
Investigating iPhone Compatibility

  • Asai
    Message 1 of 18 , Jun 7, 2013
      Greetings,

      We're starting to incorporate iPhone users into our email system.  Sometimes we seem to be having trouble with mail being delayed for a long time before the phone will connect to the server and send the mail.  I don't really have any idea what this is.  I've looked through the logs, but I'm not seeing anything really telling.  I have recently turned on TLS debugging and hope to glean something useful from that.  We have SSL turned on on the iPhone, but do not have the so-called wrapper mode turned on, and it seems to be working fine in most cases.  Does anyone have any experience with managing iPhones and Postfix who can share with me something of value?

      Thank you.

      [root@triata ~]# postconf -n
      alias_maps = hash:/etc/aliases
      broken_sasl_auth_clients = yes
      command_directory = /usr/sbin
      config_directory = /etc/postfix
      content_filter = amavisfeed:[127.0.0.1]:10024
      daemon_directory = /usr/libexec/postfix
      data_directory = /var/lib/postfix
      html_directory = no
      mail_owner = postfix
      mailbox_size_limit = 0
      mailq_path = /usr/bin/mailq
      manpage_directory = /usr/local/man
      maximal_backoff_time = 600s
      maximal_queue_lifetime = 1d
      message_size_limit = 0
      minimal_backoff_time = 300s
      mydomain = globalchangemultimedia.net
      myhostname = triata.globalchangemultimedia.net
      newaliases_path = /usr/bin/newaliases
      postscreen_access_list = permit_mynetworks
      postscreen_bare_newline_action = enforce
      postscreen_bare_newline_enable = yes
      postscreen_dnsbl_action = enforce
      postscreen_dnsbl_sites = zen.spamhaus.org*2    bl.spamcop.net*1 b.barracudecentral.org*1
      postscreen_dnsbl_threshold = 2
      postscreen_greet_action = drop
      postscreen_non_smtp_command_action = enforce
      postscreen_non_smtp_command_enable = yes
      postscreen_pipelining_action = enforce
      postscreen_pipelining_enable = yes
      queue_directory = /var/spool/postfix
      queue_run_delay = 300s
      readme_directory = no
      sendmail_path = /usr/sbin/sendmail
      setgid_group = postdrop
      show_user_unknown_table_name = no
      smtp_sasl_mechanism_filter = plain, login
      smtp_tls_loglevel = 2
      smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql_blacklist,     permit_sasl_authenticated,    permit
      smtpd_data_restrictions = reject_unauth_pipelining, permit
      smtpd_delay_reject = yes
      smtpd_helo_required = yes
      smtpd_helo_restrictions = permit_mynetworks,     check_helo_access mysql:/etc/postfix/mysql_helo_restrictions.cf,    permit_sasl_authenticated,        reject_invalid_hostname,    permit
      smtpd_recipient_restrictions = permit_mynetworks,        permit_sasl_authenticated,        reject_invalid_hostname,        reject_non_fqdn_sender,        reject_non_fqdn_recipient,        reject_unknown_sender_domain,        reject_unauth_destination,        check_recipient_access mysql:/etc/postfix/mysql_restricted_recipients.cf,        permit
      smtpd_restriction_classes = webdev_only, gcmm_only, local_only, unrestricted
      smtpd_sasl_auth_enable = yes
      smtpd_sasl_exceptions_networks = $mynetworks
      smtpd_sasl_path = private/auth
      smtpd_sasl_security_options = noanonymous
      smtpd_sasl_type = dovecot
      smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql_restricted_senders.cf,        permit_sasl_authenticated,    permit_mynetworks,            reject_non_fqdn_sender,     reject_unknown_sender_domain,    permit
      smtpd_tls_cert_file = /etc/postfix/ssl/triata.globalchangemultimedia.net.pem
      smtpd_tls_key_file = /etc/postfix/ssl/triata.key
      smtpd_tls_loglevel = 0
      smtpd_tls_received_header = no
      smtpd_tls_security_level = may
      smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_session_cache
      soft_bounce = yes
      unknown_local_recipient_reject_code = 550
      virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
      virtual_gid_maps = static:1001
      virtual_mailbox_base = /vmail
      virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
      virtual_mailbox_limit = 0
      virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
      virtual_minimum_uid = 1001
      virtual_transport = dovecot
      virtual_uid_maps = static:1001

      -- 
      --Asai
    • Noel Jones
      Message 2 of 18 , Jun 7, 2013
        On 6/7/2013 3:28 PM, Asai wrote:
        > Greetings,
        >
        > We're starting to incorporate iPhone users into our email system.
        > Sometimes we seem to be having trouble with mail being delayed for a
        > long time before the phone will connect to the server and send the
        > mail. I don't really have any idea what this is. I've looked
        > through the logs, but I'm not seeing anything really telling. I
        > have recently turned on TLS debugging and hope to glean something
        > useful from that. We have SSL turned on on the iPhone, but do not
        > have the so-called wrapper mode turned on, and it seems to be
        > working fine in most cases. Does anyone have any experience with
        > managing iPhones and Postfix who can share with me something of value?
        >
        > Thank you.

        I only have a dozen or so iPhone users and don't use one myself, so
        don't consider me an expert on this. It's also possible my users
        have these problems and just haven't said anything. Anyway, here's
        some random thoughts...

        - don't use tls debug higher than level 1 unless you are willing to
        dig into openssl source code.

        - make sure your master.cf submission entry has
        -o syslog_name=postfix/submission
        so you can tell what port they're connecting to.

        - if they're connecting to port 25, postscreen will interfere,
        causing significant delays or preventing it from working at all.

        - enable the wrappermode/smtps port if you haven't already. Seems
        some of my iPhone users connect on that port despite instructions
        that make no mention of it. I don't know why, and don't really care;
        there is no difference in security/speed/whatever. I always enable
        smtps because it reduces end-user frustration. The only downside is
        "it's not a standard". Use the same settings as submission except
        for the addition of
        -o smtpd_tls_wrappermode=yes
        -o syslog_name=postfix/smtps



        HTH, and have a good weekend.



        -- Noel Jones


        >
        > [root@triata ~]# postconf -n
        > alias_maps = hash:/etc/aliases
        > broken_sasl_auth_clients = yes
        > command_directory = /usr/sbin
        > config_directory = /etc/postfix
        > content_filter = amavisfeed:[127.0.0.1]:10024
        > daemon_directory = /usr/libexec/postfix
        > data_directory = /var/lib/postfix
        > html_directory = no
        > mail_owner = postfix
        > mailbox_size_limit = 0
        > mailq_path = /usr/bin/mailq
        > manpage_directory = /usr/local/man
        > maximal_backoff_time = 600s
        > maximal_queue_lifetime = 1d
        > message_size_limit = 0
        > minimal_backoff_time = 300s
        > mydomain = globalchangemultimedia.net
        > myhostname = triata.globalchangemultimedia.net
        > newaliases_path = /usr/bin/newaliases
        > postscreen_access_list = permit_mynetworks
        > postscreen_bare_newline_action = enforce
        > postscreen_bare_newline_enable = yes
        > postscreen_dnsbl_action = enforce
        > postscreen_dnsbl_sites = zen.spamhaus.org*2 bl.spamcop.net*1
        > b.barracudecentral.org*1
        > postscreen_dnsbl_threshold = 2
        > postscreen_greet_action = drop
        > postscreen_non_smtp_command_action = enforce
        > postscreen_non_smtp_command_enable = yes
        > postscreen_pipelining_action = enforce
        > postscreen_pipelining_enable = yes
        > queue_directory = /var/spool/postfix
        > queue_run_delay = 300s
        > readme_directory = no
        > sendmail_path = /usr/sbin/sendmail
        > setgid_group = postdrop
        > show_user_unknown_table_name = no
        > smtp_sasl_mechanism_filter = plain, login
        > smtp_tls_loglevel = 2
        > smtpd_client_restrictions = check_client_access
        > mysql:/etc/postfix/mysql_blacklist,
        > permit_sasl_authenticated, permit
        > smtpd_data_restrictions = reject_unauth_pipelining, permit
        > smtpd_delay_reject = yes
        > smtpd_helo_required = yes
        > smtpd_helo_restrictions = permit_mynetworks, check_helo_access
        > mysql:/etc/postfix/mysql_helo_restrictions.cf,
        > permit_sasl_authenticated, reject_invalid_hostname, permit
        > smtpd_recipient_restrictions = permit_mynetworks,
        > permit_sasl_authenticated, reject_invalid_hostname,
        > reject_non_fqdn_sender, reject_non_fqdn_recipient,
        > reject_unknown_sender_domain,
        > reject_unauth_destination, check_recipient_access
        > mysql:/etc/postfix/mysql_restricted_recipients.cf, permit
        > smtpd_restriction_classes = webdev_only, gcmm_only, local_only,
        > unrestricted
        > smtpd_sasl_auth_enable = yes
        > smtpd_sasl_exceptions_networks = $mynetworks
        > smtpd_sasl_path = private/auth
        > smtpd_sasl_security_options = noanonymous
        > smtpd_sasl_type = dovecot
        > smtpd_sender_restrictions = check_sender_access
        > mysql:/etc/postfix/mysql_restricted_senders.cf,
        > permit_sasl_authenticated, permit_mynetworks,
        > reject_non_fqdn_sender, reject_unknown_sender_domain, permit
        > smtpd_tls_cert_file =
        > /etc/postfix/ssl/triata.globalchangemultimedia.net.pem
        > smtpd_tls_key_file = /etc/postfix/ssl/triata.key
        > smtpd_tls_loglevel = 0
        > smtpd_tls_received_header = no
        > smtpd_tls_security_level = may
        > smtpd_tls_session_cache_database =
        > btree:/var/spool/postfix/smtpd_tls_session_cache
        > soft_bounce = yes
        > unknown_local_recipient_reject_code = 550
        > virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
        > virtual_gid_maps = static:1001
        > virtual_mailbox_base = /vmail
        > virtual_mailbox_domains =
        > mysql:/etc/postfix/mysql_virtual_domains_maps.cf
        > virtual_mailbox_limit = 0
        > virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
        > virtual_minimum_uid = 1001
        > virtual_transport = dovecot
        > virtual_uid_maps = static:1001
        >
        > --
        > --Asai
        >
      • DTNX Postmaster
        Message 3 of 18 , Jun 7, 2013
          On Jun 8, 2013, at 00:47, Noel Jones <njones@...> wrote:

          > On 6/7/2013 3:28 PM, Asai wrote:
          >> Greetings,
          >>
          >> We're starting to incorporate iPhone users into our email system.
          >> Sometimes we seem to be having trouble with mail being delayed for a
          >> long time before the phone will connect to the server and send the
          >> mail. I don't really have any idea what this is. I've looked
          >> through the logs, but I'm not seeing anything really telling. I
          >> have recently turned on TLS debugging and hope to glean something
          >> useful from that. We have SSL turned on on the iPhone, but do not
          >> have the so-called wrapper mode turned on, and it seems to be
          >> working fine in most cases. Does anyone have any experience with
          >> managing iPhones and Postfix who can share with me something of value?
          >>
          >> Thank you.
          >
          > I only have a dozen or so iPhone users and don't use one myself, so
          > don't consider me an expert on this. It's also possible my users
          > have these problems and just haven't said anything. Anyway, here's
          > some random thoughts...
          >
          > - don't use tls debug higher than level 1 unless you are willing to
          > dig into openssl source code.
          >
          > - make sure your master.cf submission entry has
          > -o syslog_name=postfix/submission
          > so you can tell what port they're connecting to.
          >
          > - if they're connecting to port 25, postscreen will interfere,
          > causing significant delays or preventing it from working at all.
          >
          > - enable the wrappermode/smtps port if you haven't already. Seems
          > some of my iPhone users connect on that port despite instructions
          > that make no mention of it. I don't know why, and don't really care;
          > there is no difference in security/speed/whatever. I always enable
          > smtps because it reduces end-user frustration. The only downside is
          > "it's not a standard". Use the same settings as submission except
          > for the addition of
          > -o smtpd_tls_wrappermode=yes
          > -o syslog_name=postfix/smtps
          >
          >
          >
          > HTH, and have a good weekend.

          The Mail.app applications on iOS (iPhones or iPads) or OS X will
          attempt to autodetect the port to connect to; 25, 465, and 587. It
          works just fine over the submission port (587) without enabling the
          SMTPS port (465), and the autodetection can be overridden in the
          settings if needs be;

          Settings > Mail, Contacts, Calendars > [accountname] > Account >
          Outgoing Mail Server (SMTP) > Primary Server > Server Port

          That's the case on iOS 6; earlier versions might differ slightly in
          option names, but offer a similar override. Make sure your own SMTP
          server is in fact the primary server, by the way, and not one of the
          'Other SMTP Servers'.

          This is what the submission service definition on one of our servers
          looks like;

          ==
          # Submission service for use by our clients
          submission inet n - n - 128 smtpd
            -o smtpd_tls_security_level=encrypt
            -o smtpd_sasl_auth_enable=yes
            -o smtpd_client_restrictions=permit_sasl_authenticated,reject
            -o smtpd_data_restrictions=permit_sasl_authenticated,reject
            -o smtpd_proxy_filter=127.0.0.1:10025
          ==

          It is important to note that we have separate relay servers; the
          mailbox servers clients connect to never open anything but the
          submission port (587), and there is therefore never a problem with
          clients trying to connect to postscreen on port 25. A similar setup can
          be achieved by moving the submission service to a separate IP address,
          if possible.

          Do however make sure that it is in fact your Postfix configuration, and
          not a DNS issue of some sort. Test with an iPhone or iPad that has the
          server port set manually, and see if the problem disappears. If it does
          not, the problem might be elsewhere.

          Other than that, there should not really be any compatibility issues
          with iOS devices talking to Postfix, as long as your DNS and such is in
          order.

          HTH,
          Jona
        • Asai
          Message 4 of 18 , Jun 8, 2013
            On 6/7/2013 4:26 PM, DTNX Postmaster wrote:
            > On Jun 8, 2013, at 00:47, Noel Jones <njones@...> wrote:
            >
            >> On 6/7/2013 3:28 PM, Asai wrote:
            >>> Greetings,
            >>>
            >>> We're starting to incorporate iPhone users into our email system.
            >>> Sometimes we seem to be having trouble with mail being delayed for a
            >>> long time before the phone will connect to the server and send the
            >>> mail. I don't really have any idea what this is. I've looked
            >>> through the logs, but I'm not seeing anything really telling. I
            >>> have recently turned on TLS debugging and hope to glean something
            >>> useful from that. We have SSL turned on on the iPhone, but do not
            >>> have the so-called wrapper mode turned on, and it seems to be
            >>> working fine in most cases. Does anyone have any experience with
            >>> managing iPhones and Postfix who can share with me something of value?
            >>>
            >>> Thank you.
            >> I only have a dozen or so iPhone users and don't use one myself, so
            >> don't consider me an expert on this. It's also possible my users
            >> have these problems and just haven't said anything. Anyway, here's
            >> some random thoughts...
            >>
            >> - don't use tls debug higher than level 1 unless you are willing to
            >> dig into openssl source code.
            >>
            >> - make sure your master.cf submission entry has
            >> -o syslog_name=postfix/submission
            >> so you can tell what port they're connecting to.
            >>
            >> - if they're connecting to port 25, postscreen will interfere,
            >> causing significant delays or preventing it from working at all.
            >>
            >> - enable the wrappermode/smtps port if you haven't already. Seems
            >> some of my iPhone users connect on that port despite instructions
            >> that make no mention of it. I don't know why, and don't really care;
            >> there is no difference in security/speed/whatever. I always enable
            >> smtps because it reduces end-user frustration. The only downside is
            >> "it's not a standard". Use the same settings as submission except
            >> for the addition of
            >> -o smtpd_tls_wrappermode=yes
            >> -o syslog_name=postfix/smtps
            >>
            >>
            >>
            >> HTH, and have a good weekend.
            > The Mail.app applications on iOS (iPhones or iPads) or OS X will
            > attempt to autodetect the port to connect to; 25, 465, and 587. It
            > works just fine over the submission port (587) without enabling the
            > SMTPS port (465), and the autodetection can be overridden in the
            > settings if needs be;
            >
            > Settings > Mail, Contacts, Calendars > [accountname] > Account >
            > Outgoing Mail Server (SMTP) > Primary Server > Server Port
            >
            > That's the case on iOS 6; earlier versions might differ slightly in
            > option names, but offer a similar override. Make sure your own SMTP
            > server is in fact the primary server, by the way, and not one of the
            > 'Other SMTP Servers'.
            >
            > This is what the submission service definition on one of our servers
            > looks like;
            >
            > ==
            > # Submission service for use by our clients
            > submission inet n - n - 128 smtpd
            > -o smtpd_tls_security_level=encrypt
            > -o smtpd_sasl_auth_enable=yes
            > -o smtpd_client_restrictions=permit_sasl_authenticated,reject
            > -o smtpd_data_restrictions=permit_sasl_authenticated,reject
            > -o smtpd_proxy_filter=127.0.0.1:10025
            > ==
            >
            > It is important to note that we have separate relay servers; the
            > mailbox servers clients connect to never open anything but the
            > submission port (587), and there is therefore never a problem with
            > clients trying to connect to postscreen on port 25. A similar setup can
            > be achieved by moving the submission service to a separate IP address,
            > if possible.
            >
            > Do however make sure that it is in fact your Postfix configuration, and
            > not a DNS issue of some sort. Test with an iPhone or iPad that has the
            > server port set manually, and see if the problem disappears. If it does
            > not, the problem might be elsewhere.
            >
            > Other than that, there should not really be any compatibility issues
            > with iOS devices talking to Postfix, as long as your DNS and such is in
            > order.
            >
            > HTH,
            > Jona
            >
            Thank you for your generous responses.

            I do have the client's iPhone set to port 587, however, I'm still
            wondering if the iPhone is trying to connect via SMTPS or port 25 (which
            is not available). I would like to try setting up SMTP wrapper mode,
            but does that in any way disable or interfere with the submission port
            and TLS? From reading the Postfix docs I was not sure whether it would
            override TLS or not.

            Also, I will check in to the DNS situation.

            --Asai
          • DTNX Postmaster
            Message 5 of 18 , Jun 8, 2013
              On Jun 8, 2013, at 17:16, Asai <asai@...> wrote:

              > On 6/7/2013 4:26 PM, DTNX Postmaster wrote:
              >> The Mail.app applications on iOS (iPhones or iPads) or OS X will
              >> attempt to autodetect the port to connect to; 25, 465, and 587. It
              >> works just fine over the submission port (587) without enabling the
              >> SMTPS port (465), and the autodetection can be overridden in the
              >> settings if needs be;
              >>
              >> Settings > Mail, Contacts, Calendars > [accountname] > Account >
              >> Outgoing Mail Server (SMTP) > Primary Server > Server Port
              >>
              >> That's the case on iOS 6; earlier versions might differ slightly in
              >> option names, but offer a similar override. Make sure your own SMTP
              >> server is in fact the primary server, by the way, and not one of the
              >> 'Other SMTP Servers'.
              >>
              >> This is what the submission service definition on one of our servers
              >> looks like;
              >>
              >> ==
              >> # Submission service for use by our clients
              >> submission inet n - n - 128 smtpd
              >> -o smtpd_tls_security_level=encrypt
              >> -o smtpd_sasl_auth_enable=yes
              >> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
              >> -o smtpd_data_restrictions=permit_sasl_authenticated,reject
              >> -o smtpd_proxy_filter=127.0.0.1:10025
              >> ==
              >>
              >> It is important to note that we have separate relay servers; the
              >> mailbox servers clients connect to never open anything but the
              >> submission port (587), and there is therefore never a problem with
              >> clients trying to connect to postscreen on port 25. A similar setup can
              >> be achieved by moving the submission service to a separate IP address,
              >> if possible.
              >>
              >> Do however make sure that it is in fact your Postfix configuration, and
              >> not a DNS issue of some sort. Test with an iPhone or iPad that has the
              >> server port set manually, and see if the problem disappears. If it does
              >> not, the problem might be elsewhere.
              >>
              >> Other than that, there should not really be any compatibility issues
              >> with iOS devices talking to Postfix, as long as your DNS and such is in
              >> order.
              >>
              >> HTH,
              >> Jona
              >>
              > Thank you for your generous responses.
              >
              > I do have the client's iPhone set to port 587, however, I'm still wondering if the iPhone is trying to connect via SMTPS or port 25 (which is not available). I would like to try setting up SMTP wrapper mode, but does that in any way disable or interfere with the submission port and TLS? From reading the Postfix docs I was not sure whether it would override TLS or not.
              >
              > Also, I will check in to the DNS situation.

              If the ports are not open, and nothing shows in the Postfix logs that
              is out of the ordinary, look for the cause elsewhere. Start with DNS.

              Also, if you have a working submission service there is no reason
              whatsoever to set up a wrapper mode for SMTPS. It's not a standard, and
              its use is deprecated. It should however not interfere with your
              submission port setup, as they are separate entries in your 'master.cf'
              file.

              But again, look closely at your logs. Verify your DNS settings. Test
              with telnet, see if you get a prompt from the client location on port
              587, and so on. See if the problem is in any way dependent on location,
              a specific device, etcetera, etcetera.

              Good luck :-)

              Mvg,
              Jona
            • Asai
              Message 6 of 18 , Jun 17, 2013
                On 6/8/13 9:09 AM, DTNX Postmaster wrote:
                > On Jun 8, 2013, at 17:16, Asai <asai@...> wrote:
                >
                >> On 6/7/2013 4:26 PM, DTNX Postmaster wrote:
                >>> The Mail.app applications on iOS (iPhones or iPads) or OS X will
                >>> attempt to autodetect the port to connect to; 25, 465, and 587. It
                >>> works just fine over the submission port (587) without enabling the
                >>> SMTPS port (465), and the autodetection can be overridden in the
                >>> settings if needs be;
                >>>
                >>> Settings > Mail, Contacts, Calendars > [accountname] > Account >
                >>> Outgoing Mail Server (SMTP) > Primary Server > Server Port
                >>>
                >>> That's the case on iOS 6; earlier versions might differ slightly in
                >>> option names, but offer a similar override. Make sure your own SMTP
                >>> server is in fact the primary server, by the way, and not one of the
                >>> 'Other SMTP Servers'.
                >>>
                >>> This is what the submission service definition on one of our servers
                >>> looks like;
                >>>
                >>> ==
                >>> # Submission service for use by our clients
                >>> submission inet n - n - 128 smtpd
                >>> -o smtpd_tls_security_level=encrypt
                >>> -o smtpd_sasl_auth_enable=yes
                >>> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
                >>> -o smtpd_data_restrictions=permit_sasl_authenticated,reject
                >>> -o smtpd_proxy_filter=127.0.0.1:10025
                >>> ==
                >>>
                >>> It is important to note that we have separate relay servers; the
                >>> mailbox servers clients connect to never open anything but the
                >>> submission port (587), and there is therefore never a problem with
                >>> clients trying to connect to postscreen on port 25. A similar setup can
                >>> be achieved by moving the submission service to a separate IP address,
                >>> if possible.
                >>>
                >>> Do however make sure that it is in fact your Postfix configuration, and
                >>> not a DNS issue of some sort. Test with an iPhone or iPad that has the
                >>> server port set manually, and see if the problem disappears. If it does
                >>> not, the problem might be elsewhere.
                >>>
                >>> Other than that, there should not really be any compatibility issues
                >>> with iOS devices talking to Postfix, as long as your DNS and such is in
                >>> order.
                >>>
                >>> HTH,
                >>> Jona
                >>>
                >> T
                After investigating this issue further, it looks like there might be
                something I'm missing regarding postscreen. My reasoning for this is
                yesterday a client said she couldn't send email. I looked at her phone
                and the postfix logs and could see that her IP address was being
                rejected by postscreen:

                Jun 16 16:39:41 triata postfix/postscreen[6187]: CONNECT from [70.199.201.175]:11120
                Jun 16 16:39:41 triata postfix/dnsblog[6241]: addr 70.199.201.175 listed by domain zen.spamhaus.org as 127.0.0.11
                Jun 16 16:39:47 triata postfix/postscreen[6187]: DNSBL rank 2 for [70.199.201.175]:11120
                Jun 16 16:39:48 triata postfix/tlsproxy[6276]: CONNECT from [70.199.201.175]:11120
                Jun 16 16:39:49 triata postfix/tlsproxy[6276]: DISCONNECT [70.199.201.175]:11120
                Jun 16 16:39:49 triata postfix/postscreen[6187]: HANGUP after 1.4 from [70.199.201.175]:11120 in tests after SMTP handshake
                Jun 16 16:39:49 triata postfix/postscreen[6187]: DISCONNECT [70.199.201.175]:11120

                I checked Spamhaus and this IP is listed as one which users must be
                authenticated first. This is our standard operating procedure, users
                have to be authenticated before sending mail. But it seems like
                something is happening where the authentication process isn't allowed
                to happen.

                Strangely enough, once we rebooted her phone, and she got a different IP
                address, the emails started going through.

                I'm sure this is a simple problem to some of you. I would appreciate
                very much any assistance.

                --Asai
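
The postscreen session posted above, run through a small log correlator that separates end-user addresses hitting postscreen from other DNSBL hits. This is an added example, not part of the thread or of Postfix; the function names and the 192.0.2.10 session are constructed, and the check assumes the zen.spamhaus.org return codes 127.0.0.10 and 127.0.0.11 (PBL, end-user address ranges).

```python
import re
from collections import defaultdict

# First seven lines are the log excerpt from the post above (unwrapped).
# The 192.0.2.10 session is constructed, for contrast.
SAMPLE_LOG = """\
Jun 16 16:39:41 triata postfix/postscreen[6187]: CONNECT from [70.199.201.175]:11120
Jun 16 16:39:41 triata postfix/dnsblog[6241]: addr 70.199.201.175 listed by domain zen.spamhaus.org as 127.0.0.11
Jun 16 16:39:47 triata postfix/postscreen[6187]: DNSBL rank 2 for [70.199.201.175]:11120
Jun 16 16:39:48 triata postfix/tlsproxy[6276]: CONNECT from [70.199.201.175]:11120
Jun 16 16:39:49 triata postfix/tlsproxy[6276]: DISCONNECT [70.199.201.175]:11120
Jun 16 16:39:49 triata postfix/postscreen[6187]: HANGUP after 1.4 from [70.199.201.175]:11120 in tests after SMTP handshake
Jun 16 16:39:49 triata postfix/postscreen[6187]: DISCONNECT [70.199.201.175]:11120
Jun 16 16:40:02 triata postfix/postscreen[6187]: CONNECT from [192.0.2.10]:40112
Jun 16 16:40:08 triata postfix/postscreen[6187]: PASS NEW [192.0.2.10]:40112
"""

# Assumption: zen.spamhaus.org return codes that denote the PBL.
PBL_CODES = {"127.0.0.10", "127.0.0.11"}

LINE = re.compile(r"postfix/(?P<svc>\w+)\[\d+\]: (?P<msg>.*)$")
CLIENT = re.compile(r"\[(?P<ip>[0-9a-fA-F.:]+)\]:(?P<port>\d+)")
DNSBL = re.compile(r"addr (?P<ip>\S+) listed by domain (?P<zone>\S+) as (?P<code>\S+)")
RANK = re.compile(r"DNSBL rank (?P<rank>\d+) for ")


def parse_sessions(log_text):
    """Group postscreen/tlsproxy/dnsblog lines into one record per client ip:port."""
    listings = defaultdict(set)  # ip -> {(zone, return code)}
    sessions = {}                # (ip, port) -> state
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        svc, msg = m["svc"], m["msg"]
        if svc == "dnsblog":
            # dnsblog logs the bare address, without the client port
            d = DNSBL.search(msg)
            if d:
                listings[d["ip"]].add((d["zone"], d["code"]))
            continue
        c = CLIENT.search(msg)  # first [ip]:port on the line is the client
        if not c:
            continue
        key = (c["ip"], int(c["port"]))
        s = sessions.setdefault(key, {"rank": 0, "starttls": False, "outcome": None})
        if svc == "tlsproxy":
            s["starttls"] = True  # client asked for STARTTLS through postscreen
        elif svc == "postscreen":
            r = RANK.search(msg)
            if r:
                s["rank"] = int(r["rank"])
            verb = msg.split()[0]
            if verb in ("HANGUP", "PASS", "NOQUEUE:"):
                s["outcome"] = verb.rstrip(":")
    for (ip, _port), s in sessions.items():
        s["listings"] = sorted(listings.get(ip, ()))
    return sessions


def likely_mail_clients(sessions, threshold=2):
    """Sessions scored at or above postscreen_dnsbl_threshold because of a PBL
    listing: an end-user address talking to postscreen instead of submission."""
    hits = []
    for (ip, _port), s in sorted(sessions.items()):
        on_pbl = any(code in PBL_CODES for _zone, code in s["listings"])
        if s["rank"] >= threshold and on_pbl:
            hits.append({"client": ip, "rank": s["rank"],
                         "starttls": s["starttls"], "outcome": s["outcome"]})
    return hits


if __name__ == "__main__":
    for hit in likely_mail_clients(parse_sessions(SAMPLE_LOG)):
        print(hit)
```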
              • Wietse Venema
                Message 7 of 18 , Jun 17, 2013
                  Asai:
                  > After investigating this issue further, it looks like there might be
                  > something I'm missing regarding postscreen. My reasoning for this is
                  > yesterday a client said she couldn't send email. I looked at her phone
                  > and the postfix logs and could see that her IP address was being
                  > rejected by postscreen:

                  As documented ***DO NOT*** run postscreen on the server port
                  that is used by mail client programs.

                  Wietse
                • Asai
                  Message 8 of 18 , Jun 17, 2013
                    On 6/17/13 1:13 PM, Wietse Venema wrote:
                    > Asai:
                    >> After investigating this issue further, it looks like there might be
                    >> something I'm missing regarding postscreen. My reasoning for this is
                    >> yesterday a client said she couldn't send email. I looked at her phone
                    >> and the postfix logs and could see that her IP address was being
                    >> rejected by postscreen:
                    > As documented ***DO NOT*** run postscreen on the server port
                    > that is used by mail client programs.
                    >
                    > Wietse
                    Thank you, Wietse. Please forgive my ignorance, but may I ask where I
                    might find the instructions to make sure it's not operating on 587?

                    --Asai
                  • Asai
                    Message 9 of 18 , Jun 17, 2013
                      On 6/17/13 1:13 PM, Wietse Venema wrote:
                      > Asai:
                      >> After investigating this issue further, it looks like there might be
                      >> something I'm missing regarding postscreen. My reasoning for this is
                      >> yesterday a client said she couldn't send email. I looked at her phone
                      >> and the postfix logs and could see that her IP address was being
                      >> rejected by postscreen:
                      > As documented ***DO NOT*** run postscreen on the server port
                      > that is used by mail client programs.
                      >
                      > Wietse
                      I'm wondering if I have something wrong in master.cf:

                      587 inet n - n - - smtpd
                      smtp inet n - n - 1 postscreen
                      smtpd pass - - n - - smtpd
                      dnsblog unix - - n - 0 dnsblog
                      tlsproxy unix - - n - 0 tlsproxy
                      submission inet n - n - - smtpd
                    • Wietse Venema
                      Message 10 of 18 , Jun 17, 2013
                        Asai:
                        > After investigating this issue further, it looks like there might be
                        > something I'm missing regarding postscreen. My reasoning for this is
                        > yesterday a client said she couldn't send email. I looked at her phone
                        > and the postfix logs and could see that her IP address was being
                        > rejected by postscreen:

                        Wietse:
                        > As documented ***DO NOT*** run postscreen on the server port
                        > that is used by mail client programs.

                        Asai:
                        > I'm wondering if I have something wrong in master.cf:
                        >
                        > 587 inet n - n - - smtpd
                        > smtp inet n - n - 1 postscreen
                        > smtpd pass - - n - - smtpd
                        > dnsblog unix - - n - 0 dnsblog
                        > tlsproxy unix - - n - 0 tlsproxy
                        > submission inet n - n - - smtpd

                        In that case one mistake is that the client connected to the wrong
                        service: they connected to service smtp(=port 25) instead of service
                        submission(=port 587). That's also why postscreen rejected the
                        client: the client came from an IP address dynamic pool.

                        Another mistake may be that you offer AUTH service on port 25.

                        An unrelated mistake is that you have two submission service entries
                        in master.cf: one called 587 and one called submission. Only the
                        last entry will be used, so it is a good idea to remove the first
                        one.

                        Wietse
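The three points in the reply above (postscreen only on the MTA port, no AUTH on port 25, one submission entry), written as a check over master.cf. This is an added example, not part of the thread or of Postfix: the `audit` helper and the `FIXED` layout are illustrative, main.cf is assumed to set `smtpd_sasl_auth_enable = yes`, and the `-o` overrides are standard Postfix parameters.

```python
PORTS = {"smtp": 25, "submission": 587}   # service names as used in the thread
POSTED = """\
587        inet  n  -  n  -  -  smtpd
smtp       inet  n  -  n  -  1  postscreen
smtpd      pass  -  -  n  -  -  smtpd
dnsblog    unix  -  -  n  -  0  dnsblog
tlsproxy   unix  -  -  n  -  0  tlsproxy
submission inet  n  -  n  -  -  smtpd
"""   # master.cf as posted in the thread

FIXED = """\
smtp       inet  n  -  n  -  1  postscreen
smtpd      pass  -  -  n  -  -  smtpd
  -o smtpd_sasl_auth_enable=no
dnsblog    unix  -  -  n  -  0  dnsblog
tlsproxy   unix  -  -  n  -  0  tlsproxy
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""   # constructed corrected layout (assumption): AUTH only on submission

def parse(text):
    """Return master.cf entries; indented lines continue the previous entry."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        f = raw.split()
        if raw[0].isspace() and entries:
            entries[-1]["args"] += f
        else:
            entries.append({"name": f[0], "type": f[1], "cmd": f[7], "args": f[8:]})
    return entries

def port_of(entry):
    svc = entry["name"].rsplit(":", 1)[-1]          # "host:port" or bare service
    return int(svc) if svc.isdigit() else PORTS.get(svc)

def audit(text, main_sasl_auth="yes"):   # assumed main.cf smtpd_sasl_auth_enable
    entries, findings, by_port = parse(text), [], {}
    for e in entries:
        if e["type"] == "inet":
            by_port.setdefault(port_of(e), []).append(e)
    for port, group in by_port.items():
        if len(group) > 1:
            names = ", ".join(e["name"] for e in group)
            findings.append(f"duplicate listener on port {port}: {names}")
        if port != 25 and any(e["cmd"] == "postscreen" for e in group):
            findings.append(f"postscreen on client port {port}")
    for e in by_port.get(25, []):
        # Behind postscreen, port-25 sessions reach the "smtpd pass" service.
        real = e if e["cmd"] == "smtpd" else next(
            (p for p in entries if (p["type"], p["name"]) == ("pass", "smtpd")), None)
        args = real["args"] if real else []
        auth = next((a.split("=", 1)[1] for a in args
                     if a.startswith("smtpd_sasl_auth_enable=")), main_sasl_auth)
        if real and auth == "yes":
            findings.append("AUTH offered on port 25")
    return findings
```

`audit(POSTED)` reports the duplicate 587 listener and AUTH on port 25; `audit(FIXED)` reports nothing.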
                      • Asai
                        Message 11 of 18 , Jun 17, 2013
                          > Asai:
                          >> After investigating this issue further, it looks like there might be
                          >> something I'm missing regarding postscreen. My reasoning for this is
                          >> yesterday a client said she couldn't send email. I looked at her phone
                          >> and the postfix logs and could see that her IP address was being
                          >> rejected by postscreen:
                          > Wietse:
                          >> As documented ***DO NOT*** run postscreen on the server port
                          >> that is used by mail client programs.
                          > Asai:
                          >> I'm wondering if I have something wrong in master.cf:
                          >>
                          >> 587 inet n - n - - smtpd
                          >> smtp inet n - n - 1 postscreen
                          >> smtpd pass - - n - - smtpd
                          >> dnsblog unix - - n - 0 dnsblog
                          >> tlsproxy unix - - n - 0 tlsproxy
                          >> submission inet n - n - - smtpd
                          > In that case one mistake is that the client connected to the wrong
                          > service: they connected to service smtp(=port 25) instead of service
                          > submission(=port 587). That's also why postscreen rejected the
                          > client: the client came from an IP address dynamic pool.
                          >
                          > Another mistake may be that you offer AUTH service on port 25.
                          >
                          > An unrelated mistake is that you have two submission service entries
                          > in master.cf: one called 587 and one called submission. Only the
                          > last entry will be used, so it is a good idea to remove the first
                          > one.
                          >
                          > Wietse
                          Would it follow then that I should remove the smtp_sasl_mechanism_filter
                          from main.cf? Would that be causing clients to try to connect via port
                          25 even though they're set to connect to 587?

                          [root@triata ~]# postconf -n | grep smtp_
                          postscreen_non_smtp_command_action = enforce
                          postscreen_non_smtp_command_enable = yes
                          smtp_sasl_mechanism_filter = plain, login
                          smtp_tls_loglevel = 2
                        • Jeroen Geilman
                          Message 12 of 18 , Jun 17, 2013
                            On 06/18/2013 12:15 AM, Asai wrote:
                            > Would it follow then that I should remove the
                            > smtp_sasl_mechanism_filter from main.cf? Would that be causing
                            > clients to try to connect via port 25 even though they're set to
                            > connect to 587?
                            >

                            ...what makes you think these things are related in any way ?

                            It is the *client* that decides where to connect to.

                            --
                            J.
                          • Asai
                            Message 13 of 18 , Jun 17, 2013
                              > On 06/18/2013 12:15 AM, Asai wrote:
                              >> Would it follow then that I should remove the
                              >> smtp_sasl_mechanism_filter from main.cf? Would that be causing
                              >> clients to try to connect via port 25 even though they're set to
                              >> connect to 587?
                              >>
                              >
                              > ...what makes you think these things are related in any way ?
                              >
                              > It is the *client* that decides where to connect to.
                              >
                              So, it's the iPhone which is self-assertively trying to connect to port
                              25 regardless of what it's explicitly set to?
                            • Asai
                              Message 14 of 18 , Jun 17, 2013
                                Asai:
                                
                                After investigating this issue further, it looks like there might be
                                something I'm missing regarding postscreen.  My reasoning for this is
                                yesterday a client said she couldn't send email.  I looked at her phone
                                and the postfix logs and could see that her IP address was being
                                rejected by postscreen:
                                
                                Wietse:
                                
                                As documented ***DO NOT*** run postscreen on the server port
                                that is used by mail client programs.
                                
                                Asai:
                                
                                I'm wondering if I have something wrong in master.cf:
                                
                                587       inet  n       -       n       -       -       smtpd
                                smtp      inet  n       -       n       -       1       postscreen
                                smtpd     pass  -       -       n       -       -       smtpd
                                dnsblog   unix  -       -       n       -       0       dnsblog
                                tlsproxy  unix  -       -       n       -       0       tlsproxy
                                submission inet  n       -       n       -       -       smtpd
                                
                                In that case one mistake is that the client connected to the wrong
                                service: they connected to service smtp(=port 25) instead of service
                                submission(=port 587). That's also why postscreen rejected the
                                client: the client came from an IP address dynamic pool.
                                
                                Another mistake may be that you offer AUTH service on port 25.
                                
                                An unrelated mistake is that you have two submission service entries
                                in master.cf: one called 587 and one called submission. Only the
                                last entry will be used, so it is a good idea to remove the first
                                one.
                                
                                	Wietse
                                
                                After doing a little more reading I enabled smtpd_tls_auth_only.  Hopefully that will help.
                              • Wietse Venema
                                Message 15 of 18 , Jun 17, 2013
                                  Asai:
                                  > Would it follow then that I should remove the smtp_sasl_mechanism_filter
                                  > from main.cf? Would that be causing clients to try to connect via port

                                  No. The CLIENT connects to the WRONG Postfix port.

                                  Wietse
                                • Larry Stone
                                  Message 16 of 18 , Jun 17, 2013
                                    On Jun 17, 2013, at 17:27, Asai <asai@...> wrote:

                                    >> On 06/18/2013 12:15 AM, Asai wrote:
                                    >>> Would it follow then that I should remove the smtp_sasl_mechanism_filter from main.cf? Would that be causing clients to try to connect via port 25 even though they're set to connect to 587?
                                    >>
                                    >> ...what makes you think these things are related in any way ?
                                    >>
                                    >> It is the *client* that decides where to connect to.
                                    > So, it's the iPhone which is self-assertively trying to connect to port 25 regardless of what it's explicitly set to?

                                    Works fine for me. I very much doubt your iPhone in question is actually set to use 587 only. IIRC, that is not the default.

                                    -- Larry Stone
                                    Sent from my iPhone
                                  • Asai
                                    Message 17 of 18 , Jun 17, 2013
                                      >> So, it's the iPhone which is self-assertively trying to connect to port 25 regardless of what it's explicitly set to?
                                      > Works fine for me. I very much doubt your iPhone in question is actually set to use 587 only. IIRC, that is not the default.
                                      >
                                      > -- Larry Stone
                                      > Sent from my iPhone
                                      OK, so perhaps just refusing AUTH on port 25 will solve the problem.
                                      I've set the Server Port in Outgoing mail settings on iPhone to 587, so
                                      I don't really understand what's going on here...
                                    • Larry Stone
                                      Message 18 of 18 , Jun 17, 2013
                                        On Jun 17, 2013, at 19:03, Asai <asai@...> wrote:

                                        >>> So, it's the iPhone which is self-assertively trying to connect to port 25 regardless of what it's explicitly set to?
                                        >> Works fine for me. I very much doubt your iPhone in question is actually set to use 587 only. IIRC, that is not the default.
                                        >>
                                        >> -- Larry Stone
                                        >> Sent from my iPhone
                                        > OK, so perhaps just refusing AUTH on port 25 will solve the problem. I've set the Server Port in Outgoing mail settings on iPhone to 587, so I don't really understand what's going on here...

                                        I doubt it. Based on what you previously posted, Postscreen will reject it long before it gets to an smtpd process.

                                        I'd suggest you double-check the iPhone configuration. In particular, make sure the outgoing settings you're looking at are the ones actually being used. You can configure multiple outgoing servers on an iOS device.

                                        -- Larry Stone
                                        Sent from my iPhone