Closed aqueos closed 6 months ago
This could be a bug ... what does the line starting with submission in your /etc/postfix/master.cf file contain?
yes of course:
submission inet n - y - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  #-o receive_override_options=no_milters
So for the on/off vs yes/no thing in Outlook, we'll fix that in the next release.
For the STARTTLS mode, are you getting error messages from your mail clients that expect to be able to connect to port 587 directly in SSL mode?
Yes, the configuration mostly worked, but then the user has to change the SMTP settings to use STARTTLS or was unable to send any email, as Outlook was setting it to SSL as if it were port 465.
I think this is exactly why they added the "Encryption" keyword later, because Microsoft used port 25 until very recently, then they realized in 2019 oh! there is a 587 thing! :p
Regards, Ghislain.
Sadly the documentation on what Outlook wants is kind of lacking. Do you have an example of what the correct XML looks like?
I had a hard time finding it when I was trying to understand the issue, but I eventually found this on the Microsoft website:
https://msopenspecs.azureedge.net/files/MS-OXDSCLI/%5bMS-OXDSCLI%5d.pdf
Page 23 is "Encryption", SSL is page 27.
Regards, Ghislain
Ah, if the server supports STARTTLS, we'd set <SSL>off</SSL> and <Encryption>auto</Encryption>?
The norm says that if you use Encryption it ignores SSL, so you can do that or not use any SSL at all. I don't know if there is any way to tell Virtualmin our preference here: do we want port 465 SSL or 587 STARTTLS?
The bonus of Encryption is that the 'auto' part is quite handy to let the client decide the best method.
Thanks! I wonder if maybe it's simplest to just set <Encryption>auto</Encryption> always then?
Well yes, seems easier and future proof.
Ok, I'll do that in the next release, and also better differentiate between port 465 (pure SSL) and ports with STARTTLS support.
After applying the latest patches and updating the mail auto-configuration, when testing with Thunderbird, it consistently selects port 465 as the mail submission port. This seems incorrect, as port 587 with STARTTLS should be preferred!
Hi there,
After looking around the net about those two choices, it seems yes that port 587 STARTTLS is the preferred way. Right now both work, but the RFC seems to favor using submission and not SMTPS for email sending.
Technically both work for me, but yes, if we want to be "good" citizens perhaps 587 STARTTLS should be the default. :)
Best regards, Ghislain.
What's the difference between those ports though? Does Postfix not treat them the same?
What's the difference between those ports though?
https://stackoverflow.com/questions/15796530/what-is-the-difference-between-ports-465-and-587
Interesting .. so the currently checked-in code will prefer port 465 if enabled, then 587, then 25. But it sounds like maybe we should prefer 587? Although unclear if that's really the best choice if STARTTLS isn't supported..
The idea is that STARTTLS on port 587 upgrades a connection from plaintext to SSL, there's a chance it might not happen. On the other hand, using SSL on port 465 guarantees encryption from the get-go. Interestingly, despite port 465's secure nature, it was once deprecated in favor of STARTTLS on port 587. Quite the puzzle, isn't it? There must be something else .. ?
From the docs:
"When TLS layer encryption is required ("smtpd_tls_security_level = encrypt"), the Postfix SMTP server will announce and accept AUTH only after the TLS layer has been activated with STARTTLS."
/etc/postfix/main.cf:
smtpd_tls_security_level = encrypt
"it may however still be useful to only offer AUTH when TLS is active. To maintain compatibility with non-TLS clients, the default is to accept AUTH without encryption. In order to change this behavior [require encrypted login], set:"
/etc/postfix/main.cf:
smtpd_tls_auth_only = yes
With that in mind, we should prioritize STARTTLS on port 587 as our default choice.
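To make the two points of this thread concrete, the port preference (587 STARTTLS, then 465 implicit TLS, then 25) and the MS-OXDSCLI rule that SSL is only "on"/"off" while Encryption "auto" lets the client negotiate, here is an added example, not Virtualmin's code, that emits the SMTP Protocol block and checks an existing one for the yes/no mistake. The server name, login and the offered-ports map are constructed; the Autodiscover namespace wrapper around Protocol is left out.

```python
import xml.etree.ElementTree as ET

# Preferred order from the thread: STARTTLS on 587, then implicit TLS on 465, then 25.
# Each entry is (port, how TLS is provided on that port).
PREFERENCE = [(587, "starttls"), (465, "tls"), (25, "none")]


def pick_submission_port(offered):
    """offered maps port -> 'starttls' | 'tls' | 'none' (derived from master.cf).

    Returns the first (port, mode) in PREFERENCE that the server really offers.
    """
    for port, mode in PREFERENCE:
        if offered.get(port) == mode:
            return port, mode
    raise ValueError("no usable submission port offered")


def smtp_protocol_xml(server, offered, login):
    """Build the <Protocol> element for SMTP in an Outlook Autodiscover response."""
    port, mode = pick_submission_port(offered)
    proto = ET.Element("Protocol")
    ET.SubElement(proto, "Type").text = "SMTP"
    ET.SubElement(proto, "Server").text = server
    ET.SubElement(proto, "Port").text = str(port)
    ET.SubElement(proto, "LoginName").text = login
    # MS-OXDSCLI: SSL takes only "on"/"off" (never yes/no); "on" means TLS from the
    # first byte, which is true for 465 but not for a STARTTLS port like 587.
    ET.SubElement(proto, "SSL").text = "on" if mode == "tls" else "off"
    # When Encryption is present the client ignores SSL; "auto" lets Outlook pick
    # STARTTLS on 587 instead of wrongly treating it like port 465.
    ET.SubElement(proto, "Encryption").text = "auto"
    return ET.tostring(proto, encoding="unicode")


def validate_protocol(xml_text):
    """Return a list of problems found in a <Protocol> block (empty list = fine)."""
    root = ET.fromstring(xml_text)
    problems = []
    ssl = root.findtext("SSL")
    if ssl is not None and ssl not in ("on", "off"):
        problems.append(f"SSL must be 'on' or 'off', got {ssl!r}")
    # 587 advertised as implicit SSL with no Encryption hint reproduces the
    # misconfiguration the thread describes (client tries 465-style TLS on 587).
    if root.findtext("Port") == "587" and ssl == "on" and root.find("Encryption") is None:
        problems.append("port 587 advertised as implicit SSL without an Encryption element")
    return problems
```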
Ok I've fixed that here: https://github.com/virtualmin/virtualmin-gpl/commit/bf45573c437481b80654997355c575118b0b4927
Excellent, thanks!
Hi,
In my test with a customer we found that there is an issue in the Thunderbird config related to cgi-bin in the Apache template, but we also found an issue in the Microsoft protocol handling.
In the autodiscover protocol the autodiscover XML returns:
but port 587 is not SSL, it is STARTTLS. From what I can find, the documentation states that SSL can only be "on" or "off" (and not yes/no).
https://msopenspecs.azureedge.net/files/MS-OXDSCLI/%5bMS-OXDSCLI%5d-210422.pdf
also the