[opensuse] Can not send email using postfix on Bell, probably port 25 blocked.
Hi,
I can no longer send email "normally", I get:
status=deferred (connect to mail.gmx.es[212.227.17.174]:25: Connection timed out)
on all mail accounts. My guess that suddenly Bell figured out it should block me or port 25 outgoing. Stupid! :-(
So I told Thunderbird to send without using postfix, and that apparently works (if you see this, it works), but I want to keep using postfix. TH is using port 465, SSL/TLS, and password.
So, in "/etc/postfix/sender_relayhost" I change this entry:
robin.listas@gmx.es [mail.gmx.es]
to this:
robin.listas@gmx.es [mail.gmx.es]:submission
And then I get this on the log:
#<2.6> 2018-09-19 19:55:09 Legolas postfix 2044 - - SMTPS wrappermode (TCP port 465) requires setting "smtp_tls_wrappermode = yes", and "smtp_tls_security_level = encrypt" (or stronger)
So I do what it says, then I get this on the log:
<2.6> 2018-09-19 20:21:50 Legolas postfix 4065 - - C9A36E309E: to=<opensuse@opensuse.org>, relay=mail.gmx.es[212.227.17.174]:587, delay=13119, delays=13118/0.5/0.47/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
<2.6> 2018-09-19 20:21:50 Legolas postfix 4068 - - SSL_connect error to mail.gmx.es[212.227.17.184]:587: -1
<2.4> 2018-09-19 20:21:50 Legolas postfix 4068 - - warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:252:
<2.6> 2018-09-19 20:21:50 Legolas postfix 4068 - - 8AEF1E309F: to=<opensuse@opensuse.org>, relay=mail.gmx.es[212.227.17.184]:587, delay=12654, delays=12653/0.7/0.45/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
So what can I do? it seems a bug in a library, right?
-- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
19.09.2018 21:28, Carlos E. R. wrote:
Hi,
I can no longer send email "normally", I get:
status=deferred (connect to mail.gmx.es[212.227.17.174]:25: Connection timed out)
on all mail accounts. My guess that suddenly Bell figured out it should block me or port 25 outgoing. Stupid! :-(
So I told Thunderbird to send without using postfix, and that apparently works (if you see this, it works), but I want to keep using postfix. TH is using port 465, SSL/TLS, and password.
So, in "/etc/postfix/sender_relayhost" I change this entry:
robin.listas@gmx.es [mail.gmx.es]
to this:
robin.listas@gmx.es [mail.gmx.es]:submission
submission is port 587, not 465.
And then I get this on the log:
#<2.6> 2018-09-19 19:55:09 Legolas postfix 2044 - - SMTPS wrappermode (TCP port 465) requires setting "smtp_tls_wrappermode = yes", and "smtp_tls_security_level = encrypt" (or stronger)
So I do what it says, then I get this on the log:
<2.6> 2018-09-19 20:21:50 Legolas postfix 4065 - - C9A36E309E: to=<opensuse@opensuse.org>, relay=mail.gmx.es[212.227.17.174]:587, delay=13119, delays=13118/0.5/0.47/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
<2.6> 2018-09-19 20:21:50 Legolas postfix 4068 - - SSL_connect error to mail.gmx.es[212.227.17.184]:587: -1
<2.4> 2018-09-19 20:21:50 Legolas postfix 4068 - - warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:252:
<2.6> 2018-09-19 20:21:50 Legolas postfix 4068 - - 8AEF1E309F: to=<opensuse@opensuse.org>, relay=mail.gmx.es[212.227.17.184]:587, delay=12654, delays=12653/0.7/0.45/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
So what can I do? it seems a bug in a library, right?
On 19/09/2018 14.43, Andrei Borzenkov wrote:
19.09.2018 21:28, Carlos E. R. wrote:
Hi,
I can no longer send email "normally", I get:
status=deferred (connect to mail.gmx.es[212.227.17.174]:25: Connection timed out)
on all mail accounts. My guess that suddenly Bell figured out it should block me or port 25 outgoing. Stupid! :-(
So I told Thunderbird to send without using postfix, and that apparently works (if you see this, it works), but I want to keep using postfix. TH is using port 465, SSL/TLS, and password.
So, in "/etc/postfix/sender_relayhost" I change this entry:
robin.listas@gmx.es [mail.gmx.es]
to this:
robin.listas@gmx.es [mail.gmx.es]:submission
submission is port 587, not 465.
I know. But look at the log entry below:
And then I get this on the log:
#<2.6> 2018-09-19 19:55:09 Legolas postfix 2044 - - SMTPS wrappermode (TCP port 465) requires setting "smtp_tls_wrappermode = yes", and "smtp_tls_security_level = encrypt" (or stronger)
I read that as it is in fact using port 465.
However, you are right: If I edit the config to :465, it works. :-o
-- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
On 19/09/2018 14.43, Andrei Borzenkov wrote:
19.09.2018 21:28, Carlos E. R. wrote:
Hi,
I can no longer send email "normally", I get:
status=deferred (connect to mail.gmx.es[212.227.17.174]:25: Connection timed out)
on all mail accounts. My guess that suddenly Bell figured out it should block me or port 25 outgoing. Stupid! :-(
So I told Thunderbird to send without using postfix, and that apparently works (if you see this, it works), but I want to keep using postfix. TH is using port 465, SSL/TLS, and password.
So, in "/etc/postfix/sender_relayhost" I change this entry:
robin.listas@gmx.es [mail.gmx.es]
to this:
robin.listas@gmx.es [mail.gmx.es]:submission
submission is port 587, not 465.
I know. But look at the log entry below:
And then I get this on the log:
#<2.6> 2018-09-19 19:55:09 Legolas postfix 2044 - - SMTPS wrappermode (TCP port 465) requires setting "smtp_tls_wrappermode = yes", and "smtp_tls_security_level = encrypt" (or stronger)
I read that as it is in fact using port 465.
However, you are right: If I edit the config to :465, it works. :-o
[...]
Well, it works to send the mails in the queue, it is halting with mails sent from Thunderbird to Postfix:
<2.6> 2018-09-19 21:30:13 Legolas postfix 11876 - - connect from localhost[::1]
<2.6> 2018-09-19 21:30:14 Legolas postfix 11876 - - 8DAC5E309C: client=localhost[::1]
<2.6> 2018-09-19 21:30:14 Legolas postfix 11879 - - 8DAC5E309C: message-id=<21341d87-6961-3985-fb3d-c792bd369ea1@gmx.es>
<2.6> 2018-09-19 21:30:14 Legolas postfix 11715 - - 8DAC5E309C: from=<robin.listas@gmx.es>, size=2146, nrcpt=1 (queue active)
<2.6> 2018-09-19 21:30:14 Legolas postfix 11876 - - disconnect from localhost[::1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
<2.6> 2018-09-19 21:30:15 Legolas postfix 11880 - - SSL_connect error to 127.0.0.1[127.0.0.1]:10024: -1
<2.4> 2018-09-19 21:30:15 Legolas postfix 11880 - - warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:252:
<2.6> 2018-09-19 21:30:15 Legolas postfix 11880 - - 8DAC5E309C: to=<opensuse@opensuse.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.49, delays=0.08/0.19/0.22/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
<2.6> 2018-09-19 21:30:15 Legolas dovecot - - - imap(cer)<10969><z7PQHj52zKwAAAAAAAAAAAAAAAAAAAAB>: Connection closed (noop finished 0.444 secs ago) in=2984 out=823237 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=290 body_count=0 body_bytes=0
<2.6> 2018-09-19 21:30:26 Legolas dovecot - - - imap-login: Login: user=<cer>, method=PLAIN, rip=::1, lip=::1, mpid=11889, TLS, session=<BrYxcD52cq0AAAAAAAAAAAAAAAAAAAAB>
These settings are needed:
smtp_tls_security_level = encrypt
smtp_sasl_tls_security_options = noanonymous
smtp_tls_wrappermode = yes
Otherwise I get:
#<2.6> 2018-09-19 19:55:09 Legolas postfix 2044 - - SMTPS wrappermode (TCP port 465) requires setting "smtp_tls_wrappermode = yes", and "smtp_tls_security_level = encrypt" (or stronger)
But if I do, then I get the errors above.
If I change the settings one or the other way, and restart postfix each time, I can get mail to get sent. Ie, edit, change, restart, sendmail -q, edit, change, restart, sendmail -q.
So the current problem is:
<2.6> 2018-09-19 21:42:09 Legolas postfix 12405 - - connect from localhost[::1]
<2.6> 2018-09-19 21:42:09 Legolas postfix 12405 - - 45851E309C: client=localhost[::1]
<2.6> 2018-09-19 21:42:09 Legolas postfix 12407 - - 45851E309C: message-id=<2c3b1602-518a-f788-b8c2-ef49d43b57c8@gmx.es>
<2.6> 2018-09-19 21:42:09 Legolas postfix 12331 - - 45851E309C: from=<robin.listas@gmx.es>, size=680, nrcpt=1 (queue active)
<2.6> 2018-09-19 21:42:09 Legolas postfix 12405 - - disconnect from localhost[::1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
<2.6> 2018-09-19 21:42:09 Legolas postfix 12408 - - SSL_connect error to 127.0.0.1[127.0.0.1]:10024: -1
<2.4> 2018-09-19 21:42:09 Legolas postfix 12408 - - warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:252:
<2.6> 2018-09-19 21:42:09 Legolas postfix 12408 - - 45851E309C: to=<opensuse-test@opensuse.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.21, delays=0.1/0.1/0.01/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
<2.6> 2018-09-19 21:42:10 Legolas dovecot - - - imap(cer)<11889><BrYxcD52cq0AAAAAAAAAAAAAAAAAAAAB>: Connection closed (noop finished 0.532 secs ago) in=1247 out=824289 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=480 body_count=1 body_bytes=1965
using:
smtp_tls_security_level = encrypt
smtp_sasl_tls_security_options = noanonymous
smtp_tls_wrappermode = yes
robin.listas@gmx.es [mail.gmx.es]:465
-- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
19.09.2018 22:47, Carlos E. R. wrote:
On 19/09/2018 14.43, Andrei Borzenkov wrote:
19.09.2018 21:28, Carlos E. R. wrote:
Hi,
I can no longer send email "normally", I get:
status=deferred (connect to mail.gmx.es[212.227.17.174]:25: Connection timed out)
on all mail accounts. My guess that suddenly Bell figured out it should block me or port 25 outgoing. Stupid! :-(
So I told Thunderbird to send without using postfix, and that apparently works (if you see this, it works), but I want to keep using postfix. TH is using port 465, SSL/TLS, and password.
So, in "/etc/postfix/sender_relayhost" I change this entry:
robin.listas@gmx.es [mail.gmx.es]
to this:
robin.listas@gmx.es [mail.gmx.es]:submission
submission is port 587, not 465.
I know.
But look at the log entry below:
And then I get this on the log:
#<2.6> 2018-09-19 19:55:09 Legolas postfix 2044 - - SMTPS wrappermode (TCP port 465) requires setting "smtp_tls_wrappermode = yes", and "smtp_tls_security_level = encrypt" (or stronger)
I read that as it is in fact using port 465.
However, you are right: If I edit the config to :465, it works. :-o
[...]
Well, it works to send the mails in the queue, it is halting with mails sent from Thunderbird to Postfix:
<2.6> 2018-09-19 21:30:13 Legolas postfix 11876 - - connect from localhost[::1]
<2.6> 2018-09-19 21:30:14 Legolas postfix 11876 - - 8DAC5E309C: client=localhost[::1]
<2.6> 2018-09-19 21:30:14 Legolas postfix 11879 - - 8DAC5E309C: message-id=<21341d87-6961-3985-fb3d-c792bd369ea1@gmx.es>
<2.6> 2018-09-19 21:30:14 Legolas postfix 11715 - - 8DAC5E309C: from=<robin.listas@gmx.es>, size=2146, nrcpt=1 (queue active)
<2.6> 2018-09-19 21:30:14 Legolas postfix 11876 - - disconnect from localhost[::1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
<2.6> 2018-09-19 21:30:15 Legolas postfix 11880 - - SSL_connect error to 127.0.0.1[127.0.0.1]:10024: -1
<2.4> 2018-09-19 21:30:15 Legolas postfix 11880 - - warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:252:
<2.6> 2018-09-19 21:30:15 Legolas postfix 11880 - - 8DAC5E309C: to=<opensuse@opensuse.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.49, delays=0.08/0.19/0.22/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
Well, you configured postfix SMTP client to use SMTPS which presumably also applies to internal connection. So you need to also enable SMTPS in server internally or configure postfix to use SMTPS only for outgoing relay.
<2.6> 2018-09-19 21:30:15 Legolas dovecot - - - imap(cer)<10969><z7PQHj52zKwAAAAAAAAAAAAAAAAAAAAB>: Connection closed (noop finished 0.444 secs ago) in=2984 out=823237 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=290 body_count=0 body_bytes=0
<2.6> 2018-09-19 21:30:26 Legolas dovecot - - - imap-login: Login: user=<cer>, method=PLAIN, rip=::1, lip=::1, mpid=11889, TLS, session=<BrYxcD52cq0AAAAAAAAAAAAAAAAAAAAB>
These settings are needed:
smtp_tls_security_level = encrypt
smtp_sasl_tls_security_options = noanonymous
smtp_tls_wrappermode = yes
Otherwise I get:
#<2.6> 2018-09-19 19:55:09 Legolas postfix 2044 - - SMTPS wrappermode (TCP port 465) requires setting "smtp_tls_wrappermode = yes", and "smtp_tls_security_level = encrypt" (or stronger)
But if I do, then I get the errors above.
If I change the settings one or the other way, and restart postfix each time, I can get mail to get sent. Ie, edit, change, restart, sendmail -q, edit, change, restart, sendmail -q.
So the current problem is:
<2.6> 2018-09-19 21:42:09 Legolas postfix 12405 - - connect from localhost[::1]
<2.6> 2018-09-19 21:42:09 Legolas postfix 12405 - - 45851E309C: client=localhost[::1]
<2.6> 2018-09-19 21:42:09 Legolas postfix 12407 - - 45851E309C: message-id=<2c3b1602-518a-f788-b8c2-ef49d43b57c8@gmx.es>
<2.6> 2018-09-19 21:42:09 Legolas postfix 12331 - - 45851E309C: from=<robin.listas@gmx.es>, size=680, nrcpt=1 (queue active)
<2.6> 2018-09-19 21:42:09 Legolas postfix 12405 - - disconnect from localhost[::1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
<2.6> 2018-09-19 21:42:09 Legolas postfix 12408 - - SSL_connect error to 127.0.0.1[127.0.0.1]:10024: -1
<2.4> 2018-09-19 21:42:09 Legolas postfix 12408 - - warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:252:
<2.6> 2018-09-19 21:42:09 Legolas postfix 12408 - - 45851E309C: to=<opensuse-test@opensuse.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.21, delays=0.1/0.1/0.01/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
<2.6> 2018-09-19 21:42:10 Legolas dovecot - - - imap(cer)<11889><BrYxcD52cq0AAAAAAAAAAAAAAAAAAAAB>: Connection closed (noop finished 0.532 secs ago) in=1247 out=824289 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=480 body_count=1 body_bytes=1965
using:
smtp_tls_security_level = encrypt
smtp_sasl_tls_security_options = noanonymous
smtp_tls_wrappermode = yes
robin.listas@gmx.es [mail.gmx.es]:465
On 19/09/2018 16.10, Andrei Borzenkov wrote:
19.09.2018 22:47, Carlos E. R. wrote:
...
<2.6> 2018-09-19 21:30:13 Legolas postfix 11876 - - connect from localhost[::1]
<2.6> 2018-09-19 21:30:14 Legolas postfix 11876 - - 8DAC5E309C: client=localhost[::1]
<2.6> 2018-09-19 21:30:14 Legolas postfix 11879 - - 8DAC5E309C: message-id=<21341d87-6961-3985-fb3d-c792bd369ea1@gmx.es>
<2.6> 2018-09-19 21:30:14 Legolas postfix 11715 - - 8DAC5E309C: from=<robin.listas@gmx.es>, size=2146, nrcpt=1 (queue active)
<2.6> 2018-09-19 21:30:14 Legolas postfix 11876 - - disconnect from localhost[::1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
<2.6> 2018-09-19 21:30:15 Legolas postfix 11880 - - SSL_connect error to 127.0.0.1[127.0.0.1]:10024: -1
<2.4> 2018-09-19 21:30:15 Legolas postfix 11880 - - warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:252:
<2.6> 2018-09-19 21:30:15 Legolas postfix 11880 - - 8DAC5E309C: to=<opensuse@opensuse.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.49, delays=0.08/0.19/0.22/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
Well, you configured postfix SMTP client to use SMTPS which presumably also applies to internal connection. So you need to also enable SMTPS in server internally or configure postfix to use SMTPS only for outgoing relay.
"postfix SMTP client" is Thunderbird?
No, it is configured to use port 25.
I only told it to connect to [mail.gmx.es] using port 465, I did not tell it to change anything else.
Then the thing demanded I do:
smtp_tls_security_level = encrypt
smtp_sasl_tls_security_options = noanonymous
smtp_tls_wrappermode = yes
which I did, then it complained about a library version problem:
SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:252:
This entry in the log "relay=127.0.0.1[127.0.0.1]:10024" is related to amavis. Amavis is listening on that port:
/etc/amavisd.conf:
$inet_socket_port = 10024; # listen on this local TCP port(s)
Why on earth are the changes needed for the external ISP GMX.ES affecting the internal amavis handling?
Otherwise, how on earth do I configure postfix to send to gmx.es using port 465 properly without affecting the rest?
Surely people on this continent using the daft Bell network must do something?
-- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
19.09.2018 23:36, Carlos E. R. wrote:
On 19/09/2018 16.10, Andrei Borzenkov wrote:
19.09.2018 22:47, Carlos E. R. wrote:
...
<2.6> 2018-09-19 21:30:13 Legolas postfix 11876 - - connect from localhost[::1]
<2.6> 2018-09-19 21:30:14 Legolas postfix 11876 - - 8DAC5E309C: client=localhost[::1]
<2.6> 2018-09-19 21:30:14 Legolas postfix 11879 - - 8DAC5E309C: message-id=<21341d87-6961-3985-fb3d-c792bd369ea1@gmx.es>
<2.6> 2018-09-19 21:30:14 Legolas postfix 11715 - - 8DAC5E309C: from=<robin.listas@gmx.es>, size=2146, nrcpt=1 (queue active)
<2.6> 2018-09-19 21:30:14 Legolas postfix 11876 - - disconnect from localhost[::1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
<2.6> 2018-09-19 21:30:15 Legolas postfix 11880 - - SSL_connect error to 127.0.0.1[127.0.0.1]:10024: -1
<2.4> 2018-09-19 21:30:15 Legolas postfix 11880 - - warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:252:
<2.6> 2018-09-19 21:30:15 Legolas postfix 11880 - - 8DAC5E309C: to=<opensuse@opensuse.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.49, delays=0.08/0.19/0.22/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
Well, you configured postfix SMTP client to use SMTPS which presumably also applies to internal connection. So you need to also enable SMTPS in server internally or configure postfix to use SMTPS only for outgoing relay.
"postfix SMTP client" is Thunderbird?
"postfix SMTP client" is exactly what it is - "postfix SMTP client". TB has no problems submitting mail to postfix because it talks to server, not client.
No, it is configured to use port 25.
I only told it to connect to [mail.gmx.es] using port 465, I did not tell it to change anything else.
Oh, really? So you did not set these options below?
Then the thing demanded I do:
smtp_tls_security_level = encrypt
smtp_sasl_tls_security_options = noanonymous
smtp_tls_wrappermode = yes
which I did,
So you did say that postfix must use explicit SSL when initiating SMTP connection, didn't you?
then it complained about a library version problem:
SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:252:
Where the hell do you see *LIBRARY* version here? It says that it got wrong SSL version which is of course true because it did not get SSL reply in the first place.
This entry in the log "relay=127.0.0.1[127.0.0.1]:10024" is related to amavis. Amavis is listening on that port:
/etc/amavisd.conf:
$inet_socket_port = 10024; # listen on this local TCP port(s)
I presume postfix is using SMTP to speak with amavis.
Why on earth are the changes needed for the external ISP GMX.ES affecting the internal amavis handling?
Why on earth don't you even try to understand the meaning of what you do? You change global postfix behavior and then you are surprised that it strikes back?
Otherwise, how on earth do I configure postfix to send to gmx.es using port 465 properly without affecting the rest?
You may define additional transport with explicit SMTPS and use it instead of "relay" for outgoing mail. Something like (untested)
/etc/postfix/master.cf:
    relay-smtps unix - - n - - smtp
        # Client-side SMTPS requires "encrypt" or stronger.
        -o smtp_tls_security_level=encrypt
        -o smtp_tls_wrappermode=yes
/etc/postfix/main.cf:
    relay_transport = relay-smtps
There are likely a lot of different ways how it can be achieved depending on how complicated your configuration is.
Surely people on this continent using the daft Bell network must do something?
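The "wrong version number" diagnosis discussed in the message above, as an added example (not code from the thread or from Postfix): it pairs each warning in the thread's own log lines with the relay the same smtp process dialled, and shows why a plaintext SMTP greeting fails a TLS record-header check. The "220 ..." banner, the function names and the hint texts are assumptions made for illustration, and the header check is a simplified model rather than OpenSSL's code.

```python
import ipaddress
import re

# Log lines copied from this thread.
SAMPLE_LOG = """\
<2.6> 2018-09-19 20:21:50 Legolas postfix 4068 - - SSL_connect error to mail.gmx.es[212.227.17.184]:587: -1
<2.4> 2018-09-19 20:21:50 Legolas postfix 4068 - - warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:252:
<2.6> 2018-09-19 21:30:14 Legolas postfix 11876 - - disconnect from localhost[::1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
<2.6> 2018-09-19 21:30:15 Legolas postfix 11880 - - SSL_connect error to 127.0.0.1[127.0.0.1]:10024: -1
<2.4> 2018-09-19 21:30:15 Legolas postfix 11880 - - warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:252:
"""

# "postfix <pid> - - <message>" as it appears in these syslog lines.
LINE_RE = re.compile(r"postfix (\d+) - - (.*)$")
# "SSL_connect error to host[ip]:port:" names the peer that was dialled.
CONNECT_RE = re.compile(r"SSL_connect error to (\S+?)\[([^\]]+)\]:(\d+):")


def read_as_tls_record(first_bytes):
    """Read a peer's first bytes the way a TLS client has to: as a record header."""
    if len(first_bytes) < 5:
        raise ValueError("a TLS record header is 5 bytes")
    content_type, major, minor = first_bytes[0], first_bytes[1], first_bytes[2]
    length = int.from_bytes(first_bytes[3:5], "big")
    # Every SSLv3/TLS record carries major version 3 (simplified model of the check).
    verdict = "tls record" if major == 3 else "wrong version number"
    return {"type": content_type, "version": (major, minor),
            "length": length, "verdict": verdict}


def hint_for(ip, port):
    """Hypothetical triage hints based on where the failing connection went."""
    if ipaddress.ip_address(ip).is_loopback:
        return "internal hop: scope wrappermode to the outbound transport"
    if port == 587:
        return "port 587 expects STARTTLS: use 465 for wrappermode"
    return "peer answered in plaintext: check which TLS mode it offers"


def find_wrappermode_mismatches(log_text):
    """Pair each 'wrong version number' warning with the relay its process dialled."""
    last_peer = {}  # pid -> (host, ip, port) from the latest SSL_connect error
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, message = m.group(1), m.group(2)
        peer = CONNECT_RE.search(message)
        if peer:
            last_peer[pid] = (peer.group(1), peer.group(2), int(peer.group(3)))
        elif "wrong version number" in message and pid in last_peer:
            host, ip, port = last_peer.pop(pid)
            findings.append({"pid": pid, "relay": f"{host}[{ip}]:{port}",
                             "hint": hint_for(ip, port)})
    return findings


if __name__ == "__main__":
    # Constructed banner: what a plaintext SMTP listener sends first.
    print(read_as_tls_record(b"220 mail.example ESMTP\r\n"))
    for finding in find_wrappermode_mismatches(SAMPLE_LOG):
        print(finding)
```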
Carlos E. R. wrote:
I only told it to connect to [mail.gmx.es] using port 465, I did not tell it to change anything else.
Then the thing demanded I do:
smtp_tls_security_level = encrypt
smtp_sasl_tls_security_options = noanonymous
smtp_tls_wrappermode = yes
which I did, then it complained about a library version problem:
As Andrei has explained, you have changed the global settings for the postfix smtp client. These will also be applied internally, e.g. for amavisd.
Why on earth are the changes needed for the external ISP GMX.ES affecting the internal amavis handling?
Well, you changed it globally, so they affect everything.
Otherwise, how on earth do I configure postfix to send to gmx.es using port 465 properly without affecting the rest? Surely people on this continent using the daft Bell network must do something?
Restricting port 25 and asking people to use port 587 for mail submission has been standard ISP practice for years and years.
I would suggest you forget about SMTPS and port 465, and instead use port 587 with STARTTLS. I haven't double checked, but I think this ought to be sufficient:
smtp_sasl_auth_enable = yes
smtp_sender_dependent_authentication = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_security_level = none
"smtp_tls_security_level = none" will be overwritten by smtp_tls_policy_maps, and I think "smtp_sender_dependent_authentication = yes" will do the same.
/etc/postfix/sasl_passwd :
<> userid:pwd
@gmx.es userid:pwd
etcetera
-- Per Jessen, Zürich (17.5°C) http://www.dns24.ch/ - your free DNS host, made in Switzerland.
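The "changed it globally, so they affect everything" point from the two replies above, as an added example (not code from the thread or from Postfix): it computes the effective smtp_tls_wrappermode for each master.cf transport, where a main.cf value applies to every smtp client service unless a "-o" override replaces it. The transport name smtp-amavis, the routes tables and both config texts are constructed assumptions; only the three settings, the relay-smtps entry and the two destinations come from the thread.

```python
import ipaddress

# Constructed main.cf: the thread's settings applied globally.
GLOBAL_MAIN_CF = """\
smtp_tls_security_level = encrypt
smtp_sasl_tls_security_options = noanonymous
smtp_tls_wrappermode = yes
"""
# Constructed master.cf: "smtp-amavis" is an assumed name for the amavis hop.
PLAIN_MASTER_CF = """\
smtp        unix  -  -  n  -  -  smtp
smtp-amavis unix  -  -  n  -  2  smtp
"""
# Constructed alternative: wrappermode only on a dedicated outbound transport.
SCOPED_MAIN_CF = "smtp_sasl_tls_security_options = noanonymous\n"
SCOPED_MASTER_CF = PLAIN_MASTER_CF + """\
relay-smtps unix  -  -  n  -  -  smtp
    # Client-side SMTPS requires "encrypt" or stronger.
    -o smtp_tls_security_level=encrypt
    -o smtp_tls_wrappermode=yes
"""


def parse_main_cf(text):
    """Parse 'name = value' lines; comments and blank lines are skipped."""
    params = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def parse_master_cf(text):
    """Return {service: {"command": str, "overrides": {name: value}}}."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split()
        if not line[0].isspace():  # new service entry: 8 columns, then arguments
            current = services[fields[0]] = {"command": fields[7], "overrides": {}}
            fields = fields[8:]
        # "-o name=value" may sit on the service line or on continuation lines.
        for flag, arg in zip(fields, fields[1:]):
            if flag == "-o" and current is not None:
                name, _, value = arg.partition("=")
                current["overrides"][name] = value
    return services


def effective(name, service, main_cf, master_cf, default="no"):
    """master.cf -o override first, then main.cf, then the built-in default."""
    return master_cf[service]["overrides"].get(name, main_cf.get(name, default))


def is_loopback(nexthop):
    """nexthop looks like '[host]:port'; hostnames are treated as non-loopback."""
    host = nexthop.rsplit(":", 1)[0].strip("[]")
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def wrappermode_leaks(main_cf_text, master_cf_text, routes):
    """routes: {transport: nexthop}. Return loopback hops that get implicit TLS."""
    main_cf, master_cf = parse_main_cf(main_cf_text), parse_master_cf(master_cf_text)
    leaks = []
    for transport, nexthop in routes.items():
        if master_cf[transport]["command"] != "smtp":
            continue  # smtp_* parameters only apply to the smtp client
        wrapped = effective("smtp_tls_wrappermode", transport, main_cf, master_cf)
        if wrapped == "yes" and is_loopback(nexthop):
            leaks.append((transport, nexthop))
    return leaks


if __name__ == "__main__":
    amavis = "[127.0.0.1]:10024"
    print(wrappermode_leaks(GLOBAL_MAIN_CF, PLAIN_MASTER_CF,
                            {"smtp": "[mail.gmx.es]:465", "smtp-amavis": amavis}))
    print(wrappermode_leaks(SCOPED_MAIN_CF, SCOPED_MASTER_CF,
                            {"relay-smtps": "[mail.gmx.es]:465", "smtp-amavis": amavis}))
```

How mail is routed to each transport is left as input here, since the thread does not show that part of the configuration.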
On 20/09/2018 02.48, Per Jessen wrote:
Carlos E. R. wrote:
I only told it to connect to [mail.gmx.es] using port 465, I did not tell it to change anything else.
Then the thing demanded I do:
smtp_tls_security_level = encrypt
smtp_sasl_tls_security_options = noanonymous
smtp_tls_wrappermode = yes
which I did, then it complained about a library version problem:
As Andrei has explained, you have changed the global settings for the postfix smtp client. These will also be applied internally, e.g. for amavisd.
Why on earth are the changes needed for the external ISP GMX.ES affecting the internal amavis handling?
Well, you changed it globally, so they affect everything.
Otherwise, how on earth do I configure postfix to send to gmx.es using port 465 properly without affecting the rest? Surely people on this continent using the daft Bell network must do something?
Restricting port 25 and asking people to use port 587 for mail submission has been standard ISP practice for years and years.
Not in Spain. They don't block anything. Freedom, you know? ;-p
I would suggest you forget about SMTPS and port 465, and instead use port 587 with STARTTLS.
I tried submission first, and it failed.
The automatic configuration with Thunderbird uses 465, and Andrei said submission is not 465. So I did what he said, which provoked other worse errors :-(
Anyway, I got it working, see my previous post :-)
Except on Telefonica, they do not allow submission, use 25 instead.
-- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
Carlos E. R. wrote:
On 20/09/2018 02.48, Per Jessen wrote:
Carlos E. R. wrote:
I only told it to connect to [mail.gmx.es] using port 465, I did not tell it to change anything else.
Then the thing demanded I do:
smtp_tls_security_level = encrypt
smtp_sasl_tls_security_options = noanonymous
smtp_tls_wrappermode = yes
which I did, then it complained about a library version problem:
As Andrei has explained, you have changed the global settings for the postfix smtp client. These will also be applied internally, e.g. for amavisd.
Why on earth are the changes needed for the external ISP GMX.ES affecting the internal amavis handling?
Well, you changed it globally, so they affect everything.
Otherwise, how on earth do I configure postfix to send to gmx.es using port 465 properly without affecting the rest? Surely people on this continent using the daft Bell network must do something?
Restricting port 25 and asking people to use port 587 for mail submission has been standard ISP practice for years and years.
Not in Spain. They don't block anything. Freedom, you know? ;-p
Do they not block port 25 to other than their own networks? That is what usually happens - outbound port 25 to other networks is blocked, and the standard support answer is 'use port 587'.
I tried submission first, and it failed.
The automatic configuration with Thunderbird uses 465, and Andrei said submission is not 465.
Except on Telefonica, they do not allow submission, use 25 instead.
If they don't do any hosting and only service their own customers on their own networks, that is a safe setup.
-- Per Jessen, Zürich (25.0°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On 20/09/2018 09.37, Per Jessen wrote:
Carlos E. R. wrote:
On 20/09/2018 02.48, Per Jessen wrote:
Carlos E. R. wrote:
Restricting port 25 and asking people to use port 587 for mail submission has been standard ISP practice for years and years.
Not in Spain. They don't block anything. Freedom, you know? ;-p
Do they not block port 25 to other than their own networks? That is what usually happens - outbound port 25 to other networks is blocked, and the standard support answer is 'use port 587'.
Telefonica blocks nothing, and their standard support answer is to use 25. The 587 is not supported, which is why I can not post now from Canada using Telefonica:
<2.6> 2018-09-20 15:27:18 Legolas postfix 7791 - - connect to smtp.telefonica.net[86.109.99.70]:587: Connection timed out
<2.6> 2018-09-20 15:27:18 Legolas postfix 7791 - - B3DBCE7AFA: to=<opensuse-test@opensuse.org>, relay=none, delay=30, delays=0.01/0.12/30/0, dsn=4.4.1, status=deferred (connect to smtp.telefonica.net[86.109.99.70]:587: Connection timed out)
(and they use postfix now)
For years I have been sending mail on port 25 to any provider, like gmail.
I tried submission first, and it failed.
The automatic configuration with Thunderbird uses 465, and Andrei said submission is not 465.
Except on Telefonica, they do not allow submission, use 25 instead.
If they don't do any hosting and only service their own customers on their own networks, that is a safe setup.
Except when their customers travel. They tell people to use webmail instead, which breaks smartphones and tablets.
Fortunately, T-Mobile, which is my phone data provider (for the trip) doesn't block 25, either. I bought a prepaid SIM via Amazon before departing, data roaming with a European SIM here is prohibitive.
Notice that this email /seems/ to be sent from Telefonica. I'm using sender_canonical to change the "from" to make things easier.
-- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
Carlos E. R. wrote:
On 20/09/2018 09.37, Per Jessen wrote:
Carlos E. R. wrote:
On 20/09/2018 02.48, Per Jessen wrote:
Carlos E. R. wrote:
Restricting port 25 and asking people to use port 587 for mail submission has been standard ISP practice for years and years.
Not in Spain. They don't block anything. Freedom, you know? ;-p
Do they not block port 25 to other than their own networks? That is what usually happens - outbound port 25 to other networks is blocked, and the standard support answer is 'use port 587'.
Telefonica blocks nothing, and their standard support answer is to use 25. The 587 is not supported, which is why I can not post now from Canada using Telefonica:
That is not what I meant. A typical scenario would be - Carlos Shop S.A. has an access provider for the office. They also have an email provider for carlos-shop-sa.es. The access provider blocks port 25 outbound to other networks than their own. Carlos Shop S.A. uses port 587 to submit mails via their email provider.
For years I have been sending mail on port 25 to any provider, like gmail.
Okay, I'm surprised they don't block that. It's usually the very first anti-spam measure access providers use.
-- Per Jessen, Zürich (25.9°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
On 20/09/2018 10.28, Per Jessen wrote:
Carlos E. R. wrote:
On 20/09/2018 09.37, Per Jessen wrote:
Carlos E. R. wrote:
On 20/09/2018 02.48, Per Jessen wrote:
Carlos E. R. wrote:
Restricting port 25 and asking people to use port 587 for mail submission has been standard ISP practice for years and years.
Not in Spain. They don't block anything. Freedom, you know? ;-p
Do they not block port 25 to other than their own networks? That is what usually happens - outbound port 25 to other networks is blocked, and the standard support answer is 'use port 587'.
Telefonica blocks nothing, and their standard support answer is to use 25. The 587 is not supported, which is why I can not post now from Canada using Telefonica:
That is not what I meant.
A typical scenario would be - Carlos Shop S.A. has an access provider for the office. They also have an email provider for carlos-shop-sa.es. The access provider blocks port 25 outbound to other networks than their own. Carlos Shop S.A. uses port 587 to submit mails via their email provider.
For years I have been sending mail on port 25 to any provider, like gmail.
Okay, I'm surprised they don't block that. It's usually the very first anti-spam measure access providers use.
Well, that's the thing, they don't block any port that I know. You may be able to browse windows computers shares across internet here. I remember that I got such attempts when I was using a modem, not a router with NAT.
And I like they don't block anything! I find disgusting that Bell is blocking my access to Telefonica. If someone is using the net to spam, kill that person full access, not everybody access to some port.
It is simple, if someone uses port 25, investigate. Or allow a simple manner for a client to request open port 25. I'm a good guy and such.
-- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
On 09/20/2018 10:47 AM, Carlos E. R. wrote:
And I like they don't block anything! I find disgusting that Bell is blocking my access to Telefonica. If someone is using the net to spam, kill that person full access, not everybody access to some port.
It is simple, if someone uses port 25, investigate.
This has long been the practice, to block spammers. I use port 465 with SSL/TLS and have for years. It's just normal operation here. Are you saying your ISP will not allow you to use 465?
One benefit of using SSL/TLS is your traffic is encrypted to the server.
Likewise, I use IMAPS to receive my email, as it's encrypted.
On 20/09/2018 11.14, James Knott wrote:
On 09/20/2018 10:47 AM, Carlos E. R. wrote:
And I like they don't block anything! I find disgusting that Bell is blocking my access to Telefonica. If someone is using the net to spam, kill that person full access, not everybody access to some port.
It is simple, if someone uses port 25, investigate.
This has long been the practice, to block spammers. I use port 465 with SSL/TLS and have for years. It's just normal operation here. Are you saying your ISP will not allow you to use 465?
That is so, Telefonica does not provide it, connections to that port timeout.
One benefit of using SSL/TLS is your traffic is encrypted to the server.
Port 25 traffic can also be encrypted.
Likewise, I use IMAPS to receive my email, as it's encrypted.
That one is different thing. -- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
Carlos E. R. wrote:
On 20/09/2018 10.28, Per Jessen wrote:
Okay, I'm surprised [Telefonica] doesn't block that. It's usually the very first anti-spam measure access providers use.
Well, that's the thing, they don't block any port that I know. You may be able to browse windows computers shares across internet here. I remember that I got such attempts when I was using a modem, not a router with NAT.
I have not heard of anyone blocking outbound traffic on anything but port 25.
And I like they don't block anything! I find disgusting that Bell is blocking my access to Telefonica. If someone is using the net to spam, kill that person full access, not everybody access to some port.
It is simple, if someone uses port 25, investigate.
A waste of time and effort. It is even simpler, block 25, let everyone use 587, as it was always intended. Port 25 is for MTA-to-MTA transfers. -- Per Jessen, Zürich (26.6°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On 09/20/2018 11:39 AM, Per Jessen wrote:
A waste of time and effort. It is even simpler, block 25, let everyone use 587, as it was always intended.
Or better, 465, as it uses SSL/TLS
James Knott wrote:
On 09/20/2018 11:39 AM, Per Jessen wrote:
A waste of time and effort. It is even simpler, block 25, let everyone use 587, as it was always intended.
Or better, 465, as it uses SSL/TLS
Port 587 with STARTTLS is the standard: https://tools.ietf.org/html/rfc6409 -- Per Jessen, Zürich (26.1°C) http://www.dns24.ch/ - your free DNS host, made in Switzerland.
On 09/20/2018 11:50 AM, Per Jessen wrote:
James Knott wrote:
On 09/20/2018 11:39 AM, Per Jessen wrote:
A waste of time and effort. It is even simpler, block 25, let everyone use 587, as it was always intended.
Or better, 465, as it uses SSL/TLS
Port 587 with STARTTLS is the standard:
Then again we have:
And just to add extra confusion, in 2018 it was decided to change yet again, and recommend using implicit TLS over port 465 to "encourage more widespread use of TLS and to also encourage greater consistency regarding how TLS is used, this specification now recommends the use of Implicit TLS for POP, IMAP, SMTP Submission, and all other protocols used between an MUA and an MSP."
https://www.fastmail.com/help/technical/ssltlsstarttls.html
However, either is better than port 25.
Forgot to mention RFC 8314 supersedes RFC 6409, so 465 it is.
On 09/20/2018 03:53 PM, James Knott wrote:
On 09/20/2018 11:50 AM, Per Jessen wrote:
James Knott wrote:
On 09/20/2018 11:39 AM, Per Jessen wrote:
A waste of time and effort. It is even simpler, block 25, let everyone use 587, as it was always intended.
Or better, 465, as it uses SSL/TLS
Port 587 with STARTTLS is the standard:
Then again we have:
And just to add extra confusion, in 2018 it was decided to change yet again, and recommend using implicit TLS over port 465 to "encourage more widespread use of TLS and to also encourage greater consistency regarding how TLS is used, this specification now recommends the use of Implicit TLS for POP, IMAP, SMTP Submission, and all other protocols used between an MUA and an MSP."
https://www.fastmail.com/help/technical/ssltlsstarttls.html
However, either is better than port 25.
On 20/09/2018 11.39, Per Jessen wrote:
Carlos E. R. wrote:
On 20/09/2018 10.28, Per Jessen wrote:
Okay, I'm surprised [Telefonica] doesn't block that. It's usually the very first anti-spam measure access providers use.
Well, that's the thing, they don't block any port that I know. You may be able to browse windows computers shares across internet here. I remember that I got such attempts when I was using a modem, not a router with NAT.
I have not heard of anyone blocking outbound traffic on anything but port 25.
And I like they don't block anything! I find disgusting that Bell is blocking my access to Telefonica. If someone is using the net to spam, kill that person full access, not everybody access to some port.
It is simple, if someone uses port 25, investigate.
A waste of time and effort. It is even simpler, block 25, let everyone use 587, as it was always intended. Port 25 is for MTA-to-MTA transfers.
I find blocking 25 intrusive on my freedom. -- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
On Thursday, 20 September 2018 18:50:21 CEST, Carlos E. R. wrote:
On 20/09/2018 11.39, Per Jessen wrote:
Carlos E. R. wrote:
On 20/09/2018 10.28, Per Jessen wrote:
Okay, I'm surprised [Telefonica] doesn't block that. It's usually the very first anti-spam measure access providers use.
Well, that's the thing, they don't block any port that I know. You may be able to browse windows computers shares across internet here. I remember that I got such attempts when I was using a modem, not a router with NAT.
I have not heard of anyone blocking outbound traffic on anything but port 25.
And I like they don't block anything! I find disgusting that Bell is blocking my access to Telefonica. If someone is using the net to spam, kill that person full access, not everybody access to some port.
It is simple, if someone uses port 25, investigate.
A waste of time and effort. It is even simpler, block 25, let everyone use 587, as it was always intended. Port 25 is for MTA-to-MTA transfers.
I find blocking 25 intrusive on my freedom.
Well, don't blame the ISPs, blame the spammers that made them block 25. Years ago when my ISP started blocking they sent out a nice letter, explaining why. I could live with that. FWIW, their Enterprise programs do have 25 open.
-- Gertjan Lettink a.k.a. Knurpht openSUSE Board Member openSUSE Forums Team
On 20/09/2018 12.57, Knurpht-openSUSE wrote:
On Thursday, 20 September 2018 18:50:21 CEST, Carlos E. R. wrote:
On 20/09/2018 11.39, Per Jessen wrote:
Carlos E. R. wrote:
On 20/09/2018 10.28, Per Jessen wrote:
Okay, I'm surprised [Telefonica] doesn't block that. It's usually the very first anti-spam measure access providers use.
Well, that's the thing, they don't block any port that I know. You may be able to browse windows computers shares across internet here. I remember that I got such attempts when I was using a modem, not a router with NAT.
I have not heard of anyone blocking outbound traffic on anything but port 25.
And I like they don't block anything! I find disgusting that Bell is blocking my access to Telefonica. If someone is using the net to spam, kill that person full access, not everybody access to some port.
It is simple, if someone uses port 25, investigate.
A waste of time and effort. It is even simpler, block 25, let everyone use 587, as it was always intended. Port 25 is for MTA-to-MTA transfers.
I find blocking 25 intrusive on my freedom.
Well, don't blame the ISPs, blame the spammers that made them block 25. Years ago when my ISP started blocking they sent out a nice letter, explaining why. I could live with that. FWIW, their Enterprise programs do have 25 open.
Well, Telefonica did not, and there are spammers everywhere. T-Mobile (USA) doesn't. -- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
Carlos E. R. wrote:
On 20/09/2018 12.57, Knurpht-openSUSE wrote:
On Thursday, 20 September 2018 18:50:21 CEST, Carlos E. R. wrote:
On 20/09/2018 11.39, Per Jessen wrote:
Carlos E. R. wrote:
On 20/09/2018 10.28, Per Jessen wrote:
Okay, I'm surprised [Telefonica] doesn't block that. It's usually the very first anti-spam measure access providers use.
Well, that's the thing, they don't block any port that I know. You may be able to browse windows computers shares across internet here. I remember that I got such attempts when I was using a modem, not a router with NAT.
I have not heard of anyone blocking outbound traffic on anything but port 25.
And I like they don't block anything! I find disgusting that Bell is blocking my access to Telefonica. If someone is using the net to spam, kill that person full access, not everybody access to some port.
It is simple, if someone uses port 25, investigate.
A waste of time and effort. It is even simpler, block 25, let everyone use 587, as it was always intended. Port 25 is for MTA-to-MTA transfers.
I find blocking 25 intrusive on my freedom.
Well, don't blame the ISPs, blame the spammers that made them block 25. Years ago when my ISP started blocking they sent out a nice letter, explaining why. I could live with that. FWIW, their Enterprise programs do have 25 open.
Well, Telefonica did not, and there are spammers everywhere.
T-Mobile (USA) doesn't.
Mobile operators, tmk, don't really have any significant problem with mobile phones being hijacked and abused. (trojans). -- Per Jessen, Zürich (20.1°C) http://www.cloudsuisse.com/ - your owncloud, hosted in Switzerland.
On 20/09/2018 15.09, Per Jessen wrote:
Carlos E. R. wrote:
On 20/09/2018 12.57, Knurpht-openSUSE wrote:
On Thursday, 20 September 2018 18:50:21 CEST, Carlos E. R. wrote:
On 20/09/2018 11.39, Per Jessen wrote:
Carlos E. R. wrote:
On 20/09/2018 10.28, Per Jessen wrote:
Okay, I'm surprised [Telefonica] doesn't block that. It's usually the very first anti-spam measure access providers use.
Well, that's the thing, they don't block any port that I know. You may be able to browse windows computers shares across internet here. I remember that I got such attempts when I was using a modem, not a router with NAT.
I have not heard of anyone blocking outbound traffic on anything but port 25.
And I like they don't block anything! I find disgusting that Bell is blocking my access to Telefonica. If someone is using the net to spam, kill that person full access, not everybody access to some port.
It is simple, if someone uses port 25, investigate.
A waste of time and effort. It is even simpler, block 25, let everyone use 587, as it was always intended. Port 25 is for MTA-to-MTA transfers.
I find blocking 25 intrusive on my freedom.
Well, don't blame the ISPs, blame the spammers that made them block 25. Years ago when my ISP started blocking they sent out a nice letter, explaining why. I could live with that. FWIW, their Enterprise programs do have 25 open.
Well, Telefonica did not, and there are spammers everywhere.
T-Mobile (USA) doesn't.
Mobile operators, tmk, don't really have any significant problem with mobile phones being hijacked and abused. (trojans).
Then it is not a real policy issue. T-Mobile also allows tethering, no problem (they said so in the brochure). Bell does not. We were shopping for a mobile plan here for another person and they said it was not allowed. Good grief! T-Mobile wants clients, Bell does not care, it is predominant. Bell simply takes the easy route and blocks 25. Obviously some Spanish travellers will use tether and send emails normally. -- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
Carlos E. R. wrote:
On 20/09/2018 15.09, Per Jessen wrote:
Carlos E. R. wrote:
On 20/09/2018 12.57, Knurpht-openSUSE wrote:
On Thursday, 20 September 2018 18:50:21 CEST, Carlos E. R. wrote:
On 20/09/2018 11.39, Per Jessen wrote:
Carlos E. R. wrote:
On 20/09/2018 10.28, Per Jessen wrote:
[snip]
I find blocking 25 intrusive on my freedom.
Well, don't blame the ISPs, blame the spammers that made them block 25. Years ago when my ISP started blocking they sent out a nice letter, explaining why. I could live with that. FWIW, their Enterprise programs do have 25 open.
Well, Telefonica did not, and there are spammers everywhere.
T-Mobile (USA) doesn't.
Mobile operators, tmk, don't really have any significant problem with mobile phones being hijacked and abused. (trojans).
Then it is not a real policy issue.
Policy? No, I don't think it is a policy issue, it's simply about an easy and practical way to prevent lots of spam being sent. -- Per Jessen, Zürich (18.5°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
On 21/09/2018 02.10, Per Jessen wrote:
Carlos E. R. wrote:
On 20/09/2018 15.09, Per Jessen wrote:
Carlos E. R. wrote:
On 20/09/2018 12.57, Knurpht-openSUSE wrote:
On Thursday, 20 September 2018 18:50:21 CEST, Carlos E. R. wrote:
On 20/09/2018 11.39, Per Jessen wrote:
Carlos E. R. wrote:
On 20/09/2018 10.28, Per Jessen wrote:
[snip]
I find blocking 25 intrusive on my freedom.
Well, don't blame the ISPs, blame the spammers that made them block 25. Years ago when my ISP started blocking they sent out a nice letter, explaining why. I could live with that. FWIW, their Enterprise programs do have 25 open.
Well, Telefonica did not, and there are spammers everywhere.
T-Mobile (USA) doesn't.
Mobile operators, tmk, don't really have any significant problem with mobile phones being hijacked and abused. (trojans).
Then it is not a real policy issue.
Policy? No, I don't think it is a policy issue, it's simply about an easy and practical way to prevent lots of spam being sent.
You only need to block relay use. Ie, nobody can relay without a password, no matter the port. -- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
Carlos E. R. wrote:
On 21/09/2018 02.10, Per Jessen wrote:
Carlos E. R. wrote:
On 20/09/2018 15.09, Per Jessen wrote:
Carlos E. R. wrote:
On 20/09/2018 12.57, Knurpht-openSUSE wrote:
On Thursday, 20 September 2018 18:50:21 CEST, Carlos E. R. wrote:
On 20/09/2018 11.39, Per Jessen wrote:
Carlos E. R. wrote:
On 20/09/2018 10.28, Per Jessen wrote:
[snip]
I find blocking 25 intrusive on my freedom.
Well, don't blame the ISPs, blame the spammers that made them block 25. Years ago when my ISP started blocking they sent out a nice letter, explaining why. I could live with that. FWIW, their Enterprise programs do have 25 open.
Well, Telefonica did not, and there are spammers everywhere.
T-Mobile (USA) doesn't.
Mobile operators, tmk, don't really have any significant problem with mobile phones being hijacked and abused. (trojans).
Then it is not a real policy issue.
Policy? No, I don't think it is a policy issue, it's simply about an easy and practical way to prevent lots of spam being sent.
You only need to block relay use. Ie, nobody can relay without a password, no matter the port.
Public mail servers, such as those receiving mails for "jessen.ch", "gmx.es", "opensuse.org" etcetera, have a port 25 open, for everyone. They cannot tell who is going to want to transfer some mail to them, they _must_ accept everyone, also a script-kiddie or a hijacked PC behind a Telefonica ADSL line. There is _no_ authentication involved, there is _no_ open relaying involved. In your case, by Bell blocking _outgoing_ port 25, they are putting a very effective stop to the script-kiddies and the hijacked PCs. As does Bluewin and numerous other Swiss and European providers. -- Per Jessen, Zürich (14.6°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On 21/09/2018 15.34, Per Jessen wrote:
Carlos E. R. wrote:
On 21/09/2018 02.10, Per Jessen wrote:
Carlos E. R. wrote:
On 20/09/2018 15.09, Per Jessen wrote:
Carlos E. R. wrote:
On 20/09/2018 12.57, Knurpht-openSUSE wrote:
On Thursday, 20 September 2018 18:50:21 CEST, Carlos E. R. wrote:
On 20/09/2018 11.39, Per Jessen wrote:
Carlos E. R. wrote:
On 20/09/2018 10.28, Per Jessen wrote:
[snip]
I find blocking 25 intrusive on my freedom.
Well, don't blame the ISPs, blame the spammers that made them block 25. Years ago when my ISP started blocking they sent out a nice letter, explaining why. I could live with that. FWIW, their Enterprise programs do have 25 open.
Well, Telefonica did not, and there are spammers everywhere.
T-Mobile (USA) doesn't.
Mobile operators, tmk, don't really have any significant problem with mobile phones being hijacked and abused. (trojans).
Then it is not a real policy issue.
Policy? No, I don't think it is a policy issue, it's simply about an easy and practical way to prevent lots of spam being sent.
You only need to block relay use. Ie, nobody can relay without a password, no matter the port.
Public mail servers, such as those receiving mails for "jessen.ch", "gmx.es", "opensuse.org" etcetera, have a port 25 open, for everyone. They cannot tell who is going to want to transfer some mail to them, they _must_ accept everyone, also a script-kiddie or a hijacked PC behind a Telefonica ADSL line. There is _no_ authentication involved, there is _no_ open relaying involved.
In your case, by Bell blocking _outgoing_ port 25, they are putting a very effective stop to the script-kiddies and the hijacked PCs. As does Bluewin and numerous other Swiss and European providers.
No, not quite. :-) opensuse.org, for instance, will only accept email which destination is mail list, employers, or whoever holds an @opensuse.org address. Or maybe others for which this is the handling server. Without authentication. But it will refuse to accept an email which destination is carlos@tlefonica.net, because that would be acting as a relay for improper usage. gmx.es will accept without authentication emails for *@gmx.es, but if someone attempts to send to carlos@telefonica.net will ask for authentication; if this fails, the post will be denied. It is quite simple, actually. The port used has no relevance, the behaviour is basically the same. -- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
* Carlos E. R. <robin.listas@gmx.es> [09-21-18 22:30]: [...]
No, not quite. :-)
opensuse.org, for instance, will only accept email which destination is mail list, employers, or whoever holds an @opensuse.org address. Or maybe others for which this is the handling server. Without authentication.
But it will refuse to accept an email which destination is carlos@tlefonica.net, because that would be acting as a relay for improper usage.
gmx.es will accept without authentication emails for *@gmx.es, but if someone attempts to send to carlos@telefonica.net will ask for authentication; if this fails, the post will be denied.
It is quite simple, actually. The port used has no relevance, the behaviour is basically the same.
what is the point of extending this conversation? what result or solution are you trying to reach aside from argument? -- (paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri http://en.opensuse.org openSUSE Community Member facebook/ptilopteri Registered Linux User #207535 @ http://linuxcounter.net Photos: http://wahoo.no-ip.org/piwigo paka @ IRCnet freenode
On 21/09/2018 22.48, Patrick Shanahan wrote:
* Carlos E. R. <robin.listas@gmx.es> [09-21-18 22:30]: [...]
No, not quite. :-)
opensuse.org, for instance, will only accept email which destination is mail list, employers, or whoever holds an @opensuse.org address. Or maybe others for which this is the handling server. Without authentication.
But it will refuse to accept an email which destination is carlos@tlefonica.net, because that would be acting as a relay for improper usage.
gmx.es will accept without authentication emails for *@gmx.es, but if someone attempts to send to carlos@telefonica.net will ask for authentication; if this fails, the post will be denied.
It is quite simple, actually. The port used has no relevance, the behaviour is basically the same.
what is the point of extending this conversation? what result or solution are you trying to reach aside from argument?
The purpose is to get understood... It seems that I speak Greek or Chinese. -- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
* Carlos E. R. <robin.listas@gmx.es> [09-21-18 22:54]:
On 21/09/2018 22.48, Patrick Shanahan wrote:
* Carlos E. R. <robin.listas@gmx.es> [09-21-18 22:30]: [...]
No, not quite. :-)
opensuse.org, for instance, will only accept email which destination is mail list, employers, or whoever holds an @opensuse.org address. Or maybe others for which this is the handling server. Without authentication.
But it will refuse to accept an email which destination is carlos@tlefonica.net, because that would be acting as a relay for improper usage.
gmx.es will accept without authentication emails for *@gmx.es, but if someone attempts to send to carlos@telefonica.net will ask for authentication; if this fails, the post will be denied.
It is quite simple, actually. The port used has no relevance, the behaviour is basically the same.
what is the point of extending this conversation? what result or solution are you trying to reach aside from argument?
The purpose is to get understood... It seems that I speak Greek or Chinese.
then perhaps it is time to take it to "off-topic" as being understood does not quite match the purpose of this forum. it was already suggested by the list admin who also continues here :( -- (paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri http://en.opensuse.org openSUSE Community Member facebook/ptilopteri Registered Linux User #207535 @ http://linuxcounter.net Photos: http://wahoo.no-ip.org/piwigo paka @ IRCnet freenode
On 21/09/2018 22.58, Patrick Shanahan wrote:
* Carlos E. R. <robin.listas@gmx.es> [09-21-18 22:54]:
On 21/09/2018 22.48, Patrick Shanahan wrote:
* Carlos E. R. <robin.listas@gmx.es> [09-21-18 22:30]: [...]
No, not quite. :-)
opensuse.org, for instance, will only accept email which destination is mail list, employers, or whoever holds an @opensuse.org address. Or maybe others for which this is the handling server. Without authentication.
But it will refuse to accept an email which destination is carlos@tlefonica.net, because that would be acting as a relay for improper usage.
gmx.es will accept without authentication emails for *@gmx.es, but if someone attempts to send to carlos@telefonica.net will ask for authentication; if this fails, the post will be denied.
It is quite simple, actually. The port used has no relevance, the behaviour is basically the same.
what is the point of extending this conversation? what result or solution are you trying to reach aside from argument?
The purpose is to get understood... It seems that I speak Greek or Chinese.
then perhaps it is time to take it to "off-topic" as being understood does not quite match the purpose of this forum. it was already suggested by the list admin who also continues here :(
Yes, when talking about history. This is a technical issue. -- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
Patrick Shanahan wrote:
then perhaps it is time to take it to "off-topic" as being understood does not quite match the purpose of this forum. it was already suggested by the list admin who also continues here :(
I apologise for not taking my own medicine. -- Per Jessen, Zürich (22.8°C) http://www.cloudsuisse.com/ - your owncloud, hosted in Switzerland.
On 22/09/2018 00.02, Andrei Borzenkov wrote:
22.09.2018 05:53, Carlos E. R. wrote:
The purpose is to get understood... It seems that I speak Greek or Chinese.
You had question, your question was answered. About hundred mails ago. What you want us to understand now?
That 25 is not an open relay hole anywhere, because auth is required to relay, for instance. Which posts are accepted by a server without auth. We are saying the same thing, yet we fail to understand one another. -- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
22.09.2018 16:12, Carlos E. R. wrote:
On 22/09/2018 00.02, Andrei Borzenkov wrote:
22.09.2018 05:53, Carlos E. R. wrote:
The purpose is to get understood... It seems that I speak Greek or Chinese.
You had question, your question was answered. About hundred mails ago. What you want us to understand now?
That 25 is not an open relay hole anywhere, because auth is required to relay, for instance. Which posts are accepted by a server without auth. We are saying the same thing, yet we fail to understand one another.
OK we understand that. Are you satisfied now? Can this finally stop?
Carlos E. R. wrote:
On 21/09/2018 15.34, Per Jessen wrote:
Carlos E. R. wrote:
On 21/09/2018 02.10, Per Jessen wrote:
Public mail servers, such as those receiving mails for "jessen.ch", "gmx.es", "opensuse.org" etcetera, have a port 25 open, for everyone. They cannot tell who is going to want to transfer some mail to them, they _must_ accept everyone, also a script-kiddie or a hijacked PC behind a Telefonica ADSL line. There is _no_ authentication involved, there is _no_ open relaying involved.
In your case, by Bell blocking _outgoing_ port 25, they are putting a very effective stop to the script-kiddies and the hijacked PCs. As does Bluewin and numerous other Swiss and European providers.
No, not quite. :-)
opensuse.org, for instance, will only accept email which destination is mail list, employers, or whoever holds an @opensuse.org address.
Those are all the same Carlos - "any.thing@opensuse.org". That some are directed to the list server, some forwarded to individual addresses and some fed to the ticketing system is irrelevant seen from the mail server's point of view.
Or maybe others for which this is the handling server. Without authentication.
Right.
But it will refuse to accept an email which destination is carlos@tlefonica.net, because that would be acting as a relay for improper usage.
That is really just another way of saying that the mail server doesn't handle "@tlefonica.net". It might even well receive them, without acting as a relay.
gmx.es will accept without authentication emails for *@gmx.es, but if someone attempts to send to carlos@telefonica.net will ask for authentication; if this fails, the post will be denied.
It is quite simple, actually.
The length of this thread suggests the contrary :-)
The port used has no relevance, the behaviour is basically the same.
It may perhaps be set up like that, but that is not typical. Mail server operators generally use port 25 for mail exchange, and 587/465 for mail submission. As per current standards and conventions. Not all of them, just most. -- Per Jessen, Zürich (22.4°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On 23/09/2018 07.19, Per Jessen wrote:
Carlos E. R. wrote:
On 21/09/2018 15.34, Per Jessen wrote:
...
It is quite simple, actually.
The length of this thread suggests the contrary :-)
The port used has no relevance, the behaviour is basically the same.
It may perhaps be set up like that, but that is not typical. Mail server operators generally use port 25 for mail exchange, and 587/465 for mail submission. As per current standards and conventions. Not all of them, just most.
Agreed :-) -- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
On 09/20/2018 12:50 PM, Carlos E. R. wrote:
I find blocking 25 intrusive on my freedom.
You find it intrusive on your freedom to do something you shouldn't be doing? SMTP was created way back in the dark ages, when people used terminals to connect to computers and programs on that computer to read/write mail. Back then, SMTP was used to transfer mail between computers. There was no concept of email clients back then. When those clients started appearing, they used POP and SMTP to provide email to personal computers. That situation resulted in port 25 being used for spam, as there was nothing to stop that. Then ISPs stopped passing port 25 on to other servers, just to block that spam. As mentioned, there are other ports for sending email from clients and they should be used. If your ISP doesn't support that, then they are part of the problem. BTW, I recently started re-reading "The Cuckoo's Egg" about a security attack that was enabled by a flaw in the way Emacs handled sending email. This let the attackers bypass normal system security to get access to the system. I first read it almost 30 years ago. It's a good read.
On 20/09/2018 13.05, James Knott wrote:
On 09/20/2018 12:50 PM, Carlos E. R. wrote:
I find blocking 25 intrusive on my freedom.
You find it intrusive on your freedom to do something you shouldn't be doing?
I'm not doing anything I shouldn't.
SMTP was created way back in the dark ages, when people used terminals to connect to computers and programs on that computer to read/write mail. Back then, SMTP was used to transfer mail between computers. There was no concept of email clients back then. When those clients started appearing, they used POP and SMTP to provide email to personal computers. That situation resulted in port 25 being used for spam, as there was nothing to stop that. Then ISPs stopped passing port 25 on to other servers, just to block that spam. As mentioned, there are other ports for sending email from clients and they should be used. If your ISP doesn't support that, then they are part of the problem.
Well, Telefónica is apparently managing to block spam without blocking 25. For instance, by requesting authorization on connect to 25. Everybody does that, even gmail.
BTW, I recently started re-reading "The Cuckoo's Egg" about a security attack that was enabled by a flaw in the way Emacs handled sending email. This let the attackers bypass normal system security to get access to the system. I first read it almost 30 years ago. It's a good read.
:-) When I developed software, security was not a concern. Oh, those were the days... ;-p -- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
On 09/20/2018 01:45 PM, Carlos E. R. wrote:
Well, Telefónica is apparently managing to block spam without blocking 25. For instance, by requesting authorization on connect to 25. Everybody does that, even gmail.
Not according to the instructions I just found for GMail: "Connect to smtp.gmail.com on port 465, if you're using *SSL*. (Connect on port 587 if you're using TLS.) Sign in with a Google *username* and password for authentication to connect with *SSL* or TLS." Everything that turns up on a search for GMail configuration says the same thing.
On 20/09/2018 13.51, James Knott wrote:
On 09/20/2018 01:45 PM, Carlos E. R. wrote:
Well, Telefónica is apparently managing to block spam without blocking 25. For instance, by requesting authorization on connect to 25. Everybody does that, even gmail.
Not according to the instructions I just found for GMail: "Connect to smtp.gmail.com on port 465, if you're using *SSL*. (Connect on port 587 if you're using TLS.) Sign in with a Google *username* and password for authentication to connect with *SSL* or TLS."
Everything that turns up on a search for GMail configuration says the same thing.
I have been using port 25 with gmail for years. With Telefonica network:
<2.6> 2018-07-15 23:19:48 Legolas postfix 892 - - Trusted TLS connection established to smtp.gmail.com[108.177.15.109]:25: TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)
With Bell's network, a few days ago:
<2.6> 2018-09-13 02:25:03 Legolas postfix 11968 - - Trusted TLS connection established to smtp.gmail.com[173.194.208.108]:25: TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)
And as you can see, it goes with TLS. And it asks my postfix for login/password. Maybe they do not recommend it, but they accept 25 just fine. I don't have access here to my long term logs to show it.
And Telefónica only accepts port 25. Also with TLS.
<2.6> 2018-07-15 23:12:30 Legolas postfix 32003 - - Anonymous TLS connection established to smtp.telefonica.net[86.109.99.70]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)
<2.6> 2018-09-08 20:31:28 Legolas postfix 9925 - - Anonymous TLS connection established to smtp.telefonica.net[86.109.99.70]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)
But not submission:
<2.6> 2018-09-20 14:56:38 Legolas postfix 6958 - - connect to smtp.telefonica.net[86.109.99.70]:587: Connection timed out
-- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
Carlos E. R. wrote:
On 20/09/2018 13.05, James Knott wrote:
On 09/20/2018 12:50 PM, Carlos E. R. wrote:
I find blocking 25 intrusive on my freedom.
You find it intrusive on your freedom to do something you shouldn't be doing?
I'm not doing anything I shouldn't.
SMTP was created way back in the dark ages, when people used terminals to connect to computers and programs on that computer to read/write mail. Back then, SMTP was used to transfer mail between computers. There was no concept of email clients back then. When those clients started appearing, they used POP and SMTP to provide email to personal computers. That situation resulted in port 25 being used for spam, as there was nothing to stop that. Then ISPs stopped passing port 25 on to other servers, just to block that spam. As mentioned, there are other ports for sending email from clients and they should be used. If your ISP doesn't support that, then they are part of the problem.
Well, Telefónica is apparently managing to block spam without blocking 25. For instance, by requesting authorization on connect to 25. Everybody does that, even gmail.
s/everybody/somebody/ Anyway, I think maybe you are missing the point. It is not about connecting to Telefonica's smarthost, it is about connecting to some other mailhost out there. See my example from earlier, Carlos Shop SA.
When I developed software, security was not a concern. Oh, those were the days... ;-p
Since around 1989, when a penetration team went into my workplace, spent a couple of hours and then handed the head of RACF security a brown envelope with all userids and passwords, security has always been present in my mind. -- Per Jessen, Zürich (20.1°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
On 20/09/2018 15.07, Per Jessen wrote:
Carlos E. R. wrote:
On 20/09/2018 13.05, James Knott wrote:
On 09/20/2018 12:50 PM, Carlos E. R. wrote:
I find blocking 25 intrusive on my freedom.
You find it intrusive on your freedom to do something you shouldn't be doing?
I'm not doing anything I shouldn't.
SMTP was created way back in the dark ages, when people used terminals to connect to computers and programs on that computer to read/write mail. Back then, SMTP was used to transfer mail between computers. There was no concept of email clients back then. When those clients started appearing, they used POP and SMTP to provide email to personal computers. That situation resulted in port 25 being used for spam, as there was nothing to stop that. Then ISPs stopped passing port 25 on to other servers, just to block that spam. As mentioned, there are other ports for sending email from clients and they should be used. If your ISP doesn't support that, then they are part of the problem.
Well, Telefónica is apparently managing to block spam without blocking 25. For instance, by requesting authorization on connect to 25. Everybody does that, even gmail.
s/everybody/somebody/
Anyway, I think maybe you are missing the point. It is not about connecting to Telefonica's smarthost, it is about connecting to some other mailhost out there. See my example from earlier, Carlos Shop SA.
Well, if I want to send email directly to my friends using Linux servers without intermediaries, I can: no problem. Using port 25, of course, the default port for sending. As long as those servers are not relays there is no issue - and if they relay, they have to ask for login/password.
When I developed software, security was not a concern. Oh, those were the days... ;-p
Since around 1989, when a penetration team went into my workplace, spent a couple of hours and then handed the head of RACF security a brown envelope with all userids and passwords, security has always been present in my mind.
Our software had no userids and no passwords. No network, either. :-) -- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
On 9/20/18 9:50 AM, Carlos E. R. wrote:
A waste of time and effort. It is even simpler, block 25, let everyone use 587, as it was always intended. Port 25 is for MTA-to-MTA transfers. I find blocking 25 intrusive on my freedom.
I get around the port 25 block by remapping to a higher numbered port. Of course, I control the smtp server on the outside and listen on that port for SMTP connections. Regards, Lew
On 20/09/2018 13.38, Lew Wolfgang wrote:
On 9/20/18 9:50 AM, Carlos E. R. wrote:
A waste of time and effort. It is even simpler, block 25, let everyone use 587, as it was always intended. Port 25 is for MTA-to-MTA transfers. I find blocking 25 intrusive on my freedom.
I get around the port 25 block by remapping to a higher numbered port. Of course, I control the smtp server on the outside and listen on that port for SMTP connections.
Well, I don't control it. Telefónica listens on 25, not on the submission port -- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
On 9/20/18 10:46 AM, Carlos E. R. wrote:
On 20/09/2018 13.38, Lew Wolfgang wrote:
On 9/20/18 9:50 AM, Carlos E. R. wrote:
A waste of time and effort. It is even simpler, block 25, let everyone use 587, as it was always intended. Port 25 is for MTA-to-MTA transfers. I find blocking 25 intrusive on my freedom. I get around the port 25 block by remapping to a higher numbered port. Of course, I control the smtp server on the outside and listen on that port for SMTP connections. Well, I don't control it. Telefónica listens on 25, not on the submission port
Right, use another non-Telefónica SMTP server then. Regards, Lew
On 20/09/2018 13.54, Lew Wolfgang wrote:
On 9/20/18 10:46 AM, Carlos E. R. wrote:
On 20/09/2018 13.38, Lew Wolfgang wrote:
On 9/20/18 9:50 AM, Carlos E. R. wrote:
A waste of time and effort. It is even simpler, block 25, let everyone use 587, as it was always intended. Port 25 is for MTA-to-MTA transfers. I find blocking 25 intrusive on my freedom. I get around the port 25 block by remapping to a higher numbered port. Of course, I control the smtp server on the outside and listen on that port for SMTP connections. Well, I don't control it. Telefónica listens on 25, not on the submission port
Right, use another non-Telefónica SMTP server then.
Then I can not send using any of my several Telefónica addresses. Tell me which SMTP server I can use to send email from: xxx@telefonica.net - notice that any other smtp server will not be in the list of authorized servers to send telefonica.net email in the DNS - I forgot the name of the protocol. -- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
Carlos E. R. wrote:
On 20/09/2018 13.54, Lew Wolfgang wrote:
On 9/20/18 10:46 AM, Carlos E. R. wrote:
On 20/09/2018 13.38, Lew Wolfgang wrote:
On 9/20/18 9:50 AM, Carlos E. R. wrote:
A waste of time and effort. It is even simpler, block 25, let everyone use 587, as it was always intended. Port 25 is for MTA-to-MTA transfers. I find blocking 25 intrusive on my freedom. I get around the port 25 block by remapping to a higher numbered port. Of course, I control the smtp server on the outside and listen on that port for SMTP connections. Well, I don't control it. Telefónica listens on 25, not on the submission port
Right, use another non-Telefónica SMTP server then.
Then I can not send using any of my several Telefónica addresses.
Tell me which SMTP server I can use to send email from: xxx@telefonica.net - notice that any other smtp server will not be in the list of authorized servers to send telefonica.net email in the DNS - I forgot the name of the protocol.
The real problem seems to be that Telefonica is largely ignoring current standards - whether it is rfc6409 or rfc8314. -- Per Jessen, Zürich (18.2°C) http://www.cloudsuisse.com/ - your owncloud, hosted in Switzerland.
Lew Wolfgang wrote:
On 9/20/18 9:50 AM, Carlos E. R. wrote:
A waste of time and effort. It is even simpler, block 25, let everyone use 587, as it was always intended. Port 25 is for MTA-to-MTA transfers. I find blocking 25 intrusive on my freedom.
I get around the port 25 block by remapping to a higher numbered port. Of course, I control the smtp server on the outside and listen on that port for SMTP connections.
This is about blocking both ingoing and outgoing traffic. -- Per Jessen, Zürich (19.9°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On 20/09/2018 18:50, Carlos E. R. wrote:
I find blocking 25 intrusive on my freedom.
One doesn't always get a choice. E.g. many years ago, I used AOL for connectivity, as they gave me toll-free dialup pretty much anywhere in the world. AOL let you send on port 25 -- but it silently redirected your mail through AOL's SMTP servers, regardless of whatever the setting in your email client. This meant that emails didn't come from where they claimed to come from, which triggered some recipients' anti-spam protection. Even when I used AOL broadband for a while, it still did this. Silent port redirection, transparent proxies, DNS filtering and redirection, stuff like that can remain an issue even today. -- Liam Proven - Technical Writer, SUSE Linux s.r.o. Corso II, Křižíkova 148/34, 186-00 Praha 8 - Karlín, Czechia Email: lproven@suse.com - Office telephone: +420 284 241 084
On 20/09/2018 13.53, Liam Proven wrote:
On 20/09/2018 18:50, Carlos E. R. wrote:
I find blocking 25 intrusive on my freedom.
One doesn't always get a choice.
E.g. many years ago, I used AOL for connectivity, as they gave me toll-free dialup pretty much anywhere in the world.
AOL let you send on port 25 -- but it silently redirected your mail through AOL's SMTP servers, regardless of whatever the setting in your email client.
This meant that emails didn't come from where they claimed to come from, which triggered some recipients' anti-spam protection.
Even when I used AOL broadband for a while, it still did this.
Silent port redirection, transparent proxies, DNS filtering and redirection, stuff like that can remain an issue even today.
I'm fortunate that Telefónica doesn't do any of that, to my knowledge. They tried transparent proxies some years ago and had to remove them because of the huge clamour against them. -- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
On 09/20/2018 09:06 PM, Carlos E. R. wrote:
They tried transparent proxies some years ago and had to remove them because of the huge clamour against them.
Have you ever tried using port 25 from other than Telefónica before this? Years ago, I used to use port 25, which worked well from home, but not at work, which was on a different ISP. After moving to 465, there was no longer a problem.
On 20/09/2018 21.17, James Knott wrote:
On 09/20/2018 09:06 PM, Carlos E. R. wrote:
They tried transparent proxies some years ago and had to remove them because of the huge clamour against them.
Have you ever tried using port 25 from other than Telefónica before this? Years ago, I used to use port 25, which worked well from home, but not at work, which was on a different ISP. After moving to 465, there was no longer a problem.
Certainly. In Spain sometimes I also use ONO, now owned by Vodafone. No issues using 25. -- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
On 09/20/2018 09:19 PM, Carlos E. R. wrote:
Certainly. In Spain sometimes I also use ONO, now owned by Vodafone. No issues using 25.
Were you able to use port 25 between ISPs? IIRC, my ISP no longer even allows clients to connect on 25. Only on 465. I don't know if they'll allow 587, but suspect they may. I just tried using telnet to connect to the ports. 465 & 587 connect, but 25 doesn't.
Try using telnet to Bell's smtp servers with the different port numbers and see what happens. On 09/20/2018 09:33 PM, James Knott wrote:
On 09/20/2018 09:19 PM, Carlos E. R. wrote:
Certainly. In Spain sometimes I also use ONO, now owned by Vodafone. No issues using 25. Were you able to use port 25 between ISPs? IIRC, my ISP no longer even allows clients to connect on 25. Only on 465. I don't know if they'll allow 587, but suspect they may.
I just tried using telnet to connect to the ports. 465 & 587 connect, but 25 doesn't.
On 09/20/2018 09:48 PM, Carlos E. R. wrote:
I don't have a Bell account. What host?
When you mentioned Bell, I thought you might have an account with them. Or are you just roaming?
And I don't have telnet installed!
Yeah. I discovered I had to install it to do that test. I guess everyone is moving to that new fangled ssh. ;-)
On 20/09/2018 21.57, James Knott wrote:
On 09/20/2018 09:48 PM, Carlos E. R. wrote:
I don't have a Bell account. What host?
When you mentioned Bell, I thought you might have an account with them. Or are you just roaming?
No, I am visiting, and my lodger allows me to use their house wifi. They use gmail accounts, by the way.
And I don't have telnet installed!
Yeah. I discovered I had to install it to do that test. I guess everyone is moving to that new fangled ssh. ;-)
LOL :-) -- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
On 20/09/2018 21.33, James Knott wrote:
On 09/20/2018 09:19 PM, Carlos E. R. wrote:
Certainly. In Spain sometimes I also use ONO, now owned by Vodafone. No issues using 25.
Were you able to use port 25 between ISPs? IIRC, my ISP no longer even allows clients to connect on 25. Only on 465. I don't know if they'll allow 587, but suspect they may.
Certainly. I sometimes use ONO network sending telefonica.net mail, I have been doing it for years. The reverse I have not tried, because ONO does not provide mail accounts for new clients. For a few months I also used another temporary provider via mobile dongle, I don't remember which name. Years before I used Tiscali email in the same manner, port 25 with postfix (I can see it because the config file still exists) via modem from Telefonica network. I have other mail providers which I have used via 25, one for years and another since this summer, from Telefónica network. Oh, three, gmail is another. Postfix by default uses 25, so... Certainly, when doing autoconfiguration with Thunderbird it chooses submission ports. But as on postfix I have never specified ports, it has always used 25.
I just tried using telnet to connect to the ports. 465 & 587 connect, but 25 doesn't.
As you can see in my log entries, I can't connect to submission ports on telefonica.net servers. They do not support them, and have not answered my query on the support forum. -- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
Carlos E. R. wrote:
On 20/09/2018 11.39, Per Jessen wrote:
Carlos E. R. wrote:
On 20/09/2018 10.28, Per Jessen wrote:
Okay, I'm surprised [Telefonica] doesn't block that. It's usually the very first anti-spam measure access providers use.
Well, that's the thing, they don't block any port that I know. You may be able to browse windows computers shares across internet here. I remember that I got such attempts when I was using a modem, not a router with NAT.
I have not heard of anyone blocking outbound traffic on anything but port 25.
And I like that they don't block anything! I find it disgusting that Bell is blocking my access to Telefonica. If someone is using the net to spam, kill that person's full access, not everybody's access to some port.
It is simple, if someone uses port 25, investigate.
A waste of time and effort. It is even simpler, block 25, let everyone use 587, as it was always intended. Port 25 is for MTA-to-MTA transfers.
I find blocking 25 intrusive on my freedom.
I expect the provider's answer to your complaint will be "you're free to vote with your feet". -- Per Jessen, Zürich (20.8°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On 09/20/2018 03:13 PM, Per Jessen wrote:
I find blocking 25 intrusive on my freedom. I expect the provider's answer to your complaint will be "you're free to vote with your feet".
Perhaps he should find another ISP. That one he has in Spain doesn't seem to be competent in a few ways.
On 20/09/2018 15.30, James Knott wrote:
On 09/20/2018 03:13 PM, Per Jessen wrote:
I find blocking 25 intrusive on my freedom. I expect the provider's answer to your complaint will be "you're free to vote with your feet".
Perhaps he should find another ISP. That one he has in Spain doesn't seem to be competent in a few ways.
More competent than Bell. I have issues with Bell, not with Telefónica. -- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
On 09/20/2018 09:18 PM, Carlos E. R. wrote:
I have issues with Bell
So do I, but for other reasons. I refuse to do business with them, though I sometimes have to deal with them through work. Regardless, according to RFC 8314, the standard is to use port 465 & SSL/TLS. Port 25 was never intended to be used by email clients. https://tools.ietf.org/html/rfc8314
On 2018-09-20 9:26 p.m., James Knott wrote:
On 09/20/2018 09:18 PM, Carlos E. R. wrote:
I have issues with Bell
So do I, but for other reasons. I refuse to do business with them, though I sometimes have to deal with them through work.
Regardless, according to RFC 8314, the standard is to use port 465 & SSL/TLS. Port 25 was never intended to be used by email clients.
Well, yes it was, back in 1982; see RFC821 and /etc/services but that was "simple" and 'unauthenticated' and "insecure" and hence it was hacked and abused, so we don't use that any more. We use TLS instead.
Postfix is quite flexible in how you define the routing and transport. In http://www.postfix.org/transport.5.html we find
<quote>
In the case of delivery via SMTP, one may specify hostname:service instead of just a host:
example.com smtp:bar.example:2025
This directs mail for user@example.com to host bar.example port 2025. Instead of a numerical port a symbolic name may be used
</quote>
That last refers to /etc/services
-- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
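An added example, not part of the message above and not Postfix code: a small checker for the `hostname:service` next-hop syntax quoted from transport(5), which resolves the symbolic service name and flags a client TLS mode that does not match the port. The function names, the embedded services table and mail.example.net are constructed for illustration; `smtp_tls_wrappermode` and `smtp_tls_security_level` are real Postfix parameters, and the set of levels counted as "encrypt or stronger" is this example's assumption.

```python
import re
from typing import NamedTuple

# Constructed subset of /etc/services: only the mail-related service names.
SERVICES = {"smtp": 25, "smtps": 465, "submissions": 465, "submission": 587}

# Security levels this example counts as "encrypt or stronger" (assumption).
MANDATORY_TLS = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}

# host, [host], host:service or [host]:service; brackets may hold an IPv6 literal.
NEXTHOP_RE = re.compile(
    r"^(?:\[(?P<bracketed>[^\]]+)\]|(?P<bare>[^\[\]:\s]+))"
    r"(?::(?P<service>[A-Za-z0-9-]+))?$"
)


class NextHop(NamedTuple):
    host: str
    port: int
    mx_lookup: bool  # False when the host was written as [host]


def resolve_service(service):
    """Turn a numeric port or a symbolic service name into a port number."""
    if service.isdigit():
        port = int(service)
        if not 0 < port < 65536:
            raise ValueError(f"port out of range: {service}")
        return port
    try:
        return SERVICES[service.lower()]
    except KeyError:
        raise ValueError(f"unknown service name: {service!r}") from None


def parse_nexthop(text):
    """Parse an SMTP next-hop; the port defaults to 25 when none is given."""
    match = NEXTHOP_RE.match(text.strip())
    if match is None:
        raise ValueError(f"not a valid next-hop: {text!r}")
    host = match["bracketed"] or match["bare"]
    port = resolve_service(match["service"]) if match["service"] else 25
    return NextHop(host, port, match["bracketed"] is None)


def parse_transport_line(line):
    """Split 'pattern transport:nexthop' into its three parts."""
    pattern, result = line.split(None, 1)
    transport, _, nexthop = result.strip().partition(":")
    return pattern, transport, parse_nexthop(nexthop)


def lint(nexthop_text, wrappermode, security_level):
    """Return findings for a next-hop plus the client TLS settings used with it."""
    hop = parse_nexthop(nexthop_text)
    findings = []
    if wrappermode and security_level not in MANDATORY_TLS:
        findings.append("smtp_tls_wrappermode = yes needs "
                        "smtp_tls_security_level = encrypt or stronger")
    if hop.port == 465 and not wrappermode:
        findings.append("port 465 is implicit TLS: set smtp_tls_wrappermode = yes")
    if hop.port in (25, 587) and wrappermode:
        findings.append(f"port {hop.port} starts in cleartext and upgrades with "
                        "STARTTLS: set smtp_tls_wrappermode = no")
    if hop.port == 587 and security_level not in MANDATORY_TLS:
        findings.append("opportunistic TLS on a submission port lets a stripped "
                        "STARTTLS go unnoticed: use encrypt or stronger")
    return findings


if __name__ == "__main__":
    print(parse_transport_line("example.com smtp:bar.example:2025"))
    for hop, wrap, level in [("[mail.example.net]:submission", True, "encrypt"),
                             ("[mail.example.net]:465", False, "may"),
                             ("[mail.example.net]:465", True, "encrypt")]:
        print(hop, wrap, level, "->", lint(hop, wrap, level) or "ok")
```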
On 09/20/2018 10:50 PM, Anton Aylward wrote:
Well, yes it was, back in 1982; see RFC821 and /etc/services but that was "simple" and 'unauthenticated' and "insecure" and hence it was hacked and abused, so we don't use that any more. We use TLS instead.
1982 was before most people had access to the Internet or email and smtp was used between host computers using smtp only. There weren't a lot of PCs doing email in those days. At work, back then, we did email on a VAX 11/780, using terminals to connect to the VAX. The pop rfc is over 2 years newer than smtp. So, back in those days, email generally meant people using terminals to a shared Unix system, with smtp transferring mail between systems. Mail with a system didn't need smtp or pop. There were also commercial networks such as Compuserve, Telenet, etc. that did email, but they were all proprietary. The company I worked for provided Telenet in Canada. Even then, it wasn't until 1989 that I used a PC for email.
On 09/20/2018 11:06 PM, James Knott wrote:
There were also commercial networks such as Compuserve, Telenet, etc. that did email, but they were all proprietary. The company I worked for provided Telenet in Canada. Even then, it wasn't until 1989 that I used a PC for email.
BTW, back in the 90's there were gateways, to connect from one network to another. For example, I had an account on Compuserve. I couldn't send directly to Internet email users. As I recall, I had to send to the Internet address via the gateway. When I started at IBM, in 1997, we used Lotus Notes (and PROFS) for email. Initially we had to use a gateway to send email to the Internet, but not long after, we also got @ibm.com addresses on Lotus Notes. LN also had to be updated to work over IP. Also, if you wanted to send from one proprietary network to another and both were connected to the Internet, you'd need to specify 2 gateways. One to get to the Internet and one to the destination network, from the Internet.
On 21/09/2018 05:06, James Knott wrote:
So, back in those days, email generally meant people using terminals to a shared Unix system, with smtp transferring mail between systems.
Hey, whoah! Don't assume Unix. I was doing it on VAX-VMS in 1985. There was a lot more OS diversity back then. -- Liam Proven - Technical Writer, SUSE Linux s.r.o. Corso II, Křižíkova 148/34, 186-00 Praha 8 - Karlín, Czechia Email: lproven@suse.com - Office telephone: +420 284 241 084
On 09/21/2018 06:52 AM, Liam Proven wrote:
So, back in those days, email generally meant people using terminals to a shared Unix system, with smtp transferring mail between systems. Hey, whoah! Don't assume Unix. I was doing it on VAX-VMS in 1985. There was a lot more OS diversity back then.
Notice I said generally. As I mentioned in another message, I first used email on a VAX 11/780. However, I have no idea if it used smtp or whatever. My emails were only with co-workers and never left the VAX. Later on, I got an account on the Telenet system and also Microsoft mail. I don't know that either of them used smtp/pop for email. This was late 80s, early 90s.
On 21/09/2018 14:00, James Knott wrote:
Notice I said generally.
Fair point. I didn't get to touch Unix until 1988 or 1989, though.
As I mentioned in another message, I first used email on a VAX 11/780. However, I have no idea if it used smtp or whatever.
If it ran Unix, and it did Internet email, it probably did, I think.
My emails were only with co-workers and never left the VAX.
Ah, if it was via a VMS box and internal-only, then it would probably have been some form of DEC All-In-1 or something like that, probably not talking any standard protocols. TBH I don't know how well DEC's proprietary email solutions ran on/worked with Unix back then. Quite possibly, not very.
Later on, I got an account on the Telenet system and also Microsoft mail. I don't know that either of them used smtp/pop for email. This was late 80s, early 90s.
I don't know "Telenet" at all. MS Mail didn't. I administrated several internal company MS Mail systems in the early to mid 1990s. It was bought in, not an internal product -- previously it was known as "Courier" IIRC. The bog-standard Windows for Workgroups freebie implementation of MS Mail just had an M: drive mapped on every workstation, and dropped files in a very complex directory hierarchy on that network drive. The proper server version did have an actual API, MS MAPI, and although it retained an M: drive it was a primitive form of groupware shared storage. My memories are a little unclear after nearly 25 years. At the magazine I worked on, we upgraded to the full server version so that we could add a bolt-on Internet connectivity module, which meant everyone in the company got their own Internet address. But clients talked MS MAPI to the MS Mail server on the office NT Server, which then talked some MS protocol to the Internet Email gateway, and _that_ talked POP3 and SMTP to the big scary world of The Internet on their behalf. Layers within layers. In the mid-1990s, everything I met on Windows and Mac worked that way. MS Mail, Lotus CC:Mail, Lotus Notes (not the same thing, they had 2 unrelated products), Frontier, etc. And on minis and mainframes, IBM PROFS, DEC All-In-1, etc. Proprietary inside the LAN, then gatewayed through to Internet protocols on an internal server. SCO boxes, if they did inter-machine email, which was rare in my experience, used UUCP. The basic SCO Xenix package didn't include fancy optional extras like a C compiler, networking, X.11 and so on, so it was never normally connected to the Internet, but a serial line could dial another SCO box and send/receive email over UUCP. -- Liam Proven - Technical Writer, SUSE Linux s.r.o. 
Corso II, Křižíkova 148/34, 186-00 Praha 8 - Karlín, Czechia Email: lproven@suse.com - Office telephone: +420 284 241 084
On 09/21/2018 08:53 AM, Liam Proven wrote:
If it ran Unix, and it did Internet email, it probably did, I think.
My emails were only with co-workers and never left the VAX. Ah, if it was via a VMS box and internal-only, then it would probably have been some form of DEC All-In-1 or something like that, probably not talking any standard protocols.
Yep, it was VAX/VMS and though we had several systems, they weren't initially networked.
I don't know "Telenet" at all.
It was a commercial service based on the X.25 protocol. Users would connect with a terminal and modem to Pr1me computers. Similar services were CompuServe, Source and others. They were all stand alone and couldn't communicate with each other, until they connected to the Internet
At the magazine I worked on, we upgraded to the full server version so that we could add a bolt-on Internet connectivity module, which meant everyone in the company got their own Internet address. But clients talked MS MAPI to the MS Mail server on the office NT Server, which then talked some MS protocol to the Internet Email gateway, and _that_ talked POP3 and SMTP to the big scary world of The Internet on their behalf.
I initially used MS mail on DOS! Later, on Windows. I even had a version for OS/2.
On 21/09/2018 08.00, James Knott wrote:
On 09/21/2018 06:52 AM, Liam Proven wrote:
So, back in those days, email generally meant people using terminals to a shared Unix system, with smtp transferring mail between systems. Hey, whoah! Don't assume Unix. I was doing it on VAX-VMS in 1985. There was a lot more OS diversity back then.
Notice I said generally. As I mentioned in another message, I first used email on a VAX 11/780. However, I have no idea if it used smtp or whatever. My emails were only with co-workers and never left the VAX. Later on, I got an account on the Telenet system and also Microsoft mail. I don't know that either of them used smtp/pop for email. This was late 80s, early 90s.
You were lucky. To have email at that year I would need to justify the need for it at the university or somewhere. Only during the 90's I got a shared phone and a modem: thus Fidonet. -- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
On 2018-09-20 11:06 p.m., James Knott wrote:
On 09/20/2018 10:50 PM, Anton Aylward wrote:
Well, yes it was, back in 1982; see RFC821 and /etc/services but that was "simple" and 'unauthenticated' and "insecure" and hence it was hacked and abused, so we don't use that any more. We use TLS instead.
1982 was before most people had access to the Internet or email
Compared to today that is true but the time-line is that IBM released the PC in 1980, Apple the Mac in 1984 (remember the advert?). IBM officially released the Ethernet card in what? 1984/5, I was at one of the release presentations in Toronto. Apple had Ethernet long before IBM officially had it. They saw networking, even if only in their own way, about the time that the PC third parties did. In 1982 I was working for a company porting UNIX to the (various) PCs that were coming out. We had a commercial internet connection, via a couple of universities, as well as supplying UUCP connections to all the employees who had PCs and a few dozen other 'friends and relatives' of the company. In those days there were millions of students with email and NNTP accounts at or via universities. UUCP was available for PCs as well. There were actually quite a number of non-university/commercial sites such as The Law Society of Upper Canada. Then there were bulletin boards! ANS set up CO+RE to officially do what DARPANET had already done at that was assume commercial nodes. Well before the end of the 1980s there were many versions of UNIX, SCO being the most popular, running on PC machines.
and smtp was used between host computers using smtp only. There weren't a lot of PCs doing email in those days.
Not as SMTP, but using BBS and using UUCP, well, that is a different matter.
At work, back then, we did email on a VAX 11/780, using terminals to connect to the VAX. The pop rfc is over 2 years newer than smtp. So, back in those days, email generally meant people using terminals to a shared Unix system, with smtp transferring mail between systems. Mail within a system didn't need smtp or pop. There were also commercial networks such as Compuserve, Telenet, etc. that did email, but they were all proprietary. The company I worked for provided Telenet in Canada. Even then, it wasn't until 1989 that I used a PC for email.
OK, so I had access to experimental and delivered UNIX on PCs and PC-like machines and IP on Apples before then. I know I was not alone in this. The use of port 25 persisted well after CO+RE into the early days of the Global Internet. During this era Canada was de-regulating the phone service and there were a lot of 3rd party suppliers. In 1988 I saw one of these, Fhonorola out of Ottawa, act as a Canadian replier of ANS's CO+RE service and got an experimental 56K link to my basement and was one of the first e-commerce businesses in Ontario by 1990. As the universities dropped their UUCP accounts for old IT students we took to supporting them instead. Dial-up IP was still experimental, but there must have been, all in all perhaps the better part of 1,000 UUCP nodes in the Greater Toronto area, talking to each other, talking to the universities, talking to their employers, and as the commercial Internet emerged to the number of ISPs that were appearing. All the while SMTP was using port 25 and a lot of the smaller machines became clients. I recall in 1992 holding an email conversation using telnet on port 25 with a contact at Cambridge university in the UK in near real-time. But yes, most people were using clients and many were using email accounts at their ISP's server. Webmail was yet to evolve. Then the Gold Rush happened. The thing about a Gold Rush is that it is rarely the miners and prospectors that get rich, and only a few of their immediate suppliers survive in the long run, though a few might make a packet if they know when to get out. No, there are really only two groups who make it big during the Gold Rush: the bankers and the scam artists, the con men. OK, if there's a government to bail them out then the banks always make it big. And a lot of con men rely on inadequate proof of identity or credentials. Which using port 25 and the basic SMTP protocol allowed. So it is in the class of "yes it used to be but we changed all that".
And the process of tightening up email identification and authentication to fight spam in its various forms is an ongoing battle. -- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
On 09/21/2018 08:24 AM, Anton Aylward wrote:
On 2018-09-20 11:06 p.m., James Knott wrote:
On 09/20/2018 10:50 PM, Anton Aylward wrote:
Well, yes it was, back in 1982; see RFC821 and /etc/services but that was "simple" and 'unauthenticated' and "insecure" and hence it was hacked and abused, so we don't use that any more. We use TLS instead.
1982 was before most people had access to the Internet or email
Compared to today that is true but the time-line is that IBM released the PC 19 1980, Apple the MAC in 1984 (remember the advert?). IBM officially released the Ethernet card in what? 1984/5, I was at one of the release presentations in Toronto. Apple had Ethernet long before IBM officially had it. They saw networking, even if only in their own way, about the time that the PC third parties did.
Actually, the IBM PC was released in Aug. 1981, though there were other personal computers before that. However, email wasn't used on them. I also remember BBS systems, which had email, but I don't know that they initially used smtp, though they later provided email through a gateway. Also, we're not talking about network technology, but email. I worked for a telecommunications company back then and a large part of the business was something called Private Wire Services, where a customer paid for message switching between their offices. They'd have a terminal, usually a Teletype machine and could send messages among their offices. This sort of email had been in place for decades before there was an Internet. My first experience working with a LAN was in 1978 (Air Canada reservation system), but that was for moving data between devices, not sending messages. All the terminals, scattered around the world at airports, travel agents etc., used modems to connect to the system and I don't think it supported email. Later on, we had Ethernet between the VAX computers, which would have supported email. Again, this would have not been smtp/pop as the system predated them. So, the first email I saw at work was the Telenet system and later Microsoft mail. There was certainly email for many years before the Internet became popular, but it was generally proprietary systems that couldn't communicate with each other.
Guys, we're going way off-topic here. It's very interesting, but ... Maybe take the topic to opensuse-offtopic? Thanks -- Per Jessen, Zürich (25.8°C) member, openSUSE Heroes
James Knott wrote:
On 09/21/2018 08:24 AM, Anton Aylward wrote:
On 2018-09-20 11:06 p.m., James Knott wrote:
On 09/20/2018 10:50 PM, Anton Aylward wrote:
Well, yes it was, back in 1982; see RFC821 and /etc/services but that was "simple" and 'unauthenticated' and "insecure" and hence it was hacked and abused, so we don't use that any more. We use TLS instead.
1982 was before most people had access to the Internet or email
Compared to today that is true but the time-line is that IBM released the PC 19 1980, Apple the MAC in 1984 (remember the advert?). IBM officially released the Ethernet card in what? 1984/5, I was at one of the release presentations in Toronto. Apple had Ethernet long before IBM officially had it. They saw networking, even if only in their own way, about the time that the PC third parties did.
Actually, the IBM PC was released in Aug. 1981, though there were other personal computers before that. However, email wasn't used on them. I also remember BBS systems, which had email, but I don't know that they initially used smtp, though they later provided email through a gateway. Also, we're not talking about network technology, but email. I worked for a telecommunications company back then and a large part of the business was something called Private Wire Services, where a customer paid for message switching between their offices. They'd have a terminal, usually a Teletype machine and could send messages among their offices. This sort of email had been in place for decades before there was an Internet. My first experience working with a LAN was in 1978 (Air Canada reservation system), but that was for moving data between devices, not sending messages. All the terminals, scattered around the world at airports, travel agents etc., used modems to connect to the system and I don't think it supported email. Later on, we had Ethernet between the VAX computers, which would have supported email. Again, this would have not been smtp/pop as the system predated them. So, the first email I saw at work was the Telenet system and later Microsoft mail.
There was certainly email for many years before the Internet became popular, but it was generally proprietary systems that couldn't communicate with each other.
-- Per Jessen, Zürich (25.8°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On 2018-09-20 11:06 p.m., James Knott wrote:
1982 was before most people had access to the Internet or email
I'm not commenting on other closed systems but from V6 to my personal knowledge onwards, UNIX supported internal in-the-machine email and inter-machine email via UUCP. Actually UUCP was more than just email, it could support a limited form of remote execution, as in "upload this file and then execute a command on it", the command being one of a set that was agreed on. Most often it was ONLY to forward email. I was using a UUCP relay at the start of the 1980s and early UNIX-on-a-PC and UUCP for DOC by the mid 1980s, SCO UIC on the PC by then. Certainly at the beginning of the 1980s many universities in the USA and Canada were tied into ARPANET and were flooded with students using email and enews (that became nntp) both before and after The Great Renaming and the Spencer-Collyer C-News. And the listserves! While enews was fractious and full of "opinions", the listserves I knew of were rather more sane, usually because they were quite technical. But well before the end of the 1980s there were so many because of the growth of listserv software variants that it was also a jungle. -- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
On 09/21/2018 10:39 AM, Anton Aylward wrote:
I was using a UUCP relay at the start of the 1980s and early UNIX-on-a-PC and UUCP for DOC by the mid 1980s, SCO UIC on the PC by then.
Yep, but that was not smtp, which is what I thought we were talking about. Smtp came about to connect servers, so that users could send email to those on other systems. It was not used with client software, as it is now, along with pop or imap. This meant that smtp was being used in a manner not originally intended, that is client to server. IIRC, one of the first services on what became the Internet was email on the pre IP DARPANET. IIRC, they used special purpose minicomputer "IMP" switches to move the packets around.
On 21/09/2018 10.48, James Knott wrote:
On 09/21/2018 10:39 AM, Anton Aylward wrote:
I was using a UUCP relay at the start of the 1980s and early UNIX-on-a-PC and UUCP for DOC by the mid 1980s, SCO UIC on the PC by then.
Yep, but that was not smtp, which is what I thought we were talking about. Smtp came about to connect servers, so that users could send email to those on other systems.
smtp was intended to connect machines (servers or not). And the machines would have several (many?) users, using the program "mail" on unix or something similar. The users could mail one another inside the same machine, or users of another machine. Then came machines that were not reachable by name on the internet, or not permanently connected. These used smtp to send email to another machine that was, and acted as a mail server. Initially, those mail servers were working as open relays, abuse had not started. -- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
On 20/09/2018 22.50, Anton Aylward wrote:
On 2018-09-20 9:26 p.m., James Knott wrote:
On 09/20/2018 09:18 PM, Carlos E. R. wrote:
I have issues with Bell
So do I, but for other reasons. I refuse to do business with them, though I sometimes have to deal with them through work.
Regardless, according to RFC 8314, the standard is to use port 465 & SSL/TLS. Port 25 was never intended to be used by email clients.
Well, yes it was, back in 1982; see RFC821 and /etc/services but that was "simple" and 'unauthenticated' and "insecure" and hence it was hacked and abused, so we don't use that any more. We use TLS instead.
Notice that port 25 also can use TLS. The use of submission ports can not be justified because of need to use TLS. -- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
On 09/20/2018 11:52 PM, Carlos E. R. wrote:
Well, yes it was, back in 1982; see RFC821 and /etc/services but that was "simple" and 'unauthenticated' and "insecure" and hence it was hacked and abused, so we don't use that any more. We use TLS instead. Notice that port 25 also can use TLS. The use of submission ports can not be justified because of need to use TLS.
TLS or STARTTLS? I would expect STARTTLS as it has to be able to handle servers that don't support TLS.
On 21/09/2018 07.52, James Knott wrote:
On 09/20/2018 11:52 PM, Carlos E. R. wrote:
Well, yes it was, back in 1982; see RFC821 and /etc/services but that was "simple" and 'unauthenticated' and "insecure" and hence it was hacked and abused, so we don't use that any more. We use TLS instead. Notice that port 25 also can use TLS. The use of submission ports can not be justified because of need to use TLS.
TLS or STARTTLS? I would expect STARTTLS as it has to be able to handle servers that don't support TLS.
<2.6> 2018-07-15 23:12:30 Legolas postfix 32003 - - Anonymous TLS connection established to smtp.telefonica.net[86.109.99.70]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)
It says TLSv1.2 there.
<2.6> 2018-07-15 23:19:48 Legolas postfix 892 - - Trusted TLS connection established to smtp.gmail.com[108.177.15.109]:25: TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)
Same thing with gmail, different cipher. In "/etc/postfix/main.cf":
smtp_tls_security_level = may
Years ago I think some used plain (Telefónica, perhaps), but eventually all (all I used) switched to TLS. Notice that in the way I use port 25, all of them require me to authenticate. That is, if I want to relay a post, I have to authenticate as client, otherwise they would risk being an open relay. Which is basically the same behaviour as with the submission ports... -- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
On 09/21/2018 11:14 AM, Carlos E. R. wrote:
TLS or STARTTLS? I would expect STARTTLS as it has to be able to handle servers that don't support TLS. <2.6> 2018-07-15 23:12:30 Legolas postfix 32003 - - Anonymous TLS connection established to smtp.telefonica.net[86.109.99.70]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)
It says TLSv1.2 there.
STARTTLS is just the means of determining whether a connection can support TLS or just plain text. If it supports TLS, it would look exactly like regular TLS after the connection is established.
On 21/09/2018 11.17, James Knott wrote:
On 09/21/2018 11:14 AM, Carlos E. R. wrote:
TLS or STARTTLS? I would expect STARTTLS as it has to be able to handle servers that don't support TLS. <2.6> 2018-07-15 23:12:30 Legolas postfix 32003 - - Anonymous TLS connection established to smtp.telefonica.net[86.109.99.70]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)
It says TLSv1.2 there.
STARTTLS is just the means of determining whether a connection can support TLS or just plain text. If it supports TLS, it would look exactly like regular TLS after the connection is established.
Understood. Then I do not see how I can find out if it is STARTTLS. Maybe by increasing verbosity of the log. By the way, I do not have those logs available now, but for some years Telefónica used the sample certificate that came with the software they installed on the servers ;-) It is one of the reasons I use postfix to send: I can see the logs. -- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
On 21/09/2018 11.33, I wrote:
On 21/09/2018 11.17, James Knott wrote:
On 09/21/2018 11:14 AM, Carlos E. R. wrote:
TLS or STARTTLS? I would expect STARTTLS as it has to be able to handle servers that don't support TLS. <2.6> 2018-07-15 23:12:30 Legolas postfix 32003 - - Anonymous TLS connection established to smtp.telefonica.net[86.109.99.70]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)
It says TLSv1.2 there.
STARTTLS is just the means of determining whether a connection can support TLS or just plain text. If it supports TLS, it would look exactly like regular TLS after the connection is established.
Understood.
Then I do not see how I can find out if it is STARTTLS. Maybe by increasing verbosity of the log.
Now that I remember, I had to implement TLS support on postfix at some point or I was unable to send (on :25). But IIRC it was gmail who insisted, not Telefonica at that point. -- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
On 09/21/2018 11:33 AM, Carlos E. R. wrote:
Then I do not see how I can find out if it is STARTTLS. Maybe by increasing verbosity of the log.
I would expect you can determine that by trying a plain text connection. If it works, then it's STARTTLS. If it doesn't, it's TLS only.
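The plain-text-first check suggested in the message above can be scripted; the following is an added example, not code posted in the thread. It also shows why a client in wrapper mode reports "wrong version number" against a STARTTLS port (it reads the plaintext 220 greeting as a TLS record header). The host names, the sample EHLO reply and all function names are constructed for illustration.

```python
"""Tell a STARTTLS port from an implicit-TLS ("wrapper mode") port."""
import socket
import ssl
import sys

TLS_RECORD_TYPES = {20, 21, 22, 23}  # change_cipher_spec, alert, handshake, app data

# Constructed sample EHLO reply (not captured from a real server).
SAMPLE_EHLO = (
    "250-mail.example.test\r\n250-PIPELINING\r\n250-SIZE 69920427\r\n"
    "250-STARTTLS\r\n250-AUTH PLAIN LOGIN\r\n250 8BITMIME\r\n"
)

# Postfix client settings that match each probe result (parameter names as
# quoted in the Postfix log message at the top of this thread).
POSTFIX_HINT = {
    "starttls": "smtp_tls_security_level = encrypt, smtp_tls_wrappermode = no",
    "implicit-tls": "smtp_tls_security_level = encrypt, smtp_tls_wrappermode = yes",
}

def classify_first_bytes(data: bytes) -> str:
    """Classify what a server sent right after the TCP connect."""
    if not data:
        return "silent"  # an implicit-TLS server waits for the ClientHello
    if len(data) >= 5 and data[0] in TLS_RECORD_TYPES and data[1] == 3:
        return "tls-record"
    if data[:3].isdigit() and data[3:4] in (b" ", b"-"):
        return "smtp-plaintext"
    return "unknown"

def tls_header_view(data: bytes) -> dict:
    """Read the first 5 bytes the way a TLS client reads a record header."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes")
    return {
        "content_type": data[0],
        "version": (data[1], data[2]),
        "length": int.from_bytes(data[3:5], "big"),
        "plausible": data[0] in TLS_RECORD_TYPES and data[1] == 3,
    }

def ehlo_offers_starttls(reply: str) -> bool:
    """True if a 250 EHLO reply lists the STARTTLS extension keyword."""
    lines = [l for l in reply.splitlines() if l[:3] == "250" and l[3:4] in ("-", " ")]
    for line in lines[1:]:  # the first line is the server's own name
        words = line[4:].split()
        if words and words[0].upper() == "STARTTLS":
            return True
    return False

def read_reply(sock: socket.socket) -> bytes:
    """Read one (possibly multi-line) SMTP reply; b'' if the server stays silent."""
    buf = b""
    while True:
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            break
        if not chunk:
            break
        buf += chunk
        lines = buf.split(b"\r\n")
        if buf.endswith(b"\r\n") and lines[-2][3:4] == b" ":
            break  # "NNN " (space after the code) marks the final line
    return buf

def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Return 'starttls', 'plaintext-only', 'implicit-tls', ... for host:port."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        kind = classify_first_bytes(read_reply(sock))
        if kind == "smtp-plaintext":
            sock.sendall(b"EHLO probe.example.test\r\n")
            reply = read_reply(sock).decode("ascii", "replace")
            return "starttls" if ehlo_offers_starttls(reply) else "plaintext-only"
        if kind != "silent":
            return "unknown"
    # Nothing arrived in plain text: retry with TLS from the first byte.
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                banner = tls.recv(512)
                ok = classify_first_bytes(banner) == "smtp-plaintext"
                return "implicit-tls" if ok else "unknown"
    except ssl.SSLCertVerificationError:
        return "implicit-tls-untrusted-cert"
    except (ssl.SSLError, OSError):
        return "unknown"

if __name__ == "__main__" and len(sys.argv) == 3:
    result = probe(sys.argv[1], int(sys.argv[2]))
    print(result, "->", POSTFIX_HINT.get(result, "no TLS setting applies"))
```

Run it as `python3 probe.py <relay host> <port>` against your own relay host; a port that answers `starttls` needs wrapper mode off, one that answers `implicit-tls` needs it on.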
On 20/09/2018 15.13, Per Jessen wrote:
Carlos E. R. wrote:
On 20/09/2018 11.39, Per Jessen wrote:
Carlos E. R. wrote:
On 20/09/2018 10.28, Per Jessen wrote:
Okay, I'm surprised [Telefonica] doesn't block that. It's usually the very first anti-spam measure access providers use.
Well, that's the thing, they don't block any port that I know. You may be able to browse windows computers shares across internet here. I remember that I got such attempts when I was using a modem, not a router with NAT.
I have not heard of anyone blocking outbound traffic on anything but port 25.
And I like they don't block anything! I find disgusting that Bell is blocking my access to Telefonica. If someone is using the net to spam, kill that person full access, not everybody access to some port.
It is simple, if someone uses port 25, investigate.
A waste of time and effort. It is even simpler, block 25, let everyone use 587, as it was always intended. Port 25 is for MTA-to-MTA transfers.
I find blocking 25 intrusive on my freedom.
I expect the provider's answer to your complaint will be "you're free to vote with your feet".
Well, I prefer Telefónica's method of not blocking anything. My complaint would be towards Bell, but I'm not their client. If I were to reside here I would try to seek a better provider. And I have asked Telefónica to implement submission support. I also find Bell's service very expensive compared to Telefónica. Other providers here are similarly expensive. USA gets better pricing, I'm told. My host is paying more than 130(?) CAN for an ADSL, no TV. For a similar price in Spain I get fibre, phone, TV, Internet (300Mb/S), and mobile. Unlimited calls, flat rate, mostly. It is also about impossible to purchase non-blocked mobile phones here, except on Amazon or similar. -- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
On 09/20/2018 09:16 PM, Carlos E. R. wrote:
It is also about impossible to purchase non-blocked mobile phones here, except on Amazon or similar.
???? IIRC, phones are no longer locked here. And some, such as iPhones and phones from Google have never been locked. I currently have a Google Pixel 2 and previously used a Nexus 1. Neither were locked. However, I'm on Rogers, not Bell. Also, under a recent law, phones are supposed to be unlocked.
On 20/09/2018 21.23, James Knott wrote:
On 09/20/2018 09:16 PM, Carlos E. R. wrote:
It is also about impossible to purchase non-blocked mobile phones here, except on Amazon or similar.
????
IIRC, phones are no longer locked here. And some, such as iPhones and phones from Google have never been locked. I currently have a Google Pixel 2 and previously used a Nexus 1. Neither were locked. However, I'm on Rogers, not Bell. Also, under a recent law, phones are supposed to be unlocked.
All the mobile phones I have seen in several shops (Ottawa) are tied to a plan with some provider: Koodo, Rogers, Bell, etc. At the last place (Walmart) there were just three ancient or mid-range free models. The dealer said there was more money to obtain on the locked phones. At some other place the dealer said that unlocking is forbidden, but that some shops do it. For example, I have a Motorola G6 plus (bought in Spain), that I find a very good mid-range phone (Android 8 and 64 GB internal space). An analysis site agrees with me in a recent article. I looked at the motorola.ca site (https://www.motorola.ca/products/moto-g-gen-6): they do not offer the "plus" version, and when asked where to purchase it, they send me to Videotron, which is a Quebec ISP, I understand. Not a free phone (and I will not recommend an international version to a local). What? :-o Motorola not offering to sell a free phone, and no direct (online) purchases either? So my two friends finally purchased two Samsung Galaxy A8 on two plans. Best they could do under the circumstances, I believe. But we are going OT, I'm afraid O:-) -- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
On 2018-09-20 9:16 p.m., Carlos E. R. wrote:
Carlos E. R. wrote:
On 20/09/2018 11.39, Per Jessen wrote:
Carlos E. R. wrote:
On 20/09/2018 10.28, Per Jessen wrote:
Okay, I'm surprised [Telefonica] doesn't block that. It's usually the very first anti-spam measure access providers use.
Well, that's the thing, they don't block any port that I know. You may be able to browse windows computers shares across internet here. I remember that I got such attempts when I was using a modem, not a router with NAT.
I have not heard of anyone blocking outbound traffic on anything but port 25.
And I like they don't block anything! I find disgusting that Bell is blocking my access to Telefonica. If someone is using the net to spam, kill that person full access, not everybody access to some port.
It is simple, if someone uses port 25, investigate. A waste of time and effort. It is even simpler, block 25, let everyone use 587, as it was always intended. Port 25 is for MTA-to-MTA transfers. I find blocking 25 intrusive on my freedom.
Tough! Port 25 is unencrypted, unverified SMTP, aka free for anyone to use, including hackers, spammer broadcasters and scam artists who use it as an open relay. That is why port 465 & SSL/TLS are used, and why many ISPs also restrict, in various ways, access to known customers. OBTW: I would not say "always" as in 'always intended'. Originally back at the beginning of the 1980s when this was DARPANET and all nodes were trusted and RFC821 was current then port 25 was used. Then the Internet went commercial and some 'commercial interests' began abusing email: spam and other nasties. Discontinuing the use of port 25 and open relays was the response to that abuse. -- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
On 20/09/2018 22.59, Anton Aylward wrote:
On 2018-09-20 9:16 p.m., Carlos E. R. wrote:
Carlos E. R. wrote:
On 20/09/2018 11.39, Per Jessen wrote:
Carlos E. R. wrote:
On 20/09/2018 10.28, Per Jessen wrote:
Okay, I'm surprised [Telefonica] doesn't block that. It's usually the very first anti-spam measure access providers use.
Well, that's the thing, they don't block any port that I know. You may be able to browse windows computers shares across internet here. I remember that I got such attempts when I was using a modem, not a router with NAT.
I have not heard of anyone blocking outbound traffic on anything but port 25.
And I like they don't block anything! I find disgusting that Bell is blocking my access to Telefonica. If someone is using the net to spam, kill that person full access, not everybody access to some port.
It is simple, if someone uses port 25, investigate. A waste of time and effort. It is even simpler, block 25, let everyone use 587, as it was always intended. Port 25 is for MTA-to-MTA transfers. I find blocking 25 intrusive on my freedom.
Tough! Port 25 is unencrypted, unverified SMTP, aka free for anyone to use, including hackers, spammer broadcasters and scam artists who use it as an open relay. That is why port 465 & SSL/TLS are used, and why many ISPs also restrict, in various ways, access to known customers.
Again, not true! Port 25 uses TLS if available. See my logs posted earlier. I repost: <2.6> 2018-07-15 23:12:30 Legolas postfix 32003 - - Anonymous TLS connection established to smtp.telefonica.net[86.109.99.70]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits) And you could set postfix to always demand TLS. Using port 25 as open relay is not related to it being 25, but to the daemon being set as an open relay! In order for me to send an email via port 25 to anybody that is not also on that machine, all my mail providers require that I identify with login and password! Thus I do not see any advantage on the submission ports over the 25 port. Both are encrypted, both are not open relays, both are safe! The reasons are others. For instance, they decided to block 25 because many bad admins had set open relays, and then they had to create a new service on another different port to allow people to send email... Maybe. That's my tentative interpretation. The only case in which using the smtp port does not require authentication, per the rules, is that the destination resides on that server. For example, sending to anton@anton.org should be done directly to port 25 on machine anton.org, which would probably want other verifications (like a fixed IP and a proper domain), but never login/pass. Probably sloppy admins could set open relays using the 465 port. Probably mail server software do not come with that port open and set as open relay, but I don't see why they could not do it if wished... Then what, also block 465? -- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
Carlos E. R. wrote:
On 20/09/2018 22.59, Anton Aylward wrote:
On 2018-09-20 9:16 p.m., Carlos E. R. wrote:
Carlos E. R. wrote:
On 20/09/2018 11.39, Per Jessen wrote:
Carlos E. R. wrote:
On 20/09/2018 10.28, Per Jessen wrote:
Okay, I'm surprised [Telefonica] doesn't block that. It's usually the very first anti-spam measure access providers use.
Well, that's the thing, they don't block any port that I know. You may be able to browse windows computers shares across internet here. I remember that I got such attempts when I was using a modem, not a router with NAT.
I have not heard of anyone blocking outbound traffic on anything but port 25.
And I like they don't block anything! I find disgusting that Bell is blocking my access to Telefonica. If someone is using the net to spam, kill that person full access, not everybody access to some port.
It is simple, if someone uses port 25, investigate. A waste of time and effort. It is even simpler, block 25, let everyone use 587, as it was always intended. Port 25 is for MTA-to-MTA transfers. I find blocking 25 intrusive on my freedom.
Tough! Port 25 is unencrypted, unverified SMTP, aka free for anyone to use, including hackers, spammer broadcasters and scam artists who use it as an open relay. That is why port 465 & SSL/TLS are used, and why many ISPs also restrict, in various ways, access to known customers.
Again, not true!
Well, people should stop thinking that a port number has any strict tie-in with encryption. It's just TCP/IP. Some port numbers have implicit encryption and every port number has optional encryption, period.
Using port 25 as open relay is not related to it being 25, but to the daemon being set as an open relay! In order for me to send an email via port 25 to anybody that is not also on that machine, all my mail providers require that I identify with login and password!
Thus I do not see any advantage on the submission ports over the 25 port. Both are encrypted, both are not open relays, both are safe!
It's not really about any _advantage_ of one port over another, it's about standards compliance. Port 587 and 465 are standardized for email submission, port 25 is standardized for email exchange. You can do either over any other port, of course.
The reasons are others.
For instance, they decided to block 25 because many bad admins had set open relays, and then they had to create a new service on another different port to allow people to send email... Maybe. That's my tentative interpretation.
The 'open relay' story is long gone, default setups have improved, mail admins have smartened up. Projects such as SORBS have closed up shop, they are not needed. When an access provider blocks outgoing port 25, he prevents all his customers talking directly to any and all mail servers out there. This prevents hijacked PCs bombarding other mailservers and it prevents the access provider getting blacklisted left, right and centre.
The only case in which using the smtp port does not require authentication, per the rules, is that the destination resides on that server.
Which rules are you referring to here? When other mailservers deliver mails to my customers, they talk to 'inbound.example.com', without authentication. We filter the emails and pass the clean ones to our customers. This is a widespread practice in my business. -- Per Jessen, Zürich (18.1°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On 2018-09-21 2:40 a.m., Per Jessen wrote:
Tough! Port 25 is unencrypted, unverified SMTP, aka free for anyone to use, including hackers, spammer broadcasters and scam artists who use it as an open relay. That is why port 465 & SSL/TLS are used, and why many ISPs also restrict, in various ways, access to known customers.
Again, not true!
Well, people should stop thinking that a port number has any strict tie-in with encryption. It's just TCP/IP. Some port numbers have implicit encryption and every port number has optional encryption, period.
*sigh* yes, you can configure Postfix to listen on any port and use any port on a remote site via the Transport table. But just because you CAN doesn't mean you SHOULD.
It's not really about any _advantage_ of one port over another, it's about standards compliance.
And convention.
Port 587 and 465 are standardized
The whole RFC thing is a set of ongoing conventions, much of it came about by experiment. Along the way there were a few people trying to force their own proprietary 'standards' on the community, rather than 'convention'. "Standards" emerge because they work for the community and are accepted. This is an ongoing process. Of course there are always mavericks ...
for email submission, port 25 is standardized for email exchange. You can do either over any other port, of course.
The whole point of things like Postfix's transport table is that it is not just port 25 for email EXCHANGE. While restricting an ISP's clients so that rogues cannot get past the firewall's restriction on using port 25 either at the ISP or past it, ISPs also need to do proper certified identification and authentication *between themselves*. Hence TLS and certificates and X.509 etc etc. BY CONVENTION, port 25 is not encrypted and so it is not used for this. And it is not just email in its various forms that uses TLS/X.509 for identification and authentication:
https 443/tcp # http protocol over TLS/SSL [Kipp_E_B_Hickman]
nntps 563/tcp # nntp protocol over TLS/SSL
ldaps 636/tcp # ldap protocol over TLS/SSL
domain-s 853/tcp # DNS query-response protocol run over TLS/DTLS
ftps-data 989/tcp # ftp protocol, data, over TLS/SSL
ftps 990/tcp # ftp protocol, control, over TLS/SSL
telnets 992/tcp # telnet protocol over TLS/SSL
tftps 3713/tcp # TFTP over TLS
syslog-tls 6514/tcp # Syslog over TLS [RFC5425]
ircs-u 6697/tcp # Internet Relay Chat via TLS/SSL [RFC7194]
davsrcs 9802/tcp # WebDAV Source TLS/SSL [Rob_Isaac]
snmptls 10161/tcp # SNMP-TLS [RFC6353]
snmptls-trap 10162/tcp # SNMP-Trap-TLS [RFC6353]
heads up! How many sites do you access that use HTTP rather than HTTPS? Would you fill in a form, registration, submit password or make payment via one of the former rather than the latter? -- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
Anton Aylward wrote:
It's not really about any _advantage_ of one port over another, it's about standards compliance.
And convention.
Right.
The whole point of things like Postfix's transport table is that it is not just port 25 for email EXCHANGE.
Which other port does your mailserver use for email exchange, Anton? (ignore uucp).
While restricting an ISP's clients so that rogues cannot get past the firewall's restriction on using port 25 either at the ISP or past it, ISPs also need to do proper certified identification and authentication *between themselves*. Hence TLS and certificates and X.509 etc etc. BY CONVENTION, port 25 is not encrypted and so it is not used for this.
Uh, I wouldn't say so. It is perfectly normal for a receiving mail server to offer or even require encryption (TLS) on port 25. Just as it is perfectly normal for a sending server to accept the offer of encryption. More and more encryption turning up for smtp. We offer optional TLS on inbound traffic. A quick check of today's logs shows more than 17000 unique clients using TLS when delivering inbound.
heads up! How many sites do you access that use HTTP rather than HTTPS?
Plenty. Still the vast majority I would say. Letsencrypt is beginning to have an impact, but still very slowly.
Would you fill in a form, registration, submit password or make payment via one of the former rather than the latter?
Of course not. -- Per Jessen, Zürich (22.7°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On 21/09/2018 10.25, Anton Aylward wrote:
On 2018-09-21 2:40 a.m., Per Jessen wrote:
The whole point of things like Postfix's transport table is that it is not just port 25 for email EXCHANGE. While restricting an ISP's clients so that rogues cannot get past the firewall's restriction on using port 25 either at the ISP or past it, ISPs also need to do proper certified identification and authentication *between themselves*. Hence TLS and certificates and X.509 etc etc. BY CONVENTION, port 25 is not encrypted and so it is not used for this.
No; port 25 must also be used with encryption. Google (gmail) I suspect does not allow talking on :25 without encryption, or the email can be easily read on transit. -- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
Carlos E. R. wrote:
On 21/09/2018 10.25, Anton Aylward wrote:
On 2018-09-21 2:40 a.m., Per Jessen wrote:
The whole point of things like Postfix's transport table is that it is not just port 25 for email EXCHANGE. While restricting an ISP's clients so that rogues cannot get past the firewall's restriction on using port 25 either at the ISP or past it, ISPs also need to do proper certified identification and authentication *between themselves*. Hence TLS and certificates and X.509 etc etc. BY CONVENTION, port 25 is not encrypted and so it is not used for this.
No; port 25 must also be used with encryption.
You mean "encryption may also be used on port 25".
Google (gmail) I suspect does not allow talking on :25 without encryption, or the email can be easily read on transit.
No, Google does not require TLS. -- Per Jessen, Zürich (18.9°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On 09/21/2018 01:38 PM, Per Jessen wrote:
Google (gmail) I suspect does not allow talking on :25 without encryption, or the email can be easily read on transit. No, Google does not require TLS.
Actually, it does. I just tried setting my smtp server to port 25 & no security. I got this error message:

An error occurred while sending mail. The mail server responded: 5.7.0 Must issue a STARTTLS command first. i26-v6sm9327158ioj.33 - gsmtp. Please verify that your email address is correct in your account settings and try again.

So, it would appear STARTTLS is mandatory, so that encryption can be used. I also seem to recall Google saying SSL/TLS would be required to connect to their servers. They are heavily promoting encryption in general, even preferring https sites to http in web searches.
On 21/09/2018 13.48, James Knott wrote:
On 09/21/2018 01:38 PM, Per Jessen wrote:
Google (gmail) I suspect does not allow talking on :25 without encryption, or the email can be easily read on transit. No, Google does not require TLS.
Actually, it does. I just tried setting my smtp server to port 25 & no security. I got this error message:
An error occurred while sending mail. The mail server responded: 5.7.0 Must issue a STARTTLS command first. i26-v6sm9327158ioj.33 - gsmtp. Please verify that your email address is correct in your account settings and try again.
So, it would appear STARTTLS is mandatory, so that encryption can be used. I also seem to recall Google saying SSL/TLS would be required to connect to their servers. They are heavily promoting encryption in general, even preferring https sites to http in web searches.
Yep :-) -- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
Carlos E. R. wrote:
On 21/09/2018 13.48, James Knott wrote:
On 09/21/2018 01:38 PM, Per Jessen wrote:
Google (gmail) I suspect does not allow talking on :25 without encryption, or the email can be easily read on transit. No, Google does not require TLS.
Actually, it does. I just tried setting my smtp server to port 25 & no security. I got this error message:
An error occurred while sending mail. The mail server responded: 5.7.0 Must issue a STARTTLS command first. i26-v6sm9327158ioj.33 - gsmtp. Please verify that your email address is correct in your account settings and try again.
So, it would appear STARTTLS is mandatory, so that encryption can be used. I also seem to recall Google saying SSL/TLS would be required to connect to their servers. They are heavily promoting encryption in general, even preferring https sites to http in web searches.
Yep :-)
Okay, let me post some output so you can both see:

per@io64:~/Documents> dig gmail.com mx

; <<>> DiG 9.4.1-P1 <<>> gmail.com mx
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43936
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 4, ADDITIONAL: 8

;; QUESTION SECTION:
;gmail.com. IN MX

;; ANSWER SECTION:
gmail.com. 3600 IN MX 5 gmail-smtp-in.l.google.com.
gmail.com. 3600 IN MX 10 alt1.gmail-smtp-in.l.google.com.
gmail.com. 3600 IN MX 20 alt2.gmail-smtp-in.l.google.com.
gmail.com. 3600 IN MX 30 alt3.gmail-smtp-in.l.google.com.
gmail.com. 3600 IN MX 40 alt4.gmail-smtp-in.l.google.com.

per@io64:~/Documents> host gmail-smtp-in.l.google.com.
gmail-smtp-in.l.google.com has address 173.194.79.27
gmail-smtp-in.l.google.com has IPv6 address 2a00:1450:4013:c05::1a

per@io64:~/Documents> telnet 173.194.79.27 25
Trying 173.194.79.27...
Connected to 173.194.79.27.
Escape character is '^]'.
220 mx.google.com ESMTP x2-v6si4659966edq.366 - gsmtp
EHLO klop99.example.com
250-mx.google.com at your service, [185.85.248.1]
250-SIZE 157286400
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250 SMTPUTF8
MAIL FROM: <per@jessen.ch>
250 2.1.0 OK x2-v6si4659966edq.366 - gsmtp
RCPT TO: <pjessen55@gmail.com>
250 2.1.5 OK x2-v6si4659966edq.366 - gsmtp
DATA
354 Go ahead x2-v6si4659966edq.366 - gsmtp
From: per@jessen.ch
To: pjessen55@gmail.com
Subject: testing 6667
.
250 2.0.0 OK 1537551453 x2-v6si4659966edq.366 - gsmtp
quit
221 2.0.0 closing connection x2-v6si4659966edq.366 - gsmtp
Connection closed by foreign host.

-- Per Jessen, Zürich (15.2°C) http://www.dns24.ch/ - your free DNS host, made in Switzerland.
On 09/21/2018 02:54 PM, Per Jessen wrote:
MAIL FROM: <per@jessen.ch> 250 2.1.0 OK x2-v6si4659966edq.366 - gsmtp
I get

MAIL FROM: jknott@jknott.net
530 5.7.0 Must issue a STARTTLS command first. y25-v6sm2342232ita.3 - gsmtp

So, I can't send on port 25 without TLS.
James Knott wrote:
On 09/21/2018 02:54 PM, Per Jessen wrote:
MAIL FROM: <per@jessen.ch> 250 2.1.0 OK x2-v6si4659966edq.366 - gsmtp
I get
MAIL FROM: jknott@jknott.net 530 5.7.0 Must issue a STARTTLS command first. y25-v6sm2342232ita.3 - gsmtp
So, I can't send on port 25 without TLS.
Which address did you use? Do a lookup of the MXes for gmail.com and post it here, please. -- Per Jessen, Zürich (14.9°C) http://www.cloudsuisse.com/ - your owncloud, hosted in Switzerland.
On 09/21/2018 03:45 PM, Per Jessen wrote:
James Knott wrote:
On 09/21/2018 02:54 PM, Per Jessen wrote:
MAIL FROM: <per@jessen.ch> 250 2.1.0 OK x2-v6si4659966edq.366 - gsmtp I get
MAIL FROM: jknott@jknott.net 530 5.7.0 Must issue a STARTTLS command first. y25-v6sm2342232ita.3 - gsmtp
So, I can't send on port 25 without TLS. Which address did you use?
Do a lookup of the MXes for gmail.com and post it here, please.
I used both smtp.gmail.com and smtp.googlemail.com, not the MX addresses. When I try an MX address, such as 173.194.218.27, I can't connect at all.
James Knott wrote:
On 09/21/2018 03:45 PM, Per Jessen wrote:
James Knott wrote:
On 09/21/2018 02:54 PM, Per Jessen wrote:
MAIL FROM: <per@jessen.ch> 250 2.1.0 OK x2-v6si4659966edq.366 - gsmtp I get
MAIL FROM: jknott@jknott.net 530 5.7.0 Must issue a STARTTLS command first. y25-v6sm2342232ita.3 - gsmtp
So, I can't send on port 25 without TLS. Which address did you use?
Do a lookup of the MXes for gmail.com and post it here, please.
I used both smtp.gmail.com and smtp.googlemail.com, not the MX addresses. When I try an MX address, such as 173.194.218.27, I can't connect at all.
Do a lookup of the MXes for gmail.com and post it here, please. It would be interesting to see if Google uses location-dependent servers/addresses. -- Per Jessen, Zürich (14.2°C) http://www.dns24.ch/ - your free DNS host, made in Switzerland.
On 09/21/2018 04:49 PM, Per Jessen wrote:
I used both smtp.gmail.com and smtp.googlemail.com, not the MX addresses. When I try an MX address, such as 173.194.218.27, I can't connect at all. Do a lookup of the MXes for gmail.com and post it here, please. It would be interesting to see if Google uses location-dependent servers/addresses.
$ host googlemail.com
googlemail.com has address 172.217.2.165
googlemail.com has IPv6 address 2607:f8b0:400b:80d::2005
googlemail.com mail is handled by 10 alt1.gmail-smtp-in.l.google.com.
googlemail.com mail is handled by 20 alt2.gmail-smtp-in.l.google.com.
googlemail.com mail is handled by 40 alt4.gmail-smtp-in.l.google.com.
googlemail.com mail is handled by 5 gmail-smtp-in.l.google.com.
googlemail.com mail is handled by 30 alt3.gmail-smtp-in.l.google.com.

When I try 172.217.2.165, I get:

$ telnet 172.217.2.165 25
Trying 172.217.2.165...

and no connection. I have tried other MX addresses with the same result.
James Knott wrote:
On 09/21/2018 04:49 PM, Per Jessen wrote:
I used both smtp.gmail.com and smtp.googlemail.com, not the MX addresses. When I try an MX address, such as 173.194.218.27, I can't connect at all. Do a lookup of the MXes for gmail.com and post it here, please. It would be interesting to see if Google uses location-dependent servers/addresses.
$ host googlemail.com
gmail.com ? -- Per Jessen, Zürich (13.9°C) http://www.cloudsuisse.com/ - your owncloud, hosted in Switzerland.
On 09/21/2018 05:00 PM, Per Jessen wrote:
$ host googlemail.com gmail.com ?
Both resolve to the same IP addresses.
James Knott wrote:
On 09/21/2018 05:00 PM, Per Jessen wrote:
$ host googlemail.com gmail.com ?
Both resolve to the same IP addresses.
per@io64:~/Documents> host googlemail.com
googlemail.com has address 172.217.168.69
googlemail.com has IPv6 address 2a00:1450:400a:803::2005
googlemail.com mail is handled by 10 alt1.gmail-smtp-in.l.google.com.
googlemail.com mail is handled by 20 alt2.gmail-smtp-in.l.google.com.
googlemail.com mail is handled by 30 alt3.gmail-smtp-in.l.google.com.
googlemail.com mail is handled by 40 alt4.gmail-smtp-in.l.google.com.
googlemail.com mail is handled by 5 gmail-smtp-in.l.google.com.

From here,

per@io64:~/Documents> host gmail-smtp-in.l.google.com
gmail-smtp-in.l.google.com has address 74.125.143.27
gmail-smtp-in.l.google.com has IPv6 address 2a00:1450:4013:c03::1b

-- Per Jessen, Zürich (13.8°C) http://www.cloudsuisse.com/ - your owncloud, hosted in Switzerland.
On 09/21/2018 05:12 PM, Per Jessen wrote:
per@io64:~/Documents> host googlemail.com googlemail.com has address 172.217.168.69 googlemail.com has IPv6 address 2a00:1450:400a:803::2005
That one is in the same range as the one I got, but no doubt Google has more than one server. One crude method of load balancing is to have the DNS server hand out different IPs, for the various servers. However, I see the IPv6 address is the same. IPv6 supports anycast, which can be used for load balancing.
On 2018-09-21 2:54 p.m., Per Jessen wrote:
Carlos E. R. wrote:
On 21/09/2018 13.48, James Knott wrote:
On 09/21/2018 01:38 PM, Per Jessen wrote:
Google (gmail) I suspect does not allow talking on :25 without encryption, or the email can be easily read on transit. No, Google does not require TLS.
Actually, it does. I just tried setting my smtp server to port 25 & no security. I got this error message:
An error occurred while sending mail. The mail server responded: 5.7.0 Must issue a STARTTLS command first. i26-v6sm9327158ioj.33 - gsmtp. Please verify that your email address is correct in your account settings and try again.
So, it would appear STARTTLS is mandatory, so that encryption can be used. I also seem to recall Google saying SSL/TLS would be required to connect to their servers. They are heavily promoting encryption in general, even preferring https sites to http in web searches.
Yep :-)
Okay, let me post some output so you can both see:
per@io64:~/Documents> dig gmail.com mx
; <<>> DiG 9.4.1-P1 <<>> gmail.com mx ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43936 ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 4, ADDITIONAL: 8
;; QUESTION SECTION: ;gmail.com. IN MX
;; ANSWER SECTION: gmail.com. 3600 IN MX 5 gmail-smtp-in.l.google.com.
Hmm. My setup uses smtp.gmail.com which DNS resolves to gmail-smtp-msa.l.google.com (173.194.197.108) And I use port 465 with OAuth and SSL/TLS
per@io64:~/Documents> host gmail-smtp-in.l.google.com. gmail-smtp-in.l.google.com has address 173.194.79.27
per@io64:~/Documents> telnet 173.194.79.27 25 Trying 173.194.79.27... Connected to 173.194.79.27. Escape character is '^]'. 220 mx.google.com ESMTP x2-v6si4659966edq.366 - gsmtp EHLO klop99.example.com 250-mx.google.com at your service, [185.85.248.1] 250-SIZE 157286400 250-8BITMIME 250-STARTTLS 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-CHUNKING 250 SMTPUTF8
# telnet 173.194.197.108 25
Trying 173.194.197.108...
Connected to 173.194.197.108.
Escape character is '^]'.
220 smtp.gmail.com ESMTP i129-v6sm3101801ita.12 - gsmtp
EHLO antonaylward.com
250-smtp.gmail.com at your service, [104.234.132.2]
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250 SMTPUTF8
MAIL FROM: <anton@antonaylward.com>
530 5.7.0 Must issue a STARTTLS command first. i129-v6sm3101801ita.12 - gsmtp
MAIL FROM: <per@jessen.ch> 250 2.1.0 OK x2-v6si4659966edq.366 - gsmtp
--
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?
Anton Aylward wrote:
On 2018-09-21 2:54 p.m., Per Jessen wrote:
Okay, let me post some output so you can both see:
per@io64:~/Documents> dig gmail.com mx
; <<>> DiG 9.4.1-P1 <<>> gmail.com mx ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43936 ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 4, ADDITIONAL: 8
;; QUESTION SECTION: ;gmail.com. IN MX
;; ANSWER SECTION: gmail.com. 3600 IN MX 5 gmail-smtp-in.l.google.com.
Hmm. My setup uses smtp.gmail.com
Because you are talking about submission, not exchange or transfer. -- Per Jessen, Zürich (19.0°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On Fri, 21 Sep 2018 20:54:52 +0200 Per Jessen <per@computer.org> wrote:
Okay, let me post some output so you can both see:
per@io64:~/Documents> host gmail-smtp-in.l.google.com. gmail-smtp-in.l.google.com has address 173.194.79.27 gmail-smtp-in.l.google.com has IPv6 address 2a00:1450:4013:c05::1a
per@io64:~/Documents> telnet 173.194.79.27 25 Trying 173.194.79.27... Connected to 173.194.79.27. Escape character is '^]'. 220 mx.google.com ESMTP x2-v6si4659966edq.366 - gsmtp EHLO klop99.example.com 250-mx.google.com at your service, [185.85.248.1] 250-SIZE 157286400 250-8BITMIME 250-STARTTLS 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-CHUNKING 250 SMTPUTF8 MAIL FROM: <per@jessen.ch> 250 2.1.0 OK x2-v6si4659966edq.366 - gsmtp RCPT TO: <pjessen55@gmail.com> 250 2.1.5 OK x2-v6si4659966edq.366 - gsmtp DATA 354 Go ahead x2-v6si4659966edq.366 - gsmtp From: per@jessen.ch To: pjessen55@gmail.com Subject: testing 6667
. 250 2.0.0 OK 1537551453 x2-v6si4659966edq.366 - gsmtp quit 221 2.0.0 closing connection x2-v6si4659966edq.366 - gsmtp Connection closed by foreign host.
Sorry, I've lost track of where exactly in the thread we are now, but this is a good one to reply to. From here in the UK:

$ host googlemail.com
googlemail.com has address 216.58.204.69
googlemail.com has IPv6 address 2a00:1450:4009:80c::2005
googlemail.com mail is handled by 30 alt3.gmail-smtp-in.l.google.com.
googlemail.com mail is handled by 40 alt4.gmail-smtp-in.l.google.com.
googlemail.com mail is handled by 5 gmail-smtp-in.l.google.com.
googlemail.com mail is handled by 10 alt1.gmail-smtp-in.l.google.com.
googlemail.com mail is handled by 20 alt2.gmail-smtp-in.l.google.com.

so we start off with a different address for googlemail. :)

$ host gmail.com
gmail.com has address 216.58.198.165
gmail.com has IPv6 address 2a00:1450:4009:80c::2005
gmail.com mail is handled by 20 alt2.gmail-smtp-in.l.google.com.
gmail.com mail is handled by 30 alt3.gmail-smtp-in.l.google.com.
gmail.com mail is handled by 40 alt4.gmail-smtp-in.l.google.com.
gmail.com mail is handled by 5 gmail-smtp-in.l.google.com.
gmail.com mail is handled by 10 alt1.gmail-smtp-in.l.google.com.

gmail has the same different address

$ telnet gmail-smtp-in.l.google.com 25
Trying 173.194.76.27...
Connected to gmail-smtp-in.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP l1-v6si122118wra.6 - gsmtp
EHLO howorth.org.uk
250-mx.google.com at your service, [88.97.62.77]
250-SIZE 157286400
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250 SMTPUTF8
MAIL FROM: <dave@howorth.org.uk>
250 2.1.0 OK l1-v6si122118wra.6 - gsmtp
RCPT TO: <pjessen55@gmail.com>
250 2.1.5 OK l1-v6si122118wra.6 - gsmtp
DATA
354 Go ahead l1-v6si122118wra.6 - gsmtp
From: dave@howorth.org.uk
To: pjessen55@gmail.com
Subject: testing
sorry I don't have a gmailaddress :)
.
250 2.0.0 OK 1537608788 l1-v6si122118wra.6 - gsmtp
quit
221 2.0.0 closing connection l1-v6si122118wra.6 - gsmtp
Connection closed by foreign host.

And I get to telnet to a different host as well, but it seems to behave like Per's one, not like the North American one(s). Or maybe it knows that Per and my domains are run by fine upstanding people who don't send spam? :) So trusts us to send plaintext.
On 22/09/2018 05.46, Dave Howorth wrote:
On Fri, 21 Sep 2018 20:54:52 +0200 Per Jessen <per@computer.org> wrote:
Okay, let me post some output so you can both see:
per@io64:~/Documents> host gmail-smtp-in.l.google.com. gmail-smtp-in.l.google.com has address 173.194.79.27 gmail-smtp-in.l.google.com has IPv6 address 2a00:1450:4013:c05::1a
per@io64:~/Documents> telnet 173.194.79.27 25 Trying 173.194.79.27... Connected to 173.194.79.27. Escape character is '^]'. 220 mx.google.com ESMTP x2-v6si4659966edq.366 - gsmtp EHLO klop99.example.com 250-mx.google.com at your service, [185.85.248.1] 250-SIZE 157286400 250-8BITMIME 250-STARTTLS 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-CHUNKING 250 SMTPUTF8 MAIL FROM: <per@jessen.ch> 250 2.1.0 OK x2-v6si4659966edq.366 - gsmtp RCPT TO: <pjessen55@gmail.com> 250 2.1.5 OK x2-v6si4659966edq.366 - gsmtp DATA 354 Go ahead x2-v6si4659966edq.366 - gsmtp From: per@jessen.ch To: pjessen55@gmail.com Subject: testing 6667
. 250 2.0.0 OK 1537551453 x2-v6si4659966edq.366 - gsmtp quit 221 2.0.0 closing connection x2-v6si4659966edq.366 - gsmtp Connection closed by foreign host.
Sorry, I've lost track of where exactly in the thread we are now, but this is a good one to reply to. From here in the UK:
$ host googlemail.com googlemail.com has address 216.58.204.69 googlemail.com has IPv6 address 2a00:1450:4009:80c::2005 googlemail.com mail is handled by 30 alt3.gmail-smtp-in.l.google.com. googlemail.com mail is handled by 40 alt4.gmail-smtp-in.l.google.com. googlemail.com mail is handled by 5 gmail-smtp-in.l.google.com. googlemail.com mail is handled by 10 alt1.gmail-smtp-in.l.google.com. googlemail.com mail is handled by 20 alt2.gmail-smtp-in.l.google.com.
so we start off with a different address for googlemail. :)
From Spain:

cer@Isengard:~> host googlemail.com
googlemail.com has address 172.217.168.165
googlemail.com has IPv6 address 2a00:1450:4003:80b::2005
googlemail.com mail is handled by 30 alt3.gmail-smtp-in.l.google.com.
googlemail.com mail is handled by 40 alt4.gmail-smtp-in.l.google.com.
googlemail.com mail is handled by 5 gmail-smtp-in.l.google.com.
googlemail.com mail is handled by 10 alt1.gmail-smtp-in.l.google.com.
googlemail.com mail is handled by 20 alt2.gmail-smtp-in.l.google.com.
cer@Isengard:~>
$ host gmail.com gmail.com has address 216.58.198.165 gmail.com has IPv6 address 2a00:1450:4009:80c::2005 gmail.com mail is handled by 20 alt2.gmail-smtp-in.l.google.com. gmail.com mail is handled by 30 alt3.gmail-smtp-in.l.google.com. gmail.com mail is handled by 40 alt4.gmail-smtp-in.l.google.com. gmail.com mail is handled by 5 gmail-smtp-in.l.google.com. gmail.com mail is handled by 10 alt1.gmail-smtp-in.l.google.com.
gmail has the same different address
cer@Isengard:~> host gmail.com
gmail.com has address 172.217.16.229
gmail.com has IPv6 address 2a00:1450:4003:802::2005
gmail.com mail is handled by 10 alt1.gmail-smtp-in.l.google.com.
gmail.com mail is handled by 5 gmail-smtp-in.l.google.com.
gmail.com mail is handled by 30 alt3.gmail-smtp-in.l.google.com.
gmail.com mail is handled by 40 alt4.gmail-smtp-in.l.google.com.
gmail.com mail is handled by 20 alt2.gmail-smtp-in.l.google.com.
cer@Isengard:~>
$ telnet gmail-smtp-in.l.google.com 25 Trying 173.194.76.27... Connected to gmail-smtp-in.l.google.com. Escape character is '^]'. 220 mx.google.com ESMTP l1-v6si122118wra.6 - gsmtp EHLO howorth.org.uk 250-mx.google.com at your service, [88.97.62.77] 250-SIZE 157286400 250-8BITMIME 250-STARTTLS 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-CHUNKING 250 SMTPUTF8 MAIL FROM: <dave@howorth.org.uk> 250 2.1.0 OK l1-v6si122118wra.6 - gsmtp RCPT TO: <pjessen55@gmail.com> 250 2.1.5 OK l1-v6si122118wra.6 - gsmtp DATA 354 Go ahead l1-v6si122118wra.6 - gsmtp From: dave@howorth.org.uk To: pjessen55@gmail.com Subject: testing sorry I don't have a gmailaddress :) . 250 2.0.0 OK 1537608788 l1-v6si122118wra.6 - gsmtp quit 221 2.0.0 closing connection l1-v6si122118wra.6 - gsmtp Connection closed by foreign host.
MAIL FROM: robin.listas@telefonica.net
RCPT TO: pjessen55@gmail.com
DATA
subject: hello test
test
.

cer@Isengard:~> telnet gmail-smtp-in.l.google.com 25
Trying 64.233.166.27...
Connected to gmail-smtp-in.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP n81-v6si8524156wma.25 - gsmtp
MAIL FROM: robin.listas@telefonica.net
503 5.5.1 EHLO/HELO first. n81-v6si8524156wma.25 - gsmtp
RCPT TO: pjessen55@gmail.com
503 5.5.1 EHLO/HELO first. n81-v6si8524156wma.25 - gsmtp
DATA
503 5.5.1 EHLO/HELO first. n81-v6si8524156wma.25 - gsmtp
subject: hello test
502 5.5.1 Unrecognized command. n81-v6si8524156wma.25 - gsmtp
quit
221 2.0.0 closing connection n81-v6si8524156wma.25 - gsmtp
Connection closed by foreign host.
cer@Isengard:~>

I'm missing some command. A EHLO, but I don't have a domain. Well, I do, but... (I get nervous when typing at the telnet thing)
And I get to telnet to a different host as well, but it seems to behave like Per's one, not like the North American one(s).
Or maybe it knows that Per and my domains are run by fine upstanding people who don't send spam? :) So trusts us to send plaintext.
Or that you have a properly defined domain with reverse dns. -- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
Carlos E. R. wrote:
cer@Isengard:~> telnet gmail-smtp-in.l.google.com 25 Trying 64.233.166.27... Connected to gmail-smtp-in.l.google.com. Escape character is '^]'. 220 mx.google.com ESMTP n81-v6si8524156wma.25 - gsmtp MAIL FROM: robin.listas@telefonica.net 503 5.5.1 EHLO/HELO first. n81-v6si8524156wma.25 - gsmtp RCPT TO: pjessen55@gmail.com 503 5.5.1 EHLO/HELO first. n81-v6si8524156wma.25 - gsmtp DATA 503 5.5.1 EHLO/HELO first. n81-v6si8524156wma.25 - gsmtp subject: hello test 502 5.5.1 Unrecognized command. n81-v6si8524156wma.25 - gsmtp quit 221 2.0.0 closing connection n81-v6si8524156wma.25 - gsmtp Connection closed by foreign host. cer@Isengard:~>
I'm missing some command. A EHLO, but I don't have a domain. Well, I do, but...
For the EHLO, you can use a dummy - carlos.example.com should do fine.
Or maybe it knows that Per and my domains are run by fine upstanding people who don't send spam? :) So trusts us to send plaintext.
Or that you have a properly defined domain with reverse dns.
Yes, this is a possible factor, but not a reason to bounce. For inbound traffic, we also look at the DNS config, and ask servers with poor configs to try again later (greylisting). Unfortunately, there are more mail servers than there are good admins, so refusing a mail delivery due to poor DNS config is most often wrong. -- Per Jessen, Zürich (18.8°C) http://www.dns24.ch/ - your free DNS host, made in Switzerland.
James Knott wrote:
On 09/21/2018 01:38 PM, Per Jessen wrote:
Google (gmail) I suspect does not allow talking on :25 without encryption, or the email can be easily read on transit. No, Google does not require TLS.
Actually, it does.
Actually, it does _not_. I _did_ test it before I wrote it, James. Just try it with telnet. -- Per Jessen, Zürich (15.3°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
21.09.2018 21:51, Per Jessen пишет:
James Knott wrote:
On 09/21/2018 01:38 PM, Per Jessen wrote:
Google (gmail) I suspect does not allow talking on :25 without encryption, or the email can be easily read on transit. No, Google does not require TLS.
Actually, it does.
Actually, it does _not_. I _did_ test it before I wrote it, James.
Just try it with telnet.
To try it one needs to understand the difference between mail submission and mail transfer ...
On 09/21/2018 02:51 PM, Per Jessen wrote:
Actually, it does _not_. I _did_ test it before I wrote it, James.
Just try it with telnet.
I tried telnet yesterday too, to my own ISP as well as google. Here's my result with port 25 on Google.

Trying 2607:f8b0:4001:c12::10...
Connected to smtp.googlemail.com.
Escape character is '^]'.
220 smtp.googlemail.com ESMTP 68-v6sm985342iou.88 - gsmtp

So, it accepts this part. I can use HELO or EHLO and then STARTTLS

I then do HELP and get:

250-smtp.googlemail.com at your service, [2607:fea8:4cdf:abcd::abcd] (dummy address to hide my real IP)
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250 SMTPUTF8

Hmmm... I don't see the MAIL command listed. If I enter it, I get a message to use STARTTLS first. If TLS wasn't needed, shouldn't I be able to use that command?

As I mentioned, if I set my smtp settings to port 25 and no security, it fails. However, it does work with either 465 SSL/TLS or 587 STARTTLS.
James Knott wrote:
On 09/21/2018 02:51 PM, Per Jessen wrote:
Actually, it does _not_. I _did_ test it before I wrote it, James.
Just try it with telnet.
I tried telnet yesterday too, to my own ISP as well as google.
Here's my result with port 25 on Google.
Trying 2607:f8b0:4001:c12::10... Connected to smtp.googlemail.com. Escape character is '^]'. 220 smtp.googlemail.com ESMTP 68-v6sm985342iou.88 - gsmtp
So, it accepts this part. I can use HELO or EHLO and then STARTTLS
I then do HELP and get:
s/HELP/EHLO/ I presume ?
250-smtp.googlemail.com at your service, [2607:fea8:4cdf:abcd::abcd] (dummy address to hide my real IP) 250-SIZE 35882577 250-8BITMIME 250-STARTTLS 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-CHUNKING 250 SMTPUTF8
Hmmm... I don't see the MAIL command listed.
If I enter it, I get a message to use STARTTLS first. If TLS wasn't needed, shouldn't I be able to use that command?
I think Andrei said it very well - "... one needs to understand the difference between mail submission and mail transfer ..." You're talking submission (not port 25), I'm talking transfer/exchange (port 25) -- Per Jessen, Zürich (15.1°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
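The plaintext sessions posted in this thread show three outcomes for a MAIL FROM sent before STARTTLS: 250 from the MX hosts, 530 5.7.0 from the submission host, and 503 5.5.1 when no EHLO/HELO came first. The Python below is an added example, not part of any post in the thread; it classifies such telnet transcripts, and its names (`analyze_transcript`, `classify`, `SessionFinding`) and the three sample sessions are constructed for illustration with placeholder hosts and addresses.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Server reply line: 3-digit code, then "-" (more lines follow) or " " (last line).
REPLY = re.compile(r"^(\d{3})([ -])(.*)$")

# Constructed sample sessions (placeholder hosts and addresses), laid out as telnet
# shows them: client commands and server replies interleaved.
MX_SESSION = """\
220 mx.example.net ESMTP
EHLO client.example.com
250-mx.example.net at your service
250-STARTTLS
250 SMTPUTF8
MAIL FROM: <alice@example.com>
250 2.1.0 OK
RCPT TO: <bob@example.net>
250 2.1.5 OK
DATA
354 Go ahead
Subject: testing
250 apples is body text, not a reply
.
250 2.0.0 OK
"""

MSA_SESSION = """\
220 smtp.example.net ESMTP
EHLO client.example.com
250-smtp.example.net at your service
250-STARTTLS
250 SMTPUTF8
MAIL FROM: <alice@example.com>
530 5.7.0 Must issue a STARTTLS command first.
"""

NO_EHLO_SESSION = """\
220 mx.example.net ESMTP
MAIL FROM: alice@example.com
503 5.5.1 EHLO/HELO first.
"""


@dataclass
class SessionFinding:
    greeted: bool = False            # server accepted a HELO/EHLO
    starttls_offered: bool = False   # EHLO reply listed the STARTTLS extension
    tls_started: bool = False        # client sent STARTTLS and got 220
    mail_code: Optional[int] = None  # reply code to the first plaintext MAIL FROM
    mail_text: str = ""              # text of that reply
    verdict: str = "no-mail-attempt"


def analyze_transcript(text: str) -> SessionFinding:
    """Walk a plaintext SMTP session and record how MAIL FROM was answered."""
    f = SessionFinding()
    last_cmd = None    # verb of the most recent client command
    in_data = False    # True between the 354 reply and the lone "." line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_data:                      # message content: never parse as replies
            if line == ".":
                in_data, last_cmd = False, "ENDDATA"
            continue
        m = REPLY.match(line)
        if not m:                        # anything else is a client command
            last_cmd = line.split()[0].upper()
            continue
        code, rest = int(m.group(1)), m.group(3)
        if last_cmd in ("EHLO", "HELO") and code == 250:
            f.greeted = True
            if last_cmd == "EHLO" and rest.upper().split()[:1] == ["STARTTLS"]:
                f.starttls_offered = True
        elif last_cmd == "STARTTLS" and code == 220:
            f.tls_started = True
        elif last_cmd == "MAIL" and f.mail_code is None and not f.tls_started:
            f.mail_code, f.mail_text = code, rest
        elif last_cmd == "DATA" and code == 354:
            in_data = True
    f.verdict = classify(f)
    return f


def classify(f: SessionFinding) -> str:
    """Map the reply to the first plaintext MAIL FROM onto a verdict string."""
    if f.mail_code is None:
        return "no-mail-attempt"
    if f.mail_code == 530 and "STARTTLS" in f.mail_text.upper():
        return "starttls-required"       # TLS is enforced before MAIL
    return {250: "plaintext-accepted", 503: "bad-sequence"}.get(f.mail_code, "other-rejection")


if __name__ == "__main__":
    for name, s in (("MX", MX_SESSION), ("MSA", MSA_SESSION), ("no EHLO", NO_EHLO_SESSION)):
        print(name, analyze_transcript(s))
```

A `plaintext-accepted` verdict with `starttls_offered` set is the optional-TLS behaviour seen on the MX hosts in the thread; `starttls-required` is what smtp.gmail.com returned to the posters who tested it.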
On 09/21/2018 03:27 PM, Per Jessen wrote:
I think Andrei said it very well - "... one needs to understand the difference between mail submission and mail transfer ..."
You're talking submission (not port 25), I'm talking transfer/exchange (port 25)
And that brings us back to why we have different port numbers for different purposes. What happens if you use the servers smtp.gmail.com or smtp.googlemail.com?
James Knott wrote:
On 09/21/2018 03:27 PM, Per Jessen wrote:
I think Andrei said it very well - "... one needs to understand the difference between mail submission and mail transfer ..."
You're talking submission (not port 25), I'm talking transfer/exchange (port 25)
And that brings us back to why we have different port numbers for different purposes. What happens if you use the servers smtp.gmail.com or smtp.googlemail.com?
Dunno, it is not really interesting in this context (mail transfer), but I presume those servers will require authentication. -- Per Jessen, Zürich (14.8°C) http://www.dns24.ch/ - your free DNS host, made in Switzerland.
21.09.2018 20:48, James Knott пишет:
On 09/21/2018 01:38 PM, Per Jessen wrote:
Google (gmail) I suspect does not allow talking on :25 without encryption, or the email can be easily read on transit.
No, Google does not require TLS.
Actually, it does. I just tried setting my smtp server to port 25 & no security. I got this error message:
An error occurred while sending mail. The mail server responded: 5.7.0 Must issue a STARTTLS command first. i26-v6sm9327158ioj.33 - gsmtp. Please verify that your email address is correct in your account settings and try again.
So, it would appear STARTTLS is mandatory,
bor@bor-Latitude-E5450:~/src/systemd$ telnet gmail-smtp-in.l.google.com. 25
Trying 108.177.14.27...
Connected to gmail-smtp-in.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP g25-v6si21473003lfl.47 - gsmtp
HELO mail.example.com
250 mx.google.com at your service
MAIL FROM:<test@example.com>
250 2.1.0 OK g25-v6si21473003lfl.47 - gsmtp
so that encryption can be used. I also seem to recall Google saying SSL/TLS would be required to connect to their servers. They are heavily promoting encryption in general, even preferring https sites to http in web searches.
On 09/21/2018 03:05 PM, Andrei Borzenkov wrote:
So, it would appear STARTTLS is mandatory,
bor@bor-Latitude-E5450:~/src/systemd$ telnet gmail-smtp-in.l.google.com. 25
Trying 108.177.14.27...
Connected to gmail-smtp-in.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP g25-v6si21473003lfl.47 - gsmtp
HELO mail.example.com
250 mx.google.com at your service
MAIL FROM:<test@example.com>
250 2.1.0 OK g25-v6si21473003lfl.47 - gsmtp
I just noticed something different. I'm connecting to smtp.googlemail.com, but you're using gmail-smtp-in.l.google.com. Per is using 173.194.79.27 which is different again. How are these different from the smtp.googlemail.com that I use? I get the same results if I use smtp.gmail.com.
James Knott wrote:
On 09/21/2018 03:05 PM, Andrei Borzenkov wrote:
So, it would appear STARTTLS is mandatory,
bor@bor-Latitude-E5450:~/src/systemd$ telnet gmail-smtp-in.l.google.com. 25
Trying 108.177.14.27...
Connected to gmail-smtp-in.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP g25-v6si21473003lfl.47 - gsmtp
HELO mail.example.com
250 mx.google.com at your service
MAIL FROM:<test@example.com>
250 2.1.0 OK g25-v6si21473003lfl.47 - gsmtp
I just noticed something different. I'm connecting to smtp.googlemail.com, but you're using gmail-smtp-in.l.google.com. Per is using 173.194.79.27 which is different again. How are these different from the smtp.googlemail.com that I use? I get the same results if I use smtp.gmail.com.
You are trying to submit a mail from your google account, I'm trying to send a mail to my google address. I used '173.194.79.27' because Google didn't want to receive mail from my IPv6 without reverse mapping (very sensibly) and telnet didn't accept my '-4' option. (old telnet). -- Per Jessen, Zürich (14.9°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On 09/21/2018 03:37 PM, Per Jessen wrote:
I just noticed something different. I'm connecting to smtp.googlemail.com, but you're using gmail-smtp-in.l.google.com. Per is using 173.194.79.27 which is different again. How are these different from the smtp.googlemail.com that I use? I get the same results if I use smtp.gmail.com.
You are trying to submit a mail from your google account, I'm trying to send a mail to my google address. I used '173.194.79.27' because Google didn't want to receive mail from my IPv6 without reverse mapping (very sensibly) and telnet didn't accept my '-4' option. (old telnet).
I just tried sending using my Rogers address and I get the same thing, I have to use STARTTLS. This makes me wonder if there is a difference in the servers specified for users and the ones listed in the MX record. Do you get the same if you use smtp.gmail.com or smtp.googlemail.com?
James Knott wrote:
On 09/21/2018 03:37 PM, Per Jessen wrote:
I just noticed something different. I'm connecting to smtp.googlemail.com, but you're using gmail-smtp-in.l.google.com. Per is using 173.194.79.27 which is different again. How are these different from the smtp.googlemail.com that I use? I get the same results if I use smtp.gmail.com.
You are trying to submit a mail from your google account, I'm trying to send a mail to my google address. I used '173.194.79.27' because Google didn't want to receive mail from my IPv6 without reverse mapping (very sensibly) and telnet didn't accept my '-4' option. (old telnet).
I just tried sending using my Rogers address and I get the same thing, I have to use STARTTLS. This makes me wonder if there is a difference in the servers specified for users and the ones listed in the MX record.
There is, yes. Not by convention or design, but often/generally yes. For instance, my customers (those that have outbound filtering) use 'outbound.example.com' for sending mails, for receiving mails they use MX = 'inbound.example.com'.
Do you get the same if you use smtp.gmail.com or smtp.googlemail.com?
I am sure I wouldn't. Those are almost certainly for user mail submission, and will therefore require authentication. On whichever port :-) -- Per Jessen, Zürich (14.9°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On Fri, 21 Sep 2018 22:05:17 +0300 Andrei Borzenkov <arvidjaar@gmail.com> wrote:
21.09.2018 20:48, James Knott пишет:
On 09/21/2018 01:38 PM, Per Jessen wrote:
Google (gmail) I suspect does not allow talking on :25 without encryption, or the email can be easily read on transit.
No, Google does not require TLS.
Actually, it does. I just tried setting my smtp server to port 25 & no security. I got this error message:
An error occurred while sending mail. The mail server responded: 5.7.0 Must issue a STARTTLS command first. i26-v6sm9327158ioj.33 - gsmtp. Please verify that your email address is correct in your account settings and try again.
So, it would appear STARTTLS is mandatory,
bor@bor-Latitude-E5450:~/src/systemd$ telnet gmail-smtp-in.l.google.com. 25
Trying 108.177.14.27...
Connected to gmail-smtp-in.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP g25-v6si21473003lfl.47 - gsmtp
HELO mail.example.com
250 mx.google.com at your service
MAIL FROM:<test@example.com>
250 2.1.0 OK g25-v6si21473003lfl.47 - gsmtp
You and Per have noticed that gmail-smtp-in.l.google.com resolves to different addresses for each of you, I presume? James used a different address again. So apparently google has inconsistent policies or has different policies at different locations.
On 09/21/2018 03:32 PM, Dave Howorth wrote:
You and Per have noticed that gmail-smtp-in.l.google.com resolves to different addresses for each of you, I presume? James used a different address again. So apparently google has inconsistent policies or has different policies at different locations.
I use the published addresses for email clients. Currently if you search for gmail configuration, it'll show smtp.gmail.com. I picked up smtp.googlemail.com somewhere along the way, but I don't recall where. Are the servers that Per and Andrei using intended for clients?
James Knott wrote:
On 09/21/2018 03:32 PM, Dave Howorth wrote:
You and Per have noticed that gmail-smtp-in.l.google.com resolves to different addresses for each of you, I presume? James used a different address again. So apparently google has inconsistent policies or has different policies at different locations.
I use the published addresses for email clients. Currently if you search for gmail configuration, it'll show smtp.gmail.com. I picked up smtp.googlemail.com somewhere along the way, but I don't recall where. Are the servers that Per and Andrei using intended for clients?
No, they are the Mail eXchangers, for transferring/exchanging emails. -- Per Jessen, Zürich (14.8°C) http://www.cloudsuisse.com/ - your owncloud, hosted in Switzerland.
Dave Howorth wrote:
On Fri, 21 Sep 2018 22:05:17 +0300 Andrei Borzenkov <arvidjaar@gmail.com> wrote:
21.09.2018 20:48, James Knott пишет:
On 09/21/2018 01:38 PM, Per Jessen wrote:
Google (gmail) I suspect does not allow talking on :25 without encryption, or the email can be easily read on transit.
No, Google does not require TLS.
Actually, it does. I just tried setting my smtp server to port 25 & no security. I got this error message:
An error occurred while sending mail. The mail server responded: 5.7.0 Must issue a STARTTLS command first. i26-v6sm9327158ioj.33 - gsmtp. Please verify that your email address is correct in your account settings and try again.
So, it would appear STARTTLS is mandatory,
bor@bor-Latitude-E5450:~/src/systemd$ telnet gmail-smtp-in.l.google.com. 25
Trying 108.177.14.27...
Connected to gmail-smtp-in.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP g25-v6si21473003lfl.47 - gsmtp
HELO mail.example.com
250 mx.google.com at your service
MAIL FROM:<test@example.com>
250 2.1.0 OK g25-v6si21473003lfl.47 - gsmtp
You and Per have noticed that gmail-smtp-in.l.google.com resolves to different addresses for each of you, I presume?
I had not, but that's not unusual. With the size of gmail, I would only expect it.
James used a different address again. So apparently google has inconsistent policies or has different policies at different locations.
submission vs. transfer, -- Per Jessen, Zürich (14.8°C) http://www.cloudsuisse.com/ - your owncloud, hosted in Switzerland.
On Fri, 21 Sep 2018 21:42:19 +0200 Per Jessen <per@computer.org> wrote:
Dave Howorth wrote:
On Fri, 21 Sep 2018 22:05:17 +0300 Andrei Borzenkov <arvidjaar@gmail.com> wrote:
21.09.2018 20:48, James Knott пишет:
On 09/21/2018 01:38 PM, Per Jessen wrote:
Google (gmail) I suspect does not allow talking on :25 without encryption, or the email can be easily read on transit.
No, Google does not require TLS.
Actually, it does. I just tried setting my smtp server to port 25 & no security. I got this error message:
An error occurred while sending mail. The mail server responded: 5.7.0 Must issue a STARTTLS command first. i26-v6sm9327158ioj.33 - gsmtp. Please verify that your email address is correct in your account settings and try again.
So, it would appear STARTTLS is mandatory,
bor@bor-Latitude-E5450:~/src/systemd$ telnet gmail-smtp-in.l.google.com. 25
Trying 108.177.14.27...
Connected to gmail-smtp-in.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP g25-v6si21473003lfl.47 - gsmtp
HELO mail.example.com
250 mx.google.com at your service
MAIL FROM:<test@example.com>
250 2.1.0 OK g25-v6si21473003lfl.47 - gsmtp
You and Per have noticed that gmail-smtp-in.l.google.com resolves to different addresses for each of you, I presume?
I had not, but that's not unusual. With the size of gmail, I would only expect it.
James used a different address again. So apparently google has inconsistent policies or has different policies at different locations.
submission vs. transfer,
Well perhaps for James, but you and Andrei used the same name and got different addresses. So that's not submission vs. transfer but perhaps location-dependent with different settings on the equivalent machines.
On 09/21/2018 03:53 PM, Dave Howorth wrote:
Well perhaps for James, but you and Andrei used the same name and got different addresses. So that's not submission vs. transfer but perhaps location-dependent with different settings on the equivalent machines.
I'm in Canada, near Toronto.
Dave Howorth wrote:
On Fri, 21 Sep 2018 21:42:19 +0200 Per Jessen <per@computer.org> wrote:
Dave Howorth wrote:
On Fri, 21 Sep 2018 22:05:17 +0300 Andrei Borzenkov <arvidjaar@gmail.com> wrote:
21.09.2018 20:48, James Knott пишет:
On 09/21/2018 01:38 PM, Per Jessen wrote:
> Google (gmail) I suspect does not allow talking on :25 without encryption, or the email can be easily read on transit.
No, Google does not require TLS.
Actually, it does. I just tried setting my smtp server to port 25 & no security. I got this error message:
An error occurred while sending mail. The mail server responded: 5.7.0 Must issue a STARTTLS command first. i26-v6sm9327158ioj.33 - gsmtp. Please verify that your email address is correct in your account settings and try again.
So, it would appear STARTTLS is mandatory,
bor@bor-Latitude-E5450:~/src/systemd$ telnet gmail-smtp-in.l.google.com. 25
Trying 108.177.14.27...
Connected to gmail-smtp-in.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP g25-v6si21473003lfl.47 - gsmtp
HELO mail.example.com
250 mx.google.com at your service
MAIL FROM:<test@example.com>
250 2.1.0 OK g25-v6si21473003lfl.47 - gsmtp
You and Per have noticed that gmail-smtp-in.l.google.com resolves to different addresses for each of you, I presume?
I had not, but that's not unusual. With the size of gmail, I would only expect it.
James used a different address again. So apparently google has inconsistent policies or has different policies at different locations.
submission vs. transfer,
Well perhaps for James, but you and Andrei used the same name and got different addresses. So that's not submission vs. transfer but perhaps location-dependent with different settings on the equivalent machines.
I apologise for being a bit obtuse - yes, that is what I meant, location-dependent. -- Per Jessen, Zürich (14.1°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
On 21/09/2018 02.40, Per Jessen wrote:
Carlos E. R. wrote:
On 20/09/2018 22.59, Anton Aylward wrote:
On 2018-09-20 9:16 p.m., Carlos E. R. wrote:
Carlos E. R. wrote:
On 20/09/2018 11.39, Per Jessen wrote:
Carlos E. R. wrote:
> On 20/09/2018 10.28, Per Jessen wrote:
>> Okay, I'm surprised [Telefonica] doesn't block that. It's usually the very first anti-spam measure access providers use.
> Well, that's the thing, they don't block any port that I know. You may be able to browse windows computers shares across internet here. I remember that I got such attempts when I was using a modem, not a router with NAT.
I have not heard of anyone blocking outbound traffic on anything but port 25.
> And I like they don't block anything! I find disgusting that Bell is blocking my access to Telefonica. If someone is using the net to spam, kill that person full access, not everybody access to some port.
>
> It is simple, if someone uses port 25, investigate.
A waste of time and effort. It is even simpler, block 25, let everyone use 587, as it was always intended. Port 25 is for MTA-to-MTA transfers.
I find blocking 25 intrusive on my freedom.
Tough! Port 25 is unencrypted, unverified SMTP, aka free for anyone to use, including hackers, spammer broadcasters and scam artists who use it as an open relay. That is why port 465 & SSL/TLS are used, and why many ISPs also restrict, in various ways, access to known customers.
Again, not true!
Well, people should stop thinking that a port number has any strict tie-in with encryption. It's just TCP/IP. Some port numbers have implicit encryption and every port number has optional encryption, period.
Agreed :-)
Using port 25 as open relay is not related to it being 25, but to the daemon being set as an open relay! In order for me to send an email via port 25 to anybody that is not also on that machine, all my mail providers require that I identify with login and password!
Thus I do not see any advantage on the submission ports over the 25 port. Both are encrypted, both are not open relays, both are safe!
It's not really about any _advantage_ of one port over another, it's about standards compliance. Port 587 and 465 are standardized for email submission, port 25 is standardized for email exchange. You can do either over any other port, of course.
Ok. But that was done because Bell and others blocked 25, because all of that can be done over 25, less ports.
The reasons are others.
For instance, they decided to block 25 because many bad admins had set open relays, and then they had to create a new service on another different port to allow people to send email... Maybe. That's my tentative interpretation.
The 'open relay' story is long gone, default setups have improved, mail admins have smartened up. Projects such as SORBS have closed up shop, they are not needed.
When an access provider blocks outgoing port 25, he prevents all his customers talking directly to any and all mail servers out there. This prevents hijacked PCs bombarding other mailservers and it prevents the access provider getting blacklisted left, right and centre.
They can be bombarded on submission port the same way. They were bombarded on port 25 because they had it wide open. Telefónica did not block it, forcing those bad admins to do the correct configurations of their machines. It was their fault, not the ISP.
The only case in which using the smtp port does not require authentication, per the rules, is that the destination resides on that server.
Which rules are you referring to here? When other mailservers deliver mails to my customers, they talk to 'inbound.example.com', without authentication. We filter the emails and pass the clean ones to our customers. This is a widespread practice in my business.
well, exactly. If a mail relay server wants to send mail to someone@example.com, it connects to inbound.example.com:25 without authentication. If it wants to send email to someone@otherexample.com and connects to inbound.example.com:25, authentication will be requested. That's what I'm saying. Those are the rules. -- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
Carlos E. R. wrote:
On 21/09/2018 02.40, Per Jessen wrote:
Carlos E. R. wrote:
On 20/09/2018 22.59, Anton Aylward wrote:
On 2018-09-20 9:16 p.m., Carlos E. R. wrote:
Carlos E. R. wrote:
On 20/09/2018 11.39, Per Jessen wrote:
> Carlos E. R. wrote:
[snip]
The reasons are others.
For instance, they decided to block 25 because many bad admins had set open relays, and then they had to create a new service on another different port to allow people to send email... Maybe. That's my tentative interpretation.
The 'open relay' story is long gone, default setups have improved, mail admins have smartened up. Projects such as SORBS have closed up shop, they are not needed.
When an access provider blocks outgoing port 25, he prevents all his customers talking directly to any and all mail servers out there. This prevents hijacked PCs bombarding other mailservers and it prevents the access provider getting blacklisted left, right and centre.
They can be bombarded on submission port the same way.
Nope. Attempts are rejected when authentication isn't successful. I'm not talking about a DDoS attack, just loads of mails.
They were bombarded on port 25 because they had it wide open.
Carlos, it is a mailserver, it is supposed to be "wide open".
The only case in which using the smtp port does not require authentication, per the rules, is that the destination resides on that server.
Which rules are you referring to here? When other mailservers deliver mails to my customers, they talk to 'inbound.example.com', without authentication. We filter the emails and pass the clean ones to our customers. This is a widespread practice in my business.
well, exactly.
If a mail relay server wants to send mail to someone@example.com, it connects to inbound.example.com:25 without authentication.
If it wants to send email to someone@otherexample.com and connects to inbound.example.com:25, authentication will be requested.
No, never. Provided 'example.com' and 'otherexample.com' both belong to customers of ours, there is no authentication required. Why do you think so? It would never work. How would GMX deliver any mails to 'otherexample.com' if they needed to know a userid/password ?? I think we must have some wires crossed here. Remember, we're talking email _exchange_ on port 25, not submission on 587/465. -- Per Jessen, Zürich (18.1°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
On 21/09/2018 13.48, Per Jessen wrote:
Carlos E. R. wrote:
On 21/09/2018 02.40, Per Jessen wrote:
Carlos E. R. wrote:
On 20/09/2018 22.59, Anton Aylward wrote:
On 2018-09-20 9:16 p.m., Carlos E. R. wrote:
Carlos E. R. wrote:
> On 20/09/2018 11.39, Per Jessen wrote:
>> Carlos E. R. wrote:
[snip]
The reasons are others.
For instance, they decided to block 25 because many bad admins had set open relays, and then they had to create a new service on another different port to allow people to send email... Maybe. That's my tentative interpretation.
The 'open relay' story is long gone, default setups have improved, mail admins have smartened up. Projects such as SORBS have closed up shop, they are not needed.
When an access provider blocks outgoing port 25, he prevents all his customers talking directly to any and all mail servers out there. This prevents hijacked PCs bombarding other mailservers and it prevents the access provider getting blacklisted left, right and centre.
They can be bombarded on submission port the same way.
Nope. Attempts are rejected when authentication isn't successful. I'm not talking about a DDoS attack, just loads of mails.
Same as with :25 :-)
They were bombarded on port 25 because they had it wide open.
Carlos, it is a mailserver, it is supposed to be "wide open".
Nope :-) It is open only to clients, or to those sending emails to clients.
The only case in which using the smtp port does not require authentication, per the rules, is that the destination resides on that server.
Which rules are you referring to here? When other mailservers deliver mails to my customers, they talk to 'inbound.example.com', without authentication. We filter the emails and pass the clean ones to our customers. This is a widespread practice in my business.
well, exactly.
If a mail relay server wants to send mail to someone@example.com, it connects to inbound.example.com:25 without authentication.
If it wants to send email to someone@otherexample.com and connects to inbound.example.com:25, authentication will be requested.
No, never. Provided 'example.com' and 'otherexample.com' both belong to customers of ours,
No, they don't :-) They belong to different providers. -- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
Carlos E. R. wrote:
On 21/09/2018 13.48, Per Jessen wrote:
Carlos E. R. wrote:
On 21/09/2018 02.40, Per Jessen wrote:
Carlos E. R. wrote:
On 20/09/2018 22.59, Anton Aylward wrote:
On 2018-09-20 9:16 p.m., Carlos E. R. wrote:
> Carlos E. R. wrote:
>> On 20/09/2018 11.39, Per Jessen wrote:
>>> Carlos E. R. wrote:
[snip]
The reasons are others.
For instance, they decided to block 25 because many bad admins had set open relays, and then they had to create a new service on another different port to allow people to send email... Maybe. That's my tentative interpretation.
The 'open relay' story is long gone, default setups have improved, mail admins have smartened up. Projects such as SORBS have closed up shop, they are not needed.
When an access provider blocks outgoing port 25, he prevents all his customers talking directly to any and all mail servers out there. This prevents hijacked PCs bombarding other mailservers and it prevents the access provider getting blacklisted left, right and centre.
They can be bombarded on submission port the same way.
Nope. Attempts are rejected when authentication isn't successful. I'm not talking about a DDoS attack, just loads of mails.
Same as with :25 :-)
Err, no. Port 25 will just receive anything, as long it is destined for that mailserver.
They were bombarded on port 25 because they had it wide open.
Carlos, it is a mailserver, it is supposed to be "wide open".
Nope :-)
It is open only to clients, or to those sending emails to clients.
We really have our wires crossed. A public mailserver which receives mails for e.g. "jessen.ch" does not have "clients". _anyone_ can send me a mail. We are not talking about a smarthost.
The only case in which using the smtp port does not require authentication, per the rules, is that the destination resides on that server.
Which rules are you referring to here? When other mailservers deliver mails to my customers, they talk to 'inbound.example.com', without authentication. We filter the emails and pass the clean ones to our customers. This is a widespread practice in my business.
well, exactly.
If a mail relay server wants to send mail to someone@example.com, it connects to inbound.example.com:25 without authentication.
If it wants to send email to someone@otherexample.com and connects to inbound.example.com:25, authentication will be requested.
No, never. Provided 'example.com' and 'otherexample.com' both belong to customers of ours,
No, they don't :-) They belong to different providers.
I have no idea what you are talking about. Providers are irrelevant here. Obviously, if 'example.com' belongs to my customer#4567 and 'otherexample.com' does not belong to any of my customers, I accept the first and reject the latter. No authentication involved. -- Per Jessen, Zürich (16.2°C) http://www.cloudsuisse.com/ - your owncloud, hosted in Switzerland.
On Fri, 21 Sep 2018 20:50:48 +0200 Per Jessen <per@computer.org> wrote:
Carlos E. R. wrote:
On 21/09/2018 13.48, Per Jessen wrote:
Carlos E. R. wrote:
If a mail relay server wants to send mail to someone@example.com, it connects to inbound.example.com:25 without authentication.
If it wants to send email to someone@otherexample.com and connects to inbound.example.com:25, authentication will be requested.
No, never. Provided 'example.com' and 'otherexample.com' both belong to customers of ours,
No, they don't :-) They belong to different providers.
I have no idea what you are talking about. Providers are irrelevant here.
Obviously, if 'example.com' belongs to my customer#4567 and 'otherexample.com' does not belong to any of my customers, I accept the first and reject the latter. No authentication involved.
As you say, I think you're at cross-purposes. I think Carlos is talking about a mail server that accepts incoming mail from its customers and delivers them to whoever. While you're talking about a mail server that accepts mail from wherever and delivers them to its customers. But then, I'm no expert on this subject. PS hope I got the quotation levels right.
Dave Howorth wrote:
On Fri, 21 Sep 2018 20:50:48 +0200 Per Jessen <per@computer.org> wrote:
Carlos E. R. wrote:
On 21/09/2018 13.48, Per Jessen wrote:
Carlos E. R. wrote:
If a mail relay server wants to send mail to someone@example.com, it connects to inbound.example.com:25 without authentication.
If it wants to send email to someone@otherexample.com and connects to inbound.example.com:25, authentication will be requested.
No, never. Provided 'example.com' and 'otherexample.com' both belong to customers of ours,
No, they don't :-) They belong to different providers.
I have no idea what you are talking about. Providers are irrelevant here.
Obviously, if 'example.com' belongs to my customer#4567 and 'otherexample.com' does not belong to any of my customers, I accept the first and reject the latter. No authentication involved.
As you say, I think you're at cross-purposes. I think Carlos is talking about a mail server that accepts incoming mail from its customers and delivers them to whoever. While you're talking about a mail server that accepts mail from wherever and delivers them to its customers.
Exactly. Thank you for putting it so concisely, Dave. I thought I was losing it. Maybe I am :-)
But then, I'm no expert on this subject.
You seem to be doing just fine. -- Per Jessen, Zürich (14.8°C) http://www.cloudsuisse.com/ - your owncloud, hosted in Switzerland.
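Added example, not part of any message in this thread: a Python model of the access policy of the two server roles distinguished above (exchange on port 25, submission on 587), replaying dialogues like the telnet tests tried earlier. The hosted-domain set, the class and function names and most reply texts are assumptions for illustration; no TLS handshake or credential check is performed.

```python
# Added illustration, not code from the thread. Reply texts are illustrative,
# except "Must issue a STARTTLS command first", which is quoted in the thread.

HOSTED = {"example.com"}  # assumption: domains this server is the final destination for


def _rcpt_domain(arg):
    """Extract the lower-cased domain from 'TO:<user@domain>', or '' if malformed."""
    addr = arg.partition(":")[2].strip().strip("<>")
    local, sep, domain = addr.rpartition("@")
    return domain.lower() if sep and local and domain else ""


class SmtpPolicy:
    """One connection to an 'mx' (port 25) or a 'submission' (port 587) service."""

    def __init__(self, role, hosted=HOSTED):
        if role not in ("mx", "submission"):
            raise ValueError("role must be 'mx' or 'submission'")
        self.role = role
        self.hosted = {d.lower() for d in hosted}
        self.tls = False
        self.authed = False
        self.mail_seen = False

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 at your service"
        if verb == "STARTTLS":
            self.tls = True          # the handshake itself is not modelled
            return "220 2.0.0 Ready to start TLS"
        if verb == "AUTH" and self.role == "submission":
            if not self.tls:
                return "530 5.7.0 Must issue a STARTTLS command first"
            self.authed = True       # credential checking is not modelled
            return "235 2.7.0 Accepted"
        if verb == "MAIL":
            # Submission: the sender must be a known user on an encrypted channel.
            if self.role == "submission" and not self.tls:
                return "530 5.7.0 Must issue a STARTTLS command first"
            if self.role == "submission" and not self.authed:
                return "530 5.7.0 Authentication required"
            # Exchange: any sender is accepted, TLS is optional.
            self.mail_seen = True
            return "250 2.1.0 OK"
        if verb == "RCPT":
            if not self.mail_seen:
                return "503 5.5.1 MAIL first"
            domain = _rcpt_domain(arg)
            if not domain:
                return "501 5.1.3 Bad recipient address"
            # Exchange: the decision depends on the destination, not on who
            # is asking. Mail for a domain not hosted here is refused.
            if self.role == "mx" and domain not in self.hosted:
                return "554 5.7.1 Relay access denied"
            return "250 2.1.5 OK"
        return "502 5.5.1 Unrecognized command"


def run(role, script, hosted=HOSTED):
    """Feed client lines to a fresh connection; return [(client_line, reply_code)]."""
    conn = SmtpPolicy(role, hosted)
    return [(line, int(conn.handle(line)[:3])) for line in script]


# Constructed dialogues, following the names used in the thread.
MX_SESSION = [
    "HELO mail.example.com",
    "MAIL FROM:<test@example.com>",
    "RCPT TO:<someone@example.com>",
    "RCPT TO:<someone@otherexample.com>",
]
SUBMISSION_PLAIN = ["EHLO mail.example.com", "MAIL FROM:<test@example.com>"]
SUBMISSION_FULL = [
    "EHLO mail.example.com",
    "STARTTLS",
    "EHLO mail.example.com",
    "AUTH PLAIN <credentials>",
    "MAIL FROM:<test@example.com>",
    "RCPT TO:<someone@otherexample.com>",
]

if __name__ == "__main__":
    for role, script in (("mx", MX_SESSION), ("submission", SUBMISSION_PLAIN),
                         ("submission", SUBMISSION_FULL)):
        print(role)
        for line, code in run(role, script):
            print(f"  C: {line}\n  S: {code}")
```

In the exchange role the only refusal is by destination domain; in the submission role the refusals come before any recipient is named, and an authenticated sender may then address any domain.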
On 09/21/2018 02:16 PM, Per Jessen wrote:
As you say, I think you're at cross-purposes. I think Carlos is talking about a mail server that accepts incoming mail from its customers and delivers them to whoever. While you're talking about a mail server that accepts mail from wherever and delivers them to its customers.
Exactly. Thank you for putting it so concisely, Dave. I thought I was losing it. Maybe I am :-)
Getting old isn't for sissies.... -- David C. Rankin, J.D.,P.E.
On 21/09/2018 15.01, Dave Howorth wrote:
On Fri, 21 Sep 2018 20:50:48 +0200 Per Jessen <per@computer.org> wrote:
Carlos E. R. wrote:
On 21/09/2018 13.48, Per Jessen wrote:
Carlos E. R. wrote:
If a mail relay server wants to send mail to someone@example.com, it connects to inbound.example.com:25 without authentication.
If it wants to send email to someone@otherexample.com and connects to inbound.example.com:25, authentication will be requested.
No, never. Provided 'example.com' and 'otherexample.com' both belong to customers of ours,
No, they don't :-) They belong to different providers.
I have no idea what you are talking about. Providers are irrelevant here.
Obviously, if 'example.com' belongs to my customer#4567 and 'otherexample.com' does not belong to any of my customers, I accept the first and reject the latter. No authentication involved.
As you say, I think you're at cross-purposes. I think Carlos is talking about a mail server that accepts incoming mail from its customers and delivers them to whoever. While you're talking about a mail server that accepts mail from wherever and delivers them to its customers.
Yes, you got it right. Clients or users of that system, the denomination is irrelevant. People which get the email using that server. If providers is the incorrect word then replace with mail server. Whatever, call it X.
But then, I'm no expert on this subject. PS hope I got the quotation levels right.
-- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
On 19/09/2018 14.28, Carlos E. R. wrote:
Hi,
I can no longer send email "normally", I get:
status=deferred (connect to mail.gmx.es[212.227.17.174]:25: Connection timed out)
on all mail accounts. My guess that suddenly Bell figured out it should block me or port 25 outgoing. Stupid! :-(
So I told Thunderbird to send without using postfix, and that apparently works (if you see this, it works), but I want to keep using postfix. TH is using port 465, SSL/TLS, and password.
At <https://www.virtualmin.com/node/46817> there is some explanation:
+++---------
When Virtualmin adds per-IP SSL configuration for Postfix, it's currently adding smtp (25) and submission (587) to master.cf. In addition to these, port 465 is (was) commonly used before STARTTLS came about, or at least became widely supported, and is apparently still in use at some mail providers for compatibility reasons. Wikipedia specifically mentions Entourage 10 and Outlook for Mac 2011 (https://en.wikipedia.org/wiki/SMTPS). Postfix does support this type of configuration with "-o smtpd_tls_wrappermode=yes" (in addition to the other configuration set for smtp and submission).
---------++-
So GMX is using an old protocol on 465.
If I try to use:
robin.listas@gmail.com [smtp.gmail.com]:submission
This works instantly with no problem:
<2.6> 2018-09-19 22:56:53 Legolas postfix 15040 - - Trusted TLS connection established to smtp.gmail.com[74.125.192.109]:587: TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)
<2.6> 2018-09-19 22:56:56 Legolas postfix 15040 - - 87C88E309B: to=<opensuse-test@opensuse.org>, relay=smtp.gmail.com[74.125.192.109]:587, delay=2.5, delays=0.01/0.1/0.83/1.6, dsn=2.0.0, status=sent (250 2.0.0 OK 1537390616 22-v6sm2993785qkl.12 - gsmtp)
The same thing doesn't work with gmx.es, though:
robin.listas@gmx.es [mail.gmx.es]:submission
<2.6> 2018-09-19 23:10:09 Legolas postfix 15335 - - Trusted TLS connection established to mail.gmx.es[212.227.17.174]:587: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
<2.6> 2018-09-19 23:10:10 Legolas postfix 15335 - - 38FA2E309B: to=<opensuse-test@opensuse.org>, relay=mail.gmx.es[212.227.17.174]:587, delay=2.3, delays=0.01/0.1/1.3/0.88, dsn=2.0.0, status=sent (250 Requested mail action okay, completed: id=0MF9WR-1g0CM631Lv-00GHx6)
WHAAT? Now it is working. At least from Alpine.
[...]
Also from Thunderbird. :-?
Ok, I will not try to understand it... I'm happy if it works.
The one that doesn't work now is Telefonica:
<2.6> 2018-09-19 23:21:38 Legolas postfix 15597 - - 58F46E309B: to=<opensuse-test@opensuse.org>, relay=none, delay=92, delays=62/0.02/30/0, dsn=4.4.1, status=deferred (connect to smtp.telefonica.net[86.109.99.70]:587: Connection timed out)
...because Telefonica doesn't use "submission" but plain port 25, which they don't block on their network. But Bell does, meaning I can no longer send mails using my Telefonica accounts on this trip. I could for some time till Bell blocked me.
Damn!
-- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
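A small triage helper for the log symptoms discussed in this thread, added here as an example and not posted by any participant. The sample lines are log lines quoted in the thread; the verdict names and hint texts are this example's own assumptions about what each symptom usually means.

```python
import re
from collections import Counter
# Log lines quoted in this thread, one per line (addresses as posted).
SAMPLE_LOG = """\
status=deferred (connect to mail.gmx.es[212.227.17.174]:25: Connection timed out)
<2.4> 2018-09-19 20:21:50 Legolas postfix 4068 - - warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:252:
<2.6> 2018-09-19 20:21:50 Legolas postfix 4068 - - 8AEF1E309F: to=<opensuse@opensuse.org>, relay=mail.gmx.es[212.227.17.184]:587, delay=12654, delays=12653/0.7/0.45/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
<2.6> 2018-09-19 22:56:56 Legolas postfix 15040 - - 87C88E309B: to=<opensuse-test@opensuse.org>, relay=smtp.gmail.com[74.125.192.109]:587, delay=2.5, delays=0.01/0.1/0.83/1.6, dsn=2.0.0, status=sent (250 2.0.0 OK 1537390616 22-v6sm2993785qkl.12 - gsmtp)
<2.6> 2018-09-19 23:21:38 Legolas postfix 15597 - - 58F46E309B: to=<opensuse-test@opensuse.org>, relay=none, delay=92, delays=62/0.02/30/0, dsn=4.4.1, status=deferred (connect to smtp.telefonica.net[86.109.99.70]:587: Connection timed out)
"""

# host[ip]:port as Postfix prints it after "connect to", "SSL_connect error to" or "relay=".
PEER_RE = re.compile(r"(?:connect to |SSL_connect error to |relay=)([\w.-]+)\[[\d.]+\]:(\d+)")

HINTS = {  # this example's own reading of each symptom, not Postfix output
    "port25-timeout": "outbound TCP 25 unreachable from this network; relay through a submission port instead",
    "port-timeout": "nothing answers on that port from this network; check which port the provider offers",
    "tls-mode-mismatch": "TLS record parse failed, typical of implicit TLS (smtp_tls_wrappermode = yes) sent to a STARTTLS port",
    "tls-handshake-failed": "TLS did not come up; look for a 'TLS library problem' line from the same process",
}

def classify(line):
    """Return (host, port, verdict) for one Postfix log line."""
    m = PEER_RE.search(line)
    host, port = (m.group(1), int(m.group(2))) if m else (None, None)
    if "status=sent" in line:
        verdict = "delivered"
    elif "Connection timed out" in line:
        verdict = "port25-timeout" if port == 25 else "port-timeout"
    elif "wrong version number" in line:
        verdict = "tls-mode-mismatch"
    elif "Cannot start TLS" in line or "SSL_connect error" in line:
        verdict = "tls-handshake-failed"
    else:
        verdict = "other"
    return host, port, verdict

def triage(log):
    """Count verdicts and collect one hint per distinct failure seen."""
    results = [classify(l) for l in log.splitlines() if l.strip()]
    counts = Counter(v for _, _, v in results)
    return counts, [HINTS[v] for v in counts if v in HINTS]

if __name__ == "__main__":
    counts, hints = triage(SAMPLE_LOG)
    for verdict, n in counts.items():
        print(f"{n:2d}  {verdict}")
    for hint in hints:
        print("hint:", hint)
```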
On Wed, 19 Sep 2018 17:31:03 -0400 "Carlos E. R." <robin.listas@gmx.es> wrote:
The one that doesn't work now is Telefonica:
Hey Carlos (the real Carlos!), there's somebody impersonating you on the opensuse list, using a different email address and sending unsigned mail. It can't be the real, paranoid you, can it? :)
On 09/20/2018 07:24 AM, Dave Howorth wrote:
Hey Carlos (the real Carlos!), there's somebody impersonating you on the opensuse list, using a different email address and sending unsigned mail.
It can't be the real, paranoid you, can it? :)
I was wondering why he was talking about Bell. ;-)
On 20/09/2018 07.59, James Knott wrote:
On 09/20/2018 07:24 AM, Dave Howorth wrote:
Hey Carlos (the real Carlos!), there's somebody impersonating you on the opensuse list, using a different email address and sending unsigned mail.
Oops. Signed now.
It can't be the real, paranoid you, can it? :)
I was wondering why he was talking about Bell. ;-)
Because I'm on a trip in Canada ;-)
-- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
On Wednesday 19 September 2018 20:28:19 CEST, Carlos E. R. wrote:
Hi,
I can no longer send email "normally", I get:
status=deferred (connect to mail.gmx.es[212.227.17.174]:25: Connection timed out)
on all mail accounts. My guess that suddenly Bell figured out it should block me or port 25 outgoing. Stupid! :-(
So I told Thunderbird to send without using postfix, and that apparently works (if you see this, it works), but I want to keep using postfix. TH is using port 465, SSL/TLS, and password.
So, in "/etc/postfix/sender_relayhost" I change this entry:
robin.listas@gmx.es [mail.gmx.es]
to this:
robin.listas@gmx.es [mail.gmx.es]:submission
And then I get this on the log:
#<2.6> 2018-09-19 19:55:09 Legolas postfix 2044 - - SMTPS wrappermode (TCP port 465) requires setting "smtp_tls_wrappermode = yes", and "smtp_tls_security_level = encrypt" (or stronger)
So I do what it says, then I get this on the log:
<2.6> 2018-09-19 20:21:50 Legolas postfix 4065 - - C9A36E309E: to=<opensuse@opensuse.org>, relay=mail.gmx.es[212.227.17.174]:587, delay=13119, delays=13118/0.5/0.47/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
<2.6> 2018-09-19 20:21:50 Legolas postfix 4068 - - SSL_connect error to mail.gmx.es[212.227.17.184]:587: -1
<2.4> 2018-09-19 20:21:50 Legolas postfix 4068 - - warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:252:
<2.6> 2018-09-19 20:21:50 Legolas postfix 4068 - - 8AEF1E309F: to=<opensuse@opensuse.org>, relay=mail.gmx.es[212.227.17.184]:587, delay=12654, delays=12653/0.7/0.45/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
So what can I do? it seems a bug in a library, right?
Shouldn't 139 posts be enough for a thread, where the issue has long been explained? It's going off-topic in all directions.
-- Gertjan Lettink a.k.a. Knurpht openSUSE Board Member openSUSE Forums Team
On Wednesday 19 September 2018 20:28:19 CET, Carlos E. R. wrote:
Hi,
I can no longer send email "normally", I get:
status=deferred (connect to mail.gmx.es[212.227.17.174]:25: Connection timed out)
on all mail accounts. My guess that suddenly Bell figured out it should block me or port 25 outgoing. Stupid! :-(
So I told Thunderbird to send without using postfix, and that apparently works (if you see this, it works), but I want to keep using postfix. TH is using port 465, SSL/TLS, and password.
So, in "/etc/postfix/sender_relayhost" I change this entry:
robin.listas@gmx.es [mail.gmx.es]
to this:
robin.listas@gmx.es [mail.gmx.es]:submission
And then I get this on the log:
#<2.6> 2018-09-19 19:55:09 Legolas postfix 2044 - - SMTPS wrappermode (TCP port 465) requires setting "smtp_tls_wrappermode = yes", and "smtp_tls_security_level = encrypt" (or stronger)
So I do what it says, then I get this on the log:
<2.6> 2018-09-19 20:21:50 Legolas postfix 4065 - - C9A36E309E: to=<opensuse@opensuse.org>, relay=mail.gmx.es[212.227.17.174]:587, delay=13119, delays=13118/0.5/0.47/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
<2.6> 2018-09-19 20:21:50 Legolas postfix 4068 - - SSL_connect error to mail.gmx.es[212.227.17.184]:587: -1
<2.4> 2018-09-19 20:21:50 Legolas postfix 4068 - - warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:252:
<2.6> 2018-09-19 20:21:50 Legolas postfix 4068 - - 8AEF1E309F: to=<opensuse@opensuse.org>, relay=mail.gmx.es[212.227.17.184]:587, delay=12654, delays=12653/0.7/0.45/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
So what can I do? it seems a bug in a library, right?
And again, a 143 post long thread meaning to support users. Sigh.
-- Gertjan Lettink a.k.a. Knurpht openSUSE Board Member openSUSE Forums Team
On 14/11/2018 02.17, Knurpht-openSUSE wrote:
On Wednesday 19 September 2018 20:28:19 CET, Carlos E. R. wrote:
...
So what can I do? it seems a bug in a library, right?
And again, a 143 post long thread meaning to support users. Sigh.
WHY do you post this now, after two months the thread finished? Do you want to restart it? Something was not covered that you want to talk about, now? :-(
-- Cheers / Saludos, Carlos E. R. (from 42.3 x86_64 "Malachite" at Telcontar)
participants (12)
- Andrei Borzenkov
- Anton Aylward
- Carlos E. R.
- Carlos E. R.
- Dave Howorth
- David C. Rankin
- James Knott
- Knurpht-openSUSE
- Lew Wolfgang
- Liam Proven
- Patrick Shanahan
- Per Jessen