The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Gerald Vogt <vogt AT dkrz.de>]

On 08.11.18 12:10, Divisão de Rede/DTI/UFTM wrote:
> Good Morning, Connections on TCP / 25 port are allowed, but the 
> recommendations are the use of TCP / 587 TLS. Our perimeter firewall is

That is just wrong. Port 587 is used for mail submission, i.e. how your 
own users for your own domain submit mails into your mail system. A mail 
client of your users will use Port 587 for submission.

Mail submission on Port 587 MUST be authenticated according to RFC 6409, 
chapter 4.3. For that reason, it is impossible for anyone else to use 
the submission port 587 to send e-mails to your users. It is impossible 
for anyone else's mail server to authenticate with your mail server on 
port 587.

Mail transfer agents (MTA) use port 25 and that port must be open if you 
want to receive e-mails from anyone else out there in the world. No mail 
transfer agent will ever use port 587 unless you configure it 
specifically to do so.

Your mail server on mail.uftm.edu.br seems to be broken or extremely 
slow at least. It takes a few seconds until the greeting appears. Any 
SMTP command I have tried simply hangs there for minutes, e.g.

$ nc -v mail.uftm.edu.br 25
Connection to mail.uftm.edu.br 25 port [tcp/smtp] succeeded!
220 mail.uftm.edu.br ESMTP
EHLO mail.uftm.edu.br
^C

Your mail server should respond with its capabilities to the EHLO 
command. So it looks very much that your mail server is hanging after 
the initial greeting. Thus fix your mail server or possibly your 
firewall in case that's interrupting the connection. (The submission 
port 587 isn't any different).

Regards,

Gerald








> implemented GeoIP control of connections from China, Russia, India and 
> United Arab Emirates, as recommended by the manufacturer of the 
> SonicWall firewall. Please report domains or LANs to add firewall rules 
> to ignore GeoIP. graciously
>
> ___________________________________
> Jihann Resende Marques Fernandes
> Diretor da Divisão de Rede, Portaria: 337
> DOU: 108, quarta-feira, 8 de junho de 2016
> Universidade Federal do Triangulo Mineiro
> Departamento: Tecnologia da Informação
> Rua do Carmo, 143 - Bairro Abadia
> CEP: 38025-000 - Uberaba-MG
> 34 3700 6432
>
>
> Em ter, 30 de out de 2018 às 11:18, Stefan Winter 
> <stefan.winter AT restena.lu <mailto:stefan.winter AT restena.lu>> escreveu:
>
>     Hello,
>
>      > we are using the security connection in the number  port 587 with the
>      > TLS protocol in our server (mail.uftm.edu.br
>     <http://mail.uftm.edu.br>) because it's one the best
>      > practics of security in computer networking.
>
>     As stated, that is incorrect.
>
>     Submission (TCP/587) is the best practice for connections from a MUA to
>     an MTA (in other words, for mails sent from a end user computer/device
>     to a server which is willing to send my mail onwards across the planet).
>
>     MTA to MTA connections continue to run on SMTP (TCP/25). This is a
>     worldwide standard and hasn't changed since the early days of the
>     internet.
>
>     An MX record in DNS indicates that you run a MTA which is willing to
>     receive mails as sent from other MTAs on behalf of their users. This has
>     to happen on port 25.
>
>     As of recent, these connections have a best practice of doing STARTTLS
>     on port 25 (opportunistic hop-by-hop encrpytion). That's something we
>     test for in CAT and warn the end user that the mail is not encrypted if
>     STARTTLS is not supported.
>
>     If you care about receiving mail for your users from arbitrary third
>     parties, please do set up an MTA that is capable of receiving mails on
>     TCP/25.
>
>     This is becoming an off-topic discussion for this list. Please do not
>     continue this thread here.
>
>      > Too, we aren't using protocol IPV6 ( AAAA) in our enviroment.
>
>     That's what I saw and it's not the root cause of the "mail could not be
>     sent" error.
>
>      > Please, use the informations mencioned for new tests.
>
>     There is nothing to test. Your mail server is not or only sporadically
>     listening on port TCP/25. You need to change that.
>
>     For reference, I dug out our mail server logs from the original off-list
>     mail I sent to you, and the one from this morning when I wrote the mail
>     to the list with you in cc:
>
>     Oct 26 13:42:44 smtprelay postfix/smtp[11026]: Untrusted TLS connection
>     established to mail.uftm.edu.br
>     <http://mail.uftm.edu.br>[200.131.62.18]:25: TLSv1.2 with cipher
>     DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>     Oct 26 13:42:47 smtprelay postfix/smtp[11026]: BAED640BFF:
>     to=<humberto.parreira AT uftm.edu.br
>     <mailto:humberto.parreira AT uftm.edu.br>>,
>     relay=mail.uftm.edu.br <http://mail.uftm.edu.br>[200.131.62.18]:25,
>     delay=5.8,
>     delays=0.03/0/3.4/2.4, dsn=2.0.0, status=sent (250 Ok.
>     000000005BD2FDB6.00001BF7)
>
>     As you can see, your server *was* listening on port 25 as it should, and
>     the mail got through.
>
>     888FC40D76    14692 Tue Oct 30 09:42:01 stefan.winter AT restena.lu
>     <mailto:stefan.winter AT restena.lu>
>               (connect to mail.uftm.edu.br
>     <http://mail.uftm.edu.br>[200.131.62.18]:25: Connection
>     timed out)
>
>     And this time it was not.
>
>     Greetings,
>
>     Stefan Winter
>
>     -- 
>     Stefan WINTER
>     Ingenieur de Recherche
>     Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
>     de la Recherche
>     2, avenue de l'Université
>     L-4365 Esch-sur-Alzette
>
>     Tel: +352 424409 1
>     Fax: +352 422473
>
>     PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
>     recipient's key is known to me
>
>     http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
>
> To unsubscribe, send this message: 
> mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
> Or use the following link: 
> https://lists.geant.org/sympa/sigrequest/cat-users

--
Gerald Vogt
Energiemanagement
Abteilung Systeme

Deutsches Klimarechenzentrum GmbH (DKRZ)
Bundesstrasse 45a • D-20146 Hamburg • Germany

Phone:  +49 40 460094-127
Fax:    +49 40 460094-270
Email:  vogt AT dkrz.de
URL:    https://www.dkrz.de/

Geschäftsführer: Prof. Dr. Thomas Ludwig
Sitz der Gesellschaft: Hamburg
Amtsgericht Hamburg HRB 39784

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature