Re: [exim] Smtp-Authentication problems (using courier-authd…

Etusivu
Poista viesti
Vastaa
Lähettäjä: Andreas Kahl
Päiväys:  
Vastaanottaja: exim-users
Aihe: Re: [exim] Smtp-Authentication problems (using courier-authdaemond on debian etch)
Thank you very much for your detailed analysis - I would have never
come to that.

Actually there is a Cisco firewall in front of the server. I asked the
admin to open Port 465 and close 25 (which I never intended to use
permanently - I just thought it would be easier for a first test). I
hope with ssl-SMTP the firewall won't understand enough to intercept
commands.

When the port is open I will tell you wether it works.

Regards
Andreas

Phil Pennock schrieb:
> On 2007-06-12 at 22:14 +0200, Andreas Kahl wrote:
>> accept  hosts         = +relay_from_hosts

>>
>> accept authenticated = *
>>
>> deny    message       = relay not permitted

>
> This is fine.
>
>>> You can get more diagnostics, running a debug Exim; this won't
>>> detach
>>>> from the terminal, so you'll see what's going on. For
>>>> instance:
>>>
>>> # exim -d+acl+auth -oX 26 -bd
>>>
>> I also did this (with Port 25). A copy of my console is attached
>> in exim-session.txt .
>
> This shows the problem. The client isn't authenticating.
>
>> 28267 SMTP>> 220 vitruvia.dyndns.org ESMTP Exim 4.63 Tue, 12 Jun
>> 2007 22:02:33 +0200 28267 Process 28267 is ready for new message
>> 28267 smtp_setup_msg entered 28267 SMTP<< XXXX Cirrus.local
>
> WTF is XXXX as an SMTP command? Ah, it appears to be what a Cisco
> firewall replaces unacceptable commands with.
>
> You've got a broken application-level firewall breaking your SMTP
> conversations.
>
> You could try using the "submission" port, 587, for submission of
> email. Or smtps on port 465 (SMTP with SSL-on-connect, instead of
> being negotiated). Submission is better, smtps might better
> survive the man-in-the-middle attack perpetrated by the malware
> pretending to be a firewall. I call it malware because it's
> actively preventing good security.
>
>> 28267 LOG: smtp_syntax_error MAIN 28267 SMTP syntax error in
>> "XXXX Cirrus.local" H=p54997838.dip.t-dialin.net [84.153.120.56]
>> unrecognized command 28267 SMTP>> 500 unrecognized command 28267
>> SMTP<< HELO Cirrus.local
>
> So here your client is saying HELO instead of EHLO, so isn't
> learning about the authentication options.
>
>> 28267 SMTP>> 250 vitruvia.dyndns.org Hello
>> p54997838.dip.t-dialin.net [84.153.120.56] 28267 SMTP<< MAIL
>> FROM:<kahl3@???> 28267 SMTP>> 250 OK
>
> Here you see your server responding to the HELO and then the client
> starting to send email; there's no authentication in-between.
>
>> 28267 SMTP<< RCPT TO:<Andreas_Kahl@???> 28267 using ACL
>> "acl_check_rcpt"
> [...]
>> 28267 processing "accept" 28267 check authenticated = * 28267
>> accept: condition test failed
>
> And so the "have they authenticated?" test fails.
>
> -Phil