Re: [exim] TLS Authentication at gmail failing

Author: Marc Haber
Date:  
To: exim4 mailing list
Subject: Re: [exim] TLS Authentication at gmail failing
On Fri, 27 Oct 2006 13:18:21 +0200, Hadron Quark
<hadronquark@???> wrote:
>Marc Haber <mh+exim-users@???> writes:
>> On Fri, 27 Oct 2006 10:00:25 +0200, Hadron Quark
>> <hadronquark@???> wrote:
>>>I have configured exim4 to use smarthost for sending mails. I have,
>>>successfully, configured it to use procmail_pipe to intercept local
>>>destinations - e.g I can "mail" from the Linux command line to
>>>"root@locahost" and procmail is invoked by exim4 to deliver to my local
>>>maildirs.
>>>
>>>The problem I have is that, using "mail" as opposed to my smtpmail
>>>package in gnus and thus using exim4, the smarthost authentication is
>>>failing. It worked twice and then stopped working.
>>>
>>>Here is the logline I get:
>>>
>>>2006-10-27 09:33:21 1GdMDG-0001tT-D9 ** hadronquark@???
>>>R=smarthost T=remote_smtp_smarthost: SMTP error from remote mail server
>>>after MAIL FROM:<hadron@fujitsu> SIZE=1369: host gmail-smtp.l.google.com
>>>[66.249.93.111]: 530 5.5.1 Authentication Required c1sm157417ugf
>>
>> That looks like your exim is not trying to authenticate.
>> http://wiki.debian.org/PkgExim4UserFAQ#head-c1af64f5f8594bec680ed64a199607afb8e1c084
>> might help here.
>
>Not really as it offers no advice on how to set up. I don't know enough
>about SMTP to debug anything.


If you do not know that much about SMTP, then you should probably not
run a mail server on the public Internet.

I have, however, added some advice about how to debug to the FAQ
entry. It might be more helpful now.

>>>| Next, set up the client to send all outgoing mail via the relay host. Install exim4 and set it to use your relay server as a smarthost. Edit /etc/exim4/passwd.client and put in your username and password, something like:
>>>| 
>>>|     ### CONFDIR/passwd.client
>>>|     #
>>>|     # Format:
>>>|     #targetmailserver.example:login:password
>>>|     #
>>>|     # default entry:
>>>|     ### *:bar:foo
>>>|     *:USERNAME:PASSWORD

>>
>> That is correct, and the * keeps you from hitting the trap mentioned
>> in http://bugs.debian.org/244724 and
>> http://pkg-exim4.alioth.debian.org/README/exim4-config_files.5.html#/etc/exim4/passwd.client
>>
>>>| Finally, hack your exim4.conf.template to use port 26 instead of 25. Find the section for remote_smtp_smarthost and add port = 26 to it. In my file it looks like this:
>>>| 
>>>|     remote_smtp_smarthost:
>>>|       debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
>>>|       driver = smtp
>>>|       hosts_try_auth = ${if exists {CONFDIR/passwd.client}{DCsmarthost}{}}
>>>|       tls_tempfail_tryclear = false
>>>|       DEBCONFheaders_rewriteDEBCONF
>>>|       DEBCONFreturn_pathDEBCONF
>>>|       port = 26
>>>| 
>>>| That should be it. Now mail sent locally will get relayed via port 26 on your relay host. 

>>
>> Please note that your third-party HOWTO gives the bad advice of
>> delivering to port tcp/26. smtp.google.com only listens on Ports
>> tcp/25 and tcp/587.
>
>The how to I referenced didn't do anything with google. It was to do with
>setting up your OWN smarthost for connecting to when on the road. As
>I said above, I already changed the port to 587 anyway.


Good.

>> I have just checked: smtp.google.com offers STARTTLS and only
>> advertises SMTP AUTH after the connection has been encrypted. Thus,
>> the Debian exim4 should be able to authenticate fine. I have verified
>> both with swaks and exim4 that authentication works.
>>
>> The only trap that I can see is that smtp.google.com is a CNAME, so
>> you'll need to either put an asterisk in your passwd.client line or
>> explicitly name the reverse DNS name of smtp.google.com, which is
>> (today) gmail-smtp.l.google.com.
>
>Can you reference the info about this asterisk?


Sure. I already did. Information is available in
http://bugs.debian.org/244724 and
http://pkg-exim4.alioth.debian.org/README/exim4-config_files.5.html#/etc/exim4/passwd.client

>As for the CNAME - my
>exim4 log reveals it has started a conversation with the smtp server just
>fine - so where does this CNAME come in?


The plain authenticator in Debian's default configuration uses $host
as a key into /etc/exim4/passwd.client, and that variable contains the
name of the host you are actually connected to, which is most probably
taken from the reverse DNS entry of the associated IP address. Thus,
an entry "smtp.gmail.com" would not match for the host you are
connected to.

Changing this without exim helping here (which would require a change
in exim program code) is _exceptionally_ hard in the configuration.

>> May I ask why you chose to ignore all Debian documentation and instead
>> went to honor a third-party HOWTO that clearly shows that its author
>> is not familiar with Debian's exim packages?
>
>Because I couldn't google anything up which was easy enough to follow :
>as a newbie, totally unfamiliar with exim4 the main docs are extremely
>hard to follow.


Running a Mail server on the Internet requires considerable knowledge,
and it is a bad idea to do this without even knowing the basics of
mail processing.

> If you know of a small howto which works


No. The topic is complex and requires considerable knowledge.

It _might_ help to deliver a message from the command line with
"< /dev/null exim -d target.address" and to send the debug output to a
paste service. Beware that this output might contain your SMTP AUTH
password, so you'd need to sanitize the output before posting.

Greetings
Marc

-- 
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         |   " Questions are the         | Mail address in header
Mannheim, Germany  |     Beginning of Wisdom "     | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834
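
The following is an added example, not part of the original message and not Debian's or exim's own code. It models the `$host` lookup into `passwd.client` described above, showing why an entry keyed on the CNAME does not match the connected host while `*` does, and it redacts the SMTP AUTH password from debug output before posting. The matching rule is a simplified assumption, the function names are hypothetical, and the credentials and debug lines are constructed.

```python
import base64
import re

# Constructed sample in the host:login:password format quoted in the message.
PASSWD_CLIENT = """\
# targetmailserver.example:login:password
smtp.gmail.com:alice@example.org:s3cret-pw
"""

def parse_passwd_client(text):
    """Return (host_key, login, password) tuples, skipping comments and blanks."""
    rows = (l.strip() for l in text.splitlines())
    return [tuple(l.split(":", 2)) for l in rows
            if l and not l.startswith("#") and l.count(":") >= 2]

def lookup(entries, connected_host):
    """Assumed, simplified matching: the key equals the connected host name,
    or the key starts with '*' and the rest is a suffix of that name."""
    for key, login, password in entries:
        if key == connected_host or (key[:1] == "*" and connected_host.endswith(key[1:])):
            return login, password
    return None  # no entry matches this host

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")

def sanitize(debug_text, entries):
    """Redact every password, literal or inside a base64 token (AUTH PLAIN/LOGIN)."""
    secrets = [password for _, _, password in entries]

    def redact(match):
        try:
            decoded = base64.b64decode(match.group(0), validate=True)
        except ValueError:  # not valid base64, leave the word alone
            return match.group(0)
        text = decoded.decode("utf-8", "replace")
        return "[REDACTED]" if any(s in text for s in secrets) else match.group(0)

    out = B64_TOKEN.sub(redact, debug_text)
    for s in secrets:
        out = out.replace(s, "[REDACTED]")
    return out

if __name__ == "__main__":
    entries = parse_passwd_client(PASSWD_CLIENT)
    print(lookup(entries, "gmail-smtp.l.google.com"))  # key is the CNAME, not this name
    print(lookup(parse_passwd_client("*:alice@example.org:s3cret-pw"), "gmail-smtp.l.google.com"))
    token = base64.b64encode(b"\0alice@example.org\0s3cret-pw").decode()
    print(sanitize(f"SMTP>> AUTH PLAIN {token}\npassword s3cret-pw", entries))  # constructed lines
```

The redaction decodes each base64-looking token instead of searching for an encoded password, because AUTH PLAIN encodes login and password together and the password's own encoding does not appear as a substring.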