
Re: Testing out SMTPS

  • Stan Hoeppner
    Message 1 of 15, Feb 4, 2013
      On 2/4/2013 12:27 PM, Robert Moskowitz wrote:

      > And from there I became aware that I probably don't have SMTPS (port
      > 465) configured properly. Actually at first I did not even have it set
      > up! So I reread the readme:

      Do you need SMTPS? If so, for what?

      I'm guessing you are blindly assuming you should have it because some
      online mail server tester tests for it and told you yours wasn't
      working. Correct?

      I've been using Postfix for ~8 years and I've never used SMTPS, simply
      because I've never needed it. Only enable/configure what you need, no more.

      --
      Stan
    • Noel Jones
      Message 2 of 15, Feb 4, 2013
        On 2/4/2013 12:27 PM, Robert Moskowitz wrote:
        > I am into final tuning of my mail server, and I greatly appreciate
        > all the help I have received from the many lists I have had to go to
        > for help. I am now at actual external testing, starting out with
        > some free mail test servers. Right now I am trying out:
        >
        > http://www.emailsecuritygrader.com
        >
        > And from there I became aware that I probably don't have SMTPS (port
        > 465) configured properly. Actually at first I did not even have it
        > set up! So I reread the readme:
        >
        > http://www.postfix.org/TLS_README.html
        >
        > And add:
        >
        > /etc/postfix/main.cf
        > smtpd_tls_security_level = may
        > smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
        >
        > /etc/postfix/master.cf:
        > smtps inet n - n - - smtpd
        > -o smtpd_tls_wrappermode=yes
        > -o smtpd_sasl_auth_enable=yes

        The smtps port should be reserved for authorized users only -- just
        like the submission port -- and never used for general-purpose email.

        Generally you would add something like
        -o smtpd_recipient_restrictions=$submission_recipient_restrictions

        and then in main.cf add
        submission_recipient_restrictions =
        permit_sasl_authenticated
        reject


        >
        > and restarted postfix
        >
        > And tried to telnet into localhost 465. All I get is:


        This is an encrypted connection and can't be tested with telnet.
        You can test it with openssl:

        openssl s_client -connect server.example.com:465

        If you get the postfix greeting banner, it's working properly.

        But be aware that smtps is deprecated and you probably shouldn't
        bother enabling it unless you need it to support legacy clients.




        -- Noel Jones
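Noel's point is that the smtps and submission listeners must carry an override that limits them to authenticated users, or they become ordinary relays. The following is an added example, not code from this thread or from the Postfix project: a small linter that parses master.cf (standard eight-column layout, `-o name=value` overrides on indented continuation lines) and flags an smtps or submission service that lacks SASL, a recipient/relay restriction override, wrapper mode (smtps) or mandatory TLS (submission). The sample master.cf is constructed and reproduces the thread's smtps entry next to a submission entry modelled on the stock example; `smtpd_relay_restrictions` is accepted as an alternative because newer Postfix releases use it. Only master.cf is inspected, so a value that comes from main.cf is not seen by this check.

```python
"""Lint a Postfix master.cf for smtps/submission services that are open to
everyone instead of to authenticated users only.

Added example, not code from the mailing-list thread or from the Postfix
project. It assumes the standard master.cf layout: eight whitespace-separated
columns per service, with the service's '-o name=value' overrides on
continuation lines that begin with whitespace. Only master.cf is inspected;
a setting inherited from main.cf is not visible to this check."""

import shlex

# Constructed sample: the thread's smtps entry (wrapper mode and SASL on, but
# no recipient restriction) next to a submission entry modelled on the stock
# master.cf example.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
smtps      inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
pickup     unix  n       -       n       60      1       pickup
"""

# Either of these overrides keeps a service from relaying for unauthenticated
# clients (smtpd_relay_restrictions exists in newer Postfix releases).
RELAY_OVERRIDES = ("smtpd_recipient_restrictions", "smtpd_relay_restrictions")


def parse_master_cf(text):
    """Return {(service, type): {"command": str, "overrides": {name: value}}}."""
    services = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            # Continuation line: more arguments for the previous service.
            if current is None:
                raise ValueError("continuation line before any service: %r" % line)
            args = shlex.split(line)
        else:
            fields = line.split(None, 7)
            if len(fields) < 8:
                raise ValueError("service line has fewer than 8 columns: %r" % line)
            args = shlex.split(fields[7])
            current = services.setdefault(
                (fields[0], fields[1]), {"command": args[0], "overrides": {}})
            args = args[1:]
        # Collect "-o name=value" pairs; other arguments do not matter here.
        i = 0
        while i < len(args):
            if args[i] == "-o" and i + 1 < len(args) and "=" in args[i + 1]:
                name, value = args[i + 1].split("=", 1)
                current["overrides"][name] = value
                i += 2
            else:
                i += 1
    return services


def lint_submission_services(services):
    """Return findings for inet smtpd services named smtps or submission."""
    findings = []
    for (name, stype), svc in services.items():
        if stype != "inet" or svc["command"] != "smtpd" or name not in ("smtps", "submission"):
            continue
        ov = svc["overrides"]
        if ov.get("smtpd_sasl_auth_enable") != "yes":
            findings.append("%s: smtpd_sasl_auth_enable=yes is not set" % name)
        if not any(k in ov for k in RELAY_OVERRIDES):
            findings.append("%s: no recipient/relay restriction override, so the port "
                            "accepts general-purpose mail instead of authenticated users only" % name)
        if name == "smtps" and ov.get("smtpd_tls_wrappermode") != "yes":
            findings.append("smtps: smtpd_tls_wrappermode=yes is missing; clients on 465 expect TLS from the first byte")
        if name == "submission" and ov.get("smtpd_tls_security_level") != "encrypt":
            findings.append("submission: smtpd_tls_security_level=encrypt is missing; STARTTLS stays optional")
    return findings


if __name__ == "__main__":
    for finding in lint_submission_services(parse_master_cf(SAMPLE_MASTER_CF)):
        print(finding)
```

Run against the sample, the only finding is the one Noel raises: the smtps service has TLS and SASL switched on but no restriction override, so it would relay for anyone who connects. Adding the `-o smtpd_recipient_restrictions=$submission_recipient_restrictions` line from his reply makes the finding go away; the restriction value itself is not checked, only its presence.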
      • Robert Moskowitz
        Message 3 of 15, Feb 4, 2013
          On 02/04/2013 03:41 PM, Stan Hoeppner wrote:
          > On 2/4/2013 12:27 PM, Robert Moskowitz wrote:
          >
          >> And from there I became aware that I probably don't have SMTPS (port
          >> 465) configured properly. Actually at first I did not even have it set
          >> up! So I reread the readme:
          > Do you need SMTPS? If so, for what?
          >
          > I'm guessing you are blindly assuming you should have it because some
          > online mail server tester tests for it and told you yours wasn't
          > working. Correct?

          Well the online tester made me aware of it, and some of my clients are
          stuck with Outlook Express, thus my interest in it.

          The online tester is rather 'dumb' as it does not consider that starttls
          is available as well. Of course that means all of the POP clients are
          properly configured to use it for sending mail and thus not expose their
          identities.


          >
          > I've been using Postfix for ~8 years and I've never used SMTPS, simply
          > because I've never needed it. Only enable/configure what you need, no more.
          >
          I have to look some more at what I currently have and what my few OE
          users are doing.
        • btb
          Message 4 of 15, Feb 4, 2013
            On 2013.02.04 13.27, Robert Moskowitz wrote:
            > http://www.emailsecuritygrader.com

            as with most "helpful" websites like this, this one is perpetuating
            misinformation. smtps has long since been deprecated, having been
            superseded by starttls. it also would appear to perpetuate the behavior
            of offering submission service via port 25, which is largely discouraged.

            > And from there I became aware that I probably don't have SMTPS (port
            > 465) configured properly.

            with reference to the above, instead, configure a proper
            submission+starttls service [port 587]. there is an example included in
            the master.cf config file which comes with postfix.

            these days, new implementation of smtps should be restricted to existing
            environments in which smtps is already in use by clients. even then, it
            really should be used only until clients have been converted to use
            proper submission+starttls.

            > And tried to telnet into localhost 465.

            telnet is not suitable for testing things which employ this sort of
            encryption. instead, use something like openssl s_client or gnutls-cli

            > The one pointer I have found so far on telneting into 465 shows that I
            > should have also gotten a:
            >
            > 220 ________ ESMTP Postfix
            >
            > sending a 'ehlo' results in the connection closing.

            this is misinformation. with smtps, encryption must be established
            before any smtp related dialog can occur. telnet does not do this sort
            of encryption.

            -ben
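Both Noel and Ben make the same point from the client side: on 465 the very first bytes on the wire must be a TLS handshake, so telnet sees no banner and is disconnected, while 25 and 587 greet in plaintext and upgrade with STARTTLS. The script below is an added example, not code from the thread or from Postfix, that probes a server the way a mail client would: implicit TLS for 465, plaintext EHLO followed by STARTTLS for the other ports. The offline part, `parse_ehlo` and `assess_capabilities`, works on EHLO responses (the two below are constructed) and reports when no STARTTLS is offered or when AUTH is advertised before the connection is encrypted, which is exactly the case of a client that was never told to use STARTTLS; the Postfix setting named in that finding, `smtpd_tls_auth_only`, is mentioned as the usual fix and is not from the thread. `mail.example.com` is a placeholder host name.

```python
"""Probe an SMTP service the way a mail client would and report what it
offers, distinguishing implicit TLS (port 465, "smtps" wrapper mode) from
plaintext-then-STARTTLS (ports 25 and 587).

Added example, not code from the thread or from Postfix. Host names and the
EHLO responses below are constructed for illustration."""

import smtplib
import ssl

# Constructed EHLO responses in the form smtplib.SMTP.ehlo() returns them
# (bytes, first line is the server's name, one extension per further line).
SAMPLE_EHLO_SUBMISSION = (b"mail.example.com\nPIPELINING\nSIZE 10240000\n"
                          b"STARTTLS\nENHANCEDSTATUSCODES\n8BITMIME\nDSN")
SAMPLE_EHLO_PLAIN_AUTH = b"mail.example.com\nPIPELINING\nAUTH PLAIN LOGIN\n8BITMIME"


def parse_ehlo(ehlo_msg):
    """Map each advertised extension (upper-cased) to its parameter string."""
    exts = {}
    for line in ehlo_msg.decode("ascii", "replace").splitlines()[1:]:
        parts = line.strip().split(None, 1)
        if parts:
            exts[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return exts


def assess_capabilities(exts, tls_established):
    """Findings for an EHLO seen over plaintext (tls_established=False) or
    over an already-encrypted connection (True: port 465 or post-STARTTLS)."""
    findings = []
    if tls_established:
        return findings          # nothing below can leak once TLS is up
    if "STARTTLS" not in exts:
        findings.append("no STARTTLS offered: clients can only submit in cleartext here")
    if "AUTH" in exts:
        findings.append("AUTH advertised before TLS: a client that skips STARTTLS "
                        "sends its password in the clear (Postfix: smtpd_tls_auth_only=yes)")
    return findings


def probe(host, port, timeout=10):
    """Connect, negotiate TLS the way the port requires, and return a summary.

    Port 465 expects a TLS ClientHello as the very first bytes, which is why a
    telnet session there sees no banner and gets disconnected. Ports 25/587
    greet in plaintext and upgrade with STARTTLS."""
    ctx = ssl.create_default_context()
    if port == 465:
        with smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx) as s:
            _, msg = s.ehlo()
            exts = parse_ehlo(msg)
            return {"tls": True, "extensions": exts,
                    "findings": assess_capabilities(exts, True)}
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        _, msg = s.ehlo()
        exts = parse_ehlo(msg)
        findings = assess_capabilities(exts, False)   # what a plaintext client sees
        tls = False
        if "STARTTLS" in exts:
            s.starttls(context=ctx)
            _, msg = s.ehlo()     # the extension list may change after TLS
            exts = parse_ehlo(msg)
            tls = True
        return {"tls": tls, "extensions": exts, "findings": findings}


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"   # placeholder
    for port in (465, 587):
        try:
            print(port, probe(host, port))
        except (OSError, smtplib.SMTPException) as exc:
            print(port, "failed:", exc)
```

`probe()` needs a reachable server; the equivalent by hand is `openssl s_client -connect host:465` for wrapper mode and `openssl s_client -starttls smtp -connect host:587` for submission. If the 465 probe fails during the handshake while 587 answers, the listener is most likely running without `smtpd_tls_wrappermode=yes`, which is the misconfiguration the thread starts from.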
          • Robert Moskowitz
            Message 5 of 15, Feb 4, 2013
              On 02/04/2013 03:47 PM, Noel Jones wrote:
              > On 2/4/2013 12:27 PM, Robert Moskowitz wrote:
              >> I am into final tuning of my mail server, and I greatly appreciate
              >> all the help I have received from the many lists I have had to go to
              >> for help. I am now at actual external testing, starting out with
              >> some free mail test servers. Right now I am trying out:
              >>
              >> http://www.emailsecuritygrader.com
              >>
              >> And from there I became aware that I probably don't have SMTPS (port
              >> 465) configured properly. Actually at first I did not even have it
              >> set up! So I reread the readme:
              >>
              >> http://www.postfix.org/TLS_README.html
              >>
              >> And add:
              >>
              >> /etc/postfix/main.cf
              >> smtpd_tls_security_level = may
              >> smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
              >>
              >> /etc/postfix/master.cf:
              >> smtps inet n - n - - smtpd
              >> -o smtpd_tls_wrappermode=yes
              >> -o smtpd_sasl_auth_enable=yes
              > The smtps port should be reserved for authorized users only -- just
              > like the submission port -- and never used for general-purpose email.
              >
              > Generally you would add something like
              > -o smtpd_recipient_restrictions=$submission_recipient_restrictions

              I will look into this. My setup uses virtual domains and mysql for the
              users, so a list may be contrived. But also the implication is that
              users would have to ask me for this method of connectivity which has its
              merits.

              >
              > and then in main.cf add
              > submission_recipient_restrictions =
              > permit_sasl_authenticated
              > reject

              thanks I will review this.

              >
              >
              >> and restarted postfix
              >>
              >> And tried to telnet into localhost 465. All I get is:
              >
              > This is an encrypted connection and can't be tested with telnet.
              > You can test it with openssl:
              >
              > openssl s_client -connect server.example.com:465

              Grumple. I did this to test out secure IMAP for dovecot. Obvious once
              my nose is stuck in it. Thanks.

              > If you get the postfix greeting banner, it's working properly.
              >
              > But be aware that smtps is deprecated and you probably shouldn't
              > bother enabling it unless you need it to support legacy clients.

              Good to know. I kind of got that feeling from the TLS_README that it
              was for older OE clients, and I have one of those. A reason for them to
              move up. Hopefully.
            • Reindl Harald
              Message 6 of 15, Feb 4, 2013
                Am 04.02.2013 22:02, schrieb Robert Moskowitz:
                > The online tester is rather 'dumb' as it does not consider that starttls is available as well. Of course that
                > means all of the POP clients are properly configured to use it for sending mail and thus not expose their identities.

                no - if a client is not configured for using STARTTLS it does not

                many clients these days at the FIRST setup check this and try
                to use an encrypted connection - but there are way too many
                "plaintext without any encryption"-configs

                if i could i would turn off port 25 completely and enforce
                587 with encryption - sadly this is not doable if you have
                hundreds of users with all sorts of clients
              • Robert Moskowitz
                Message 7 of 15, Feb 4, 2013
                  On 02/04/2013 04:03 PM, btb wrote:
                  > On 2013.02.04 13.27, Robert Moskowitz wrote:
                  >> http://www.emailsecuritygrader.com
                  >
                  > as with most "helpful" websites like this, this one is perpetuating
                  > misinformation. smtps has long since been deprecated, having been
                  > superseded by starttls. it also would appear to perpetuate the
                  > behavior of offering submission service via port 25, which is largely
                  > discouraged.

                  And blocked at many hotspots.

                  >
                  >> And from there I became aware that I probably don't have SMTPS (port
                  >> 465) configured properly.
                  >
                  > with reference to the above, instead, configure a proper
                  > submission+starttls service [port 587]. there is an example included
                  > in the master.cf config file which comes with postfix.

                  And I do have that configured.

                  >
                  > these days, new implementation of smtps should be restricted to
                  > existing environments in which smtps is already in use by clients.
                  > even then, it really should be used only until clients have been
                  > converted to use proper submission+starttls.
                  >
                  > And tried to telnet into localhost 465.
                  >
                  > telnet is not suitable for testing things which employ this sort of
                  > encryption. instead, use something like openssl s_client or gnutls-cli

                  Got that. thanks.

                  >
                  >> The one pointer I have found so far on telneting into 465 shows that I
                  >> should have also gotten a:
                  >>
                  >> 220 ________ ESMTP Postfix
                  >>
                  >> sending a 'ehlo' results in the connection closing.
                  >
                  > this is misinformation. with smtps, encryption must be established
                  > before any smtp related dialog can occur. telnet does not do this
                  > sort of encryption.

                  And I looked into my logs for the emailsecuritygrader connections and it
                  sure seemed to be connecting with something equivalent to telnet! Well
                  more testing will tell.
                • Geoff Shang
                  Message 8 of 15, Feb 5, 2013
                    On Mon, 4 Feb 2013, Robert Moskowitz wrote:

                    > Well the online tester made me aware of it, and some of my clients are stuck
                    > with Outlook Express, thus my interest in it.

                    Outlook Express can use port 587 quite happily. You just have to tell it
                    to.

                    Cheers,
                    Geoff.
                  • Geoff Shang
                    Message 9 of 15, Feb 5, 2013
                      On Tue, 5 Feb 2013, Geoff Shang wrote:

                      > Outlook Express can use port 587 quite happily. You just have to tell it to.

                      I did also mean to say that you may need it for Outlook 2003 though.
                      We've got a few people using it and I forget what ended up working for
                      them.

                      Geoff.
                    • Birta Levente
                      Message 10 of 15, Feb 5, 2013
                        On 05/02/2013 12:25, Geoff Shang wrote:
                        > On Mon, 4 Feb 2013, Robert Moskowitz wrote:
                        >
                        >> Well the online tester made me aware of it, and some of my clients are
                        >> stuck with Outlook Express, thus my interest in it.
                        >
                        > Outlook Express can use port 587 quite happily. You just have to tell
                        > it to.
                        >
                        > Cheers,
                        > Geoff.
                        >

                        Of course, you can set up -o smtpd_tls_wrappermode=yes on 587. But
                        clients other than Outlook Express, with STARTTLS, do not work.
                      • Bill Cole
                        Message 11 of 15, Feb 5, 2013
                          On 4 Feb 2013, at 16:02, Robert Moskowitz wrote:

                          > Well the online tester made me aware of it, and some of my clients are
                          > stuck with Outlook Express, thus my interest in it.

                          The intrinsically bad idea of SMTPS died before ever being anything like
                          a standard, and only survived as a zombie protocol because MS jumped on
                          it without thinking. 9 years late, MS issued a patch in 2007 for OE that
                          enabled TLS on port 587 and that patch was rolled into Windows XP SP3 in
                          2008.

                          The bottom line is that anyone still running a version of OE that can't
                          handle standard submission is running a grossly insecure and obsolete
                          system. Rather than accommodating that irresponsible behavior, you would
                          do your clients and everyone else a service by making it untenable.
                        • Reindl Harald
                          Message 12 of 15, Feb 5, 2013
                            Am 05.02.2013 19:29, schrieb Bill Cole:
                            > On 4 Feb 2013, at 16:02, Robert Moskowitz wrote:
                            >
                            >> Well the online tester made me aware of it, and some of my clients are stuck with Outlook Express, thus my
                            >> interest in it.
                            >
                            > The intrinsically bad idea of SMTPS died before ever being anything like a standard

                            what was so bad?

                            that no single connection is unencrypted?
                            that http://www.cvedetails.com/cve/CVE-2011-0411/ would not have been possible?

                            sorry, but from point of design it is an intrinsically bad idea
                            start the connection unencrypted and after that look "hey, we
                            can switch to encryption"
                          • Noel Jones
                            Message 13 of 15, Feb 5, 2013
                              On 2/5/2013 12:29 PM, Bill Cole wrote:
                              > The intrinsically bad idea of SMTPS died before ever being anything
                              > like a standard, and only survived as a zombie protocol because MS
                              > jumped on it without thinking.

                              That's a little harsh. There is nothing wrong with smtps, any more
                              than https is wrong.

                              And a zombie is a great metaphor -- it's dead, but still stumbles
                              around refusing to be buried. If you want to bury it, prepare to
                              defend yourself.

                              > The bottom line is that anyone still running a version of OE that
                              > can't handle standard submission

                              That's just one use case. Unfortunately, there is current software
                              that perpetuates the hoax.


                              -- Noel Jones
                            • Bill Cole
                              Message 14 of 15, Feb 5, 2013
                                On 5 Feb 2013, at 14:28, Noel Jones wrote:

                                > On 2/5/2013 12:29 PM, Bill Cole wrote:
                                >> The intrinsically bad idea of SMTPS died before ever being anything
                                >> like a standard, and only survived as a zombie protocol because MS
                                >> jumped on it without thinking.
                                >
                                > That's a little harsh. There is nothing wrong with smtps, any more
                                > than https is wrong.

                                Rehashing the arguments that killed its standardization 16 years ago
                                would be off-topic here.