Dear Mr. Victor,

Sorry for the late response to your request for the log.

Following is the log when I ran postfix on the submission (587) port with the connection type in the client set to SSL/TLS (and not STARTTLS)...

    Sep 13 21:07:54 mx02 postfix/smtpd[19896]: connect from unknown[192.168.10.38]
    Sep 13 21:07:54 mx02 postfix/smtpd[19896]: lost connection after UNKNOWN from unknown[192.168.10.38]
    Sep 13 21:07:54 mx02 postfix/smtpd[19896]: disconnect from unknown[192.168.10.38]

And the client (Outlook) shows the following error...

    Send test email message: Your server does not support the connection encryption type you have specified. Try changing the encryption method. Contact your mail server administrator or Internet service provider (ISP) for additional assistance.

When I changed the connection type to STARTTLS in the client it succeeded and generated the following log...

    Sep 13 21:12:58 mx02 postfix/smtpd[19972]: connect from unknown[192.168.10.38]
    Sep 13 21:12:59 mx02 postfix/smtpd[19972]: Anonymous TLS connection established from unknown[192.168.10.38]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
    Sep 13 21:12:59 mx02 postfix/smtpd[19972]: 4235945E2424: client=unknown[192.168.10.38], sasl_method=LOGIN, sasl_username=khalidansari
    Sep 13 21:12:59 mx02 postfix/cleanup[19981]: 4235945E2424: message-id=<>
    Sep 13 21:12:59 mx02 postfix/qmgr[19890]: 4235945E2424: from=<khalidans...@alrumaithy.ae>, size=1177, nrcpt=1 (queue active)
    Sep 13 21:12:59 mx02 postfix/local[19982]: 4235945E2424: to=<khalidans...@alrumaithy.ae>, relay=local, delay=0.13, delays=0.11/0/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
    Sep 13 21:12:59 mx02 postfix/qmgr[19890]: 4235945E2424: removed
    Sep 13 21:12:59 mx02 postfix/smtpd[19972]: disconnect from unknown[192.168.10.38]

Thanks

-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Viktor Dukhovni
Sent: Monday, August 14, 2017 5:19 PM
To: postfix-users@postfix.org
Subject: Re: TLS on 587

On Mon, Aug 14, 2017 at 02:53:23PM +0400, Mohammed Khalid Ansari wrote:

> I have configured my postfix to run on 587. When I choose connection
> type as 'STARTTLS' everything is fine but when I choose 'SSL/TLS', the
> client throws an error.

That's expected, since port 587 is SMTP with STARTTLS negotiation. SMTP inside TLS is typically on port 465.

http://www.postfix.org/TLS_README.html#server_enable

    TLS is sometimes used in the non-standard "wrapper" mode where a server always uses TLS, instead of announcing STARTTLS support and waiting for remote SMTP clients to request TLS service. Some clients, namely Outlook [Express] prefer the "wrapper" mode. This is true for OE (Win32 < 5.0 and Win32 >=5.0 when run on a port<>25 and OE (5.01 Mac on all ports). It is strictly discouraged to use this mode from main.cf. If you want to support this service, enable a special port in master.cf and specify "-o smtpd_tls_wrappermode=yes" (note: no space around the "=") as an smtpd(8) command line option. Port 465 (smtps) was once chosen for this feature.

The sample master.cf file distributed with Postfix source code contains:

    #smtps     inet  n       -       n       -       -       smtpd
    #  -o syslog_name=postfix/smtps
    #  -o smtpd_tls_wrappermode=yes
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
    #  -o smtpd_recipient_restrictions=
    #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING

Just remove the "#" comment characters, and if necessary add appropriate settings for the "mua_..." parameters to main.cf.

Note that there are some in the IETF who are trying to promote and standardize port 465 for email submission:

https://tools.ietf.org/html/draft-ietf-uta-email-deep-08#section-3

While this may end up in a final published RFC, it probably won't have much of an impact on the deployed base of submission servers for quite some time.

> I can configure 'STARTTLS' in outlook and proceed but on my cell phone
> I don't have that option and hence I am not able to connect.

IIRC mobile phones that do email and the like do support STARTTLS; your problem may be with the phone not accepting the server certificate. Post the logs from your server associated with connections from your phone.

-- 
Viktor.
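Added example, not part of the thread and not Postfix's own code: a small Python triage helper that groups the smtpd log lines quoted above by process id and labels each session, so an operator can tell from the log alone whether a client sent implicit TLS to the STARTTLS port or actually negotiated TLS. The "wrapper-mode-client" verdict is an assumption based on the failing session's signature (connect, lost connection after UNKNOWN, disconnect); sessions negotiated with TLSv1 or older are additionally flagged as legacy so that the protocol version is visible next to the fix.

```python
import re
from collections import defaultdict

# Constructed sample: the failing (SSL/TLS on 587) and succeeding (STARTTLS)
# sessions quoted in the thread above, smtpd lines only.
SAMPLE_LOG = """\
Sep 13 21:07:54 mx02 postfix/smtpd[19896]: connect from unknown[192.168.10.38]
Sep 13 21:07:54 mx02 postfix/smtpd[19896]: lost connection after UNKNOWN from unknown[192.168.10.38]
Sep 13 21:07:54 mx02 postfix/smtpd[19896]: disconnect from unknown[192.168.10.38]
Sep 13 21:12:58 mx02 postfix/smtpd[19972]: connect from unknown[192.168.10.38]
Sep 13 21:12:59 mx02 postfix/smtpd[19972]: Anonymous TLS connection established from unknown[192.168.10.38]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Sep 13 21:12:59 mx02 postfix/smtpd[19972]: 4235945E2424: client=unknown[192.168.10.38], sasl_method=LOGIN, sasl_username=khalidansari
Sep 13 21:12:59 mx02 postfix/smtpd[19972]: disconnect from unknown[192.168.10.38]
"""

SMTPD_RE = re.compile(r"^\S+ +\d+ \S+ \S+ postfix/smtpd\[(\d+)\]: (.*)$")
TLS_RE = re.compile(r"TLS connection established from (\S+): (\S+) with cipher (\S+)")
CLIENT_RE = re.compile(r"connect from (\S+\[[^\]]*\])")
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # all deprecated by the IETF

def classify_sessions(log_text):
    """Group smtpd lines by process id and return [(pid, client, verdict, protocol)].
    Verdicts: 'tls-ok', 'tls-legacy-protocol', 'wrapper-mode-client', 'other'."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = SMTPD_RE.match(line)
        if m:
            sessions[m.group(1)].append(m.group(2))
    results = []
    for pid, events in sessions.items():
        client = next((CLIENT_RE.match(e).group(1) for e in events if CLIENT_RE.match(e)), "?")
        tls = next((TLS_RE.search(e) for e in events if TLS_RE.search(e)), None)
        proto = tls.group(2) if tls else None
        if tls:
            verdict = "tls-legacy-protocol" if proto in LEGACY_PROTOCOLS else "tls-ok"
        elif (len(events) == 3 and events[0].startswith("connect from")
              and events[1].startswith("lost connection after UNKNOWN")
              and events[2].startswith("disconnect from")):
            # Heuristic (assumption): a TLS ClientHello sent to a plaintext STARTTLS
            # port is not a valid SMTP command, so smtpd logs the session as lost
            # "after UNKNOWN" and the client drops at once ("SSL/TLS" chosen for 587).
            verdict = "wrapper-mode-client"
        else:
            verdict = "other"
        results.append((pid, client, verdict, proto))
    return results

if __name__ == "__main__":
    for pid, client, verdict, proto in classify_sessions(SAMPLE_LOG):
        print(f"smtpd[{pid}] {client}: {verdict}" + (f" ({proto})" if proto else ""))
```

Run against a real mail log, a cluster of "wrapper-mode-client" sessions from one address is the cue to point that user at port 465 with smtpd_tls_wrappermode=yes enabled in master.cf, rather than at port 587.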