Hi, I only needed to add one setting and all the deferred test emails on O365 started flowing into my inbox.

RAN vi /etc/postfix/main.cf
added

    # -ALF 2018-06-28
    smtpd_tls_security_level = may

RAN service postfix reload

Case closed, thanks.

-ANGELO FAZZINA
ITS Service Manager: Spam and Virus Prevention Mass Mailing G Suite/Gmail
ang...@uconn.edu
University of Connecticut, ITS, SSG, Server Systems
860-486-9075

-----Original Message-----
From: owner-postfix-us...@postfix.org <owner-postfix-us...@postfix.org> On Behalf Of Fazzina, Angelo
Sent: Thursday, June 28, 2018 3:26 PM
To: Postfix users <postfix-users@postfix.org>
Subject: RE: Can postfix send encrypted but not authenticated emails ?

Hi, thank you Viktor.

I was able to replicate the error [a deferral] from O365:

    450 4.4.317 cannot connect to remote server message=
    451 5.7.3 STARTTLS is required to send mail

My server 137.99.25.233 on port 25 is not accepting the mail. I cannot control what O365 does, they send on port 25, and I can't find my settings that are blocking it? Even stranger, my identical servers in Azure will accept the mail? Just trying to understand the differences to ID the problem.

Confused why this works:

    [root@mta2 postfix]# telnet azuresmtp.uconn.edu 25
    Trying 104.45.142.253...
    Connected to azuresmtp.uconn.edu.
    Escape character is '^]'.
    220 uconnmta6.cloudapp.net ESMTP Postfix (Debian/GNU)
    ehlo uconn.edu
    250-uconnmta6.cloudapp.net
    250-PIPELINING
    250-SIZE 31457280
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    quit
    221 2.0.0 Bye

And why this does not?

    [root@uconnMTA5 postfix]# telnet 137.99.25.233 25
    Trying 137.99.25.233...
    telnet: connect to address 137.99.25.233: Connection timed out

Am I on the right track noticing there is no 250-STARTTLS?

    [root@mta2 postfix]# telnet 137.99.25.233 25
    Trying 137.99.25.233...
    Connected to 137.99.25.233.
    Escape character is '^]'.
    220 mta3.uits.uconn.edu ESMTP Postfix (Debian/GNU)
    ehlo uconn.edu
    250-mta3.uits.uconn.edu
    250-PIPELINING
    250-SIZE 31457280
    250-VRFY
    250-ETRN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    quit
    221 2.0.0 Bye
    Connection closed by foreign host.

-ANGELO FAZZINA

-----Original Message-----
From: owner-postfix-us...@postfix.org <owner-postfix-us...@postfix.org> On Behalf Of Viktor Dukhovni
Sent: Thursday, June 28, 2018 1:05 PM
To: Postfix users <postfix-users@postfix.org>
Subject: Re: Can postfix send encrypted but not authenticated emails ?

> On Jun 28, 2018, at 12:41 PM, Fazzina, Angelo <angelo.fazz...@uconn.edu> wrote:
>
> Hi, I have been reading the online docs for TLS_README.html and
> SASL_README.html but still having trouble deducing if I can get Postfix 2.6
> to accept email over port 587 without giving Postfix a username and password?

The submission service on ports 587 and 465 is for sending email outbound, possibly to remote domains, from the end-user's MUA. While some MTAs on laptops and SOHO environments send outbound mail via their provider's submission service, they're essentially just proxies for the user's MUA, and the mail is still on the "outbound" leg of its journey. So 587 and 465 are not MTA-to-MTA relay services. Outbound email requires authentication, due to the potential of open-relay abuse by spammers.

> I would like to change it so postfix will accept email without a username and
> password, specifically from Office 365, and with encryption [TLS].

If the email is addressed to your domain (inbound email), Postfix will accept it from all senders, without SASL authentication.

http://www.postfix.org/BASIC_CONFIGURATION_README.html#mydestination
http://www.postfix.org/VIRTUAL_README.html#canonical

> I would add that I am not looking to change the current config, but just add
> this new ability.
>
> Is it as simple as adding
>
> smtpd_tls_security_level = may
>
> into main.cf ?

To enable inbound opportunistic TLS you'll need that and a suitable (self-signed is sufficient) certificate; if you already have one for port 587, you can use that one.

http://www.postfix.org/TLS_README.html#quick-start

> I also heard Postfix can use maybe Kerberos tickets

Cross-organizational Kerberos is not common, and not needed in your use case of relaying between MTAs. Kerberos can be used as a SASL mechanism on port 587 between the MUA and the submission service. This message's first hop is GSSAPI (specifically Kerberos) authenticated.

> Example : email to ang...@uconn.edu goes to O365 and then O365 will forward
> to smtp.uconn.edu [which relays back to O365] due to my mailbox being
> angelo.fazz...@uconn.edu . If you send directly to angelo.fazz...@uconn.edu
> O365 delivers to mailbox without having to forward the email.

This is multi-hop relaying on the inbound phase of message delivery, and requires nothing fancy, just some address rewriting and routing.

-- 
Viktor.
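The check Angelo did by hand with telnet (is 250-STARTTLS in the EHLO reply?) is the thing to verify after setting smtpd_tls_security_level = may, because O365 defers with "451 5.7.3 STARTTLS is required" when it is missing. The script below is an added example, not code from the thread or from Postfix: it parses an EHLO reply into its extensions, using the two EHLO transcripts above as constructed sample input, and probe_starttls (with an assumed probe hostname) does the same check live against a real MTA.

```python
import smtplib

# Constructed sample EHLO replies, transcribed from the two telnet sessions in the
# thread (the Azure host advertises STARTTLS, mta3 does not); not live captures.
EHLO_AZURE = """250-uconnmta6.cloudapp.net
250-PIPELINING
250-SIZE 31457280
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

EHLO_MTA3 = """250-mta3.uits.uconn.edu
250-PIPELINING
250-SIZE 31457280
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""


def parse_ehlo(reply: str) -> dict:
    """Parse an EHLO reply: "250-" marks continuation lines, "250 " the last one.
    The first line is the server's own name, not an extension, so it is skipped.
    Returns {EXTENSION: parameter string}."""
    lines = reply.splitlines()
    exts = {}
    for line in lines[1:]:
        if not (line.startswith("250-") or line.startswith("250 ")):
            raise ValueError(f"unexpected EHLO line: {line!r}")
        keyword, _, params = line[4:].strip().partition(" ")
        exts[keyword.upper()] = params
    return exts


def offers_starttls(reply: str) -> bool:
    """True if the 250-STARTTLS capability is advertised in the reply."""
    return "STARTTLS" in parse_ehlo(reply)


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Live check against a real MTA: send EHLO, then ask smtplib whether the
    server advertised STARTTLS. Sends no mail; not exercised by the offline test."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo("probe.example.invalid")  # assumed probe hostname, not from the thread
        return smtp.has_extn("starttls")
```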