[exim] SMTP Authentication problem.

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Paul O'Rorke
Date:  
À: Exim-users
Sujet: [exim] SMTP Authentication problem.
Hi Exim list,

I am setting up a Debian Wheezy based exim/Cyrus mail server and am
stuck getting SMTP to authenticate through the authenticator
digest_md5_sasl_server.

======================== encrypted authentication issue
=========================================================

I've defined in auth/30_exim4-config_examples:

<snip>
digest_md5_sasl_server:
driver = cyrus_sasl
public_name = DIGEST-MD5
server_realm = chemainus.mjbrownloos.com
server_set_id = $auth1
</snip>

and I can authenticate to cyrus for normal logins, get access to and
work with mail boxes, receive and read mail etc but I cannot send. My
MUA (Thunderbird) when querying the account on set up finds the IMAP and
prompts to use and 'Encrypted password' but SMTP insists on using 'no
encryption'.

<quote>
If I use 'No Encryption' I get the error message from TB:
Sending of message failed.
The SMTP server chemainus.mjbrownloos.com does not support the selected
authentication method. Please change the 'Authentication method' in the
'Account Settings | Outgoing Server (SMTP)'.
</quote>

Fair enough - it's not supposed to work, but switching the SMTP in TB to
use 'Encrypted password' results in the same thing. I was reading here
http://www.exim.org/exim-html-current/doc/html/spec_html/ch-smtp_authentication.html
that I may need to use server_ and client_ but I don't understand the
example:

<quote>
If an authenticator is to be used for both server and client functions,
a single definition, using both sets of options, is required. For example:

cram:
driver = cram_md5
public_name = CRAM-MD5
server_secret = ${if eq{$auth1}{ph10}{secret1}fail}
client_name = ph10
client_secret = secret2

The server_ option is used when Exim is acting as a server, and the
client_ options when it is acting as a client.
</quote>

Why would a user and password be hard coded into the authenticator? How
does this use the user's name and password?




=============================== TLS Issue (Should be a seperate thread?)
==========================================

Alternatively, I could use LOGIN in cleartext if I could get TLS
working, and eventually both TLS and Encrypted passwords is desired.
I believe I have Exim advertising TLS OK, it responds with 250-STARTTLS
when testing with both swaks and telnet:

******** SWAKS *********
root@vm-manager:~# swaks -a -tls -q HELO -s chemainus.mjbrownloos.com
-au hire -ap '<>'
=== Trying chemainus.mjbrownloos.com:25...
=== Connected to chemainus.mjbrownloos.com.
<- 220 blmail.chemainus.mjbrownloos.com ESMTP Exim 4.80 Fri, 21 Feb 2014
09:32:47 -0800
-> EHLO vm-manager.chemaimus.tracker-software.com
<- 250-blmail.chemainus.mjbrownloos.com Hello
untangle.chemainus.tracker-software.com [192.168.4.254]
<- 250-SIZE 52428800
<- 250-8BITMIME
<- 250-PIPELINING
<- 250-AUTH DIGEST-MD5
<- 250-STARTTLS
<- 250 HELP
-> STARTTLS
<- 220 TLS go ahead
=== TLS started w/ cipher DHE-RSA-AES256-SHA
=== TLS peer subject DN="/C=CA/ST=British Columbia/L=Chemainus/O=MJ
Brown Ltd/OU=Brown Loos/CN=blmail.chemainus.mjbrownloos.com"
~> EHLO vm-manager.chemaimus.tracker-software.com
<~ 250-blmail.chemainus.mjbrownloos.com Hello
untangle.chemainus.tracker-software.com [192.168.4.254]
<~ 250-SIZE 52428800
<~ 250-8BITMIME
<~ 250-PIPELINING
<~ 250-AUTH DIGEST-MD5
<~ 250 HELP
~> QUIT
<~ 221 blmail.chemainus.mjbrownloos.com closing connection
=== Connection closed with remote host.

******** Telnet *********
root@vm-manager:~# telnet chemainus.mjbrownloos.com 25
Trying 184.71.6.202...
Connected to chemainus.mjbrownloos.com.
Escape character is '^]'.
220 blmail.chemainus.mjbrownloos.com ESMTP Exim 4.80 Fri, 21 Feb 2014
15:18:41 -0800
EHLO chemainus.mjbrownloos.com
250-blmail.chemainus.mjbrownloos.com Hello
untangle.chemainus.tracker-software.com [192.168.4.254]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH DIGEST-MD5
250-STARTTLS
250 HELP


Yet neither Thunderbird nor Outlook are responding to the TLS and only
cyrus the encrypted password. So I can authenticate using DIGEST_MD5 for
IMAP but not SMTP. I need to either get encrypted passwords working on
SMTP or fix my TLS issue and use LOGIN. Any suggestions? What configs or
logs entries would help troubleshoot this?

One thing I noticed is that while Exim is advertising TLS according to
those tests, it is not reported in exim -bV:
<quote>
root@blmail:/etc/exim4/conf.d# exim -bV
Exim version 4.80 #2 built 02-Jan-2013 18:59:17
Copyright (c) University of Cambridge, 1995 - 2012
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007
- 2012
Berkeley DB: Berkeley DB 5.1.29: (October 25, 2011)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS
move_frozen_messages Content_Scanning DKIM Old_Demime
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm
dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql
sqlite
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram
redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated
</quote>

Does this mean I have something to do to make DIGEST-MD5 available for
sending mail?

Sorry for the verboseness - I hope my issue is clear.

Regards
--

*Paul O’Rorke*
Tracker Software Products
paul@??? <mailto:paul.ororke@tracker-software.com>