Re: [exim] TLS Authentication at gmail failing

Author: Hadron Quark
Date:  
To: exim4 mailing list
Subject: Re: [exim] TLS Authentication at gmail failing

(apologies as I replied directly to Marc as opposed to following up)
====================================================================

Thanks for the reply. See below.

Marc Haber <mh+exim-users@???> writes:

> On Fri, 27 Oct 2006 10:00:25 +0200, Hadron Quark
> <hadronquark@???> wrote:
>>I have configured exim4 to use smarthost for sending mails. I have,
>>successfully, configured it to use procmail_pipe to intercept local
>>destinations - e.g. I can "mail" from the Linux command line to
>>"root@localhost" and procmail is invoked by exim4 to deliver to my local
>>maildirs.
>>
>>The problem I have is that, using "mail" as opposed to my smtpmail
>>package in gnus and thus using exim4, the smarthost authentication is
>>failing. It worked twice and then stopped working.
>>
>>Here is the logline I get:
>>
>>2006-10-27 09:33:21 1GdMDG-0001tT-D9 ** hadronquark@???
>>R=smarthost T=remote_smtp_smarthost: SMTP error from remote mail server
>>after MAIL FROM:<hadron@fujitsu> SIZE=1369: host gmail-smtp.l.google.com
>>[66.249.93.111]: 530 5.5.1 Authentication Required c1sm157417ugf
>
> That looks like your exim is not trying to authenticate.
> http://wiki.debian.org/PkgExim4UserFAQ#head-c1af64f5f8594bec680ed64a199607afb8e1c084
> might help here.


Not really as it offers no advice on how to set up. I don't know enough
about SMTP to debug anything.

>
>>Here is the HowTo I followed, changing the port selected by the client
>>to 587 for gmail's smtp servers. I have set up my passwd.client file.
>>
>>http://www.lexspoon.org/linux/smtp-relay.html
>
> That HOWTO is actually quite bad. A critique of it can be found in
> http://wiki.debian.org/PkgExim4UserFAQ#head-143dbe79ffa3848284fbd0b0a2bb78dae3d75a18.
>
>>Possibly something to do with authentication file generated by
>>"/usr/share/doc/exim4-base/examples/exim-gencert"
>
> Not at all. A certificate is not needed if all you want to do is
> authenticate as a client.


That's good to know - thanks.

>
>> - should I have even
>>run that keeping in mind that I'm not running a receiving smtp server -
>>only a client.
>
> It does not hurt, but it is not needed.
>
>>| Next, set up the client to send all outgoing mail via the relay host. Install exim4 and set it to use your relay server as a smarthost. Edit /etc/exim4/passwd.client and put in your username and password, something like:
>>| 
>>|     ### CONFDIR/passwd.client
>>|     #
>>|     # Format:
>>|     #targetmailserver.example:login:password
>>|     #
>>|     # default entry:
>>|     ### *:bar:foo
>>|     *:USERNAME:PASSWORD

>
> That is correct, and the * keeps you from hitting the trap mentioned
> in http://bugs.debian.org/244724 and
> http://pkg-exim4.alioth.debian.org/README/exim4-config_files.5.html#/etc/exim4/passwd.client
>
>>| Finally, hack your exim4.conf.template to use port 26 instead of 25. Find the section for remote_smtp_smarthost and add port = 26 to it. In my file it looks like this:
>>| 
>>|     remote_smtp_smarthost:
>>|       debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
>>|       driver = smtp
>>|       hosts_try_auth = ${if exists {CONFDIR/passwd.client}{DCsmarthost}{}}
>>|       tls_tempfail_tryclear = false
>>|       DEBCONFheaders_rewriteDEBCONF
>>|       DEBCONFreturn_pathDEBCONF
>>|       port = 26
>>| 
>>| That should be it. Now mail sent locally will get relayed via port 26 on your relay host. 

>
> Please note that your third-party HOWTO gives the bad advice of
> delivering to port tcp/26. smtp.google.com only listens on Ports
> tcp/25 and tcp/587.


The how-to I referenced didn't do anything with google. It was to do with
setting up your OWN smarthost for connecting to when on the road. As
I said above, I already changed the port to 587 anyway.

>
> I have just checked: smtp.google.com offers STARTTLS and only
> advertises SMTP AUTH after the connection has been encrypted. Thus,
> the Debian exim4 should be able to authenticate fine. I have verified
> both with swaks and exim4 that authentication works.
>
> The only trap that I can see is that smtp.google.com is a CNAME, so
> you'll need to either put an asterisk in your passwd.client line or
> explicitly name the reverse DNS name of smtp.google.com, which is
> (today) gmail-smtp.l.google.com.


Can you reference the info about this asterisk? As for the CNAME - my
exim4 log reveals it has started a conversation with the smtp server just
fine - so where does this CNAME come in? Clearly I wouldn't want to put
in a "day specific" smtp server name. smtp.gmail.com seems to find their
servers fine. What am I misunderstanding here?

>
> May I ask why you chose to ignore all Debian documentation and instead
> went to honor a third-party HOWTO that clearly shows that its author
> is not familiar with Debian's exim packages?


Because I couldn't google anything up which was easy enough to follow:
as a newbie, totally unfamiliar with exim4, the main docs are extremely
hard to follow. If you know of a small howto which works please let me
know or even the link to proper debian documentation which doesn't assume
knowledge of SMTP protocol and telnet. I had a look at the wiki FAQ,
here: http://wiki.debian.org/PkgExim4UserFAQ but I can see nothing
about configuring smarthosts with TLS authentication - I am not able to
debug SMTP.


Many thanks for your help.

>
> Greetings
> Marc
>
> -- 
> -------------------------------------- !! No courtesy copies, please !! -----
> Marc Haber         |   " Questions are the         | Mail address in header
> Mannheim, Germany  |     Beginning of Wisdom "     | http://www.zugschlus.de/
> Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834
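
The passwd.client trap discussed in this message, as an added illustration (not part of the original e-mail and not Debian's or exim's own code): a simplified Python model of a first-match lookup in the `host:login:password` format quoted above. It assumes the lookup key is the host name that appears in the log line (`gmail-smtp.l.google.com`) and that a leading `*` means "ends with"; the function names and sample files are constructed for the example.

```python
# Simplified model of a passwd.client lookup (assumption: the key is the
# host name exim logs for the connection, not the alias typed as smarthost).
# Sample files are constructed; USERNAME/PASSWORD are placeholders.

KEYED_ON_ALIAS = """\
### CONFDIR/passwd.client
# entry keyed on the CNAME the admin configured as smarthost
smtp.gmail.com:USERNAME:PASSWORD
"""

KEYED_ON_LOGGED_NAME = """\
# entry keyed on the name shown in the exim log line
gmail-smtp.l.google.com:USERNAME:PASSWORD
"""

WILDCARD = """\
# default entry, as in the quoted HOWTO
*:USERNAME:PASSWORD
"""


def parse_passwd_client(text):
    """Return (pattern, login, password) tuples, skipping comments and blanks."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the first two colons only, so a password may contain ':'.
        pattern, login, password = line.split(":", 2)
        entries.append((pattern.lower(), login, password))
    return entries


def credentials_for(host, text):
    """First entry matching `host` wins; None means nothing to authenticate with.

    Only exact names and a leading '*' ("ends with") are modelled here;
    regular-expression patterns are not.
    """
    host = host.lower()
    for pattern, login, password in parse_passwd_client(text):
        if pattern.startswith("*"):
            if host.endswith(pattern[1:]):
                return login, password
        elif host == pattern:
            return login, password
    return None
```

Under this model a file keyed only on the alias yields no credentials for the logged host name, which fits the `530 5.5.1 Authentication Required` response in the log line above, while the `*` entry or the logged name both match.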