
Re: Investigating iPhone Compatibility

  • Asai
    Message 1 of 18 , Jun 17, 2013
      On 6/17/13 1:13 PM, Wietse Venema wrote:
      > Asai:
      >> After investigating this issue further, it looks like there might be
      >> something I'm missing regarding postscreen. My reasoning for this is
      >> yesterday a client said she couldn't send email. I looked at her phone
      >> and the postfix logs and could see that her IP address was being
      >> rejected by postscreen:
      > As documented ***DO NOT*** run postscreen on the server port
      > that is used by mail client programs.
      >
      > Wietse
      Thank you, Wietse. Please forgive my ignorance, but may I ask where I
      might find the instructions to make sure it's not operating on 587?

      --Asai
    • Asai
      Message 2 of 18 , Jun 17, 2013
        On 6/17/13 1:13 PM, Wietse Venema wrote:
        > Asai:
        >> After investigating this issue further, it looks like there might be
        >> something I'm missing regarding postscreen. My reasoning for this is
        >> yesterday a client said she couldn't send email. I looked at her phone
        >> and the postfix logs and could see that her IP address was being
        >> rejected by postscreen:
        > As documented ***DO NOT*** run postscreen on the server port
        > that is used by mail client programs.
        >
        > Wietse
        I'm wondering if I have something wrong in master.cf:

        587 inet n - n - - smtpd
        smtp inet n - n - 1 postscreen
        smtpd pass - - n - - smtpd
        dnsblog unix - - n - 0 dnsblog
        tlsproxy unix - - n - 0 tlsproxy
        submission inet n - n - - smtpd
      • Wietse Venema
        Message 3 of 18 , Jun 17, 2013
          Asai:
          > After investigating this issue further, it looks like there might be
          > something I'm missing regarding postscreen. My reasoning for this is
          > yesterday a client said she couldn't send email. I looked at her phone
          > and the postfix logs and could see that her IP address was being
          > rejected by postscreen:

          Wietse:
          > As documented ***DO NOT*** run postscreen on the server port
          > that is used by mail client programs.

          Asai:
          > I'm wondering if I have something wrong in master.cf:
          >
          > 587 inet n - n - - smtpd
          > smtp inet n - n - 1 postscreen
          > smtpd pass - - n - - smtpd
          > dnsblog unix - - n - 0 dnsblog
          > tlsproxy unix - - n - 0 tlsproxy
          > submission inet n - n - - smtpd

          In that case one mistake is that the client connected to the wrong
          service: they connected to service smtp(=port 25) instead of service
          submission(=port 587). That's also why postscreen rejected the
          client: the client came from an IP address dynamic pool.

          Another mistake may be that you offer AUTH service on port 25.

          An unrelated mistake is that you have two submission service entries
          in master.cf: one called 587 and one called submission. Only the
          last entry will be used, so it is a good idea to remove the first
          one.

          Wietse
        • Asai
          Message 4 of 18 , Jun 17, 2013
            > Asai:
            >> After investigating this issue further, it looks like there might be
            >> something I'm missing regarding postscreen. My reasoning for this is
            >> yesterday a client said she couldn't send email. I looked at her phone
            >> and the postfix logs and could see that her IP address was being
            >> rejected by postscreen:
            > Wietse:
            >> As documented ***DO NOT*** run postscreen on the server port
            >> that is used by mail client programs.
            > Asai:
            >> I'm wondering if I have something wrong in master.cf:
            >>
            >> 587 inet n - n - - smtpd
            >> smtp inet n - n - 1 postscreen
            >> smtpd pass - - n - - smtpd
            >> dnsblog unix - - n - 0 dnsblog
            >> tlsproxy unix - - n - 0 tlsproxy
            >> submission inet n - n - - smtpd
            > In that case one mistake is that the client connected to the wrong
            > service: they connected to service smtp(=port 25) instead of service
            > submission(=port 587). That's also why postscreen rejected the
            > client: the client came from an IP address dynamic pool.
            >
            > Another mistake may be that you offer AUTH service on port 25.
            >
            > An unrelated mistake is that you have two submission service entries
            > in master.cf: one called 587 and one called submission. Only the
            > last entry will be used, so it is a good idea to remove the first
            > one.
            >
            > Wietse
            Would it follow then that I should remove the smtp_sasl_mechanism_filter
            from main.cf? Would that be causing clients to try to connect via port
            25 even though they're set to connect to 587?

            [root@triata ~]# postconf -n | grep smtp_
            postscreen_non_smtp_command_action = enforce
            postscreen_non_smtp_command_enable = yes
            smtp_sasl_mechanism_filter = plain, login
            smtp_tls_loglevel = 2
          • Jeroen Geilman
            Message 5 of 18 , Jun 17, 2013
              On 06/18/2013 12:15 AM, Asai wrote:
              > Would it follow then that I should remove the
              > smtp_sasl_mechanism_filter from main.cf? Would that be causing
              > clients to try to connect via port 25 even though they're set to
              > connect to 587?
              >

              ...what makes you think these things are related in any way ?

              It is the *client* that decides where to connect to.

              --
              J.
            • Asai
              Message 6 of 18 , Jun 17, 2013
                > On 06/18/2013 12:15 AM, Asai wrote:
                >> Would it follow then that I should remove the
                >> smtp_sasl_mechanism_filter from main.cf? Would that be causing
                >> clients to try to connect via port 25 even though they're set to
                >> connect to 587?
                >>
                >
                > ...what makes you think these things are related in any way ?
                >
                > It is the *client* that decides where to connect to.
                >
                So, it's the iPhone which is self-assertively trying to connect to port
                25 regardless of what it's explicitly set to?
              • Asai
                Message 7 of 18 , Jun 17, 2013
                  Asai:
                  
                  After investigating this issue further, it looks like there might be
                  something I'm missing regarding postscreen.  My reasoning for this is
                  yesterday a client said she couldn't send email.  I looked at her phone
                  and the postfix logs and could see that her IP address was being
                  rejected by postscreen:
                  
                  Wietse:
                  
                  As documented ***DO NOT*** run postscreen on the server port
                  that is used by mail client programs.
                  
                  Asai:
                  
                  I'm wondering if I have something wrong in master.cf:
                  
                  587       inet  n       -       n       -       -       smtpd
                  smtp      inet  n       -       n       -       1       postscreen
                  smtpd     pass  -       -       n       -       -       smtpd
                  dnsblog   unix  -       -       n       -       0       dnsblog
                  tlsproxy  unix  -       -       n       -       0       tlsproxy
                  submission inet  n       -       n       -       -       smtpd
                  
                  In that case one mistake is that the client connected to the wrong
                  service: they connected to service smtp(=port 25) instead of service
                  submission(=port 587). That's also why postscreen rejected the
                  client: the client came from an IP address dynamic pool.
                  
                  Another mistake may be that you offer AUTH service on port 25.
                  
                  An unrelated mistake is that you have two submission service entries
                  in master.cf: one called 587 and one called submission. Only the
                  last entry will be used, so it is a good idea to remove the first
                  one.
                  
                  	Wietse
                  
                  After doing a little more reading I enabled smtpd_tls_auth_only.  Hopefully that will help.
                • Wietse Venema
                  Message 8 of 18 , Jun 17, 2013
                    Asai:
                    > Would it follow then that I should remove the smtp_sasl_mechanism_filter
                    > from main.cf? Would that be causing clients to try to connect via port

                    No. The CLIENT connects to the WRONG Postfix port.

                    Wietse
                  • Larry Stone
                    Message 9 of 18 , Jun 17, 2013
                      On Jun 17, 2013, at 17:27, Asai <asai@...> wrote:

                      >> On 06/18/2013 12:15 AM, Asai wrote:
                      >>> Would it follow then that I should remove the smtp_sasl_mechanism_filter from main.cf? Would that be causing clients to try to connect via port 25 even though they're set to connect to 587?
                      >>
                      >> ...what makes you think these things are related in any way ?
                      >>
                      >> It is the *client* that decides where to connect to.
                      > So, it's the iPhone which is self-assertively trying to connect to port 25 regardless of what it's explicitly set to?

                      Works fine for me. I very much doubt your iPhone in question is actually set to use 587 only. IIRC, that is not the default.

                      -- Larry Stone
                      Sent from my iPhone
                    • Asai
                      Message 10 of 18 , Jun 17, 2013
                        >> So, it's the iPhone which is self-assertively trying to connect to port 25 regardless of what it's explicitly set to?
                        > Works fine for me. I very much doubt your iPhone in question is actually set to use 587 only. IIRC, that is not the default.
                        >
                        > -- Larry Stone
                        > Sent from my iPhone
                        OK, so perhaps just refusing AUTH on port 25 will solve the problem.
                        I've set the Server Port in Outgoing mail settings on iPhone to 587, so
                        I don't really understand what's going on here...
                      • Larry Stone
                        Message 11 of 18 , Jun 17, 2013
                          On Jun 17, 2013, at 19:03, Asai <asai@...> wrote:

                          >>> So, it's the iPhone which is self-assertively trying to connect to port 25 regardless of what it's explicitly set to?
                          >> Works fine for me. I very much doubt your iPhone in question is actually set to use 587 only. IIRC, that is not the default.
                          >>
                          >> -- Larry Stone
                          >> Sent from my iPhone
                          > OK, so perhaps just refusing AUTH on port 25 will solve the problem. I've set the Server Port in Outgoing mail settings on iPhone to 587, so I don't really understand what's going on here...

                          I doubt it. Based on what you previously posted, Postscreen will reject it long before it gets to an smtpd process.

                          I'd suggest you double-check the iPhone configuration. In particular, make sure the outgoing settings you're looking at are the ones actually being used. You can configure multiple outgoing servers on an iOS device.

                          -- Larry Stone
                          Sent from my iPhone
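
Added example, not part of any post in this thread and not Postfix project code: a small master.cf check for the two master.cf mistakes Wietse names in message 3 (two entries for the same port, and postscreen on a port used by mail clients). The function names, the service-name-to-port table and the embedded sample (copied from Asai's post) are assumptions of this example.

```python
# Service names that master.cf accepts in place of a port number (assumed table).
PORTS = {"smtp": 25, "submission": 587, "smtps": 465, "submissions": 465}

# Constructed sample: the master.cf entries Asai posted in the thread.
SAMPLE = """\
587       inet  n       -       n       -       -       smtpd
smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       n       -       -       smtpd
dnsblog   unix  -       -       n       -       0       dnsblog
tlsproxy  unix  -       -       n       -       0       tlsproxy
submission inet  n       -       n       -       -       smtpd
"""

def parse_master(text):
    """Yield (service, type, command) for each logical master.cf entry."""
    for line in text.splitlines():
        # Skip blanks, comments, and continuation lines (leading whitespace,
        # e.g. "  -o name=value"), which belong to the preceding entry.
        if not line.strip() or line.lstrip().startswith("#") or line[0].isspace():
            continue
        fields = line.split()
        if len(fields) >= 8:
            yield fields[0], fields[1], fields[7]

def port_of(service):
    """Resolve 'submission', '587' or '192.0.2.1:587' to a port number."""
    name = service.rsplit(":", 1)[-1]
    return int(name) if name.isdigit() else PORTS.get(name)

def lint(text):
    """Return findings for the two master.cf mistakes named in the thread."""
    findings, seen = [], {}
    for service, kind, command in parse_master(text):
        port = port_of(service) if kind == "inet" else None
        if port is None:
            continue  # not a TCP listener, or a name this table does not know
        if port in seen:
            findings.append(f"port {port}: '{seen[port]}' and '{service}' are duplicate entries")
        seen[port] = service
        # Per the thread: postscreen belongs on port 25 only, never on a
        # port that mail client programs submit to.
        if command == "postscreen" and port != 25:
            findings.append(f"port {port}: postscreen on a port used by mail clients")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)) or "no findings")
```

On the posted configuration this reports only the duplicate 587/submission pair; postscreen itself is correctly placed on port 25, which matches the thread's conclusion that the phone was connecting to the wrong port.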