(please Cc me on replies so that I see them quicker)
On Tue, Sep 15, 2020 at 12:55:34AM +0100, Jeremy Harris via Exim-users wrote:
> On 15/09/2020 00:29, Marc MERLIN wrote:
> > So, exim -d+all does not make it very clear that TLS is even failing and
>
> (I don't see that, in your output below)
>
> > that AUTH is being done without TLS,
>
> Nope.
>
> > which is why it fails.
>
> And therefore, nope.

Indeed, thanks for having better eyes than mine. I was confused on TLS
because of the output below.

I'm more confused though, because with Mail -v, starttls does not
happen, or looks like it doesn't, but maybe does and it's not shown
in the newer exim.

On debian10:
root@salt2:~# echo test | Mail -v -s test merlin@???
LOG: MAIN
<= root@??? U=root P=local S=493
root@salt2:~# delivering 1kHzyE-0003mM-PR
R: smarthost for merlin@???
T: remote_smtp_smarthost for merlin@???
Connecting to smtp.gmail.com [74.125.202.108]:587 ... connected
SMTP<< 220 smtp.gmail.com ESMTP i9sm3568681ils.34 - gsmtp
SMTP>> EHLO salt2.c.domain.internal
SMTP<< 250-smtp.gmail.com at your service, [34.68.13.114]
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250 SMTPUTF8
************* no TLS here, AUTH PLAIN is sent in cleartext and rejected ************
SMTP>> AUTH PLAIN ****************************************************************
SMTP<< 534-5.7.14 <https://accounts.google.com/signin/continue?sarp=1&scc=1&plt=AKgnsbu
534-5.7.14 Dx20Zf13d9Br-HAencmvvqEqBmt4XstOZ6hD2iHaRxElEbZAl7JF6YqmbeMzug2-MVxz-
534-5.7.14 b6ZSBQynvcJYMvr2Zk5gdKTW9MMvv6z9UlfNe2stH43D7dJjS8k_HrxsIosqdOQH>
534-5.7.14 Please log in via your web browser and then try again.
534-5.7.14 Learn more at
534 5.7.14 https://support.google.com/mail/answer/78754 i9sm3568681ils.34 - gsmtp
On debian9:
root@salt:~# echo test | Mail -v -s test merlin@???
LOG: MAIN
<= root@??? U=root P=local S=489
root@salt:~# delivering 1kI05V-0000cE-PP
R: smarthost for merlin@???
T: remote_smtp_smarthost for merlin@???
Connecting to smtp.gmail.com [2607:f8b0:4001:c05::6d]:587 ... failed: Network is unreachable
LOG: MAIN
H=smtp.gmail.com [2607:f8b0:4001:c05::6d] Network is unreachable
Connecting to smtp.gmail.com [209.85.146.109]:587 ... connected
SMTP<< 220 smtp.gmail.com ESMTP o15sm7818013ilc.41 - gsmtp
SMTP>> EHLO salt.c.domain.internal
SMTP<< 250-smtp.gmail.com at your service, [104.155.163.105]
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250 SMTPUTF8
SMTP>> STARTTLS <<<<<<<<<<<<<<<<<<<<<<<<<< here
SMTP<< 220 2.0.0 Ready to start TLS
SMTP>> EHLO salt.c.domain.internal
SMTP<< 250-smtp.gmail.com at your service, [104.155.163.105]
250-SIZE 35882577
250-8BITMIME
250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250 SMTPUTF8
SMTP>> AUTH PLAIN ****************************************************************
SMTP<< 235 2.7.0 Accepted

Either way, the debian10 Email isn't going through.

Ok, so now I'm comparing the rest of the d+all that works (9) vs the one that doesn't (10).
Do you have better eyes than me to see what I'm missing?

debian 9:
internal_search_find: file="/etc/exim4/passwd.client"
type=nwildlsearch key="smtp.gmail.com"
cached data used for lookup of smtp.gmail.com
in /etc/exim4/passwd.client
lookup yielded: account@???:CLEARTEXTPWD
. /considering: $value}fail}}{\N[\^]\N}{^^}}}{\N([^:]+:)(.*)\N}{\$2}}}fail}
. |__expanding: $value
. \_____result: account@???:CLEARTEXTPWD
. |__expanding: ${lookup{$host}nwildlsearch{/etc/exim4/passwd.client}{$value}fail}
. \_____result: account@???:CLEARTEXTPWD
. /considering: \N[\^]\N}{^^}}}{\N([^:]+:)(.*)\N}{\$2}}}fail}
. |__expanding: \N[\^]\N
. \_____result: [\^]
. /considering: ^^}}}{\N([^:]+:)(.*)\N}{\$2}}}fail}
. |__expanding: ^^
. \_____result: ^^
|__expanding: ${sg{${lookup{$host}nwildlsearch{/etc/exim4/passwd.client}{$value}fail}}{\N[\^]\N}{^^}}
\_____result: account@???:CLEARTEXTPWD
/considering: \N([^:]+:)(.*)\N}{\$2}}}fail}
|__expanding: \N([^:]+:)(.*)\N
\_____result: ([^:]+:)(.*)
/considering: \$2}}}fail}
|__expanding: \$2
\_____result: $2
/considering: $2
|__expanding: $2
\_____result: CLEARTEXTPWD
|__expanding: ^${extract{1}{:}{${sg{${lookup{$host}nwildlsearch{/etc/exim4/passwd.client}{$value}fail}}{\N[\^]\N}{^^}}}}^${sg{${sg{${lookup{$host}nwildlsearch{/etc/exim4/passwd.client}{$value}fail}}{\N[\^]\N}{^^}}}{\N([^:]+:)(.*)\N}{\$2}}
\_____result: ^account@???^CLEARTEXTPWD
|__expanding: ${if !eq{$tls_out_cipher}{}{^${extract{1}{:}{${sg{${lookup{$host}nwildlsearch{/etc/exim4/passwd.client}{$value}fail}}{\N[\^]\N}{^^}}}}^${sg{${sg{${lookup{$host}nwildlsearch{/etc/exim4/passwd.client}{$value}fail}}{\N[\^]\N}{^^}}}{\N([^:]+:)(.*)\N}{\$2}}}fail}
\_____result: ^account@???^CLEARTEXTPWD
SMTP>> AUTH PLAIN ****************************************************************
cmd buf flush 77 bytes
tls_do_write(0x7fffe26a2470, 77)
gnutls_record_send(SSL, 0x7fffe26a2470, 77)
outbytes=77
Calling gnutls_record_recv(0x5651ba5ed450, 0x7fffe26a1470, 4096)
read response data: size=20
SMTP<< 235 2.7.0 Accepted
plain authenticator yielded 0
debian 10:
internal_search_find: file="/etc/exim4/passwd.client"
type=nwildlsearch key="smtp.gmail.com"
cached data used for lookup of smtp.gmail.com
in /etc/exim4/passwd.client
lookup yielded: account@???:CLEARTEXTPWD
╎ ┌considering: $value}fail}}{\N[\^]\N}{^^}}}{\N([^:]+:)(.*)\N}{\$2}}}fail}
╎ ├──expanding: $value
╎ └─────result: account@???:CLEARTEXTPWD
╎├──expanding: ${lookup{$host}nwildlsearch{/etc/exim4/passwd.client}{$value}fail}
╎└─────result: account@???:CLEARTEXTPWD
╎┌considering: \N[\^]\N}{^^}}}{\N([^:]+:)(.*)\N}{\$2}}}fail}
╎├──expanding: \N[\^]\N
╎└─────result: [\^]
╎┌considering: ^^}}}{\N([^:]+:)(.*)\N}{\$2}}}fail}
╎├──expanding: ^^
╎└─────result: ^^
├──expanding: ${sg{${lookup{$host}nwildlsearch{/etc/exim4/passwd.client}{$value}fail}}{\N[\^]\N}{^^}}
└─────result: account@???:CLEARTEXTPWD
┌considering: \N([^:]+:)(.*)\N}{\$2}}}fail}
├──expanding: \N([^:]+:)(.*)\N
└─────result: ([^:]+:)(.*)
┌considering: \$2}}}fail}
├──expanding: \$2
└─────result: $2
┌considering: $2
├──expanding: $2
└─────result: CLEARTEXTPWD
├──expanding: ^${extract{1}{:}{${sg{${lookup{$host}nwildlsearch{/etc/exim4/passwd.client}{$value}fail}}{\N[\^]\N}{^^}}}}^${sg{${sg{${lookup{$host}nwildlsearch{/etc/exim4/passwd.client}{$value}fail}}{\N[\^]\N}{^^}}}{\N([^:]+:)(.*)\N}{\$2}}
└─────result: ^account@???^CLEARTEXTPWD
├──expanding: ${if !eq{$tls_out_cipher}{}{^${extract{1}{:}{${sg{${lookup{$host}nwildlsearch{/etc/exim4/passwd.client}{$value}fail}}{\N[\^]\N}{^^}}}}^${sg{${sg{${lookup{$host}nwildlsearch{/etc/exim4/passwd.client}{$value}fail}}{\N[\^]\N}{^^}}}{\N([^:]+:)(.*)\N}{\$2}}}fail}
└─────result: ^account@???^CLEARTEXTPWD
SMTP>> AUTH PLAIN ****************************************************************
cmd buf flush 77 bytes
tls_write(0x7fff61d2b230, 77)
gnutls_record_send(SSL, 0x7fff61d2b230, 77)
outbytes=77
Calling gnutls_record_recv(0x55e83ae8e7b0, 0x7fff61d2a230, 4096)
read response data: size=420
SMTP<< 534-5.7.14 <https://accounts.google.com/signin/continue?sarp=1&scc=1&plt=AKgnsbv
534-5.7.14 qKSKsn0kNRKhUR23Pa--Kj6Wl8KLR2YeRXbnYfOBTPXmg9LNqNxKXphi8-30QKnIIKbrW
534-5.7.14 981EP6xQL8VaAdVrMe--dScYXzWRNELJJgsHg_1Ur90iROuYtko1kw7o6QEwo5WQ>
534-5.7.14 Please log in via your web browser and then try again.
534-5.7.14 Learn more at
534 5.7.14 https://support.google.com/mail/answer/78754 x1sm7617124ilo.50 - gsmtp
plain authenticator yielded 2
Thanks,
Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Home page: http://marc.merlins.org/ | PGP 7F55D5F27AAF9D08
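
Added example (not part of the message above and not Exim code): in the debian 10 -d+all excerpt the AUTH PLAIN buffer is flushed through tls_write/gnutls_record_send, and the $tls_out_cipher guard expands to the credentials instead of failing, so the 534 came back inside a TLS session. The Python sketch below applies that check to constructed excerpts. The name classify_auth and both sample texts are assumptions, as is the premise that a cleartext flush logs none of those TLS write calls.

```python
import re

# Constructed excerpt modelled on the "debian 10" -d+all lines in the message.
SAMPLE_TLS = """\
SMTP>> AUTH PLAIN ****
cmd buf flush 77 bytes
tls_write(0x7fff61d2b230, 77)
gnutls_record_send(SSL, 0x7fff61d2b230, 77)
outbytes=77
read response data: size=420
SMTP<< 534-5.7.14 Please log in via your web browser and then try again.
plain authenticator yielded 2
"""

# Constructed counter-example: the same command with no TLS write call logged.
SAMPLE_CLEAR = """\
SMTP>> AUTH PLAIN ****
cmd buf flush 77 bytes
read response data: size=20
SMTP<< 235 2.7.0 Accepted
plain authenticator yielded 0
"""

# Write-side call names exactly as they appear in the two debug excerpts.
TLS_WRITE = re.compile(r"^\s*(tls_write|tls_do_write|gnutls_record_send)\(")
REPLY = re.compile(r"^\s*SMTP<< (\d{3})[ -]")
YIELD = re.compile(r"authenticator yielded (\d+)")

def classify_auth(debug_text):
    """Return one dict per 'SMTP>> AUTH' command found in the debug text."""
    results, cur = [], None
    for line in debug_text.splitlines():
        if line.lstrip().startswith("SMTP>> AUTH"):
            cur = {"tls_write": False, "reply": None, "yielded": None}
            results.append(cur)
        elif cur is None:
            continue
        elif line.lstrip().startswith("SMTP>>"):
            cur = None  # next command: stop attributing lines to this AUTH
        elif TLS_WRITE.match(line) and cur["reply"] is None:
            cur["tls_write"] = True  # flush went through the TLS layer
        elif (m := REPLY.match(line)) and cur["reply"] is None:
            cur["reply"] = int(m.group(1))  # first reply code only
        elif (m := YIELD.search(line)):
            cur["yielded"] = int(m.group(1))
    return results
```

A result with tls_write True and a 5xx reply means the server refused the credentials themselves, so the place to look is the account or password rather than the STARTTLS negotiation.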