virtualmin / virtualmin-gpl

Virtualmin web hosting control panel for Webmin
https://www.virtualmin.com
GNU General Public License v3.0

autodiscover protocol in SMTP not using starttls #764

Closed aqueos closed 6 months ago

aqueos commented 6 months ago

hi,

In my test with a customer, we found that there is an issue in the Thunderbird config related to cgi-bin in the Apache template, but we also found an issue in the Microsoft protocol handling.

In the autodiscover protocol, the autodiscover XML returns:

```xml
      <Protocol>
        <Type>SMTP</Type>
        <Server>mail.xxxx.xx</Server>
        <Port>587</Port>
        <DomainRequired>off</DomainRequired>
        <SPA>off</SPA>
        <SSL>yes</SSL>
        <AuthRequired>on</AuthRequired>
        <LoginName>testconfig.xxxx</LoginName>
      </Protocol>
```

But port 587 is not SSL, it is STARTTLS. From what I can find, the documentation states that SSL can only be "on" or "off" (and not yes/no).

https://msopenspecs.azureedge.net/files/MS-OXDSCLI/%5bMS-OXDSCLI%5d-210422.pdf

Also, the `Encryption` directive overrides the one in SSL and could be set to "auto" to let Exchange choose the most secure one:

```
2.2.4.1.1.2.6.22 Encryption

The Encryption element specifies the required encryption for the connection to the server. It MAY be an optional child element of the Protocol element (section 2.2.4.1.1.2.6). This element is valid only if the value of the Type element (section 2.2.4.1.1.2.6.46) is "IMAP", "POP3", or "SMTP". If the Encryption element is present, it overrides the SSL element (section 2.2.4.1.1.2.6.44). The following table specifies the possible values of the Encryption element.

Value   Meaning
"None"  No encryption is used.
"SSL"   SSL encryption is used.
"TLS"   TLS encryption is used.
"Auto"  The most secure encryption that the client and server support is used.
```

The tests we did show that SSL fails because 587 is STARTTLS, so the Encryption tag should be used for that, as the SSL one is too narrow. I think auto is easier than having to choose between none/ssl/tls. TLS stands for STARTTLS...

best regards, Ghislain.

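
The value rules quoted above (SSL is on/off; Encryption is None/SSL/TLS/Auto and overrides SSL) can be checked mechanically. The following linter is an added example, not Virtualmin's code: it parses an Autodiscover response with the standard library, flags the `yes` value and the implicit-TLS-on-a-STARTTLS-port mismatch from this report, and repairs each `<Protocol>` by normalising `<SSL>` and adding `<Encryption>Auto</Encryption>`. The port-to-transport mapping and `SAMPLE_XML` are constructed for the example.

```python
"""Lint and repair the <Protocol> elements of an Autodiscover response.

Added example, not Virtualmin's code. Allowed values follow the
MS-OXDSCLI text quoted in the issue: <SSL> is "on" or "off", and
<Encryption>, when present, is one of None/SSL/TLS/Auto and overrides
<SSL>. The port tables and SAMPLE_XML are constructed for the example.
"""
import xml.etree.ElementTree as ET

SSL_VALUES = {"on", "off"}
ENCRYPTION_VALUES = {"None", "SSL", "TLS", "Auto"}
# Assumption: well-known ports that wrap the whole session in TLS versus
# ports that negotiate TLS in-band with STARTTLS.
IMPLICIT_TLS_PORTS = {"465", "993", "995"}
STARTTLS_PORTS = {"587", "143", "110"}

# Constructed sample: the SMTP block repeats the report's mistake
# (SSL=yes on the STARTTLS port 587); the IMAP block is fine.
SAMPLE_XML = """<Autodiscover>
  <Response>
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol>
        <Type>SMTP</Type>
        <Server>mail.example.test</Server>
        <Port>587</Port>
        <SSL>yes</SSL>
        <AuthRequired>on</AuthRequired>
      </Protocol>
      <Protocol>
        <Type>IMAP</Type>
        <Server>mail.example.test</Server>
        <Port>993</Port>
        <SSL>on</SSL>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>
"""


def _text(proto, tag):
    node = proto.find(tag)
    return node.text.strip() if node is not None and node.text else None


def lint_protocol(proto):
    """Return (severity, message) findings for one <Protocol> element."""
    findings = []
    ptype, port = _text(proto, "Type"), _text(proto, "Port")
    ssl, enc = _text(proto, "SSL"), _text(proto, "Encryption")
    where = f"{ptype}/{port}"
    if ssl is not None and ssl not in SSL_VALUES:
        findings.append(("error", f"{where}: SSL must be on/off, got {ssl!r}"))
    if enc is not None and enc not in ENCRYPTION_VALUES:
        findings.append(("error", f"{where}: Encryption must be None/SSL/TLS/Auto, got {enc!r}"))
    if enc in ENCRYPTION_VALUES and ssl is not None:
        findings.append(("info", f"{where}: Encryption={enc} overrides SSL={ssl}"))
    # Without <Encryption>, a truthy <SSL> on a STARTTLS port tells the client
    # to wrap the socket in TLS immediately, which is what broke Outlook on 587.
    if enc is None and port in STARTTLS_PORTS and ssl in {"on", "yes"}:
        findings.append(("warning", f"{where}: port {port} speaks STARTTLS, but SSL={ssl} "
                                    "without <Encryption> asks for implicit TLS"))
    return findings


def lint_document(xml_text):
    """Lint every <Protocol> in an Autodiscover document."""
    root = ET.fromstring(xml_text)
    return [f for proto in root.iter("Protocol") for f in lint_protocol(proto)]


def fix_protocol(proto):
    """Normalise <SSL> to on/off and add <Encryption>Auto</Encryption> if absent."""
    ssl = proto.find("SSL")
    if ssl is not None and ssl.text is not None:
        ssl.text = "on" if ssl.text.strip().lower() in {"on", "yes", "true", "1"} else "off"
    if proto.find("Encryption") is None:
        ET.SubElement(proto, "Encryption").text = "Auto"
    return proto


def fix_document(xml_text):
    """Return the document with every <Protocol> repaired."""
    root = ET.fromstring(xml_text)
    for proto in list(root.iter("Protocol")):
        fix_protocol(proto)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for severity, message in lint_document(SAMPLE_XML):
        print(f"{severity}: {message}")
    print(fix_document(SAMPLE_XML))
```

Running it on the sample reports the invalid `SSL=yes` and the implicit-TLS warning for port 587; after `fix_document` only informational "Encryption overrides SSL" findings remain, which is the intended end state once `<Encryption>Auto</Encryption>` is always emitted.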
jcameron commented 6 months ago

This could be a bug ... what does the line starting with submission in your /etc/postfix/master.cf file contain?

aqueos commented 6 months ago

yes of course:

```
submission inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  #-o receive_override_options=no_milters
```

jcameron commented 6 months ago

So for the on/off vs yes/no thing in Outlook, we'll fix that in the next release.

For the STARTTLS mode, are you getting error messages from your mail clients that expect to be able to connect to port 587 directly in SSL mode?

aqueos commented 6 months ago

Yes, the configuration mostly worked, but then the user had to change the SMTP settings to use STARTTLS or was unable to send any email, as Outlook was setting it as SSL as if it were port 465.

I think this is exactly why they added the "Encryption" keyword later, because Microsoft used port 25 until very recently, then in 2019 they realized "oh! there is a 587 thing!" :p

regards, Ghislain.

jcameron commented 6 months ago

Sadly the documentation on what Outlook wants is kind of lacking. Do you have an example of what the correct XML looks like?

aqueos commented 6 months ago

I had a hard time finding it when I was trying to understand the issue, but I eventually found this on the Microsoft website:

https://msopenspecs.azureedge.net/files/MS-OXDSCLI/%5bMS-OXDSCLI%5d.pdf

Page 23 is "Encryption", SSL is page 27.

regards, Ghislain

jcameron commented 6 months ago

Ah, if the server supports STARTTLS, we'd set `<SSL>off</SSL>` and `<Encryption>auto</Encryption>`?

aqueos commented 6 months ago

The spec says that if you use Encryption it ignores SSL, so you can do that or not use any SSL at all. I don't know if there is any way to tell Virtualmin our preference here: do we want port 465 SSL or 587 STARTTLS?

The bonus of Encryption is that the 'auto' part is quite handy to let the client decide the best method.

jcameron commented 6 months ago

Thanks! I wonder if maybe it's simplest to just set `<Encryption>auto</Encryption>` always then?

aqueos commented 6 months ago

Well yes, it seems easier and future proof.

jcameron commented 6 months ago

Ok, I'll do that in the next release, and also better differentiate between port 465 (pure SSL) and ports with STARTTLS support.

iliajie commented 6 months ago

> Ok, I'll do that in the next release, and also better differentiate between port 465 (pure SSL) and ports with STARTTLS support.

After applying the latest patches and updating the mail auto-configuration, when testing with Thunderbird, it consistently selects port 465 as the mail submission port. This seems incorrect, as port 587 with STARTTLS should be preferred!

aqueos commented 6 months ago

hi there,

After looking on the net about those two choices, it seems that yes, port 587 STARTTLS is the preferred way. Right now both work, but the RFC seems to favor using submission and not SMTPS for sending email.

Technically both work for me, but yes, if we want to be "good" citizens perhaps 587 STARTTLS should be the default. :)

best regards, Ghislain.

jcameron commented 6 months ago

What's the difference between those ports though? Does Postfix not treat them the same?

iliajie commented 6 months ago

> What's the difference between those ports though?

https://stackoverflow.com/questions/15796530/what-is-the-difference-between-ports-465-and-587

jcameron commented 6 months ago

Interesting .. so the currently checked-in code will prefer port 465 if enabled, then 587, then 25. But it sounds like maybe we should prefer 587? Although unclear if that's really the best choice if STARTTLS isn't supported..

iliajie commented 6 months ago

The idea is that STARTTLS on port 587 upgrades a connection from plaintext to SSL, there's a chance it might not happen. On the other hand, using SSL on port 465 guarantees encryption from the get-go. Interestingly, despite port 465's secure nature, it was once deprecated in favor of STARTTLS on port 587. Quite the puzzle, isn't it? There must be something else .. ?

chris001 commented 6 months ago

From the docs:

"When TLS layer encryption is required ("smtpd_tls_security_level = encrypt"), the Postfix SMTP server will announce and accept AUTH only after the TLS layer has been activated with STARTTLS."

```
/etc/postfix/main.cf:
  smtpd_tls_security_level = encrypt
```

"it may however still be useful to only offer AUTH when TLS is active. To maintain compatibility with non-TLS clients, the default is to accept AUTH without encryption. In order to change this behavior [require encrypted login], set:"

```
/etc/postfix/main.cf:
  smtpd_tls_auth_only = yes
```

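
The Postfix settings quoted above, together with the `submission` service posted earlier, determine what each port actually offers: `smtpd_tls_wrappermode=yes` means TLS from the first byte (the port 465 style), `smtpd_tls_security_level=encrypt` means AUTH is only offered after STARTTLS, and `may` means STARTTLS is optional. The script below is an added example, not Virtualmin's code: it parses the `inet ... smtpd` services and their `-o` overrides from a `master.cf`, applies the `main.cf` defaults you pass in, and ranks the ports the way the thread settles on (587 with STARTTLS required first, then 465, then 25). `SAMPLE_MASTER_CF`, `SAMPLE_MAIN_CF` and the service-name-to-port table are constructed for the example.

```python
"""Classify the TLS posture of Postfix smtpd services from master.cf.

Added example, not Virtualmin's code. Reads the inet smtpd services and
their -o overrides, falls back to the main.cf values supplied by the
caller, and ranks the ports: STARTTLS-required submission first, then
implicit TLS (465), then optional STARTTLS, then plaintext.
SAMPLE_MASTER_CF and SAMPLE_MAIN_CF are constructed.
"""
import re

# Constructed sample: the submission block mirrors the one in the issue,
# plus a wrapper-mode smtps service and the plain port-25 smtpd.
SAMPLE_MASTER_CF = """
smtp      inet  n       -       y       -       -       smtpd
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  #-o receive_override_options=no_milters
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
"""
# Constructed main.cf defaults (what applies when no -o override is set).
SAMPLE_MAIN_CF = {"smtpd_tls_security_level": "may", "smtpd_tls_auth_only": "no"}

# Assumption: service names resolve to these ports via /etc/services.
SERVICE_PORTS = {"smtp": 25, "submission": 587, "smtps": 465}

# Ordering the thread converges on: 587/STARTTLS first, then 465.
PREFERENCE = ["starttls-required", "implicit-tls", "starttls-optional", "plaintext"]


def parse_master_cf(text):
    """Return {service_name: {option: value}} for every inet smtpd service.

    Continuation lines start with whitespace and carry '-o key=value'
    overrides; comment lines (including commented-out '-o') are skipped.
    """
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            m = re.match(r"\s*-o\s+([^=\s]+)=(\S*)", line)
            if current is not None and m:
                services[current][m.group(1)] = m.group(2)
            continue
        fields = line.split()
        if len(fields) >= 8 and fields[1] == "inet" and fields[7] == "smtpd":
            current = fields[0]
            services[current] = {}
        else:
            current = None  # not an smtpd listener; ignore its -o lines
    return services


def classify(service, overrides, main_cf):
    """Map one service to a transport label and the Autodiscover values to emit."""
    def opt(key, default):
        return overrides.get(key, main_cf.get(key, default))

    port = SERVICE_PORTS.get(service)
    if port is None:  # e.g. "127.0.0.1:10025" or a bare port number
        m = re.match(r"(?:.*:)?(\d+)$", service)
        port = int(m.group(1)) if m else None

    if opt("smtpd_tls_wrappermode", "no") == "yes":
        transport = "implicit-tls"        # whole session is TLS (port 465 style)
    elif opt("smtpd_tls_security_level", "none") == "encrypt":
        transport = "starttls-required"   # AUTH announced only after STARTTLS
    elif opt("smtpd_tls_security_level", "none") == "may":
        transport = "starttls-optional"   # client may skip STARTTLS
    else:
        transport = "plaintext"

    tls_before_auth = transport in {"implicit-tls", "starttls-required"} \
        or opt("smtpd_tls_auth_only", "no") == "yes"
    return {
        "service": service,
        "port": port,
        "transport": transport,
        "auth_only_after_tls": tls_before_auth,
        # Encryption=Auto always, as decided in the thread; SSL=on only for
        # ports that wrap the socket in TLS from the start.
        "autodiscover": {"SSL": "on" if transport == "implicit-tls" else "off",
                         "Encryption": "Auto"},
    }


def rank_submission_ports(master_cf_text, main_cf):
    """Classify every smtpd listener and order them by PREFERENCE, then port."""
    services = parse_master_cf(master_cf_text)
    entries = [classify(name, opts, main_cf) for name, opts in services.items()]
    entries.sort(key=lambda e: (PREFERENCE.index(e["transport"]), e["port"] or 0))
    return entries


if __name__ == "__main__":
    for entry in rank_submission_ports(SAMPLE_MASTER_CF, SAMPLE_MAIN_CF):
        print(f"{entry['service']:<11} port {entry['port']:<4} {entry['transport']:<18} "
              f"auth-only-after-TLS={entry['auth_only_after_tls']} {entry['autodiscover']}")
```

With the sample, the ranking comes out as 587 (STARTTLS required), 465 (implicit TLS), 25 (STARTTLS optional). The point of keeping `main.cf` as an input is that a `submission` stanza without a `-o smtpd_tls_security_level=encrypt` override silently inherits the global value, so a port-587 listener is only "STARTTLS required" if one of the two places says so.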
iliajie commented 6 months ago

With that in mind, we should prioritize STARTTLS on port 587 as our default choice.

jcameron commented 6 months ago

Ok I've fixed that here : https://github.com/virtualmin/virtualmin-gpl/commit/bf45573c437481b80654997355c575118b0b4927

iliajie commented 6 months ago

Excellent, thanks!