Re: [exim] authenticate * not work

Góra strony
Delete this message
Reply to this message
Autor: John W. Baxter
Data:  
Dla: exim-users
Temat: Re: [exim] authenticate * not work
On 5/19/05 12:28 AM, "G W" <gilbert.debian@???> wrote:

>> This part shows that Cisco PIX SMTP fixup is not running for this
>> connection. That stuff only comes out for ESMTP, not for SMTP, which the PIX
>> fix up forces.
> sorry, i don't quite understand. Can you be more specific which party
> shows SMTP fixup is NOT running?
>
>
>> SMTP>> 250-mail3.techsoft.com.hk Hello yckun202214.netvigator.com
>> [219.76.52.214]
>> 250-SIZE 5242880
>> 250-PIPELINING
>> 250-AUTH PLAIN CRAM-MD5
>> 250 HELP


The response above can only come from EHLO, not from HELO. PIX fix up (in
now-older versions) prevents EHLO. Hence the transaction did not come
through a PIX with fix up on.

I don't THINK fix up lets the command in and then translates to a proper
HELO response.

Best test is to telnet to port 25 of the machine from OUTSIDE the firewall,
and see what you get. Sensible banner and proper EHLO response means fix up
is off.

>>
>> Did this connection go through the PIX? (An earlier message pretty clearly
>> showed that PIX SMTP fixup was on.)
>>
>> Do I remember that the client MUA in your tests is Microsoft Outlook or
>> Outlook Express? If so, you need to advertise AUTH LOGIN, too. (As usual,
>> Microsoft "improves" on published standards.) Meaning you need to introduce
>> another authenticator for AUTH LOGIN. It's almost the same, and discussed
>> in the Exim spec.
>
> i tried Mozilla Thunderbird as well. It won't work if there's NO LOGIN
> authenticator.
> am i right that AUTH LOGIN is not only required by MS O/OE, but also
> others, in this case, thunderbird??
>
> why don't the MUA use AUTH PLAIN or AUTH CRAM-MD5 that i advertise??


I rather thought Thunderbird would use CRAM-MD5 preferentially.

I fired up Thunderbird, and it used CRAM-MD5 for my test message (we
advertise--to customers, not on the MX address--CRAM-MD5, SPA, LOGIN, and
PLAIN, and all are known to work).

>
>
>> shows that the client didn't try to authenticate (authentication comes
>> between the end of the extensions list and the MAIL FROM: command) which
>> would explain why the authenticated = * test failed.
>
> i'm a bit confused.
> The sequence i thought was:
> ehlo domain.tld
> auth { cram-md5, login }
> mail from: sender
> rcpt to: recipient
> data


That's the sequence one sends. There are replies after the ehlo and after
the auth. (I didn't know about the listing of alternatives in the AUTH
command...perhaps that's not what you meant.)

--John