Re: TLS auth failure from iPhone

Mon, 14 Sep 2009 18:04:54 -0700 

Quoting LuKreme <krem...@kreme.com>:


On 14-Sep-2009, at 08:59, Victor Duchovni wrote:

On Mon, Sep 14, 2009 at 11:52:27PM +1000, Simon Wilson wrote:


And it never succeeds. If I set smtpd_tls_auth_only to no and
disable Use SSL on the iPhone it auths over SMTP (insecurely) and sends fine. 

Sep 14 23:17:59 server04 postfix/smtpd[4774]: connect from
unknown[120.152.28.100]
Sep 14 23:18:00 server04 postfix/smtpd[4774]: 233D6573DF:
client=unknown[120.152.28.100], sasl_method=PLAIN, sasl_username=simon

This used to work, and I am just not sure what has changed...


Carrier (MITM) proxying port 25 submission via a proxy (that does not
support SSL)?
I assume by MITM you mean man in the middle... in which case the assessment would appear to be a logical one. No idea how I would ever verify if that is the case or not though. 


So I have enabled port 587 in postfix master.cf,so now I have:

smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd

Port forward 587 on the router, and tell the iPhone to use 587
instead of 25 and now it works... ?!?

Do I need to change anything else in main.cf, or master.cf, or
will everything else still work the same as per if it had been
submitted on 25?
I believe that the same change that was made in 10.6 was made in iPhone OS 3.1, and that is that the order of ports tried has changed. 

Used to be, Mail tried to connect to port 25 first. If that failed,



it then tried to connect to 587.
What is happening to you, I think, is that the client is able to connect to port 587, but is not able to send for some reason. Mail sees this as a successful CONNECTION, so it never tries the other ports.
Originally I had only port 25 open on the router, and it used to work fine, with the iPhone specifically told to use port 25 and SSL. Then something changed (on the iPhone I suspect). Only then did I open port 587 and tried telling the iPhone to use that with SSL after enabling "submission" in master.cf. 

That now appears to be stable and working.
I guess I just really wanted to confirm that all of my other settings and options will work on 587 as they were on 25 etc, i.e. recipient restrictions, amavis, etc. 

Thanks for your responses guys.

--
Simon Wilson
www.simonandkate.net

Reply via email to