Outlook only connecting to smtp server if use TLS

Discussion in 'Installation/Configuration' started by Sheshman, Jun 2, 2020.

  1. Sheshman

    Sheshman Member

    Hi,
    I can only use SMTP if I enable TLS authentication in Outlook, and this causes a certificate error when I try to send an e-mail through Outlook.
    Every other authentication method returns "server does not support any of the available authentication methods". I found some topics that say using port 25 instead of 587 solves the problem, but port 25 is blocked by all ISPs; when I try to use it, it returns "server not found".

    As far as I understand, we configure the server during installation by un-commenting the lines below:
    submission inet n - y - - smtpd
      -o syslog_name=postfix/submission
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    and
    smtps inet n - y - - smtpd
      -o syslog_name=postfix/smtps
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    I would like to disable TLS-only authentication, or add plain authentication, but I couldn't be sure which line I should comment or un-comment.
     


  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Sheshman likes this.
  3. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    It uses PLAIN authentication now, which is why tls is required - if you send passwords in the clear over the internet (particularly WiFi), they will be stolen and your server abused to send spam.
     
    Sheshman likes this.
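Added example (not part of the thread or of ISPConfig): a shell function that reads master.cf service definitions like those in the first post and flags any service that enables SASL AUTH without requiring TLS, which is the case the reply above warns about. The function names, verdict strings and the port 2525 service are constructed for illustration; `smtpd_tls_auth_only` is a standard Postfix parameter that the thread does not mention.

```shell
# Constructed sample: the two services quoted in the first post (abridged),
# plus a hypothetical weak service on port 2525 added for contrast.
sample_master_cf() {
cat <<'EOF'
submission inet n - y - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps inet n - y - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
2525 inet n - y - - smtpd
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
EOF
}

# Reads master.cf text on stdin and prints "<service> <verdict>" per service.
# Only per-service -o overrides are examined; main.cf defaults are not read.
audit_master_cf() {
  awk '
    function report(   v) {
      if (svc == "") return
      if (sasl != "yes") v = "no-sasl-override"
      else if (level == "encrypt" || wrap == "yes" || authonly == "yes") v = "auth-needs-tls"
      else v = "AUTH-WITHOUT-TLS"
      print svc, v
    }
    function scan(first,   i, kv, eq, key, val) {
      for (i = first; i <= NF; i++) {
        kv = $i; sub(/^-o/, "", kv); eq = index(kv, "=")
        if (eq == 0) continue
        key = substr(kv, 1, eq - 1); val = substr(kv, eq + 1)
        if (key == "smtpd_sasl_auth_enable") sasl = val
        if (key == "smtpd_tls_security_level") level = val
        if (key == "smtpd_tls_wrappermode") wrap = val
        if (key == "smtpd_tls_auth_only") authonly = val
      }
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    /^[ \t]/ { scan(1); next }            # continuation line of the current service
    { report(); svc = $1; sasl = level = wrap = authonly = ""; scan(9) }
    END { report() }
  '
}

sample_master_cf | audit_master_cf
```

On a real server the input would be /etc/postfix/master.cf, and a `no-sasl-override` verdict means the service inherits whatever main.cf sets.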
  4. Sheshman

    Sheshman Member

    Yes, you are quite right, but the thing I'm trying to understand is this: when you buy a hosting package and configure a mail client (Outlook in my case), we select the Encryption Method as "NONE", and Outlook doesn't show a certificate pop-up and works. So does that mean that hosting companies don't provide encrypted communication by default, and if you want it you have to buy it as an extra or something?
     
  5. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    You don't get a certificate error on connections which are not encrypted, that's normal. I don't know what you refer to by "hosting companies" - an ISPConfig server (with a standard setup per a Perfect Server guide), or just in general, one of the thousands of companies which host internet email? The latter, of course, will vary a great deal in their configuration.

    As for your own setup, you "should" provide encrypted communication for email services with very limited exceptions (e.g. clients connect over a VPN or something). Certificates are literally free nowadays, and as you have found you actually have to go out of your way to try to reduce the security in order to not use one. As @Taleman said, you simply need to get a valid certificate on your server, e.g. using the server's hostname (also make sure that is the hostname you are using as your smtp/pop/imap server) and then the errors will be gone.
     
  6. Sheshman

    Sheshman Member

    What I mean is, for example, fscteknoloji.com is one of my personal domains. Until I decided to learn ISPConfig I was subscribing to yearly hosting packages from a Turkish hosting company (which was Radore Hosting); I was paying 100 TL (approx. 15 USD) for a year's subscription with 1TB space, 10 mail accounts, PHP support and 1 MySQL database. Now I'm hosting this domain from my ISPConfig server.

    My mail settings for the email client were: POP: pop.radorehosting.com & SMTP: smtp.radorehosting.com, so when configuring Outlook I was configuring it as attached. In the last 20 years I've subscribed to many hosting companies in Turkey and they all use the same settings for SMTP. I've never seen a hosting company say you need to use TLS or SSL for SMTP encryption (maybe they are selling this option separately, I don't know, because they request money for every upgrade/change you want; some of them even want money for a PHP version change). When Outlook's certificate pop-up appears, that makes me think that something is wrong with my installation (I thought I did something wrong).
    As far as I understand from your explanations, they are not using/providing any kind of secure connection, or maybe there is a trick that I don't know.
     


  7. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  8. Sheshman

    Sheshman Member

    yeah maybe, i'm not quite sure.
    Exactly.

    Well, I'm not supporting local companies' behavior (Turkish ones) but I can understand their approach due to high exchange rates. Selling this kind of product (hosting) costs money, and almost everything you need to build it is sold in USD. 1 USD is 6,70 TL; you need powerful servers, hard drives, UPS, generator, super fast internet connection, routers and so on, and you need to buy all of them with USD so it costs a lot. On the other hand you are in a competitive market so you need to keep your prices low. Most users think that "they are a hosting company, they are professionals, no way that they can make such mistakes", but it seems they are.
     
  9. Sheshman

    Sheshman Member

    I made a mistake while following the tutorial :( I missed the part "create a website with the same name with hostname -f".
    When I entered "cat ispserver.{key,crt} > ispserver.pem" it returned "cat: ispserver.key: No such file or directory", and when I try to log in to the server through "https://192.168.1.253:8080/" it returns "SSL_ERROR_RX_RECORD_TOO_LONG". If I try to log in through "http://192.168.1.253:8080" the login page shows, but when I enter my username & password it redirects me to the login page.

    Is there a fix for what I did?
     
  10. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    The easiest way is to download the ISPConfig installer and run update.php, and answer yes to create a self-signed SSL certificate.
     
  11. Sheshman

    Sheshman Member

    I'm following this tutorial https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/ which was provided by @Taleman. The server's hostname is server1.example.com -- domain: example.com -- subdomain: server1.example.com; all are reachable through the browser.

    When I run this command: cat ispserver.{key,crt} > ispserver.pem it returns:
    cat: ispserver.key: No such file or directory
    cat: ispserver.crt: No such file or directory
    and I can't go further.

    Edit: I realised that when I check the Let's Encrypt SSL option and save, then go back to the site options, I see that it's unchecked.
     


    Last edited: Jun 4, 2020
  12. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    That's because the files /etc/letsencrypt/live/$(hostname -f)/fullchain.pem and privkey.pem don't exist.

    In your screenshots you're using example.com, and the IP 192.168.1.16.
    Is example.com the domain you're really using in that? Or is that only in the screenshots to hide the real domain name?
    And the IP needs to be the real public IP that the server is reachable on. Private IPs are not routable over the internet.
     
  13. Sheshman

    Sheshman Member

    Oh, I forgot to mention it: when I tried this article on the active server it crashed and I was not able to connect to the admin panel again. I took an image of the server before I tried this on the active server and it saved me. To avoid any crash and data loss I've installed ISPConfig in a virtual machine, defined example.com on it, and set my hosts file to reach example.com, and I'm working through this tutorial on that, so that is not a server connected to the internet directly.

    The tutorial says Let's Encrypt needs to reach my server on the WAN, but as I mentioned, on both the live & VM server it's crashing after applying
    cd /usr/local/ispconfig/interface/ssl/
    mv ispserver.crt ispserver.crt-$(date +"%y%m%d%H%M%S").bak
    mv ispserver.key ispserver.key-$(date +"%y%m%d%H%M%S").bak
    mv ispserver.pem ispserver.pem-$(date +"%y%m%d%H%M%S").bak
    ln -s /etc/letsencrypt/live/$(hostname -f)/fullchain.pem ispserver.crt
    ln -s /etc/letsencrypt/live/$(hostname -f)/privkey.pem ispserver.key
    It waits 2-3 minutes and after that it goes non-responsive in the browser, shutting down ports 21 & 22. After rebooting it starts to return SSL ERROR - "SSL_ERROR_RX_RECORD_TOO_LONG", and creating self-signed certificates with update.php doesn't solve it.
     
  14. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    Right, well, that's not going to work. Ever. When Let's Encrypt's server tries to connect to example.com it's never going to reach your server, because that domain name is already registered by someone else, and the DNS points elsewhere.

    you need to use a valid domain name, that you own, and have it reachable on a public ip address.

    let's start with the basics, is your existing ispconfig control panel certificate from letsencrypt? self-signed? or a full, paid for certificate?
    what names currently exist on that certificate?

    you're trying to get certs you can use on postfix, what fqdn's are you going to use for mail?
    is there a vhost for them on the server that will host mail services?
    does the dns contain valid public ip addresses for them?
     
  15. Sheshman

    Sheshman Member

    ok;
    is your existing ispconfig control panel certificate from letsencrypt? self-signed? or a full, paid for certificate? -- using self signed certificates created during installation, i didn't add any other certificates after installation.

    what names currently exist on that certificate? -- FSC TEKNOLOJI

    you're trying to get certs you can use on postfix, what fqdn's are you going to use for mail? -- there are 3 domains installed on the server, but there is only one e-mail account which is [email protected]

    is there a vhost for them on the server that will host mail services? -- when i send mail from my gmail to [email protected] it reaches without any problem

    does the dns contain valid public ip addresses for them? -- yes, all 3 domains are accessible from all over the world.
     
  16. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    ok is mail.fscteknoloji.com a separate vhost to fscteknoloji.com, or an alias to it?
     
  17. Sheshman

    Sheshman Member

    is mail.fscteknoloji.com a separate vhost to fscteknoloji.com, or an alias to it? -- it's not a vhost I think; the DNS wizard created that record and I haven't changed anything since then.
     
  18. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    ok, but your mx record is set as mail.fscteknoloji.com, but unless you're configuring letsencrypt to use dns validation, you're not going to get a certificate for mail.fscteknoloji.com unless it exists within a working vhost configuration, either as the ServerName, or as a ServerAlias.
    and your server is displaying the default ispconfig home page for mail.fscteknoloji.com, it may be apache displaying another vhost's contents instead of the correct website.

    if it's an alias or subdomain of fscteknoloji.com then postfix can use the same certificate as the control panel, if it's a separate vhost, postfix and dovecot will have to use a separate certificate.

    on the live server, cd to /etc/apache2/sites-available

    run
    grep Servername *
    and
    grep ServerAlias *
    in there and post the contents of both here.
     
  19. Sheshman

    Sheshman Member

    grep Servername * -- returns nothing
    grep ServerAlias * -- returns;
    claribon.com.vhost: ServerAlias *.claribon.com
    fscteknoloji.com.vhost: ServerAlias *.fscteknoloji.com
    gorselpackaging.com.vhost: ServerAlias *.gorselpackaging.com
     
  20. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    ServerName should have an uppercase N. Running 'apachectl -S' should give the same info and a bit more.
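
Added example (not from the thread or from ISPConfig): a shell function that reports which vhost file names a given host through ServerName or ServerAlias, comparing directive names case-insensitively and honouring wildcard aliases such as the `*.fscteknoloji.com` entry in the grep output above. The sample files, their ServerName lines and the function names are constructed; on a real server the directory would be /etc/apache2/sites-available.

```shell
# Constructed sample: vhost files modelled on the grep output in the thread.
# The ServerName lines and the lower-case directive are assumptions.
make_sample_vhosts() {
  d=$(mktemp -d)
  printf '%s\n' '<VirtualHost *:80>' '  ServerName fscteknoloji.com' \
    '  ServerAlias *.fscteknoloji.com' '</VirtualHost>' > "$d/fscteknoloji.com.vhost"
  printf '%s\n' '<VirtualHost *:80>' '  servername claribon.com' \
    '  ServerAlias *.claribon.com' '</VirtualHost>' > "$d/claribon.com.vhost"
  printf '%s\n' "$d"
}

# vhost_for_name HOST DIR
# Prints each file in DIR whose ServerName or ServerAlias covers HOST.
# Directive names and host names are compared case-insensitively, so the
# result does not depend on how the directive was typed.
vhost_for_name() {
  for f in "$2"/*.vhost; do
    awk -v host="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
      tolower($1) == "servername" || tolower($1) == "serveralias" {
        for (i = 2; i <= NF; i++) {
          n = tolower($i)
          if (n == host) hit = 1
          # wildcard alias such as *.example.com: compare the ".example.com" tail
          tail = substr(n, 2)
          if (substr(n, 1, 2) == "*." && length(host) > length(tail) &&
              substr(host, length(host) - length(tail) + 1) == tail) hit = 1
        }
      }
      END { exit !hit }
    ' "$f" && printf '%s\n' "${f##*/}"
  done
  return 0
}

dir=$(make_sample_vhosts)
vhost_for_name mail.fscteknoloji.com "$dir"   # fscteknoloji.com.vhost
vhost_for_name CLARIBON.com "$dir"            # claribon.com.vhost
rm -rf "$dir"
```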
     
