Lee H. Marzke on 19 Feb 2018 11:37:01 -0800



Re: [PLUG] VOIP texting - was Help with Postfix SASL auth to smarthost on RedHat distro



See below

From: "Keith C. Perry" <kperry@daotechnologies.com>
To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
Sent: Monday, February 19, 2018 12:43:46 PM
Subject: Re: [PLUG] VOIP texting - was Help with Postfix SASL auth to smarthost on RedHat distro
Comments below in blue (hopefully it comes out, I forget whether or not HTML posts are passed...)


~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Keith C. Perry, MS E.E.
Managing Member, DAO Technologies LLC
(O) +1.215.525.4165 x2033
(M) +1.215.432.5167
www.daotechnologies.com


From: "Lee H. Marzke" <lee@marzke.net>
To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
Sent: Sunday, February 18, 2018 3:15:24 PM
Subject: Re: [PLUG] VOIP texting - was Help with Postfix SASL auth to smarthost on RedHat distro

See below,

----- Original Message -----
From: "Keith C. Perry" <kperry@daotechnologies.com>
 To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
 Sent: Sunday, February 18, 2018 2:05:00 PM
 Subject: Re: [PLUG] VOIP texting - was Help with Postfix SASL auth to smarthost on RedHat distro

 Yep, TLS / SASL to my Zimbra server here too.  Life is good...

 I'm testing Google Fi stuff now but I haven't ported my number yet.  My
 understanding is that I can IM/txt in Hangouts, which is good.  The little bit
 of voice spam I have received also demonstrated to me how calls can be answered and
 made via Hangouts too.  For me that is going to be ideal since 1) I don't talk
 on my mobile line unless absolutely necessary and 2) I hate having to pick up
 my phone to respond to/send text messages.

So far I've avoided gmail ( I use Zimbra ) and Hangouts, and I use Google Fi and Google search
only.  Very happy with Fi so far: working WiFi tethering, and the free data-only SIM card for
my Nexus 10 tablet.

Seems good to me so far, though the Pixel 2 battery seems to be a bit light for me.  I may move up to the Pixel 2 XL primarily for more battery, but it has been a bit of a challenge going from the Nexus 6 to the Pixel 2.  I use the Hacker's Keyboard on Android and more real estate is better.
I'm getting good battery life on the Nexus 5X.  I've been using the iClever BK05 tri-color, tri-fold wireless KB:
https://www.amazon.com/iClever-Backlight-Tri-folding-Bluetooth-Smartphones/dp/B018K5EJCQ/ref=dp_ob_title_def

I've been using that KB with my Nexus 10 tablet and Horizon View remote desktop (VDI).  Horizon will display
a usable Win10 session inside a tablet or phone, but you need an external KB for any real work.  Works really great.

Kind of freaky to see Win 10 displayed on a tablet or phone, but usable in emergencies with an external KB.
 

Looks like Hangouts integrates with Google Voice, and while I use Google Fi, I
pretty much avoid the rest and use wholesale VOIP trunks to my Asterisk box, so I'm
not sure how Hangouts would work.  Looks like it competes with WhatsApp, which does
much the same thing - only it doesn't require a gmail account and works with any mobile
phone number that has inbound SMS.

There's most likely never going to be an open way to do that integration, so it's going to have to remain separate until some unifying way emerges to have messaging over VoIP.  I've got an email in to my ITSP partners on this to see what they may know of coming down the line.  I'm not holding my breath.  With the way things are these days, I doubt such a thing will happen anytime soon.  The move to LTE-A is already being slow-walked, so I can't see the next universal / worldwide messaging infrastructure being viable yet.

 I still use regular SMS but you are right that with so much movement towards
 VoIP, that is going to have to change - I've been doing mid-sized VoIP office
 deployments where this doesn't come up, but now I'm seeing more interest in
 the home office environment so I'm sure that question is going to come up at
 some point.  I stopped actively giving out my mobile number even though it's in
 my business card QR code contact.  When I am out of the office I just turn on
 the soft phone if I will be available for calls.

Some of the supported VOIP solutions make integration easier, I suppose.  I'm using
wholesale VOIP trunks and a Panasonic DECT portable VOIP phone, and there is a
lot of work to just get them working on FreePBX (even without encryption).  Now if
you use supported Sipura phones or buy the commercial phone module, much of this gets easier.

Do you have encryption working to any softphones, or do you just run OpenVPN on the
laptop?  I've seen FreePBX / OpenVPN integrations, but they seem to only support Sipura
phones etc.

I prefer to just run OpenVPN at the device or network level.  All Sangoma devices should work with FreePBX and PBXact servers.  I've just been running SIP and IAX2 devices for so long that all the false starts and lack of interop with security took their toll and I found other solutions.  I might test this again though, since I do have remote handsets being deployed for an upcoming install.
I have OpenVPN server ( on pfSense ) configs working with Windows, Linux, and Android, but phones are too much work with cert issues.  I
think Sangoma phones are supposed to work with a canned VPN config from the latest FreePBX if you're willing to use their phones.

 If you are running FreePBX you might want to sign up for the Zulu beta, which is
 Sangoma's / FreePBX's softphone.  If you are running a recent version of
 FreePBX, on activated systems you'll see it in the commercial modules listing.
 It wasn't being pushed heavily since a major upgrade has been going on, but it
 looks like it's just about ready.

OK, I saw that and will take a look.  I just migrated my office PBX to the latest
FreePBX SNG7 distro, and that took quite a while.  Even my SIP trunks were not connecting
at first, so I signed up for the free trial of SipStation trunks, looked at how the
config in /etc/asterisk/sip_additional.conf was done, and then experimented with the
GUI to get my trunks to create a similar config.  I think they add more and more fields
to the FreePBX GUI and change things just to make it difficult for any non-SipStation trunks to work.

You probably already know this but pjsip is the default protocol now, not sip (which I think was moved to 5061).  They flipped the ports so unless you go into the advanced settings and switch it back that is the first thing that frustrates people.  You are right, the parameter page gets longer and longer but you really only need to set a couple of things and then take the defaults.
So my trunks are working with SIP on port 5160, and the local phones on pjSIP on 5060.  The issue is my VOIP provider has separate servers for inbound
and outbound, while the GUI dialogs mix it all together.  The GUI has separate fields for trunk name, context, peer details, user details, etc. when
in the end it all gets into one place in the trunk config.  So the INBOUND trunk has many fields just blank, and same for the OUTBOUND trunk.


 https://www.sangoma.com/products/zulu/

 The SMS component appears to require SIPStation's trunking service so that will
 probably hold back more widespread testing.

Yes, I started to consider SipStation trunks, but they only have standard usage
trunks ( small fee for each DID, then ~$24/month for each trunk ).  With low usage, and
wholesale trunks ( I pay per minute for inbound/outbound local calls ), my typical monthly
charge is more like $3/month instead of $24.

The whole debate about unlimited vs wholesale trunks is here:
http://nerdvittles.com/?p=13031

So true, I tell people all the time, metered is generally the way to go.  I had the industry math explained to me once upon a time ;)

 Also, for XMPP stuff and private IM/chat solutions I run and recommend Openfire
 (https://www.igniterealtime.org/projects/openfire/).  They do have a SIP plugin
 but I haven't played around with it in a while.  I think it runs in capable web
 browsers with the Spark web client (should be everything these days) and with
 the Spark desktop client.  Might ultimately be better to just use the FreePBX
 XMPP client in the UCP though, so you have one less thing to worry about.

I had looked at OpenFire/Spark, but never got it running,  and with FreePBX XMPP on a public
IP, I just set the domain name in FreePBX,  and got a Pidgin client connected with no issues
in 5 minutes.   But I don't have much use for Private XMPP since this is just my
office - and that's why I'm looking for SMS or similar solutions.

Most of my solutions are for a home office ( 1 to 3 person office ) with extremely low
recurring cost, while most UC solutions seem to have larger environments in mind.

That's what I find as well.  For the small or home office deployment you end up having to package things together in an a la carte way, but that is where the opportunity is as well and, to be honest, sometimes in the long run that is a better approach.  The do-one-thing-and-do-it-well approach keeps things simple but has other advantages too.

Thanks for all the info, Keith.

The one remaining problem is that with FreePBX on a public IP (no NAT),  and home phones behind
pfSense firewall with NAT it works fine,  but moving the FreePBX to EC2 (different public IP )
and my home phones lose RTP connectivity due to NAT issue ( no voice either direction ).

Running on EC2 is really just for DR, or learning EC2 at this point, so it's not required.  But
I still can't see why changing the Asterisk public IP breaks my local hardphones.  It's
doing the same RTP NAT traversal either way, and I've even set the pfSense static port option
and cleared the states per pfSense postings, but it didn't work.

Lee

Keep in mind that Asterisk is really a multi-protocol media gateway, so the information in the application [SIP] headers is just as important as the packet.  You might have a situation where the nat setting for the PBX is fighting the network nat.  If you don't have voice either way but you have handset "sync" (i.e. you see your device peers) then that is a good sign the pbx and network are not playing nice.  Another thing to keep in mind is the reinvite setting.  If that is set to "no" your PBX stays in the conversation, so changing its IP would matter.  If it is set to "yes" then the PBX is out of the conversation, but then you could also lose a peer unless there are mechanisms in place to make sure they know where the PBX is at all times.  Since I do on-prem systems this is never an issue.  When clients want it, we can do backup / redundant office internet over wireless broadband.  Since network changes are downstream from the PBX (i.e. edge of the network or DMZ), then once internet access is reestablished to the ITSP the PBX can take calls again.

I'm not trying to do a live failover.  I have FreePBX on a public IP locally, and have a clone of the same VM on EC2 for testing on a separate public IP.
Just flipping my phone config to use the other public IP breaks voice ( and I reset pfSense state tracking ).  Yes, there are places in SIP or pjSIP to
set the external NAT IP, but so far only the local public IP works reliably and not the EC2 IP.  So the NAT traversal is really the same either way, just
to a different public IP, but still no luck.  I guess I should do a packet capture as an exercise anyway.

Another issue: lately the VMX locator I had been using seems to be broken.  It is a small IVR menu inside each extension config - and you can do things
like "If this is an urgent call push 1 and the system will locate me, otherwise please leave a message", then pushing 1 will call your cell ( without revealing your
cell number ).  Even though this code is in production, there seem to be a few issues yet.

Lee
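To make the packet-capture exercise mentioned above concrete, here is an added example; it is not code from the thread, from Asterisk or from FreePBX. It parses a constructed SIP INVITE of the shape a phone behind a home NAT sends (pbx.example.invalid and 203.0.113.7, from the RFC 5737 documentation range, are placeholders for a real PBX name and a real public IP) and reports every Contact or SDP c= address that a peer on the far side of that NAT could not reach. This is Keith's point about the application-layer headers mattering as much as the packet: registration and the INVITE itself arrive fine, but if the SDP still carries 192.168.x.x, the PBX sends its RTP to an address it cannot reach, which is the "no voice either direction" symptom. The `expected_external` argument is an assumption of the example: it lets you check that the public address being advertised is the one the phone's or PBX's NAT settings (externaddr in chan_sip, external_media_address / external_signaling_address in pjsip) were configured with, rather than one left over from the old location.

```python
"""Spot NAT address mismatches in a SIP INVITE, offline.

Added example, not code from the thread, Asterisk or FreePBX. It reads an
INVITE the way one would read it out of a packet capture at the PBX and
reports every self-advertised address (Contact header, SDP c= line) that a
peer on the far side of NAT could not deliver signalling or RTP to.
"""
import ipaddress
import re

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Ranges a peer across the Internet cannot route back to (RFC 1918, loopback,
# link-local, and the RFC 6598 carrier-grade NAT block mobile carriers use).
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]


def parse_sip(message):
    """Split a SIP message into (start line, {header: [values]}, body)."""
    head, _, body = message.replace("\r\n", "\n").partition("\n\n")
    start, *header_lines = head.split("\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return start, headers, body


def advertised_addresses(message):
    """Return {field: ip} for the addresses the sender tells its peer to use.

    Via is left out on purpose: with ;rport the far side learns the real
    source address from the packet (RFC 3581), so a private Via is harmless.
    """
    _, headers, body = parse_sip(message)
    found = {}
    for contact in headers.get("contact", []):
        m = IPV4_RE.search(contact)
        if m:
            found["Contact"] = m.group(1)
    for line in body.splitlines():
        parts = line.split()
        if line.startswith("c=IN IP4") and len(parts) == 3:
            found["SDP c="] = parts[2]
    return found


def nat_findings(message, expected_external=None):
    """List advertised addresses a far-side peer could not use; empty = consistent.

    expected_external (assumed known: the public IP the phone sits behind)
    also catches a public address that is simply the wrong one.
    """
    findings = []
    for field, ip in advertised_addresses(message).items():
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in UNROUTABLE):
            findings.append("%s advertises private address %s" % (field, ip))
        elif expected_external and ip != expected_external:
            findings.append("%s advertises %s, expected %s" % (field, ip, expected_external))
    return findings


# Constructed INVITE (not a capture) as a phone behind a home NAT sends it.
# pbx.example.invalid and 203.0.113.7 (RFC 5737 documentation range) stand in
# for a real PBX name and a real public address.
INVITE_BEHIND_NAT = "\r\n".join([
    "INVITE sip:2001@pbx.example.invalid SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds;rport",
    "From: <sip:201@pbx.example.invalid>;tag=1928301774",
    "To: <sip:2001@pbx.example.invalid>",
    "Call-ID: a84b4c76e66710@192.168.1.20",
    "CSeq: 314159 INVITE",
    "Contact: <sip:201@192.168.1.20:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=- 2890844526 2890844526 IN IP4 192.168.1.20",
    "s=-",
    "c=IN IP4 192.168.1.20",
    "t=0 0",
    "m=audio 16384 RTP/AVP 0 8 101",
])

# The same INVITE after the phone (or the PBX on its behalf) substitutes the
# public address in Contact and SDP, which is what the NAT settings are for.
INVITE_FIXED = (INVITE_BEHIND_NAT
                .replace("<sip:201@192.168.1.20:5060>", "<sip:201@203.0.113.7:5060>")
                .replace("c=IN IP4 192.168.1.20", "c=IN IP4 203.0.113.7"))

if __name__ == "__main__":
    for name, msg in (("behind NAT", INVITE_BEHIND_NAT), ("fixed", INVITE_FIXED)):
        print(name, "->", nat_findings(msg, expected_external="203.0.113.7") or "consistent")
```

Run it over the INVITE as captured on the PBX side (tcpdump with `-A` on the SIP port shows the text): a private Contact means the PBX will send in-dialog requests nowhere useful, a private c= means its RTP has no reachable destination, and a public address that differs from the one you expect points at an external-address setting that was not updated when the PBX moved.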

 ----- Original Message -----
 From: "Lee H. Marzke" <lee@marzke.net>
 To: "Philadelphia Linux User's Group Discussion List"
 <plug@lists.phillylinux.org>
 Sent: Sunday, February 18, 2018 8:00:00 AM
 Subject: Re: [PLUG] VOIP texting - was Help with Postfix SASL auth to smarthost
 on RedHat distro

 Thanks for reminding me to close down those gmail security exceptions, as I'm
 running my voicemail messages through my main SMTP server now, over TLS/SASL.

 I have a question.   What do people use these days for texting ?

 SMS was popular on mobile phones, but doesn't have support by most VOIP
 carriers.
 Many VOIP carriers have inbound SMS,  but the clients are often XMPP , not the
 native SMS client.

 Even FreePBX 14 now has an embedded XMPP server, but that's not useful unless
 you have a whole company on your PBX.   Pidgin on Linux talked to FreePBX XMPP
 easily.
 Or maybe people register with a whole bunch of XMPP services ?

 I would like to not publish my cell number since I route my incoming VOIP trunks
 to it, so the cell's SMS capability doesn't hide the cell number for me.

 I've also noticed that WhatsApp is popular, and I have an unexpected number of
 business and family contacts with accounts.   That service can be used on the phone with
 any inbound number that receives texts so that may work for me.

 What are people using these days for texting?   So many choices.

 Lee




 ----- Original Message -----
From: "Keith C. Perry" <kperry@daotechnologies.com>
 To: "Philadelphia Linux User's Group Discussion List"
 <plug@lists.phillylinux.org>
 Sent: Saturday, February 17, 2018 9:05:06 PM
 Subject: Re: [PLUG] Help with Postfix SASL auth to smarthost on RedHat distro


I know this is a bit dated but I wanted to +1 this because, after realizing many
 ISPs block port 25 for residential customers, I ended up creating an account on
 my mail server so that my clients that work out of their homes could relay
 their voicemail messages.  As stated, Gmail is going to be a pita to use so it
 makes life easier just to run this traffic through my own server.


 ----- Original Message -----
 From: "Lee H. Marzke" <lee@marzke.net>
 To: "Philadelphia Linux User's Group Discussion List"
 <plug@lists.phillylinux.org>
 Sent: Monday, February 12, 2018 8:00:00 AM
 Subject: Re: [PLUG] Help with Postfix SASL auth to smarthost on RedHat distro

 FYI,

 OK, SMTP auth over TLS is working now.

 Turns out gmail relay still fails, and it forces you to allow "less secure apps"
 in your account settings before this works.
 So I've switched to my other smarthost and that is working as well.

 This is an example of why software code reviews can be so helpful: when you
 carefully explain or walk through the code with others, the error that you
 couldn't see before just jumps out.



 Lee



 ----- Original Message -----
From: "Lee H. Marzke" <lee@marzke.net>
 To: "Philadelphia Linux User's Group Discussion List"
 <plug@lists.phillylinux.org>
 Sent: Sunday, February 11, 2018 10:45:22 PM
 Subject: Re: [PLUG] Help with Postfix SASL auth to smarthost on RedHat distro


Wow, just typing this message out helped me find the likely error already.

-rw------- 1 root root 111   Feb 11 18:37 sasl_paswd
 -rw------- 1 root root 12288 Feb 11 19:42 sasl_paswd.db


 Looks like passwd is missing an 's' in both places.  How did I miss that?

 I'll let everyone know if that fixes it.

 Lee

 ----- Original Message -----
From: "Lee H. Marzke" <lee@marzke.net>
 To: "Philadelphia Linux User's Group Discussion List"
 <plug@lists.phillylinux.org>
 Sent: Sunday, February 11, 2018 10:36:36 PM
 Subject: [PLUG] Help with Postfix SASL auth to smarthost on RedHat distro


I'm having trouble with Postfix SMTP authentication to a smarthost on a new
 install of RH 7.3

 This is actually the latest FreePBX SNG7 OS based on RH 7.3 but shouldn't
 matter.
 https://en.wikipedia.org/wiki/FreePBX_Distro

 I have Postfix SMTP auth over TLS  working on an old Ubuntu release, but for
 some reason the Red Hat distro is giving me permission issues
 with nearly the same setup.   Any clues where I should look next ?

 Basically SASL authentication strings are in the file   /etc/postfix/sasl_passwd
 containing two smart hosts:

 [smtp.gmail.com]:587      username:password
 [smtp.smarthost2.net]:587 username:password

 and has permissions:

 -rw------- 1 root root 111   Feb 11 18:37 sasl_paswd
 -rw------- 1 root root 12288 Feb 11 19:42 sasl_paswd.db

 the hash is updated/created with:
 sudo postmap hash:/etc/postfix/sasl_passwd

 Notes for CentOS claim that postfix reads the .db map file as root, then drops
 permissions on startup.

 However,  when I send email,  I keep getting errors where postfix can't read the
 sasl_passwd.db file.

 Feb 11 22:12:42 freepbx postfix/smtp[11208]: Trusted TLS connection established
 to smtp.gmail.com[209.85.232.108]:587: TLSv1.2 with cipher
 ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
 Feb 11 22:12:42 freepbx postfix/smtp[11208]: warning:
 hash:/etc/postfix/sasl_passwd is unavailable. open database
 /etc/postfix/sasl_passwd.db: No such file or directory
 Feb 11 22:12:42 freepbx postfix/smtp[11208]: warning:
 hash:/etc/postfix/sasl_passwd lookup error for "smtp.gmail.com"
 Feb 11 22:12:42 freepbx postfix/smtp[11208]: warning: 89DF211780BB:
 smtp_sasl_passwd lookup error
 Feb 11 22:12:42 freepbx postfix/smtp[11208]: 89DF211780BB: local data error
 while talking to smtp.gmail.com[209.85.232.108]

 Now I know the file is there.   And I've tried changing permissions to allow
 postfix group read, and other combinations,
 but they always fail the same way.


 The relevant sections of main.cf are:

 #Setup TLS, using default self-signed certs

 smtp_tls_security_level = may
 smtp_tls_loglevel = 1
 smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.trust.crt
 smtp_tls_cert_file = /etc/pki/tls/certs/localhost.crt
 smtp_tls_key_file = /etc/pki/tls/private/localhost.key

 # Use smarthost
 #relayhost = [smtp.protectedservice.net]:587
 relayhost = [smtp.gmail.com]:587

 # Setup SASL over TLS for smart host ( Gmail require TLS,  others may not )

 smtp_use_tls = yes
 smtp_sasl_auth_enable = yes
 broken_sasl_auth_clients = yes
 smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
 smtp_sasl_security_options = noanonymous
 smtp_sasl_tls_security_options = noanonymous
 smtp_sasl_type = cyrus
 smtp_tls_security_level = encrypt
 smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

 ###DEBUG
 #debug_peer_list=smtp.gmail.com
 #debug_peer_level=3


 The policy map  tls_policy contains:       (but this isn't causing issues so
 far)

 [smtp.gmail.com]:587 encrypt
 [smtp.othersmarhost.net]:587 encrypt


 Regards,


 Lee

 --
 "Between subtle shading and the absence of light lies the nuance of iqlusion..."
 - Kryptos

 Lee Marzke,  lee@marzke.net     http://marzke.net/lee/
 IT Consultant, VMware, VCenter, SAN storage, infrastructure, SW CM

 ___________________________________________________________________________
 Philadelphia Linux Users Group         --        http://www.phillylinux.org
 Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
 General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
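As an added example (not code from the thread or from Postfix), here is an offline check for the setup described in the message above. It reads relayhost and smtp_sasl_password_maps out of a main.cf, then verifies that the map source exists, is root-owned with mode 0600 (it holds cleartext credentials, which is why Postfix reads it as root before dropping privileges), that the postmap-generated .db is present and not older than its source, and that the relayhost has a user:password entry. The demo rebuilds the two states from the thread in a temporary directory: the credential file saved as sasl_paswd, which is exactly what produces the "open database /etc/postfix/sasl_passwd.db: No such file or directory" warning in the log above, and the corrected filename. Two simplifications are my own assumptions: postmap is not run, so a placeholder file stands in for the .db, and the lookup rule is reduced to "relayhost as written, or its bare hostname".

```python
"""Offline sanity check for a Postfix smtp_sasl_password_maps setup.

Added example, not code from the thread or from Postfix. It reproduces the
failure discussed above: the credential file was created as sasl_paswd
(missing an 's'), so postmap never produced sasl_passwd.db.
"""
import os
import stat
import tempfile


def parse_main_cf(text):
    """Minimal 'key = value' parser for main.cf; later duplicates win, as in Postfix."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")
            if sep:
                cfg[key.strip()] = value.strip()
    return cfg


def parse_map_source(text):
    """Parse a hash: map source file ('key value' per line) into a dict."""
    entries = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            entries[parts[0]] = parts[1]
    return entries


def check_sasl_map(main_cf_path, expected_uid=0):
    """Return the problems found; an empty list means the setup looks sane.

    Assumption (simplified from postconf(5)): a relayhost written as
    [host]:port is matched by a map key of '[host]:port' or plain 'host'.
    """
    problems = []
    with open(main_cf_path) as fh:
        cfg = parse_main_cf(fh.read())
    if cfg.get("smtp_sasl_auth_enable") != "yes":
        problems.append("smtp_sasl_auth_enable is not 'yes'")
    maps = cfg.get("smtp_sasl_password_maps", "")
    if not maps.startswith("hash:"):
        return problems + ["smtp_sasl_password_maps is not a hash: table: %r" % maps]
    src = maps[len("hash:"):]
    if not os.path.exists(src):
        return problems + ["map source %s does not exist (filename typo?)" % src]
    st = os.stat(src)
    # The source holds cleartext credentials: root-owned, no group/other access.
    if st.st_uid != expected_uid:
        problems.append("%s is not owned by uid %d" % (src, expected_uid))
    if stat.S_IMODE(st.st_mode) & 0o077:
        problems.append("%s is readable by group/other (want 0600)" % src)
    db = src + ".db"
    if not os.path.exists(db):
        problems.append("%s missing: run 'postmap %s'" % (db, maps))
    elif os.stat(db).st_mtime < st.st_mtime:
        problems.append("%s is older than its source: re-run postmap" % db)
    with open(src) as fh:
        entries = parse_map_source(fh.read())
    relayhost = cfg.get("relayhost", "")
    host = relayhost[1:].split("]")[0] if relayhost.startswith("[") else relayhost.split(":")[0]
    cred = entries.get(relayhost) or entries.get(host)
    if relayhost and cred is None:
        problems.append("no credential entry for relayhost %s" % relayhost)
    elif cred is not None and ":" not in cred:
        problems.append("entry for %s is not in user:password form" % relayhost)
    return problems


# Same settings as the thread's main.cf excerpt; the map path is filled in per run.
MAIN_CF_TEMPLATE = """relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:{src}
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
"""


def _write_private(path, text):
    """Create the file with mode 0600 regardless of umask."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, 0o600)


def demo():
    """Constructed scenario in a temp dir: the misnamed file, then the fix.
    Returns (problems_before, problems_after)."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "sasl_passwd")
        main_cf = os.path.join(d, "main.cf")
        with open(main_cf, "w") as fh:
            fh.write(MAIN_CF_TEMPLATE.format(src=src))
        creds = "[smtp.gmail.com]:587 username:password\n"
        # Before: credentials were saved as sasl_paswd, so the configured
        # source and its .db are both absent.
        _write_private(os.path.join(d, "sasl_paswd"), creds)
        before = check_sasl_map(main_cf, expected_uid=os.getuid())
        # After: correct name plus a stand-in for postmap's output (postmap is
        # not run here; the real .db is a Berkeley DB file).
        _write_private(src, creds)
        _write_private(src + ".db", "stand-in for postmap output\n")
        after = check_sasl_map(main_cf, expected_uid=os.getuid())
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before fix:", before or "OK")
    print("after fix:", after or "OK")
```

On a real system, run `check_sasl_map("/etc/postfix/main.cf")` as root with the default expected uid; the mtime comparison is what catches the other common case, where sasl_passwd is edited but `postmap` is never re-run, so the old credentials keep being used.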


