Re: port 465 problems

From: Bill Cole (no email)
Date: Thu Nov 01 2007 - 03:04:14 EDT

  • Next message: Kevin Stevens: "Postfix local delivery stops after an hour."

    At 10:50 PM -0700 10/31/07, travel kid wrote:
    >hello folks,
    >
    >i found some users having troubles since their isp's
    >were blocking outbound 25. so i am attempting to get
    >smtp+ssl on port 465 working.

    Pure SSL+SMTP on port 465 had credibility as a standard for less than
    a year about a decade ago. You should try to avoid it. Unless you
    have a bunch of users with old Microsoft clients, you do not need to
    participate in the misuse of port 465.

    >i would appreciate some
    >help on the command not found error below. would
    >appreciate it.
    >
    >thank you
    >
    >
    >/etc/postfix/master.cf
    >smtps inet n - - - - smtpd

    You appear to be missing the operative part that actually makes it do SSL:

    smtps inet n - n - - smtpd
       -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes

    You should really encourage your users to use port 587 instead, and
    set up a proper submission service:

    submission inet n - n - - smtpd
       -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes

    That mandates the use of the STARTTLS command on the submission port,
    which provides a little more clarity when logging all traffic.

    [big snip of irrelevant log lines...]

    >Nov 1 01:25:00 li10-54 postfix/smtpd[2086]: >
    >dhcp-ip.isp.net[w.x.y.z]: 220 mail.foobar.com ESMTP

    That's your smtpd sending the initial banner.

    >Nov 1 01:25:00 li10-54 postfix/smtpd[2086]: <
    >dhcp-ip.isp.net[w.x.y.z]: ?=??

    That's the client sending garbage ('?=??') that it probably thought
    was a reasonable start at SSL negotiation. However, you are not
    talking SSL.

    >Nov 1 01:25:00 li10-54 postfix/smtpd[2086]:
    >match_string: ?=?? ~? CONNECT
    >Nov 1 01:25:00 li10-54 postfix/smtpd[2086]:
    >match_string: ?=?? ~? GET
    >Nov 1 01:25:00 li10-54 postfix/smtpd[2086]:
    >match_string: ?=?? ~? POST
    >Nov 1 01:25:00 li10-54 postfix/smtpd[2086]:
    >match_list_match: ?=??: no match

    That's Postfix checking the garbage against common broken spamware
    behavior of sending HTTP commands on a SMTP session. The garbage does
    not match.

    >Nov 1 01:25:00 li10-54 postfix/smtpd[2086]: >
    >dhcp-ip.isp.net[w.x.y.z]: 502 5.5.2 Error: command not
    >recognized

    Even though the garbage does not match the known list of poison
    strings, it still isn't a valid SMTP command.

    -- 
    Bill Cole
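The misconfiguration diagnosed in this reply can be caught before a client ever connects. The following is an added example, not part of the original message or of Postfix itself: a small auditor that reads master.cf text and flags a port 465 listener lacking `smtpd_tls_wrappermode=yes` or a submission listener that does not mandate STARTTLS. The function names and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample: the poster's smtps entry (no -o overrides) plus the
# submission entry suggested in the reply.
SAMPLE_MASTER_CF = """\
smtp       inet n - n - - smtpd
smtps      inet n - - - - smtpd
submission inet n - n - - smtpd
   -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
"""

def parse_smtpd_services(text):
    """Map each inet smtpd service name to its -o overrides."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                        # blank line or comment
        if line[0].isspace() and entries:   # leading whitespace continues an entry
            entries[-1] += " " + line.strip()
        else:
            entries.append(line.strip())
    services = {}
    for entry in entries:
        fields = entry.split()
        if len(fields) >= 8 and fields[1] == "inet" and fields[7] == "smtpd":
            services[fields[0]] = dict(re.findall(r"-o\s+(\w+)=(\S+)", entry))
    return services

def audit(text):
    """Return findings for 465/587 listeners that would accept plaintext."""
    findings = []
    for name, opts in parse_smtpd_services(text).items():
        port = name.rsplit(":", 1)[-1]      # strip an optional address prefix
        if port in ("smtps", "465") and opts.get("smtpd_tls_wrappermode") != "yes":
            findings.append(f"{name}: smtpd_tls_wrappermode=yes missing; "
                            "listener sends a plaintext 220 banner to TLS clients")
        # Either the reply's smtpd_enforce_tls or the newer
        # smtpd_tls_security_level=encrypt mandates STARTTLS.
        enforced = (opts.get("smtpd_enforce_tls") == "yes"
                    or opts.get("smtpd_tls_security_level") == "encrypt")
        if port in ("submission", "587") and not enforced:
            findings.append(f"{name}: STARTTLS is not mandatory")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_MASTER_CF):
        print(finding)
```

Run against the sample, it reports only the `smtps` entry, which is the listener that answered the client's SSL handshake with "502 5.5.2 Error: command not recognized" in the log above.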
    
