
Re: Investigating iPhone Compatibility

  • Wietse Venema
    Message 1 of 18 , Jun 17, 2013
      Asai:
      > After investigating this issue further, it looks like there might be
      > something I'm missing regarding postscreen. My reasoning for this is
      > yesterday a client said she couldn't send email. I looked at her phone
      > and the postfix logs and could see that her IP address was being
      > rejected by postscreen:

      As documented ***DO NOT*** run postscreen on the server port
      that is used by mail client programs.

      Wietse
    • Asai
      Message 2 of 18 , Jun 17, 2013
        On 6/17/13 1:13 PM, Wietse Venema wrote:
        > Asai:
        >> After investigating this issue further, it looks like there might be
        >> something I'm missing regarding postscreen. My reasoning for this is
        >> yesterday a client said she couldn't send email. I looked at her phone
        >> and the postfix logs and could see that her IP address was being
        >> rejected by postscreen:
        > As documented ***DO NOT*** run postscreen on the server port
        > that is used by mail client programs.
        >
        > Wietse
        Thank you, Wietse. Please forgive my ignorance, but may I ask where I
        might find the instructions to make sure it's not operating on 587?

        --Asai
      • Asai
        Message 3 of 18 , Jun 17, 2013
          On 6/17/13 1:13 PM, Wietse Venema wrote:
          > Asai:
          >> After investigating this issue further, it looks like there might be
          >> something I'm missing regarding postscreen. My reasoning for this is
          >> yesterday a client said she couldn't send email. I looked at her phone
          >> and the postfix logs and could see that her IP address was being
          >> rejected by postscreen:
          > As documented ***DO NOT*** run postscreen on the server port
          > that is used by mail client programs.
          >
          > Wietse
          I'm wondering if I have something wrong in master.cf:

          587 inet n - n - - smtpd
          smtp inet n - n - 1 postscreen
          smtpd pass - - n - - smtpd
          dnsblog unix - - n - 0 dnsblog
          tlsproxy unix - - n - 0 tlsproxy
          submission inet n - n - - smtpd
        • Wietse Venema
          Message 4 of 18 , Jun 17, 2013
            Asai:
            > After investigating this issue further, it looks like there might be
            > something I'm missing regarding postscreen. My reasoning for this is
            > yesterday a client said she couldn't send email. I looked at her phone
            > and the postfix logs and could see that her IP address was being
            > rejected by postscreen:

            Wietse:
            > As documented ***DO NOT*** run postscreen on the server port
            > that is used by mail client programs.

            Asai:
            > I'm wondering if I have something wrong in master.cf:
            >
            > 587 inet n - n - - smtpd
            > smtp inet n - n - 1 postscreen
            > smtpd pass - - n - - smtpd
            > dnsblog unix - - n - 0 dnsblog
            > tlsproxy unix - - n - 0 tlsproxy
            > submission inet n - n - - smtpd

            In that case one mistake is that the client connected to the wrong
            service: they connected to service smtp(=port 25) instead of service
            submission(=port 587). That's also why postscreen rejected the
            client: the client came from an IP address dynamic pool.

            Another mistake may be that you offer AUTH service on port 25.

            An unrelated mistake is that you have two submission service entries
            in master.cf: one called 587 and one called submission. Only the
            last entry will be used, so it is a good idea to remove the first
            one.

            Wietse
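
Added example, not part of the original thread and not Postfix code: a small Python check for the master.cf problems named in the message above (two entries on the same port, postscreen on a port used by mail clients, AUTH reachable on port 25). The names `parse`, `port_of` and `lint`, the port map, and passing main.cf's `smtpd_sasl_auth_enable` value in as an argument are assumptions made for this example.

```python
PORTS = {"smtp": 25, "submission": 587}  # assumed /etc/services mapping
CLIENT_PORTS = {587}                     # port used by mail client programs

def parse(text):
    """Yield (service, type, command, -o overrides) per master.cf entry."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:       # continuation line
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    for f in (line.split() for line in logical):
        if len(f) >= 8:
            over = dict(a.split("=", 1) for o, a in zip(f[8:], f[9:]) if o == "-o" and "=" in a)
            yield f[0], f[1], f[7], over

def port_of(service):
    name = service.rsplit(":", 1)[-1]          # also accepts host:port
    return int(name) if name.isdigit() else PORTS.get(name)

def lint(master_cf, main_sasl_auth):
    """main_sasl_auth: assumed main.cf smtpd_sasl_auth_enable ("yes"/"no")."""
    entries, findings, seen = list(parse(master_cf)), [], {}
    for svc, typ, cmd, over in entries:
        port = port_of(svc) if typ == "inet" else None
        if port is not None and port in seen:
            findings.append(f"duplicate: '{seen[port]}' and '{svc}' are both port {port}")
        seen[port] = svc
        if cmd == "postscreen" and port in CLIENT_PORTS:
            findings.append(f"postscreen on client port {port}")
    # smtpd behind port 25: direct, or postscreen's 'smtpd pass' hand-off (default name assumed)
    for svc, typ, cmd, over in entries:
        on25 = (typ == "inet" and port_of(svc) == 25) or (typ, svc) == ("pass", "smtpd")
        auth = over.get("smtpd_sasl_auth_enable", main_sasl_auth)
        if on25 and cmd == "smtpd" and auth == "yes":
            findings.append("AUTH offered on port 25")
    return findings

# Constructed input: the master.cf lines as posted in the thread.
THREAD_CF = """\
587 inet n - n - - smtpd
smtp inet n - n - 1 postscreen
smtpd pass - - n - - smtpd
dnsblog unix - - n - 0 dnsblog
tlsproxy unix - - n - 0 tlsproxy
submission inet n - n - - smtpd
"""
```

`lint(THREAD_CF, "yes")` reports the duplicate `587`/`submission` pair and AUTH on port 25; the second finding depends on the main.cf value, which the thread does not show. With the `587` entry removed, AUTH disabled in main.cf and `-o smtpd_sasl_auth_enable=yes` set only on `submission`, the same check returns no findings.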
          • Asai
            Message 5 of 18 , Jun 17, 2013
              > Asai:
              >> After investigating this issue further, it looks like there might be
              >> something I'm missing regarding postscreen. My reasoning for this is
              >> yesterday a client said she couldn't send email. I looked at her phone
              >> and the postfix logs and could see that her IP address was being
              >> rejected by postscreen:
              > Wietse:
              >> As documented ***DO NOT*** run postscreen on the server port
              >> that is used by mail client programs.
              > Asai:
              >> I'm wondering if I have something wrong in master.cf:
              >>
              >> 587 inet n - n - - smtpd
              >> smtp inet n - n - 1 postscreen
              >> smtpd pass - - n - - smtpd
              >> dnsblog unix - - n - 0 dnsblog
              >> tlsproxy unix - - n - 0 tlsproxy
              >> submission inet n - n - - smtpd
              > In that case one mistake is that the client connected to the wrong
              > service: they connected to service smtp(=port 25) instead of service
              > submission(=port 587). That's also why postscreen rejected the
              > client: the client came from an IP address dynamic pool.
              >
              > Another mistake may be that you offer AUTH service on port 25.
              >
              > An unrelated mistake is that you have two submission service entries
              > in master.cf: one called 587 and one called submission. Only the
              > last entry will be used, so it is a good idea to remove the first
              > one.
              >
              > Wietse
              Would it follow then that I should remove the smtp_sasl_mechanism_filter
              from main.cf? Would that be causing clients to try to connect via port
              25 even though they're set to connect to 587?

              [root@triata ~]# postconf -n | grep smtp_
              postscreen_non_smtp_command_action = enforce
              postscreen_non_smtp_command_enable = yes
              smtp_sasl_mechanism_filter = plain, login
              smtp_tls_loglevel = 2
            • Jeroen Geilman
              Message 6 of 18 , Jun 17, 2013
                On 06/18/2013 12:15 AM, Asai wrote:
                > Would it follow then that I should remove the
                > smtp_sasl_mechanism_filter from main.cf? Would that be causing
                > clients to try to connect via port 25 even though they're set to
                > connect to 587?
                >

                ...what makes you think these things are related in any way?

                It is the *client* that decides where to connect to.

                --
                J.
              • Asai
                Message 7 of 18 , Jun 17, 2013
                  > On 06/18/2013 12:15 AM, Asai wrote:
                  >> Would it follow then that I should remove the
                  >> smtp_sasl_mechanism_filter from main.cf? Would that be causing
                  >> clients to try to connect via port 25 even though they're set to
                  >> connect to 587?
                  >>
                  >
                  > ...what makes you think these things are related in any way?
                  >
                  > It is the *client* that decides where to connect to.
                  >
                  So, it's the iPhone which is self-assertively trying to connect to port
                  25 regardless of what it's explicitly set to?
                • Asai
                  Message 8 of 18 , Jun 17, 2013
                    Asai:
                    
                    After investigating this issue further, it looks like there might be
                    something I'm missing regarding postscreen.  My reasoning for this is
                    yesterday a client said she couldn't send email.  I looked at her phone
                    and the postfix logs and could see that her IP address was being
                    rejected by postscreen:
                    
                    Wietse:
                    
                    As documented ***DO NOT*** run postscreen on the server port
                    that is used by mail client programs.
                    
                    Asai:
                    
                    I'm wondering if I have something wrong in master.cf:
                    
                    587       inet  n       -       n       -       -       smtpd
                    smtp      inet  n       -       n       -       1       postscreen
                    smtpd     pass  -       -       n       -       -       smtpd
                    dnsblog   unix  -       -       n       -       0       dnsblog
                    tlsproxy  unix  -       -       n       -       0       tlsproxy
                    submission inet  n       -       n       -       -       smtpd
                    
                    In that case one mistake is that the client connected to the wrong
                    service: they connected to service smtp(=port 25) instead of service
                    submission(=port 587). That's also why postscreen rejected the
                    client: the client came from an IP address dynamic pool.
                    
                    Another mistake may be that you offer AUTH service on port 25.
                    
                    An unrelated mistake is that you have two submission service entries
                    in master.cf: one called 587 and one called submission. Only the
                    last entry will be used, so it is a good idea to remove the first
                    one.
                    
                    	Wietse
                    
                    After doing a little more reading I enabled smtpd_tls_auth_only.  Hopefully that will help.
                  • Wietse Venema
                    Message 9 of 18 , Jun 17, 2013
                      Asai:
                      > Would it follow then that I should remove the smtp_sasl_mechanism_filter
                      > from main.cf? Would that be causing clients to try to connect via port

                      No. The CLIENT connects to the WRONG Postfix port.

                      Wietse
                    • Larry Stone
                      Message 10 of 18 , Jun 17, 2013
                        On Jun 17, 2013, at 17:27, Asai <asai@...> wrote:

                        >> On 06/18/2013 12:15 AM, Asai wrote:
                        >>> Would it follow then that I should remove the smtp_sasl_mechanism_filter from main.cf? Would that be causing clients to try to connect via port 25 even though they're set to connect to 587?
                        >>
                        >> ...what makes you think these things are related in any way?
                        >>
                        >> It is the *client* that decides where to connect to.
                        > So, it's the iPhone which is self-assertively trying to connect to port 25 regardless of what it's explicitly set to?

                        Works fine for me. I very much doubt your iPhone in question is actually set to use 587 only. IIRC, that is not the default.

                        -- Larry Stone
                        Sent from my iPhone
                      • Asai
                        Message 11 of 18 , Jun 17, 2013
                          >> So, it's the iPhone which is self-assertively trying to connect to port 25 regardless of what it's explicitly set to?
                          > Works fine for me. I very much doubt your iPhone in question is actually set to use 587 only. IIRC, that is not the default.
                          >
                          > -- Larry Stone
                          > Sent from my iPhone
                          OK, so perhaps just refusing AUTH on port 25 will solve the problem.
                          I've set the Server Port in Outgoing mail settings on iPhone to 587, so
                          I don't really understand what's going on here...
                        • Larry Stone
                          Message 12 of 18 , Jun 17, 2013
                            On Jun 17, 2013, at 19:03, Asai <asai@...> wrote:

                            >>> So, it's the iPhone which is self-assertively trying to connect to port 25 regardless of what it's explicitly set to?
                            >> Works fine for me. I very much doubt your iPhone in question is actually set to use 587 only. IIRC, that is not the default.
                            >>
                            >> -- Larry Stone
                            >> Sent from my iPhone
                            > OK, so perhaps just refusing AUTH on port 25 will solve the problem. I've set the Server Port in Outgoing mail settings on iPhone to 587, so I don't really understand what's going on here...

                            I doubt it. Based on what you previously posted, Postscreen will reject it long before it gets to an smtpd process.

                            I'd suggest you double-check the iPhone configuration. In particular, make sure the outgoing settings you're looking at are the ones actually being used. You can configure multiple outgoing servers on an iOS device.

                            -- Larry Stone
                            Sent from my iPhone