Outlook on Android, Dovecot, Postfix

So after a weekend of work at least Outlook on Windows doesn’t complain about an invalid certificate now that I’ve replaced my self-signed with Let’s Encrypt. The main point of the effort was to try and get Outlook for Android to connect, although it appears to have a lot less ability to control the connection.

Outlook Windows works when I use TLS on port 143, or SSL on 993, although 993 doesn’t work with TLS. I even got RPA (require password authentication) to work for the first time ever. By default, Outlook for Android tries to use 993, I found out, but forcing it to 143 by specifying the port after the fqdn of the imap server doesn’t work either, although the port it tries to connect on does indeed change. It just times out with an unhelpful error message, and the mail.log file shows that it logged in and then out within a single second.

Specifying port 567 on the smtp fqdn results in an invalid certificate error (the only reason I feel justified in posting on this forum, other than I think the people here know what they’re talking about) and the mail log spews a lot of information that mentions my /etc/pam.d/smtp file might be missing. It is definitely not there, but I don’t know why I would need one for Android Outlook and not for Windows Outlook. I noticed that Windows Outlook used plain authentication while Android Outlook tried to use login authentication.

BTW, I also found out that despite the strong wi-fi connection on the same LAN as the server, the phone is connecting through the cellular network.

OS is Raspbian 9.1 stretch,

Here’s mail.log
```
Sep 24 20:32:54 mordor postfix/submission/smtpd[6294]: disconnect from unknown[52.184.163.226] unknown=0/3 commands=0/3
Sep 24 20:32:54 mordor postfix/submission/smtpd[6294]: connect from unknown[52.184.163.226]
Sep 24 20:32:54 mordor postfix/submission/smtpd[6294]: lost connection after UNKNOWN from unknown[52.184.163.226]
Sep 24 20:32:54 mordor postfix/submission/smtpd[6294]: disconnect from unknown[52.184.163.226] unknown=0/3 commands=0/3
Sep 24 20:32:54 mordor postfix/submission/smtpd[6294]: connect from unknown[52.184.163.226]
Sep 24 20:32:54 mordor postfix/submission/smtpd[6294]: setting up TLS connection from unknown[52.184.163.226]
Sep 24 20:32:54 mordor postfix/submission/smtpd[6294]: unknown[52.184.163.226]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
Sep 24 20:32:54 mordor postfix/submission/smtpd[6294]: SSL_accept:before SSL initialization
Sep 24 20:32:54 mordor postfix/submission/smtpd[6294]: SSL_accept:before SSL initialization
Sep 24 20:32:54 mordor postfix/submission/smtpd[6294]: SSL_accept:SSLv3/TLS read client hello
Sep 24 20:32:54 mordor postfix/submission/smtpd[6294]: SSL_accept:SSLv3/TLS write server hello
Sep 24 20:32:54 mordor postfix/submission/smtpd[6294]: SSL_accept:SSLv3/TLS write certificate
Sep 24 20:32:54 mordor postfix/submission/smtpd[6294]: SSL_accept:SSLv3/TLS write key exchange
Sep 24 20:32:54 mordor postfix/submission/smtpd[6294]: SSL_accept:SSLv3/TLS write server done
Sep 24 20:32:54 mordor postfix/submission/smtpd[6294]: SSL_accept:SSLv3/TLS write server done
Sep 24 20:32:54 mordor postfix/submission/smtpd[6294]: SSL_accept:SSLv3/TLS read client key exchange
Sep 24 20:32:54 mordor postfix/submission/smtpd[6294]: SSL_accept:SSLv3/TLS read change cipher spec
Sep 24 20:32:54 mordor postfix/submission/smtpd[6294]: SSL_accept:SSLv3/TLS read finished
Sep 24 20:32:54 mordor postfix/submission/smtpd[6294]: SSL_accept:SSLv3/TLS write change cipher spec
Sep 24 20:32:54 mordor postfix/submission/smtpd[6294]: SSL_accept:SSLv3/TLS write finished
Sep 24 20:32:54 mordor postfix/submission/smtpd[6294]: unknown[52.184.163.226]: save session 7455A8449A6FF7520DFFE560CFA2A5A82200F4C4280A369472AD851E0C3CDDD4&s=submission&l=269484143 to smtpd cache
Sep 24 20:32:54 mordor postfix/tlsmgr[4774]: put smtpd session id=7455A8449A6FF7520DFFE560CFA2A5A82200F4C4280A369472AD851E0C3CDDD4&s=submission&l=269484143 [data 147 bytes]
Sep 24 20:32:54 mordor postfix/tlsmgr[4774]: write smtpd TLS cache entry 7455A8449A6FF7520DFFE560CFA2A5A82200F4C4280A369472AD851E0C3CDDD4&s=submission&l=269484143: time=1506299574 [data 147 bytes]
Sep 24 20:32:54 mordor postfix/submission/smtpd[6294]: Anonymous TLS connection established from unknown[52.184.163.226]: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
Sep 24 20:32:56 mordor dovecot: auth-worker(6289): Error: pam(chris,52.184.163.226): pam_authenticate() failed: Authentication failure (/etc/pam.d/smtp missing?)
Sep 24 20:32:58 mordor postfix/submission/smtpd[6294]: warning: unknown[52.184.163.226]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 24 20:32:58 mordor postfix/submission/smtpd[6294]: lost connection after AUTH from unknown[52.184.163.226]
Sep 24 20:32:58 mordor postfix/submission/smtpd[6294]: disconnect from unknown[52.184.163.226] ehlo=2 starttls=1 auth=0/1 commands=3/4
Sep 24 20:34:41 mordor postfix/anvil[6144]: statistics: max connection rate 8/60s for (submission:23.101.148.179) at Sep 24 20:27:38
Sep 24 20:34:41 mordor postfix/anvil[6144]: statistics: max connection count 1 for (smtp:37.189.246.168) at Sep 24 20:24:41
Sep 24 20:34:41 mordor postfix/anvil[6144]: statistics: max cache size 2 at Sep 24 20:28:26
Sep 24 20:35:36 mordor postfix/smtpd[6314]: initializing the server-side TLS engine
Sep 24 20:35:36 mordor postfix/smtpd[6314]: warning: hostname ip-213-135-227-140.static.luxdsl.pt.lu does not resolve to address 213.135.227.140: Name or service not known
Sep 24 20:35:36 mordor postfix/smtpd[6314]: connect from unknown[213.135.227.140]
Sep 24 20:35:37 mordor postfix/smtpd[6314]: disconnect from unknown[213.135.227.140] helo=1 auth=0/1 quit=1 commands=2/3
Sep 24 20:38:57 mordor postfix/anvil[6144]: statistics: max connection rate 1/60s for (smtp:213.135.227.140) at Sep 24 20:35:36
Sep 24 20:38:57 mordor postfix/anvil[6144]: statistics: max connection count 1 for (smtp:213.135.227.140) at Sep 24 20:35:36
Sep 24 20:38:57 mordor postfix/anvil[6144]: statistics: max cache size 1 at Sep 24 20:35:36
Sep 24 20:39:11 mordor postfix/smtpd[6327]: initializing the server-side TLS engine
Sep 24 20:39:11 mordor postfix/smtpd[6327]: warning: hostname ip-213-135-227-140.static.luxdsl.pt.lu does not resolve to address 213.135.227.140: Name or service not known
Sep 24 20:39:11 mordor postfix/smtpd[6327]: connect from unknown[213.135.227.140]
Sep 24 20:39:12 mordor postfix/smtpd[6327]: disconnect from unknown[213.135.227.140] helo=1 auth=0/1 quit=1 commands=2/3
Sep 24 20:42:04 mordor postfix/tlsmgr[4774]: tlsmgr_cache_run_event: start TLS smtpd session cache cleanup
```

Can you provide the server name? That would allow people to help you by doing some manual investigation. Keep in mind that every certificate issued by Let’s Encrypt is logged publicly with the domain names, so hiding the domain won’t increase security much and only hurts with support.

Have a look at this chain as it's similar to what you have

I am going to assume your domain is: mail.ve3nrt.net as per your previous post

A) A gentle review of Port Numbers and how they should work

B) I can see you have port 587 and 993 open which are SMTP over SSL and IMAP over SSL

C) You should review the concept of STARTTLS as it will explain your observations below

> Outlook Windows works when I use TLS on port 143, or SSL on 993, although 993 doesn’t work with TLS. I even got RPA (require password authentication) to work for the first time ever. By default, Outlook for Android tries to use 993, I found out, but forcing it to 143 by specifying the port after the fqdn of the imap server doesn’t work either, although the port it tries to connect on does indeed change

Your observations are what I would expect to see from a mail server. My testing is below

SMTP on Port 25: No SSL Handshake with No starttls

SMTP on Port 25 with STARTTLS: Handshake

IMAP on Port 143: No SSL Handshake with no STARTTLS

IMAP on Port 143: SSL Handshake with STARTTLS

SMTPS on port 587 - Handshake with STARTTLS

SMTPS on port 587 - No Handshake with no STARTTLS

IMAPS on Port 993 - handshake with no STARTTLS flag

So where to next from here?

A) Have a look at the advice here: https://www.upcloud.com/support/secure-postfix-using-lets-encrypt/
B) Confirm your Android client supports STARTTLS (your current configuration requires this on all SMTP ports https://mxtoolbox.com/SuperTool.aspx?action=smtp%3Amail.ve3nrt.net+&run=toolpage)
C) I believe your Secure protocols are working however you seem to have authentication issues

```
84143: time=1506299574 [data 147 bytes]
Sep 24 20:32:54 mordor postfix/submission/smtpd[6294]: Anonymous TLS connection established from unknown[52.184.163.226]: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
Sep 24 20:32:56 mordor dovecot: auth-worker(6289): Error: pam(chris,52.184.163.226): pam_authenticate() failed: Authentication failure (/etc/pam.d/smtp missing?)
Sep 24 20:32:58 mordor postfix/submission/smtpd[6294]: warning: unknown[52.184.163.226]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 24 20:32:58 mordor postfix/submission/smtpd[6294]: lost connection after AUTH from unknown[52.184.163.226]
```

D) Check your Cipher Selection. You seem to opt for high ciphers (secure ones) which is good but may not work with your Android Client
E) Check what version of android you have and what ciphers it supports

Andrei
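
An added example (not part of the thread, and not Postfix or Dovecot code): a small parser that groups the log events quoted above by client IP and decodes the base64 token in the `SASL LOGIN authentication failed` line, which is the server's last LOGIN challenge and here decodes to `Password:`. The sample lines are copied from the mail.log in this thread; the function and field names are hypothetical.

```python
import base64
import re
from collections import defaultdict

# Sample input: lines copied from the mail.log excerpt posted in this thread.
SAMPLE_LOG = """\
Sep 24 20:32:54 mordor postfix/submission/smtpd[6294]: Anonymous TLS connection established from unknown[52.184.163.226]: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
Sep 24 20:32:56 mordor dovecot: auth-worker(6289): Error: pam(chris,52.184.163.226): pam_authenticate() failed: Authentication failure (/etc/pam.d/smtp missing?)
Sep 24 20:32:58 mordor postfix/submission/smtpd[6294]: warning: unknown[52.184.163.226]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 24 20:32:58 mordor postfix/submission/smtpd[6294]: disconnect from unknown[52.184.163.226] ehlo=2 starttls=1 auth=0/1 commands=3/4
Sep 24 20:35:37 mordor postfix/smtpd[6314]: disconnect from unknown[213.135.227.140] helo=1 auth=0/1 quit=1 commands=2/3
"""

TLS_RE = re.compile(r"TLS connection established from \S+\[([\d.]+)\]: (\S+) with cipher (\S+)")
PAM_RE = re.compile(r"pam\((\S+?),([\d.]+)\): pam_authenticate\(\) failed")
SASL_RE = re.compile(r"\S+\[([\d.]+)\]: SASL (\S+) authentication failed: (\S+)")
DISC_RE = re.compile(r"disconnect from \S+\[([\d.]+)\] (.+)$")

def decode_challenge(token):
    """Decode the base64 SASL challenge; return the raw token if it is not base64."""
    try:
        return base64.b64decode(token, validate=True).decode("ascii", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return token

def summarize(log_text):
    """Group TLS, PAM, SASL and disconnect events by client IP."""
    clients = defaultdict(dict)
    for line in log_text.splitlines():
        if m := TLS_RE.search(line):
            clients[m[1]].update(tls=m[2], cipher=m[3])
        elif m := PAM_RE.search(line):
            clients[m[2]]["pam_user"] = m[1]
        elif m := SASL_RE.search(line):
            clients[m[1]].update(mech=m[2], last_challenge=decode_challenge(m[3]))
        elif m := DISC_RE.search(line):
            # Counters look like "auth=0/1": successes/attempts for that command.
            counters = dict(kv.split("=") for kv in m[2].split())
            ok, _, tried = counters.get("auth", "0").partition("/")
            clients[m[1]].update(starttls="starttls" in counters,
                                 auth_ok=int(ok), auth_tried=int(tried or ok))
    return dict(clients)

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
```

For 52.184.163.226 the summary shows a completed TLSv1.2 handshake followed by a failed LOGIN attempt at the password step, which separates the authentication failure from the TLS setup.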

Thanks. As Andrei observed the server is ve3nrt.net. I will spend some time with the suggestions and replies here once I’ve exhausted all the possibilities or have it working. It’s the start of the work week so it will no doubt take several days.

Thank you everyone for your suggestions and pointers. The most painful part of this is every time I start testing the Android client makes me enter all the information again, including requiring the password to be entered 3 times.

Chris
