Re: Testing out SMTPS

  • Noel Jones
    Message 1 of 15 , Feb 4, 2013
      On 2/4/2013 12:27 PM, Robert Moskowitz wrote:
      > I am into final tuning of my mail server, and I greatly appreciate
      > all the help I have received from the many lists I have had to go to
      > for help. I am now at actual external testing, starting out with
      > some free mail test servers. Right now I am trying out:
      >
      > http://www.emailsecuritygrader.com
      >
      > And from there I became aware that I probably don't have SMTPS (port
      > 465) configured properly. Actually at first I did not even have it
      > set up! So I reread the readme:
      >
      > http://www.postfix.org/TLS_README.html
      >
      > And add:
      >
      > /etc/postfix/main.cf
      > smtpd_tls_security_level = may
      > smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
      >
      > /etc/postfix/master.cf:
      > smtps inet n - n - - smtpd
      >   -o smtpd_tls_wrappermode=yes
      >   -o smtpd_sasl_auth_enable=yes

      The smtps port should be reserved for authorized users only -- just
      like the submission port -- and never used for general-purpose email.

      Generally you would add something like
      -o smtpd_recipient_restrictions=$submission_recipient_restrictions

      and then in main.cf add
      submission_recipient_restrictions =
          permit_sasl_authenticated
          reject


      >
      > and restarted postfix
      >
      > And tried to telnet into localhost 465. All I get is:


      This is an encrypted connection and can't be tested with telnet.
      You can test it with openssl:

      openssl s_client -connect server.example.com:465

      If you get the postfix greeting banner, it's working properly.

      But be aware that smtps is deprecated and you probably shouldn't
      bother enabling it unless you need it to support legacy clients.




      -- Noel Jones
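To check a master.cf / main.cf pair against the advice in this reply (wrapper mode on smtps, SASL enabled, recipients restricted to authenticated users through a $submission_recipient_restrictions indirection), here is an added lint script; it is not from the thread or from Postfix, and the two configuration samples embedded in it are constructed for the example.

```python
import re
# Constructed sample: smtps as posted (TLS wrapper + SASL, no recipient restrictions) beside a compliant submission entry.
SAMPLE_MASTER_CF = """\
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=$submission_recipient_restrictions
smtps      inet  n  -  n  -  -  smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
"""
SAMPLE_MAIN_CF = """\
submission_recipient_restrictions =
    permit_sasl_authenticated
    reject
"""

def parse_master_cf(text):
    """Map each service to its '-o name=value' overrides; an unindented '-o' line is read as a new service."""
    services, current = {}, None
    for raw in text.splitlines():
        if raw[:1].isspace():                      # continuation: -o override
            m = re.match(r'\s*-o\s+([^=\s]+)=(\S*)', raw)
            if m and current is not None:
                services[current][m.group(1)] = m.group(2)
        elif raw and not raw.startswith('#'):      # new service entry
            current = raw.split()[0]
            services[current] = {}
    return services
def parse_main_cf(text):
    """Map main.cf parameters to values, joining indented continuation lines."""
    params, key = {}, None
    for raw in text.splitlines():
        if raw[:1].isspace() and key is not None:  # continuation line
            params[key] += ' ' + raw.strip()
        elif '=' in raw and not raw.startswith('#'):
            key, value = (s.strip() for s in raw.split('=', 1))
            params[key] = value
    return params
def lint_service(name, opts, params):
    """Findings for one client-submission service; an empty list means OK."""
    findings = []
    if name == 'smtps' and opts.get('smtpd_tls_wrappermode') != 'yes':
        findings.append('smtps needs smtpd_tls_wrappermode=yes (implicit TLS on 465)')
    if name == 'submission' and opts.get('smtpd_tls_security_level') != 'encrypt':
        findings.append('submission should require STARTTLS (smtpd_tls_security_level=encrypt)')
    if opts.get('smtpd_sasl_auth_enable') != 'yes':
        findings.append('smtpd_sasl_auth_enable=yes missing')
    # -o values cannot contain spaces, hence the $name indirection; expand it one level as Postfix does
    restr = re.sub(r'\$\{?(\w+)\}?', lambda m: params.get(m.group(1), ''),
                   opts.get('smtpd_recipient_restrictions', '')).split()
    if restr[:2] != ['permit_sasl_authenticated', 'reject']:
        findings.append('open to unauthenticated senders; want permit_sasl_authenticated, reject')
    return findings
def lint(master_text, main_text):
    """Lint the smtps and submission services of a master.cf / main.cf pair."""
    params = parse_main_cf(main_text)
    return {name: lint_service(name, opts, params) for name, opts
            in parse_master_cf(master_text).items() if name in ('smtps', 'submission')}
```

Run `lint(open('/etc/postfix/master.cf').read(), open('/etc/postfix/main.cf').read())` on a real server to see which listener still accepts mail from unauthenticated clients.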
    • Robert Moskowitz
      Message 2 of 15 , Feb 4, 2013
        On 02/04/2013 03:41 PM, Stan Hoeppner wrote:
        > On 2/4/2013 12:27 PM, Robert Moskowitz wrote:
        >
        >> And from there I became aware that I probably don't have SMTPS (port
        >> 465) configured properly. Actually at first I did not even have it set
        >> up! So I reread the readme:
        > Do you need SMTPS? If so, for what?
        >
        > I'm guessing you are blindly assuming you should have it because some
        > online mail server tester tests for it and told you yours wasn't
        > working. Correct?

        Well the online tester made me aware of it, and some of my clients are
        stuck with Outlook Express, thus my interest in it.

        The online tester is rather 'dumb' as it does not consider that starttls
        is available as well. Of course that means all of the POP clients are
        properly configured to use it for sending mail and thus not expose their
        identities.


        >
        > I've been using Postfix for ~8 years and I've never used SMTPS, simply
        > because I've never needed it. Only enable/configure what you need, no more.
        >
        I have to look some more at what I currently have and what my few OE
        users are doing.
      • btb
        Message 3 of 15 , Feb 4, 2013
          On 2013.02.04 13.27, Robert Moskowitz wrote:
          > http://www.emailsecuritygrader.com

          as with most "helpful" websites like this, this one is perpetuating
          misinformation. smtps has long since been deprecated, having been
          superseded by starttls. it also would appear to perpetuate the behavior
          of offering submission service via port 25, which is largely discouraged.

          > And from there I became aware that I probably don't have SMTPS (port
          > 465) configured properly.

          with reference to the above, instead, configure a proper
          submission+starttls service [port 587]. there is an example included in
          the master.cf config file which comes with postfix.

          these days, new implementation of smtps should be restricted to existing
          environments in which smtps is already in use by clients. even then, it
          really should be used only until clients have been converted to use
          proper submission+starttls.

          > And tried to telnet into localhost 465.

          telnet is not suitable for testing things which employ this sort of
          encryption. instead, use something like openssl s_client or gnutls-cli.

          > The one pointer I have found so far on telneting into 465 shows that I
          > should have also gotten a:
          >
          > 220 ________ ESMTP Postfix
          >
          > sending a 'ehlo' results in the connection closing.

          this is misinformation. with smtps, encryption must be established
          before any smtp related dialog can occur. telnet does not do this sort
          of encryption.

          -ben
        • Robert Moskowitz
          Message 4 of 15 , Feb 4, 2013
            On 02/04/2013 03:47 PM, Noel Jones wrote:
            > On 2/4/2013 12:27 PM, Robert Moskowitz wrote:
            >> I am into final tuning of my mail server, and I greatly appreciate
            >> all the help I have received from the many lists I have had to go to
            >> for help. I am now at actual external testing, starting out with
            >> some free mail test servers. Right now I am trying out:
            >>
            >> http://www.emailsecuritygrader.com
            >>
            >> And from there I became aware that I probably don't have SMTPS (port
            >> 465) configured properly. Actually at first I did not even have it
            >> set up! So I reread the readme:
            >>
            >> http://www.postfix.org/TLS_README.html
            >>
            >> And add:
            >>
            >> /etc/postfix/main.cf
            >> smtpd_tls_security_level = may
            >> smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
            >>
            >> /etc/postfix/master.cf:
            >> smtps inet n - n - - smtpd
            >>   -o smtpd_tls_wrappermode=yes
            >>   -o smtpd_sasl_auth_enable=yes
            > The smtps port should be reserved for authorized users only -- just
            > like the submission port -- and never used for general-purpose email.
            >
            > Generally you would add something like
            > -o smtpd_recipient_restrictions=$submission_recipient_restrictions

            I will look into this. My setup uses virtual domains and mysql for the
            users, so a list may be contrived. But also the implication is that
            users would have to ask me for this method of connectivity which has its
            merits.

            >
            > and then in main.cf add
            > submission_recipient_restrictions =
            >     permit_sasl_authenticated
            >     reject

            Thanks, I will review this.

            >
            >
            >> and restarted postfix
            >>
            >> And tried to telnet into localhost 465. All I get is:
            >
            > This is an encrypted connection and can't be tested with telnet.
            > You can test it with openssl:
            >
            > openssl s_client -connect server.example.com:465

            Grumple. I did this to test out secure IMAP for dovecot. Obvious once
            my nose is stuck in it. Thanks.

            > If you get the postfix greeting banner, it's working properly.
            >
            > But be aware that smtps is deprecated and you probably shouldn't
            > bother enabling it unless you need it to support legacy clients.

            Good to know. I kind of got that feeling from the TLS_README that it
            was for older OE clients, and I have one of those. A reason for them to
            move up. Hopefully.
          • Reindl Harald
            Message 5 of 15 , Feb 4, 2013
              Am 04.02.2013 22:02, schrieb Robert Moskowitz:
              > The online tester is rather 'dumb' as it does not consider that starttls is available as well. Of course that
              > means all of the POP clients are properly configured to use it for sending mail and thus not expose their identities.

              no - if a client is not configured for using STARTTLS it does not

              many clients these days check this at the FIRST setup and try
              to use an encrypted connection - but there are way too many
              "plaintext without any encryption" configs

              if I could I would turn off port 25 completely and enforce
              587 with encryption - sadly this is not doable if you have
              hundreds of users with all sorts of clients
            • Robert Moskowitz
              Message 6 of 15 , Feb 4, 2013
                On 02/04/2013 04:03 PM, btb wrote:
                > On 2013.02.04 13.27, Robert Moskowitz wrote:
                >> http://www.emailsecuritygrader.com
                >
                > as with most "helpful" websites like this, this one is perpetuating
                > misinformation. smtps has long since been deprecated, having been
                > superseded by starttls. it also would appear to perpetuate the
                > behavior of offering submission service via port 25, which is largely
                > discouraged.

                And blocked at many hotspots.

                >
                >> And from there I became aware that I probably don't have SMTPS (port
                >> 465) configured properly.
                >
                > with reference to the above, instead, configure a proper
                > submission+starttls service [port 587]. there is an example included
                > in the master.cf config file which comes with postfix.

                And I do have that configured.

                >
                > these days, new implementation of smtps should be restricted to
                > existing environments in which smtps is already in use by clients.
                > even then, it really should be used only until clients have been
                > converted to use proper submission+starttls.
                >
                > And tried to telnet into localhost 465.
                >
                > telnet is not suitable for testing things which employ this sort of
                > encryption. instead, use something like openssl s_client or gnutls-cli

                Got that. thanks.

                >
                >> The one pointer I have found so far on telneting into 465 shows that I
                >> should have also gotten a:
                >>
                >> 220 ________ ESMTP Postfix
                >>
                >> sending a 'ehlo' results in the connection closing.
                >
                > this is misinformation. with smtps, encryption must be established
                > before any smtp related dialog can occur. telnet does not do this
                > sort of encryption.

                And I looked into my logs for the emailsecuritygrader connections and it
                sure seemed to be connecting with something equivalent to telnet! Well
                more testing will tell.
              • Geoff Shang
                Message 7 of 15 , Feb 5, 2013
                  On Mon, 4 Feb 2013, Robert Moskowitz wrote:

                  > Well the online tester made me aware of it, and some of my clients are stuck
                  > with Outlook Express, thus my interest in it.

                  Outlook Express can use port 587 quite happily. You just have to tell it
                  to.

                  Cheers,
                  Geoff.
                • Geoff Shang
                  Message 8 of 15 , Feb 5, 2013
                    On Tue, 5 Feb 2013, Geoff Shang wrote:

                    > Outlook Express can use port 587 quite happily. You just have to tell it to.

                    I did also mean to say that you may need it for Outlook 2003 though.
                    We've got a few people using it and I forget what ended up working for
                    them.

                    Geoff.
                  • Birta Levente
                    Message 9 of 15 , Feb 5, 2013
                      On 05/02/2013 12:25, Geoff Shang wrote:
                      > On Mon, 4 Feb 2013, Robert Moskowitz wrote:
                      >
                      >> Well the online tester made me aware of it, and some of my clients are
                      >> stuck with Outlook Express, thus my interest in it.
                      >
                      > Outlook Express can use port 587 quite happily. You just have to tell
                      > it to.
                      >
                      > Cheers,
                      > Geoff.
                      >

                      Of course, you can set up -o smtpd_tls_wrappermode=yes on 587. But other
                      clients than Outlook Express, which use STARTTLS, will not work then.
                    • Bill Cole
                      Message 10 of 15 , Feb 5, 2013
                        On 4 Feb 2013, at 16:02, Robert Moskowitz wrote:

                        > Well the online tester made me aware of it, and some of my clients are
                        > stuck with Outlook Express, thus my interest in it.

                        The intrinsically bad idea of SMTPS died before ever being anything like
                        a standard, and only survived as a zombie protocol because MS jumped on
                        it without thinking. 9 years late, MS issued a patch in 2007 for OE that
                        enabled TLS on port 587 and that patch was rolled into Windows XP SP3 in
                        2008.

                        The bottom line is that anyone still running a version of OE that can't
                        handle standard submission is running a grossly insecure and obsolete
                        system. Rather than accommodating that irresponsible behavior, you would
                        do your clients and everyone else a service by making it untenable.
                      • Reindl Harald
                        Message 11 of 15 , Feb 5, 2013
                          Am 05.02.2013 19:29, schrieb Bill Cole:
                          > On 4 Feb 2013, at 16:02, Robert Moskowitz wrote:
                          >
                          >> Well the online tester made me aware of it, and some of my clients are stuck with Outlook Express, thus my
                          >> interest in it.
                          >
                          > The intrinsically bad idea of SMTPS died before ever being anything like a standard

                          what was so bad?

                          that no single connection is unencrypted?
                          that http://www.cvedetails.com/cve/CVE-2011-0411/ would not have been possible?

                          sorry, but from a design point of view it is an intrinsically bad idea to
                          start the connection unencrypted and only after that say "hey, we
                          can switch to encryption"
                        • Noel Jones
                          Message 12 of 15 , Feb 5, 2013
                            On 2/5/2013 12:29 PM, Bill Cole wrote:
                            > The intrinsically bad idea of SMTPS died before ever being anything
                            > like a standard, and only survived as a zombie protocol because MS
                            > jumped on it without thinking.

                            That's a little harsh. There is nothing wrong with smtps, any more
                            than https is wrong.

                            And a zombie is a great metaphor -- it's dead, but still stumbles
                            around refusing to be buried. If you want to bury it, prepare to
                            defend yourself.

                            > The bottom line is that anyone still running a version of OE that
                            > can't handle standard submission

                            That's just one use case. Unfortunately, there is current software
                            that perpetuates the hoax.


                            -- Noel Jones
                          • Bill Cole
                            Message 13 of 15 , Feb 5, 2013
                              On 5 Feb 2013, at 14:28, Noel Jones wrote:

                              > On 2/5/2013 12:29 PM, Bill Cole wrote:
                              >> The intrinsically bad idea of SMTPS died before ever being anything
                              >> like a standard, and only survived as a zombie protocol because MS
                              >> jumped on it without thinking.
                              >
                              > That's a little harsh. There is nothing wrong with smtps, any more
                              > than https is wrong.

                              Rehashing the arguments that killed its standardization 16 years ago
                              would be off-topic here.