outgoing server (SMTP) settings are 
correct and try again.

Then about half a second later, a popup window appears titled 'Add security 
exception' that begins "You are about to override how Thunderbird identifies 
this site".  I click on 'Get Certificate', but it doesn't really do anything.

So I look in the logs:

mail.log

Nov 28 18:34:56 example dovecot: imap-login: Login: user=, 
method=PLAIN, rip=69.179.xxx.yyy, lip=192.168.178.31, mpid=1291, TLS, 
session=
Nov 28 18:35:14 example postfix/smtpd[1293]: connect from 
69-179-xxx-yyy.dyn.centurytel.net[69.179.xxx.yyy]
Nov 28 18:35:16 example postfix/smtpd[1293]: warning: TLS library problem: 
error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown 
ca:s3_pkt.c:1472:SSL alert number 48:
Nov 28 18:35:16 example postfix/smtpd[1293]: lost connection after STARTTLS 
from 69-179-xxx-yyy.dyn.centurytel.net[69.179.xxx.yyy]
Nov 28 18:35:16 example postfix/smtpd[1293]: disconnect from 
69-179-xxx-yyy.dyn.centurytel.net[69.179.xxx.yyy] ehlo=1 starttls=1 commands=2

I have no idea what this means.  

The only other log file with a recent entry would be the auth.log which seems 
to only detail the 20 or so attempts of SSH login each minute from across the 
world, which is normal for anybody with a website.

Rick

On 11/28/2016 at 11:12 AM, "Noel Jones"  wrote:
>
>On 11/28/2016 9:07 AM, rich.gre...@hushmail.com wrote:
>> Hello,
>> 
>> First, email has been working fine on this server for past 
>several months while using the Squirrelmail web client located on 
>the same server.  I am needing an alternative method to access 
>mail services and decided, on a whim, to try Thunderbird.  
>Thunderbird interacted with the Dovecot IMAP server just fine, but 
>when I tried to test sending mail over SMTP, it failed. I wish the 
>error they gave me was more verbose, but it wasn't.  So I decided 
>to test things in more detail.
>> 
>> I decided that, since SMTP is a plain-text protocol, I should be 
>able to interact via telnet.  Searching on this idea, I found a 
>really interesting webpage
>> 
>> https://www.port25.com/how-to-check-an-smtp-connection-with-a-
>manual-telnet-session-2/
>> 
>> There was something strange with the MX record.  I modified the 
>URL, of course.
>> 
>> nslookup -type=mx example.com
>> Server:  8.8.8.8
>> Address: 8.8.8.8#53
>> 
>> Non-authoritative answer:
>> example.com  mail exchanger = 10 mail.example.com.
>> 
>> Authoritative answers can be found from:
>> 
>> 
>> and that was it.
>
>Nothing wrong here, MX records don't contain an IP.  You can 
>compare
>with -type=mx gmail.com.
>
>
>> 
>> I decided to perform the same test, but pull the www record and 
>with that I actually got an IP address.
>> 
>> nslookup -type=www example.com
>> unknown query type: www
>> Server:  8.8.8.8
>> Address: 8.8.8.8#53
>> 
>> Non-authoritative answer:
>> Name:example.com
>> Address: 87.xxx.yyy.zzz
>> 
>
>There is no type=www.  This test is broken.
>
>
>http://www.postfix.org/DEBUG_README.html
>
>If you show postfix logs and describe the actual error you're
>getting, maybe someone can help.
>http://www.postfix.org/DEBUG_README.html#mail
>
>
>  -- Noel Jones



Re: SMTP Error with Thunderbird with remote Ubuntu Server 16.04

2016-11-28 Thread Noel Jones
On 11/28/2016 9:07 AM, rich.gre...@hushmail.com wrote:
> Hello,
> 
> First, email has been working fine on this server for past several months 
> while using the Squirrelmail web client located on the same server.  I am 
> needing an alternative method to access mail services and decided, on a whim, 
> to try Thunderbird.  Thunderbird interacted with the Dovecot IMAP server just 
> fine, but when I tried to test sending mail over SMTP, it failed. I wish the 
> error they gave me was more verbose, but it wasn't.  So I decided to test 
> things in more detail.
> 
> I decided that, since SMTP is a plain-text protocol, I should be able to 
> interact via telnet.  Searching on this idea, I found a really interesting 
> webpage
> 
> https://www.port25.com/how-to-check-an-smtp-connection-with-a-manual-telnet-session-2/
> 
> There was something strange with the MX record.  I modified the URL, of 
> course.
> 
> nslookup -type=mx example.com
> Server:   8.8.8.8
> Address:  8.8.8.8#53
> 
> Non-authoritative answer:
> example.com   mail exchanger = 10 mail.example.com.
> 
> Authoritative answers can be found from:
> 
> 
> and that was it.

Nothing wrong here, MX records don't contain an IP.  You can compare
with -type=mx gmail.com.


> 
> I decided to perform the same test, but pull the www record and with that I 
> actually got an IP address.
> 
> nslookup -type=www example.com
> unknown query type: www
> Server:   8.8.8.8
> Address:  8.8.8.8#53
> 
> Non-authoritative answer:
> Name: example.com
> Address: 87.xxx.yyy.zzz
> 

There is no type=www.  This test is broken.


http://www.postfix.org/DEBUG_README.html

If you show postfix logs and describe the actual error you're
getting, maybe someone can help.
http://www.postfix.org/DEBUG_README.html#mail


  -- Noel Jones


SMTP Error with Thunderbird with remote Ubuntu Server 16.04

2016-11-28 Thread rich . greder
Hello,

First, email has been working fine on this server for past several months while 
using the Squirrelmail web client located on the same server.  I am needing an 
alternative method to access mail services and decided, on a whim, to try 
Thunderbird.  Thunderbird interacted with the Dovecot IMAP server just fine, 
but when I tried to test sending mail over SMTP, it failed. I wish the error 
they gave me was more verbose, but it wasn't.  So I decided to test things in 
more detail.

I decided that, since SMTP is a plain-text protocol, I should be able to 
interact via telnet.  Searching on this idea, I found a really interesting 
webpage

https://www.port25.com/how-to-check-an-smtp-connection-with-a-manual-telnet-session-2/

There was something strange with the MX record.  I modified the URL, of course.

nslookup -type=mx example.com
Server: 8.8.8.8
Address:8.8.8.8#53

Non-authoritative answer:
example.com mail exchanger = 10 mail.example.com.

Authoritative answers can be found from:


and that was it.

I decided to perform the same test, but pull the www record and with that I 
actually got an IP address.

nslookup -type=www example.com
unknown query type: www
Server: 8.8.8.8
Address:8.8.8.8#53

Non-authoritative answer:
Name:   example.com
Address: 87.xxx.yyy.zzz



Re: SMTP Error with Thunderbird with remote Ubuntu Server 16.04

2016-11-28 Thread rich . greder
Okay,

I accidentally sent this half-composed.  But yes. I was able to send via SMTP, 
but only if my destination address was on my machine (which is probably good)

Maybe, since I sent this, I'll let people deliver their opinions on whether this 
is an MX record issue first.

Thanks

Rick

On 11/28/2016 at 9:08 AM, rich.gre...@hushmail.com wrote:
>
>Hello,
>
>First, email has been working fine on this server for past several 
>months while using the Squirrelmail web client located on the same 
>server.  I am needing an alternative method to access mail 
>services and decided, on a whim, to try Thunderbird.  Thunderbird 
>interacted with the Dovecot IMAP server just fine, but when I 
>tried to test sending mail over SMTP, it failed. I wish the error 
>they gave me was more verbose, but it wasn't.  So I decided to 
>test things in more detail.
>
>I decided that, since SMTP is a plain-text protocol, I should be 
>able to interact via telnet.  Searching on this idea, I found a 
>really interesting webpage
>
>https://www.port25.com/how-to-check-an-smtp-connection-with-a-
>manual-telnet-session-2/
>
>There was something strange with the MX record.  I modified the 
>URL, of course.
>
>nslookup -type=mx example.com
>Server:8.8.8.8
>Address:   8.8.8.8#53
>
>Non-authoritative answer:
>example.commail exchanger = 10 mail.example.com.
>
>Authoritative answers can be found from:
>
>
>and that was it.
>
>I decided to perform the same test, but pull the www record and 
>with that I actually got an IP address.
>
>nslookup -type=www example.com
>unknown query type: www
>Server:8.8.8.8
>Address:   8.8.8.8#53
>
>Non-authoritative answer:
>Name:  example.com
>Address: 87.xxx.yyy.zzz