On Fri, Jun 11, 2021 at 10:32:38AM -0500, Linda Pagillo wrote:

> Thank you Herbert! I will give that a try. However... I'm trying to test
> connecting to port 465 over SSL from my Outlook mail client and it will not
> connect. Any ideas why not? I can connect to 993 and 995 from Outlook.

Test one thing at a time.  First get it working for interactive
connections via:

    $ (sleep 2; printf "QUIT\r\n") | openssl s_client -noservername -brief -connect 127.0.0.1:465

from which I see output of the form:

    CONNECTION ESTABLISHED
    Protocol version: TLSv1.3
    Ciphersuite: TLS_AES_256_GCM_SHA384
    Peer certificate: CN = amnesiac.local
    Hash used: SHA256
    Signature type: RSA-PSS
    Verification: OK
    Server Temp Key: X25519, 253 bits
    220 amnesiac.local ESMTP Postfix
    DONE

showing a working TLS handshake.  Once that works, proceed to testing
Outlook, and looking at the Postfix logs for relevant diagnostic
messages.

In some mail clients' SMTP configuration, IIRC "SSL" refers to port 465
implicit SSL, and "TLS" refers to port 587 "STARTTLS".  Make sure you're
configuring the client to use implicit TLS.

The Postfix source distribution includes a stock master.cf file, which
has a commented out sample "submissions" (port 465) entry:

    #submissions     inet  n       -       n       -       -       smtpd
    #  -o syslog_name=postfix/submissions
    #  -o smtpd_tls_wrappermode=yes
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_reject_unlisted_recipient=no
    #     Instead of specifying complex smtpd_<xxx>_restrictions here,
    #     specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
    #     here, and specify mua_<xxx>_restrictions in main.cf (where
    #     "<xxx>" is "client", "helo", "sender", "relay", or "recipient").
    #  -o smtpd_client_restrictions=
    #  -o smtpd_helo_restrictions=
    #  -o smtpd_sender_restrictions=
    #  -o smtpd_relay_restrictions=
    #  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING

You should start with:

    465     inet  n       -       n       -       -       smtpd
      -o syslog_name=postfix/submissions
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_reject_unlisted_recipient=no
      -o smtpd_client_restrictions=
      -o smtpd_helo_restrictions=
      -o smtpd_sender_restrictions=
      -o smtpd_relay_restrictions=
      -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
      -o milter_macro_daemon_name=ORIGINATING

and change as little as possible to meet your needs.  If you end up
needing more complex rules, heed the advice in:

    Instead of specifying complex smtpd_<xxx>_restrictions here,
    specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
    here, and specify mua_<xxx>_restrictions in main.cf (where
    "<xxx>" is "client", "helo", "sender", "relay", or "recipient").

--
    Viktor.
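
An added example, not part of the message above and not Postfix code: a small Python audit of master.cf text that reports whether the port 465 service carries the overrides recommended in the message. It assumes only the plain "-o name=value" form, does not read main.cf, and its function names, accepted service names and sample entries are constructed for illustration.

```python
# Added illustration; function names and sample entries are constructed.
GOOD = """\
465 inet n - n - - smtpd
  -o syslog_name=postfix/submissions
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
"""
# Same entry with wrapper mode left commented out: smtpd then expects
# plaintext SMTP on 465, so an implicit-TLS client cannot connect.
BROKEN = GOOD.replace("  -o smtpd_tls_wrappermode", "# -o smtpd_tls_wrappermode")

def parse_master_cf(text):
    """Return {(service, type): {param: value}} built from -o overrides."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                                # blank line or comment
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()        # continuation line
        else:
            logical.append(raw.strip())             # start of a new service
    services = {}
    for fields in (line.split() for line in logical):
        if len(fields) < 8:
            continue                                # not a full service entry
        args = fields[8:]
        services[(fields[0], fields[1])] = {
            opt.partition("=")[0]: opt.partition("=")[2]
            for flag, opt in zip(args, args[1:]) if flag == "-o" and "=" in opt}
    return services

def audit_port_465(text, names=("465", "submissions", "smtps")):
    """List problems with the implicit-TLS submission service, if any."""
    found = {k: v for k, v in parse_master_cf(text).items()
             if k[0].rsplit(":", 1)[-1] in names and k[1] == "inet"}
    if not found:
        return ["no enabled port 465 (submissions) inet service"]
    problems = []
    for (svc, _), opts in found.items():
        if opts.get("smtpd_tls_wrappermode") != "yes":
            problems.append(f"{svc}: smtpd_tls_wrappermode=yes is missing")
        if opts.get("smtpd_sasl_auth_enable") != "yes":
            problems.append(f"{svc}: smtpd_sasl_auth_enable=yes is missing")
        if not opts.get("smtpd_recipient_restrictions", "").endswith("reject"):
            problems.append(f"{svc}: recipient restrictions do not end in reject")
    return problems

if __name__ == "__main__":
    for label, cf in (("good", GOOD), ("broken", BROKEN)):
        print(label, audit_port_465(cf) or "ok")
```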