Hello guys, I have a problem after updating to the latest version of ISPConfig. Emails configured in Outlook are no longer able to use TLS encryption and port 587. They only work when configured on port 25 with STARTTLS encryption. However, I have many users with old Outlooks (they have no option to use STARTTLS, only SSL/TLS). Do I need to add some configuration so that all accounts that were configured with TLS encryption and port 587 will work again with SMTP? The errors shown in Outlook are: "None of the authentication methods supported by this client are supported by your server. Try changing the encryption method. Contact your email server administrator or ISP for further assistance." Thanks for any help, guys.
Could it be that they use an old version of Outlook that does not support TLSv1 and TLSv1.1, and you have those (or the ciphers that are needed) disabled?
I just upgraded to ISPConfig version 3.2, and all accounts set up in Outlook with port 587 and SSL/TLS encryption stopped working for sending. Receiving continues smoothly. When configuring a new account with SSL/TLS and port 587 in Outlook, Outlook rejects it, warning that the server does not accept this encryption.
Yes, I understand your question. You didn't answer mine though, so I can't help you further with just the same question.
Code:
/etc/postfix/master.cf
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       -       -       -       qmqpd
pickup    unix  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d vmail ${extension} ${recipient} ${user} ${nexthop} ${sender}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop}
amavis    unix  -       -       -       -       2       smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o smtp_bind_address=
127.0.0.1:10025 inet n  -       n       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_end_of_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
127.0.0.1:10027 inet n  -       n       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_end_of_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtp_send_xforward_command=yes
  -o milter_default_action=accept
  -o milter_macro_daemon_name=ORIGINATING
  -o disable_dns_lookups=yes
Code:
/etc/postfix/main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = /usr/share/doc/postfix

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
myhostname = usve255032.serverprofi24.com
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
mydestination = usve255032.serverprofi24.com, localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
myorigin = /etc/mailname
html_directory = /usr/share/doc/postfix/html
virtual_alias_domains = proxy:mysql:/etc/postfix/mysql-virtual_alias_domains.cf
virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /var/vmail
virtual_uid_maps = proxy:mysql:/etc/postfix/mysql-virtual_uids.cf
virtual_gid_maps = proxy:mysql:/etc/postfix/mysql-virtual_gids.cf
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_restriction_classes = greylisting
greylisting = check_policy_service inet:127.0.0.1:10023
smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unlisted_recipient, check_recipient_access proxy:mysql:/etc/postfix/mysql-verify_recipients.cf, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf, check_policy_service unix:private/quota-status
smtpd_tls_security_level = may
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
relay_domains = proxy:mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = proxy:mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $virtual_uid_maps $virtual_gid_maps $smtpd_client_restrictions $smtpd_sender_restrictions $smtpd_recipient_restrictions
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo, reject_unknown_helo_hostname, permit
smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:/etc/postfix/tag_as_foreign.re, check_sender_access proxy:mysql:/etc/postfix/mysql-virtual_sender.cf
smtpd_client_restrictions = check_client_access proxy:mysql:/etc/postfix/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, reject_rbl_client zen.spamhaus.org, permit_sasl_authenticated, reject_unauth_pipelining, permit
smtpd_client_message_rate_limit = 100
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
virtual_transport = lmtp:unix:private/dovecot-lmtp
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks
nested_header_checks = regexp:/etc/postfix/nested_header_checks
body_checks = regexp:/etc/postfix/body_checks
owner_request_special = no
smtp_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_exclude_ciphers = RC4, aNULL
smtp_tls_exclude_ciphers = RC4, aNULL
dovecot_destination_recipient_limit = 1
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
content_filter = lmtp:[127.0.0.1]:10024
receive_override_options = no_address_mappings
message_size_limit = 0
smtpd_etrn_restrictions = permit_mynetworks, reject
smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
tls_preempt_cipherlist = no
address_verify_negative_refresh_time = 60s
enable_original_recipient = yes
smtpd_forbidden_commands = CONNECT,GET,POST,USER,PASS
address_verify_sender_ttl = 15686s
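Editor's note with an added example (my code, not ISPConfig's and not posted by anyone in this thread): the posted master.cf defines three smtpd listeners, and the -o overrides decide which TLS mode a client has to speak. `submission` (port 587 per /etc/services) carries `smtpd_tls_security_level=encrypt` and no wrapper mode, so it answers in plaintext and requires STARTTLS; `smtps` (port 465) carries `smtpd_tls_wrappermode=yes`, which is implicit TLS from the first byte, the mode a mail client labels "SSL/TLS"; the plain `smtp` listener on port 25 inherits `smtpd_tls_security_level = may` from main.cf and offers STARTTLS optionally. The parser below follows the master(5) rules (comment lines, whitespace-indented continuation lines, `-o name=value` overrides) and reports that classification. The input is a constructed excerpt of the posted file, and the main.cf dictionary holds only the three values the classification needs.

```python
"""Audit which TLS mode each Postfix smtpd listener expects (added example)."""

# Constructed excerpt of the master.cf posted above, reduced to the
# listeners and the -o overrides that decide the TLS mode.
SAMPLE_MASTER_CF = """\
smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
pickup    unix  n       -       -       60      1       pickup
"""

# Values from the posted main.cf that every listener inherits unless it
# overrides them with -o (smtpd_tls_wrappermode is not set there; "no" is
# the Postfix default).
SAMPLE_MAIN_CF = {
    "smtpd_tls_security_level": "may",
    "smtpd_sasl_auth_enable": "yes",
    "smtpd_tls_wrappermode": "no",
}


def parse_master_cf(text):
    """Return {service: {"type", "command", "options"}} per master(5) rules:
    '#' lines are comments, a line starting with whitespace continues the
    previous entry, and "-o name=value" overrides the main.cf setting."""
    services, current, current_name = {}, None, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if current is None:
                raise ValueError("continuation line before any service entry")
            tokens = raw.split()
        else:
            fields = raw.split()
            if len(fields) < 8:
                raise ValueError(f"malformed service line: {raw!r}")
            current_name = fields[0]
            current = services[current_name] = {
                "type": fields[1], "command": fields[7], "options": {}}
            tokens = fields[8:]
        it = iter(tokens)
        for tok in it:
            if tok != "-o":
                continue
            opt = next(it, None)
            if opt is None:
                raise ValueError(f"dangling -o in entry {current_name}")
            key, _, value = opt.partition("=")
            current["options"][key] = value
    return services


def tls_mode(options):
    """Classify how a client has to start TLS against one listener."""
    if options.get("smtpd_tls_wrappermode", "no") == "yes":
        return "implicit-tls"        # TLS from the first byte: what clients call "SSL/TLS"
    level = options.get("smtpd_tls_security_level", "none")
    if level == "encrypt":
        return "starttls-required"   # plaintext greeting, then STARTTLS is mandatory
    if level == "may":
        return "starttls-optional"
    return "plaintext"


def audit(master_cf_text, main_cf):
    """Return {service: {"tls": mode, "sasl": bool}} for every inet smtpd listener."""
    report = {}
    for name, svc in parse_master_cf(master_cf_text).items():
        if svc["type"] != "inet" or svc["command"] != "smtpd":
            continue
        effective = {**main_cf, **svc["options"]}   # -o overrides main.cf
        report[name] = {
            "tls": tls_mode(effective),
            "sasl": effective.get("smtpd_sasl_auth_enable", "no") == "yes",
        }
    return report


if __name__ == "__main__":
    for name, info in audit(SAMPLE_MASTER_CF, SAMPLE_MAIN_CF).items():
        print(f"{name:12s} tls={info['tls']:18s} sasl={info['sasl']}")
```

Run against the real file with `audit(open("/etc/postfix/master.cf").read(), ...)` after filling the dictionary from `postconf smtpd_tls_security_level smtpd_sasl_auth_enable smtpd_tls_wrappermode`. A client account set to implicit TLS on a `starttls-required` listener will fail before authentication is ever attempted, which is a useful thing to rule out before touching cipher lists.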
Your cipher list does not contain old ciphers (which is a good thing, but might break (very) old clients). For an orientation on what to use (for which clients), have a look here: https://ssl-config.mozilla.org For example, for old clients use: https://ssl-config.mozilla.org/#server=postfix&version=3.4.8&config=old&openssl=1.1.1d&guideline=5.6 Post the mail.log entries from when a client failed to log in (in /var/log/mail.log or via the ISPC interface).
I ran a tail -f /var/log/mail.log
Code:
Oct 19 22:09:36 usve255032 postfix/smtpd[28914]: warning: unknown[212.70.149.53]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 19 22:09:36 usve255032 postfix/smtpd[28914]: disconnect from unknown[212.70.149.53]
Oct 19 22:09:41 usve255032 postfix/smtpd[29728]: connect from unknown[212.70.149.53]
Oct 19 22:09:46 usve255032 dovecot: imap([email protected]): Disconnected: Logged out in=1377 out=50817
Oct 19 22:09:50 usve255032 postfix/smtps/smtpd[27237]: warning: hostname ip-178-112-68-164.static.contabo.net does not resolve to address 164.68.112.178: Name or service not known
Oct 19 22:09:50 usve255032 postfix/smtps/smtpd[27237]: connect from unknown[164.68.112.178]
Oct 19 22:09:50 usve255032 postfix/smtpd[28094]: connect from unknown[212.70.149.53]
Oct 19 22:09:51 usve255032 postfix/smtpd[28914]: connect from reverso.205.webpic.com.br[186.225.134.205]
Oct 19 22:09:52 usve255032 postfix/smtps/smtpd[27237]: SSL_accept error from unknown[164.68.112.178]: -1
Oct 19 22:09:52 usve255032 postfix/smtps/smtpd[27237]: warning: TLS library problem: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1427:
Oct 19 22:09:52 usve255032 postfix/smtps/smtpd[27237]: lost connection after CONNECT from unknown[164.68.112.178]
Oct 19 22:09:52 usve255032 postfix/smtps/smtpd[27237]: disconnect from unknown[164.68.112.178]
Oct 19 22:09:52 usve255032 postfix/smtpd[28914]: warning: 205.134.225.186.zen.spamhaus.org: RBL lookup error: Host or domain name not found. Name service error for name=205.134.225.186.zen.spamhaus.org type=A: Host not found, try again
I noticed this warning: "warning: TLS library problem: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1427"
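Editor's note with an added example (my code, not from the thread): the log excerpt above mixes two different things, SASL password failures from one address and a TLS handshake failure from another, and the Postfix warning that names the reason ("no shared cipher") carries no client address at all. Because one smtpd process handles one connection at a time, the warning can be attributed to the client named in the preceding "SSL_accept error from host[ip]" line of the same process id. The triage below does that correlation per client and per listener (the `postfix/smtps/smtpd` and `postfix/submission/smtpd` program names come from the `syslog_name` overrides in the posted master.cf). The log lines are constructed in the posted format; the addresses are RFC 5737 documentation addresses, not the ones in the thread, and the thresholds in `verdict()` are my own assumption.

```python
"""Correlate Postfix smtpd TLS handshake failures and SASL failures per client (added example)."""
import re
from collections import defaultdict

# Constructed sample in the format of the posted mail.log; documentation IPs.
SAMPLE_LOG = """\
Oct 19 22:09:36 mx postfix/smtpd[28914]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 19 22:09:36 mx postfix/smtpd[28914]: disconnect from unknown[192.0.2.10]
Oct 19 22:09:41 mx postfix/smtpd[29728]: connect from unknown[192.0.2.10]
Oct 19 22:09:41 mx postfix/smtpd[29728]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 19 22:09:50 mx postfix/smtps/smtpd[27237]: connect from unknown[198.51.100.7]
Oct 19 22:09:52 mx postfix/smtps/smtpd[27237]: SSL_accept error from unknown[198.51.100.7]: -1
Oct 19 22:09:52 mx postfix/smtps/smtpd[27237]: warning: TLS library problem: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1427:
Oct 19 22:09:52 mx postfix/smtps/smtpd[27237]: lost connection after CONNECT from unknown[198.51.100.7]
Oct 19 22:10:03 mx postfix/submission/smtpd[30101]: connect from unknown[198.51.100.7]
Oct 19 22:10:04 mx postfix/submission/smtpd[30101]: SSL_accept error from unknown[198.51.100.7]: -1
Oct 19 22:10:04 mx postfix/submission/smtpd[30101]: warning: TLS library problem: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1427:
Oct 19 22:10:04 mx postfix/submission/smtpd[30101]: lost connection after STARTTLS from unknown[198.51.100.7]
Oct 19 22:10:09 mx dovecot: imap(user@example.com): Disconnected: Logged out in=1377 out=50817
"""

# Only smtpd lines matter here; the program field is postfix/smtpd for the
# port-25 instance and postfix/<syslog_name>/smtpd for the -o syslog_name ones.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>postfix(?:/\w+)?/smtpd)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CLIENT_RE = re.compile(r"from (?P<name>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]")
SASL_RE = re.compile(r"warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \w+ authentication failed")
TLSLIB_RE = re.compile(
    r"warning: TLS library problem: error:(?P<code>[0-9A-Fa-f]+):SSL routines:\w+:(?P<reason>[^:]+):")


def triage(log_text):
    """Return {ip: {"services", "sasl_failed", "tls_failed", "reasons"}}."""
    by_ip = defaultdict(lambda: {"services": set(), "sasl_failed": 0,
                                 "tls_failed": 0, "reasons": set()})
    last_client = {}  # pid -> ip: the TLS library warning names no client
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # dovecot, qmgr, cleanup ... are not smtpd lines
        pid, msg = m["pid"], m["msg"]
        parts = m["prog"].split("/")
        service = parts[1] if len(parts) == 3 else "smtp"
        c = CLIENT_RE.search(msg)
        if c:
            last_client[pid] = c["ip"]
            by_ip[c["ip"]]["services"].add(service)
        s = SASL_RE.search(msg)
        if s:
            by_ip[s["ip"]]["sasl_failed"] += 1
            continue
        t = TLSLIB_RE.search(msg)
        if t and pid in last_client:
            rec = by_ip[last_client[pid]]
            rec["tls_failed"] += 1
            rec["reasons"].add(t["reason"])
    return dict(by_ip)


def verdict(rec):
    """Assumed rule of thumb, not a Postfix rule: handshake-only failures
    point at the client's TLS stack, repeated SASL-only failures at guessing."""
    if rec["tls_failed"] and not rec["sasl_failed"]:
        return "client cannot complete the TLS handshake (check its protocol/cipher support)"
    if rec["sasl_failed"] >= 2 and not rec["tls_failed"]:
        return "repeated SASL failures with no TLS problem: likely password guessing"
    return "inconclusive"


if __name__ == "__main__":
    for ip, rec in triage(SAMPLE_LOG).items():
        print(ip, sorted(rec["services"]), rec["sasl_failed"], rec["tls_failed"],
              sorted(rec["reasons"]), "->", verdict(rec))
```

To use it on the real log, pass `open("/var/log/mail.log").read()` to `triage()` and look for the customer's own address; an entry with `tls_failed` and `no shared cipher` on `submission` or `smtps` is the client-side negotiation problem the reply above describes, while `sasl_failed` from unrelated addresses is background noise that Fail2Ban would be expected to handle.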
Yes, as I said: your server and your client do not find a common cipher ("no shared cipher"). So your client does not support the ciphers that your server offers (in the "tls_medium_cipherlist" parameter). Your clients are just too old. If you want to support these outdated clients, you have to offer more (vulnerable) ciphers. TLS1.0 and TLS1.1 have been end of life since 2018: https://endoflife.software/protocols/encryption/tls TLS1.2 should be supported since 2008. If your clients are older, you can make an exception for them. If not, deactivate TLS1.0 and 1.1 and update the clients. Use my link above to get the right settings: https://ssl-config.mozilla.org/#ser...fig=intermediate&openssl=1.1.1d&guideline=5.6 To enable TLS1.2 for end-of-life Outlook on end-of-life Windows, see here: https://docs.microsoft.com/en-us/ar...bling-tls-1-1-and-1-2-in-outlook-on-windows-7
I think it's 2016 (I use Office 365, which comes with the latest version), and I forgot to thank you for the help you have given me in answering my questions. Thank you very much.
If they use 2016, I think the ciphers you currently have should work. Could it be that they logged in with an incorrect password and are banned by Fail2Ban? (Shot in the dark, btw.) No problem.
You have to add a cipher that they understand to the cipher list. See my links above for the old/medium/modern cipher lists. See the Microsoft help for Office 365 updates: https://docs.microsoft.com/en-us/mi...eprecation-for-office-365?view=o365-worldwide An updated Office should be able to use TLS1.2 (except if you run it on Windows 7).
Thank you very much for your help. I did some tests this morning with some customers, but even using a newer Office (Outlook 365) I still can't connect using the settings port 587 and TLS encryption; only STARTTLS encryption is accepted, and whenever Outlook is opened, a warning appears that the security certificate cannot be confirmed. I performed a check on this site and the result is that the Cert certificate is missing. Do you know how I can fix that? https://www.checktls.com/TestReceiver?LEVEL=DETAIL&EMAIL=magistrisdobrasil.com.br