1

Topic: SSL over 587 submission port

==== Required information ====
- iRedMail version: 0.9.0
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL (iRedadmin-Pro)
- Linux/BSD distribution name and version: Debian 7
- Related log if you're reporting an issue:
====

I have a large number of external domain accounts and am having problems with the use of SSL over port 587 (including certificate warnings).

Many users are having configuration problems and incompatibilities with their mail applications. I want my servers to offer the SSL option only on port 465 and keep port 587 without the SSL requirement. Where can I adjust this setting?

Will users who already reconfigured for SSL be affected and have to undo the settings?

Tks,

M Martinatti

2

Re: SSL over 587 submission port

*) Port 465 is configured for SSL, but deprecated, and disabled in iRedMail by default.
*) Port 587 is configured for TLS, all users should send email through port 587.
*) If you want to send email without SSL/TLS, you should use port 25 instead.

Again, use port 587 to send email.

3

Re: SSL over 587 submission port

ZhangHuangbin wrote:

*) Port 465 is configured for SSL, but deprecated, and disabled in iRedMail by default.
*) Port 587 is configured for TLS, all users should send email through port 587.
*) If you want to send email without SSL/TLS, you should use port 25 instead.

Again, use port 587 to send email.


How can I solve the problem that some clients, namely old versions of Outlook [OE], are always asking for certificate confirmation?

4

Re: SSL over 587 submission port

marcelomartinatti wrote:

How can I solve the problem that some clients, namely old versions of Outlook [OE], are always asking for certificate confirmation?

To avoid this annoying confirmation, you have to buy an SSL certificate. We have a detailed tutorial for you:
http://www.iredmail.org/docs/use.a.boug … icate.html

5

Re: SSL over 587 submission port

Hi Zhang,

I urgently need to disable the requirement for SSL on SMTP port 587. Please guide me on how to proceed.

Tks

M Martinatti

6

Re: SSL over 587 submission port

The only way to get rid of this annoying message is buying an SSL certificate. And we have a document for you to set up this bought SSL certificate:
http://www.iredmail.org/docs/use.a.boug … icate.html

7

Re: SSL over 587 submission port

Hi Zhang,

What I need is to disable SSL over the SMTP/587 port.

Almost no provider in Brazil works with SSL on port 587, and I have lost clients because of it and cannot continue.

Please show me how to keep port 587 free of mandatory SSL.

I await your return with urgency.

Tks.

M Martinatti

8

Re: SSL over 587 submission port

If you don't need SSL/TLS, just comment out 'smtpd_tls_auth_only = yes' in /etc/postfix/main.cf, then use port 25 to send email.
Port 587 (and deprecated 465) is used for secure connections, don't touch it.

9 (edited by camel1cz 2015-05-26 15:41:22)

Re: SSL over 587 submission port

From what I understand from the Internet standards:
- port 25 is for server to server communication,
- port 465 WAS for SMTP over SSL and MUST NOT be used for any mail communication,
- port 587 is for mail submission from client to server.

Port 587 MUST require authentication of client (most likely SMTP AUTH) but SSL is NOT required.

I would say the SSL should be optional - after STARTTLS - on 587?

See RFC 6409

To make SSL optional, change the file /etc/postfix/master.cf:

Original:

submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt

To new:

submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=may
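
A check a defender could run after the change described in the post above, shown as an added example that is not part of the original thread and is not iRedMail or Postfix code: it reads the submission entry in master.cf and reports whether STARTTLS is still enforced and whether AUTH can happen without TLS. The function names and the sample main.cf values are assumptions; `smtpd_tls_security_level`, `smtpd_tls_auth_only` and `smtpd_sasl_auth_enable` are real Postfix parameters.

```python
import shlex

def service_overrides(master_cf, service="submission"):
    """Collect the '-o name=value' overrides of one master.cf service entry."""
    overrides, in_service = {}, False
    for raw in master_cf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank line or comment
        if raw[0].isspace():              # continuation of the current entry
            args = shlex.split(raw)
        else:                             # new entry: 8 fixed columns, then args
            fields = shlex.split(raw)
            in_service = fields[0] == service
            args = fields[8:]
        if in_service:
            for flag, arg in zip(args, args[1:]):
                if flag == "-o" and "=" in arg:
                    name, value = arg.split("=", 1)
                    overrides[name] = value
    return overrides

def audit_submission(master_cf, main_cf):
    """Return findings for the effective settings of the submission service."""
    eff = {**main_cf, **service_overrides(master_cf)}   # -o overrides main.cf
    level = eff.get("smtpd_tls_security_level", "")
    findings = []
    if level != "encrypt":                # "encrypt" also implies TLS-only AUTH
        findings.append("STARTTLS not enforced (level=%s)" % (level or "unset"))
        if (eff.get("smtpd_sasl_auth_enable") == "yes"
                and eff.get("smtpd_tls_auth_only", "no") != "yes"):
            findings.append("AUTH offered without TLS: passwords can be sent in cleartext")
    return findings

# Constructed sample input: the two master.cf variants from the post above,
# plus assumed main.cf values (not taken from a real server).
ORIGINAL = """smtp      inet n - n - - smtpd
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
"""
CHANGED = ORIGINAL.replace("=encrypt", "=may")
MAIN_CF = {"smtpd_sasl_auth_enable": "yes", "smtpd_tls_auth_only": "yes"}
MAIN_CF_NO_AUTH_ONLY = {"smtpd_sasl_auth_enable": "yes"}

if __name__ == "__main__":
    for label, master, main in (("original", ORIGINAL, MAIN_CF),
                                ("changed", CHANGED, MAIN_CF),
                                ("changed, auth_only off", CHANGED, MAIN_CF_NO_AUTH_ONLY)):
        print(label, audit_submission(master, main))
```

The `-o { name = value }` brace form accepted by newer Postfix versions is not parsed by this example.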

10

Re: SSL over 587 submission port

That's exactly it, camel1cz: keeping STARTTLS optional on port 587.

Port 587 is the single port for mail submission from client to server, and port 25 is not allowed.

Very tks,

M Martinatti

11

Re: SSL over 587 submission port

marcelomartinatti wrote:

Almost no provider in Brazil works with SSL on port 587, and I have lost clients because of it and cannot continue.

This situation is really weird...