Outlook only connecting to smtp server if use TLS

Discussion in 'Installation/Configuration' started by Sheshman, Jun 2, 2020.

  1. Sheshman

    Sheshman Member

    Hi,
    I can only use SMTP if i enable the TLS authentication in outllok and this causes certificate error when i try the send an e-mail through outlook.
    Every other authentication methods returns "server does not support any of the available authentication methods", i found some topics that says if use port 25 instead of 587 this solves the problem but port 25 is blocked by all isps,when i try to use it returns "server not found"

    As far as i understand we are configuring server during installation with un-commenting below lines;
    submission inet n - y - - smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    and
    smtps inet n - y - - smtpd
    -o syslog_name=postfix/smtps
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    i would like to disable TLS only authentication,or want to add plain authentication but couldn't be sure which line i should comment or -un-comment.
     

    Attached Files:

  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Sheshman likes this.
  3. Jesse Norell

    Jesse Norell ISPConfig Developer ISPConfig Developer

    It uses PLAIN authentication now, which is why tls is required - if you send passwords in the clear over the internet (particularly WiFi), they will be stolen and your server abused to send spam.
     
    Sheshman likes this.
  4. Sheshman

    Sheshman Member

    yes you are quite right, but the thing that i'm trying to understand when you buy a hosting package and configure mail client (outlook in my case),we are selecting Encryption Method as "NONE", and outlook doesn't show certificate pop-up and works, so is that mean that hosting companies doesn't provide crypted communication as default, if you want it you should buy as extra or something?
     
  5. Jesse Norell

    Jesse Norell ISPConfig Developer ISPConfig Developer

    You don't get a certificate error on connections which are not encrypted, that's normal. I don't know what you refer to by "hosting companies" - an ISPConfig server (with a standard setup per a Perfect Server guide), or just in general, one of the thousands of companies which host internet email? The latter, of course, will vary a great deal in their configuration.

    As for your own setup, you "should" provide encrypted communication for email services with very limited exceptions (eg. clients connect over a vpn or something). Certificates are literally free nowadays, and as you have found you actually have to go out of your way to try reduce the security in order to not use one. As @Taleman said, you simply need to get a valid certificate on your server, eg. using the server's hostname (also make sure that is the hostname you are using as your smtp/pop/imap server) and then the errors will be gone.
     
  6. Sheshman

    Sheshman Member

    what i mean is, for example fscteknoloji.com is one of my personal domains. So until i decided to learn ispconfig i was subscribing yearly hosting packages from a Turkish hosting company (which was Radore Hosting),i was paying 100 TL(approx. 15 USD) for year subscription with 1TB Space,10 mail account,PHP support,1 MySQL Database.Now i'm hosting this domain from my ispconfig server.

    My mail settings for email client was : POP : pop.radorehosting.com & SMTP:smtp.radorehosting.com, so when configuring outlook i was configuring as attached. In last 20 years i've subscribed to many hosting company in Turkey and they all using the same settings for SMTP,i've never seen an hosting company says u need to use TLS or SSL for smtp encryption(maybe they are selling this option seperately i don't know,because they are requesting money for every upgrade/chanage you want,some of them even wants money for php version change).When outlook's certificate pop-up appears that makes me think that something wrong with my installation(i thought i did something wrong).
    As far as i understand from your explanations they are not using/providing any kind of secure connection,or maybe there is a trick that i don't know.
     

    Attached Files:

  7. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  8. Sheshman

    Sheshman Member

    yeah maybe, i'm not quite sure.
    Exactly.

    Well i'm not supporting local companies behavior (Turkish ones) but i can understand their approach due to high exchange rates, selling this kind of product (hosting) costs money, and almost everything you need to build is selling with USD, 1 USD is 6,70 TL, you need powerful servers, hard drives, UPS, generator, super fast internet connection, routers and so on, you need to buy all of them with usd so it costs a lot, on the other hand you are in a competitive market so you need to keep your prices low. Most of the users thinks that "they are hosting company, they are professionals, no way that they can do such mistakes" but seems they are.
     
  9. Sheshman

    Sheshman Member

    i did a mistake while following the tutorial:(, i missed the part "create a website with the same name with hostname -f",
    when i entered "cat ispserver.{key,crt} > ispserver.pem" it returned "cat: ispserver.key: No such file or directory" and when i try to login to server through "https://192.168.1.253:8080/" it returns "SSL_ERROR_RX_RECORD_TOO_LONG", if i try to login through "http://192.168.1.253:8080" login page shows but when i enter my username & password it redirect me to login page.

    Is there a fix for what i did?
     
  10. Jesse Norell

    Jesse Norell ISPConfig Developer ISPConfig Developer

    The easiest way is to download the ISPConfig installer and run update.php, and answer yes to create a self-signed SSL certificate.
     
  11. Sheshman

    Sheshman Member

    i'm following this tutorial https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/ which provided by @Taleman , server's hostname is server1.example.com -- domain : example.com -- subdomain : server1.example.com all is reachable through browser.

    when i run this command : cat ispserver.{key,crt} > ispserver.pem it returns ;
    cat: ispserver.key: No such file or directory
    cat: ispserver.crt: No such file or directory
    and can't go further.

    Edit : I realised when i'm checking Let's Encrypt SSL option, saving, when i go back to site options i see that it's unchecked.
     

    Attached Files:

    Last edited: Jun 4, 2020
  12. nhybgtvfr

    nhybgtvfr Active Member

    that's because the files /etc/letsencrypt/live/$(hostname -f)/fullchain.pem and privkey.pem don't exist.

    in your screenshot's your using example.com, and the ip 192.168.1.16
    is example.com the domain you're really using in that? or is that only in the screenshots to hide the real domain name?
    and the ip needs to be the real public ip that the server is reachable on. private ip's are not routable over the internet.
     
  13. Sheshman

    Sheshman Member

    oh i forgot to mention it, when i try this article on active server it crashing and not be able connect to admin panel again, i get server's image before i try this on active server and it saved me, to avoid any crash and data loss i've installed ispconfig under a virtual machine, defined example.com on it, set my host file to reach example.com and i'm working this tutorial on that, so that is not an server connected to internet directly.

    In the tutorial says Let's Encrypt needs to reach my server on WAN, but as i mentioned on both live & vm server,it's crashing after applying
    cd /usr/local/ispconfig/interface/ssl/
    mv ispserver.crt ispserver.crt-$(date +"%y%m%d%H%M%S").bak
    mv ispserver.key ispserver.key-$(date +"%y%m%d%H%M%S").bak
    mv ispserver.pem ispserver.pem-$(date +"%y%m%d%H%M%S").bak
    ln -s /etc/letsencrypt/live/$(hostname -f)/fullchain.pem ispserver.crt
    ln -s /etc/letsencrypt/live/$(hostname -f)/privkey.pem ispserver.key
    it waits 2-3 minutes and after that it goes non-responsive on browser, shutting down port 21 & 22, after rebooting it's starting to return SSL ERROR - "SSL_ERROR_RX_RECORD_TOO_LONG", and creating self signed certificates with update.php doesn't solve.
     
  14. nhybgtvfr

    nhybgtvfr Active Member

    right, we'll that's not going to work. ever. when letsencrypt's server tries to connect to example.com it's never going to reach your server, because that domain name is already registered by someone else, and the dns points elsewhere.

    you need to use a valid domain name, that you own, and have it reachable on a public ip address.

    let's start with the basics, is your existing ispconfig control panel certificate from letsencrypt? self-signed? or a full, paid for certificate?
    what names currently exist on that certificate?

    you're trying to get certs you can use on postfix, what fqdn's are you going to use for mail?
    is there a vhost for them on the server that will host mail services?
    does the dns contain valid public ip addresses for them?
     
  15. Sheshman

    Sheshman Member

    ok;
    is your existing ispconfig control panel certificate from letsencrypt? self-signed? or a full, paid for certificate? -- using self signed certificates created during installation, i didn't add any other certificates after installation.

    what names currently exist on that certificate? -- FSC TEKNOLOJI

    you're trying to get certs you can use on postfix, what fqdn's are you going to use for mail? -- there are 3 domains installed on the server,but there is only one e-mail account which is [email protected]

    is there a vhost for them on the server that will host mail services? -- when i send mail from my gmail to [email protected] it reaches without any problem

    does the dns contain valid public ip addresses for them?--yes all 3 domains are accessible from all over the world.
     
  16. nhybgtvfr

    nhybgtvfr Active Member

    ok is mail.fscteknoloji.com a separate vhost to fscteknoloji.com, or an alias to it?
     
  17. Sheshman

    Sheshman Member

    is mail.fscteknoloji.com a separate vhost to fscteknoloji.com, or an alias to it? -- it's not an vhost i think, DNS wizard created that record and i didn't change anything since then.
     
  18. nhybgtvfr

    nhybgtvfr Active Member

    ok, but your mx record is set as mail.fscteknoloji.com, but unless you're configuring letsencrypt to use dns validation, you're not going to get a certificate for mail.fscteknoloji.com unless it exists within a working vhost configuration, either as the ServerName, or as a ServerAlias.
    and your server is displaying the default ispconfig home page for mail.fscteknoloji.com, it may be apache displaying another vhost's contents instead of the correct website.

    if it's an alias or subdomain of fscteknoloji.com then postfix can use the same certificate as the control panel, if it's a separate vhost, postfix and dovecot will have to use a separate certificate.

    on the live server, cd to /etc/apache2/sites-available

    run
    grep Servername *
    and
    grep ServerAlias *
    in there and post the contents of both here.
     
  19. Sheshman

    Sheshman Member

    grep Servername * -- returns nothing
    grep ServerAlias * -- returns;
    claribon.com.vhost: ServerAlias *.claribon.com
    fscteknoloji.com.vhost: ServerAlias *.fscteknoloji.com
    gorselpackaging.com.vhost: ServerAlias *.gorselpackaging.com
     
  20. Jesse Norell

    Jesse Norell ISPConfig Developer ISPConfig Developer

    ServerName should have an uppercase N. Running 'apachectl -S' should give the same info and a bit more.
     

Share This Page