Re: [exim] Smtp-Authentication problems (using courier-authd…

Author: Andreas Kahl
Date:  
To: exim-users
Subject: Re: [exim] Smtp-Authentication problems (using courier-authdaemond on debian etch)
Hello,

by now I tried to activate port 465 for SMTP-TLS connections and tested
that via telnet. I added these lines at the very beginning of the
main section of /etc/exim4/exim4.conf:

<<
MAIN_TLS_ENABLE = true
SMTPLISTENEROPTIONS='-oX 465:25 -oP /var/run/exim4/exim.pid'
tls_on_connect_ports=465
>>


But Port 465 is still closed as this telnet session says:
<<
vitruvia:/etc/mailman# telnet localhost 465
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
>>


After having changed tls_on_connect_ports to =25, at least I got a
connection that terminated itself (I suspect because the telnet failed
to do a TLS-auth):
<<
vitruvia:/etc/mailman# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.
>>


But I need port 465 for my friends using Windows...
What can I do to open port 465?

Thanks for your help.

Regards
Andreas


Phil Pennock wrote:
> On 2007-06-12 at 22:14 +0200, Andreas Kahl wrote:
>
>>   accept  hosts         = +relay_from_hosts
>>
>>   accept  authenticated = *
>>
>>   deny    message       = relay not permitted
>>
>
> This is fine.
>
>
>>> You can get more diagnostics, running a debug Exim; this won't detach
>>> from the terminal, so you'll see what's going on. For instance:
>>>
>>> # exim -d+acl+auth -oX 26 -bd
>>>
>>>
>> I also did this (with Port 25). A copy of my console is attached in
>> exim-session.txt .
>>
>
> This shows the problem. The client isn't authenticating.
>
>
>> 28267 SMTP>> 220 vitruvia.dyndns.org ESMTP Exim 4.63 Tue, 12 Jun 2007 22:02:33 +0200
>> 28267 Process 28267 is ready for new message
>> 28267 smtp_setup_msg entered
>> 28267 SMTP<< XXXX Cirrus.local
>>
>
> WTF is XXXX as an SMTP command?
> Ah, it appears to be what a Cisco firewall replaces unacceptable
> commands with.
>
> You've got a broken application-level firewall breaking your SMTP
> conversations.
>
> You could try using the "submission" port, 587, for submission of email.
> Or smtps on port 465 (SMTP with SSL-on-connect, instead of being
> negotiated). Submission is better, smtps might better survive the
> man-in-the-middle attack perpetrated by the malware pretending to be a
> firewall. I call it malware because it's actively preventing good
> security.
>
>
>> 28267 LOG: smtp_syntax_error MAIN
>> 28267 SMTP syntax error in "XXXX Cirrus.local" H=p54997838.dip.t-dialin.net [84.153.120.56] unrecognized command
>> 28267 SMTP>> 500 unrecognized command
>> 28267 SMTP<< HELO Cirrus.local
>>
>
> So here your client is saying HELO instead of EHLO, so isn't learning
> about the authentication options.
>
>
>> 28267 SMTP>> 250 vitruvia.dyndns.org Hello p54997838.dip.t-dialin.net [84.153.120.56]
>> 28267 SMTP<< MAIL FROM:<kahl3@???>
>> 28267 SMTP>> 250 OK
>>
>
> Here you see your server responding to the HELO and then the client
> starting to send email; there's no authentication in-between.
>
>
>> 28267 SMTP<< RCPT TO:<Andreas_Kahl@???>
>> 28267 using ACL "acl_check_rcpt"
>>
> [...]
>
>> 28267 processing "accept"
>> 28267 check authenticated = *
>> 28267 accept: condition test failed
>>
>
> And so the "have they authenticated?" test fails.
>
> -Phil
>
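The failure chain Phil reads out of the `exim -d+acl+auth` trace (a command mangled to XXXX by an SMTP fixup proxy, a client greeting with HELO so AUTH is never advertised, MAIL FROM with no AUTH in between, and the `authenticated = *` ACL condition then failing) can be spotted mechanically. The following is an added example, not code from the thread or from Exim; the trace it scans is constructed with placeholder hosts and addresses, shaped like the one quoted above.

```python
import re
from typing import List

# Constructed sample in the shape of the exim -d+acl+auth trace quoted in the
# thread; hostnames and addresses are placeholders, not real data.
SAMPLE_TRACE = """\
28267 SMTP>> 220 mail.example.invalid ESMTP Exim 4.63 Tue, 12 Jun 2007 22:02:33 +0200
28267 SMTP<< XXXX client.example.invalid
28267 SMTP>> 500 unrecognized command
28267 SMTP<< HELO client.example.invalid
28267 SMTP>> 250 mail.example.invalid Hello client.example.invalid [192.0.2.10]
28267 SMTP<< MAIL FROM:<sender@example.invalid>
28267 SMTP>> 250 OK
28267 SMTP<< RCPT TO:<rcpt@example.invalid>
28267 using ACL "acl_check_rcpt"
28267 processing "accept"
28267 check authenticated = *
28267 accept: condition test failed
"""

# Exim prefixes client input with "SMTP<<" and its own replies with "SMTP>>".
CLIENT_LINE = re.compile(r"^\d+ SMTP<< (\S+)(?:\s+(.*))?$")

def diagnose(trace: str) -> List[str]:
    """Return findings explaining why an 'accept authenticated = *' ACL fails."""
    findings = []
    auth_seen = False
    for line in trace.splitlines():
        m = CLIENT_LINE.match(line)
        if not m:
            continue  # server replies and ACL bookkeeping are handled below
        verb = m.group(1).upper()
        if verb == "XXXX":
            findings.append("firewall-mangled command (XXXX): an SMTP fixup proxy is rewriting the session")
        elif verb == "HELO":
            findings.append("client sent HELO, so the AUTH extension is never advertised")
        elif verb == "AUTH":
            auth_seen = True
        elif verb == "MAIL" and not auth_seen:
            findings.append("MAIL FROM without a preceding AUTH: submission is unauthenticated")
    if "check authenticated = *" in trace and "accept: condition test failed" in trace:
        findings.append("ACL 'accept authenticated = *' failed, as expected for an unauthenticated session")
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_TRACE):
        print(finding)
```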