Mailing List Archive

Apple + Outlook - Exim on 587 does not work - Solutions
Apple Macbook running Microsoft Outlook cannot connect to my exim
based mail relay system using port 587, authentication and TLS.

I've always had this problem, it just affects very few people....

A customer just asked again:-

> I am in the process of migrating to my Macbook – finally. We discussed
> this last year and I had an issue, for which I would like to find out
> whether there is a resolution.

> The issue concerns my e-mail settings. The incoming mail works
> perfectly, however the issue is with outgoing mail. If I set a fixed
> SMTP setting (e.g. smtp.dsl.telkomsa.net) then there is no problem,
> however this is not a workable solution as I travel extensively and thus
> use relay.vweb.co.za. I cannot get this to work with my Macbook and MS
> Outlook as there is no setting for TLS encryption in MS Outlook for Mac.
> (believe you me, I have looked extensively).

> Have you encountered this problem recently and, more importantly, do
> you have a suggestion for a workaround for me?

So, to reiterate - the mail server "relay.vweb.co.za" is using Gentoo Linux
and running exim (Exim version 4.89 #1 built 05-Oct-2017 13:48:15).

Users are stored in a MySQL Database. The machine doesn't deal with any
local e-mail accounts (that users then "POP3/IMAP") - it only should
accept e-mail to relay onwards from my customers. I use a real "Let's
Encrypt" certificate. I'm wondering if there is a solution using port
465 - like gmail.com uses?
It works (perfectly?) for any other client mail sending system with
587/Authentication/TLS-STARTTLS. I use DNSSEC and there is a DANE (TLSA)
record in the DNS. I run local virus scanning - etc - so outgoing email
from my clients should be reasonably clean.

Other bits that may be relevant...

tls_certificate = /etc/exim/relay.vweb.co.za.cert
daemon_smtp_ports = 25 : 465 : 587
tls_on_connect_ports = 465

begin acl
acl_check_rcpt:

  accept  authenticated = *
          control       = submission/sender_retain

(transport - I use outbound DNSSEC/DANE :-)
remote_smtp:
  driver = smtp
  dnssec_request_domains = *
  hosts_try_dane = *
  return_path = ${address:$reply_address}

(authenticators)
PLAIN:
  driver                     = plaintext
  public_name = PLAIN
  server_advertise_condition = ${if eq{$tls_cipher}{}{no}{yes}}

  server_prompts             = :

  server_condition = "${if and { \
                      {!eq{$auth2}{}} \
                      {!eq{$auth3}{}} \
                      {crypteq{$auth3}{${lookup mysql{SELECT \
                        encryptedpassword  FROM admin WHERE user='${quote_mysql:$auth2}' and \
                        status>2 and usertype='m' and smtpauth='y' }{$value}fail}} }} {yes}{no}}"
  server_set_id              = $auth2

status>2 - the user is in good standing
usertype='m' = this is an e-mail user
smtpauth='y' = this user is allowed to use the mail relay system

--
Mark James ELKINS - Posix Systems - (South) Africa
mje@posix.co.za Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Apple + Outlook - Exim on 587 does not work - Solutions
On 06/09/2018 12:58 PM, Mark Elkins via Exim-users wrote:
> Apple Macbook running Microsoft Outlook cannot connect to my exim
> based mail relay system using port 587, authentication and TLS.
>
[...]

> I cannot get this to work with my Macbook and MS
> Outlook as there is no setting for TLS encryption in MS Outlook for Mac.
> (believe you me, I have looked extensively).

https://support.office.com/en-us/article/IMAP-account-basic-settings-0A3F843D-D858-4527-BA0C-B57AEB83BF4E

mentions "Use SSL to connect" twice; once following "Incoming server"
and once following "Outgoing server".

It doesn't say whether it means STARTTLS or SSL-on-connect. In case
it's the latter, port 465 is the usual place for that; keep STARTTLS
on 587.
--
Cheers,
Jeremy

Re: Apple + Outlook - Exim on 587 does not work - Solutions
> On Jun 9, 2018, at 10:01 AM, Jeremy Harris via Exim-users <exim-users@exim.org> wrote:
>
>> I cannot get this to work with my Macbook and MS
>> Outlook as there is no setting for TLS encryption in MS Outlook for Mac.
>> (believe you me, I have looked extensively).
>
> https://support.office.com/en-us/article/IMAP-account-basic-settings-0A3F843D-D858-4527-BA0C-B57AEB83BF4E

Likewise the MacOS-specific advice at:

https://support.office.com/en-us/article/set-up-email-in-outlook-for-mac-2011-d7b404a0-6e18-4d95-bed8-2de7661563ca

says:

If the Add Account button is unavailable [i.e. no built-in
provider profile for the email address domain]:

• Enter the information about your account, including
the following required fields: User name, Type,
Incoming server, and Outgoing server. If your email
service requires Secure Sockets Layer (SSL) for either
the incoming or outgoing server, select the "Use SSL
to connect" check box for that server.

> mentions "Use SSL to connect" twice; once following "Incoming server"
> and once following "Outgoing server".
>
> It doesn't say whether it means STARTTLS or SSL-on-connect. In case
> it's the latter, port 465 is the usual place for that; keep STARTTLS
> on 587.

I would expect the "simplified" interfaces offered by recent consumer
MUAs to infer STARTTLS vs. SSL from 587 vs. 465, or to try both and
see which works. What could help most to resolve this is some logs
of this customer connecting to your server.

--
Viktor.

P.S. off-topic:

By the way, the OP mentions DANE, and in the DANE survey I
am only able to connect to the primary MX for posix.co.za
and related domains. The secondary appears to always be down.
Is that intentional?

posix.co.za. IN MX 0 mail.vweb.co.za.
posix.co.za. IN MX 10 secdns1.posix.co.za.
_25._tcp.mail.vweb.co.za. IN TLSA ( 3 1 1
71d52e8979130ef2 551779cca9444109
3983c49920aaa2bb 1aa1802c501daca3 )
; mail.vweb.co.za[192.96.24.1]: pass:
; TLSA match: depth = 0, name = mail.vweb.co.za
_25._tcp.secdns1.posix.co.za. IN TLSA ( 3 1 1
a82d33d63d9c4ace a043007041c0c998
39f1805e5755e54c 9d32ced02cc790ea )
; secdns1.posix.co.za[192.96.24.81]: connection refused
; secdns1.posix.co.za[2001:42a0::81]: connection refused

wweb.co.za. IN MX 0 pop.co.za.
wweb.co.za. IN MX 10 secdns1.posix.co.za.
_25._tcp.pop.co.za. IN TLSA ( 3 1 1
d2f7f61108a02129 4c6343c0a24505a4
e38b830033d2f739 35734055f7c8e9d8 )
; pop.co.za[192.96.24.70]: pass:
; TLSA match: depth = 0, name = pop.co.za
; pop.co.za[2001:42a0::70]: pass:
; TLSA match: depth = 0, name = pop.co.za
_25._tcp.secdns1.posix.co.za. IN TLSA ( 3 1 1
a82d33d63d9c4ace a043007041c0c998
39f1805e5755e54c 9d32ced02cc790ea )
; secdns1.posix.co.za[192.96.24.81]: connection refused
; secdns1.posix.co.za[2001:42a0::81]: connection refused


Re: Apple + Outlook - Exim on 587 does not work - Solutions
If I remember rightly Outlook tends to want to connect to port 465
using Implicit TLS. (Which RFC 8314 now makes the preferred choice,
reversing the previous recommendation. So anyone running AuthSMTP on port
587 only might want to review their setup and add 465 to it.)

Cheers,
Mike B-)

On Sat, 9 Jun 2018 at 15:10, Jeremy Harris via Exim-users <exim-users@exim.org> wrote:

> It doesn't say whether it means STARTTLS or SSL-on-connect. In case
> it's the latter, port 465 is the usual place for that; keep STARTTLS
> on 587.
> --
> Cheers,
> Jeremy


--
Systems Administrator & Change Manager
IT Services, University of York, Heslington, York YO10 5DD, UK
Tel: +44-(0)1904-323811

Web: www.york.ac.uk/it-services
Disclaimer: www.york.ac.uk/docs/disclaimer/email.htm
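
The STARTTLS-on-587 versus TLS-on-connect-on-465 distinction discussed in this thread, seen from the listener's side, as an added example that is not part of any list message. The port sets mirror the Exim settings posted above; the function names and the sample byte strings are constructed for illustration.

```python
# Added example, not code from the thread. Port sets mirror the posted Exim
# options; function names and sample bytes are constructed.
DAEMON_SMTP_PORTS = {25, 465, 587}   # daemon_smtp_ports = 25 : 465 : 587
TLS_ON_CONNECT_PORTS = {465}         # tls_on_connect_ports = 465

SMTP_VERBS = (b"EHLO", b"HELO", b"STARTTLS", b"AUTH",
              b"MAIL", b"QUIT", b"NOOP", b"RSET")


def classify_opening(data: bytes) -> str:
    """Classify the first bytes a client sends after the TCP connect."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        # TLS record header: content type 0x16 (handshake), version 3.x,
        # two length bytes; the first body byte 0x01 marks a ClientHello.
        if len(data) < 6 or data[5] == 0x01:
            return "tls-client-hello"
        return "unknown"
    if data[:8].upper().startswith(SMTP_VERBS):
        return "smtp-plaintext"
    return "unknown"


def diagnose(port: int, opening: bytes) -> str:
    """Say whether the client's opening matches what the listener expects."""
    if port not in DAEMON_SMTP_PORTS:
        return "no listener on this port"
    kind = classify_opening(opening)
    implicit = port in TLS_ON_CONNECT_PORTS
    if kind == "tls-client-hello":
        if implicit:
            return "ok: implicit TLS"
        return "mismatch: client starts TLS at once, listener expects EHLO then STARTTLS"
    if kind == "smtp-plaintext":
        if implicit:
            return "mismatch: client speaks plaintext, listener expects a TLS handshake"
        # The posted PLAIN authenticator is only advertised once $tls_cipher is set.
        return "ok: plaintext SMTP, STARTTLS must follow before AUTH"
    return "unrecognised opening"


# Constructed samples: a truncated TLS 1.0-framed ClientHello and an EHLO line.
CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01, 0x00, 0x00, 0x2B])
EHLO = b"ehlo macbook.example\r\n"

if __name__ == "__main__":
    for port, sample in [(587, CLIENT_HELLO), (465, CLIENT_HELLO), (587, EHLO)]:
        print(port, diagnose(port, sample))
```

A client whose "Use SSL to connect" box means TLS-on-connect produces the first case when pointed at 587 and the second when pointed at 465.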