Hi
> Yes, Outlook doesn't support STARTTLS on any port other than
> 25. This applies with Outlook Express and 2000 in all cases
> (http://support.microsoft.com/default.aspx?scid=kb;en-us;30777
> 2) and with Outlook 2002 and, I think, 2003 after 'a while'.
> We've recently made some changes and encouraged people to use
> port 587 with TLS - things went wrong because I didn't know
> about the above until too late. Outlook 2002 works for a
> while with TLS on 587 but then seems to just stop working.
> Outlook 2003 seems to work better but I've still had a couple
> of cases of people reporting it stopping working. In the end
> I had to reverse the decision and advise the use of port 25
> again just for Outlook. The aim had been to get around ISPs
> who do port 25 transparent proxying and mailhubbing. These
> ISPs are in a minority though. However it does leave some
> people in a bind - Outlook users can't use SSL on anything
> other than 25 and their ISP prevents it on port 25. Rock and
> hard place.
We had great success with:
daemon_smtp_ports = smtp : 587 : 465
tls_on_connect_ports = 465
External server to server traffic is on port 25 (preferably no auth).
Users submitting mail (authenticated) on
port 587 for non outlook clients, using smtp with starttls.
port 465 for outlook clients, using smtp over ssl.
hence outlook can use ssl on ports other than 25 but not using starttls, but
using immediate ssl encryption.
> We could try to implement stunnel but that would cause too
> much disruption to an already disrupted service.
This is not required. Use tls_on_connect_ports.
> Also Norton AV and Norton Internet Security need
> reconfiguring to work with any encryption (they proxy
> connections and can't handle SSL) no matter what port. Many
> Windows machines seem to come preinstalled with Norton AV these days.
If NAV really needs unencrypted connections, that's bad. Thought they would
be better.
We use McAfee VirusScan Enterprise, which integrated nicely into outlook, no
matter which connection.
> A general problem with Outlook/Windows seems to be IP
> caching. We had two machines on round robin DNS which worked
> but if one went down Outlook users reported mail failures.
> Even with a TTL of 1s some people were still trying to use
> the same downed IP a week later.
Never heard of this before. Works well for us.
> I was recently at a conference which blocked both port 25 and
> 587 but left 465 open. First time I'd come across port 587 blocking.
Argh, they should not block 587...
Regards,
Steffen