Re: [exim] Smtp-Authentication problems (using courier-authd…

Top Page
Delete this message
Reply to this message
Author: Phil Pennock
Date:  
To: Andreas Kahl
CC: exim-users
Subject: Re: [exim] Smtp-Authentication problems (using courier-authdaemondon debian etch)
On 2007-06-12 at 22:14 +0200, Andreas Kahl wrote:
>   accept  hosts         = +relay_from_hosts

>
> accept authenticated = *
>
>   deny    message       = relay not permitted


This is fine.

> > You can get more diagnostics, running a debug Exim; this won't detach
> > >from the terminal, so you'll see what's going on. For instance:
> >
> > # exim -d+acl+auth -oX 26 -bd
> >
>
> I also did this (with Port 25). A copy of my console is attached in
> exim-session.txt .


This shows the problem. The client isn't authenticating.

> 28267 SMTP>> 220 vitruvia.dyndns.org ESMTP Exim 4.63 Tue, 12 Jun 2007 22:02:33 +0200
> 28267 Process 28267 is ready for new message
> 28267 smtp_setup_msg entered
> 28267 SMTP<< XXXX Cirrus.local


WTF is XXXX as an SMTP command?
Ah, it appears to be what a Cisco firewall replaces unacceptable
commands with.

You've got a broken application-level firewall breaking your SMTP
conversations.

You could try using the "submission" port, 587, for submission of email.
Or smtps on port 465 (SMTP with SSL-on-connect, instead of being
negotiated). Submission is better, smtps might better survive the
man-in-the-middle attack perpetrated by the malware pretending to be a
firewall. I call it malware because it's actively preventing good
security.

> 28267 LOG: smtp_syntax_error MAIN
> 28267 SMTP syntax error in "XXXX Cirrus.local" H=p54997838.dip.t-dialin.net [84.153.120.56] unrecognized command
> 28267 SMTP>> 500 unrecognized command
> 28267 SMTP<< HELO Cirrus.local


So here your client is saying HELO instead of EHLO, so isn't learning
about the authentication options.

> 28267 SMTP>> 250 vitruvia.dyndns.org Hello p54997838.dip.t-dialin.net [84.153.120.56]
> 28267 SMTP<< MAIL FROM:<kahl3@???>
> 28267 SMTP>> 250 OK


Here you see your server responding to the HELO and then the client
starting to send email; there's no authentication in-between.

> 28267 SMTP<< RCPT TO:<Andreas_Kahl@???>
> 28267 using ACL "acl_check_rcpt"

[...]
> 28267 processing "accept"
> 28267 check authenticated = *
> 28267 accept: condition test failed


And so the "have they authenticated?" test fails.

-Phil