Re: [exim] Debian9/exim4.89 does TLS and SMTP AUTH with gmai…

Author: Andrew C Aitchison
Date:  
To: exim-users, Marc MERLIN
Subject: Re: [exim] Debian9/exim4.89 does TLS and SMTP AUTH with gmail, but Debian10/exim4.92 doesn't?

On Mon, 14 Sep 2020, Marc MERLIN via Exim-users wrote:

>>
>> (I don't see that, in your output below)
>>
>>> that AUTH is being done without TLS,
>>
>> Nope.
>>
>>> which is why it fails.
>>
>> And therefore, nope.
>
> Indeed, thanks for having better eyes than mine. I was confused on TLS
> because of the output below.
>
> I'm more confused though, because with Mail -v, starttls does not
> happen, or looks like it doesn't, but maybe does and it's not shown
> in the newer exim.
>
> On debian10:
> root@salt2:~# echo test | Mail -v -s test merlin@???
> LOG: MAIN
>  <= root@??? U=root P=local S=493
> root@salt2:~# delivering 1kHzyE-0003mM-PR
> R: smarthost for merlin@???
> T: remote_smtp_smarthost for merlin@???
> Connecting to smtp.gmail.com [74.125.202.108]:587 ... connected
>  SMTP<< 220 smtp.gmail.com ESMTP i9sm3568681ils.34 - gsmtp
>  SMTP>> EHLO salt2.c.domain.internal
>  SMTP<< 250-smtp.gmail.com at your service, [34.68.13.114]
>         250-SIZE 35882577
>         250-8BITMIME
>         250-STARTTLS
>         250-ENHANCEDSTATUSCODES
>         250-PIPELINING
>         250-CHUNKING
>         250 SMTPUTF8
> ************* no TLS here, AUTH PLAIN is sent in cleartext and rejected ************
>  SMTP>> AUTH PLAIN ****************************************************************
>  SMTP<< 534-5.7.14 <https://accounts.google.com/signin/continue?sarp=1&scc=1&plt=AKgnsbu
>         534-5.7.14 Dx20Zf13d9Br-HAencmvvqEqBmt4XstOZ6hD2iHaRxElEbZAl7JF6YqmbeMzug2-MVxz-
>         534-5.7.14 b6ZSBQynvcJYMvr2Zk5gdKTW9MMvv6z9UlfNe2stH43D7dJjS8k_HrxsIosqdOQH>
>         534-5.7.14 Please log in via your web browser and then try again.
>         534-5.7.14  Learn more at
>         534 5.7.14  https://support.google.com/mail/answer/78754 i9sm3568681ils.34 - gsmtp

>
> On debian9:
> root@salt:~# echo test | Mail -v -s test merlin@???
> LOG: MAIN
>  <= root@??? U=root P=local S=489
> root@salt:~# delivering 1kI05V-0000cE-PP
> R: smarthost for merlin@???
> T: remote_smtp_smarthost for merlin@???
> Connecting to smtp.gmail.com [2607:f8b0:4001:c05::6d]:587 ... failed: Network is unreachable
> LOG: MAIN
>  H=smtp.gmail.com [2607:f8b0:4001:c05::6d] Network is unreachable
> Connecting to smtp.gmail.com [209.85.146.109]:587 ... connected
>  SMTP<< 220 smtp.gmail.com ESMTP o15sm7818013ilc.41 - gsmtp
>  SMTP>> EHLO salt.c.domain.internal
>  SMTP<< 250-smtp.gmail.com at your service, [104.155.163.105]
>         250-SIZE 35882577
>         250-8BITMIME
>         250-STARTTLS
>         250-ENHANCEDSTATUSCODES
>         250-PIPELINING
>         250-CHUNKING
>         250 SMTPUTF8
>  SMTP>> STARTTLS    <<<<<<<<<<<<<<<<<<<<<<<<<< here
>  SMTP<< 220 2.0.0 Ready to start TLS
>  SMTP>> EHLO salt.c.domain.internal
>  SMTP<< 250-smtp.gmail.com at your service, [104.155.163.105]
>         250-SIZE 35882577
>         250-8BITMIME
>         250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH
>         250-ENHANCEDSTATUSCODES
>         250-PIPELINING
>         250-CHUNKING
>         250 SMTPUTF8
>  SMTP>> AUTH PLAIN ****************************************************************
>  SMTP<< 235 2.7.0 Accepted

>
>
> Either way, the debian10 Email isn't going through.
>
> Ok, so now I'm comparing the rest of the d+all that works (9) vs the one that doesn't (10)
>
> do you have better eyes than me to see what I'm missing?
>
> debian 9:
> internal_search_find: file="/etc/exim4/passwd.client"
>   type=nwildlsearch key="smtp.gmail.com"
> cached data used for lookup of smtp.gmail.com
>   in /etc/exim4/passwd.client
> lookup yielded: account@???:CLEARTEXTPWD
>   .  /considering: $value}fail}}{\N[\^]\N}{^^}}}{\N([^:]+:)(.*)\N}{\$2}}}fail}
>   .  |__expanding: $value
>   .  \_____result: account@???:CLEARTEXTPWD
>   . |__expanding: ${lookup{$host}nwildlsearch{/etc/exim4/passwd.client}{$value}fail}
>   . \_____result: account@???:CLEARTEXTPWD
>   . /considering: \N[\^]\N}{^^}}}{\N([^:]+:)(.*)\N}{\$2}}}fail}
>   . |__expanding: \N[\^]\N
>   . \_____result: [\^]
>   . /considering: ^^}}}{\N([^:]+:)(.*)\N}{\$2}}}fail}
>   . |__expanding: ^^
>   . \_____result: ^^
>    |__expanding: ${sg{${lookup{$host}nwildlsearch{/etc/exim4/passwd.client}{$value}fail}}{\N[\^]\N}{^^}}
>    \_____result: account@???:CLEARTEXTPWD
>    /considering: \N([^:]+:)(.*)\N}{\$2}}}fail}
>    |__expanding: \N([^:]+:)(.*)\N
>    \_____result: ([^:]+:)(.*)
>    /considering: \$2}}}fail}
>    |__expanding: \$2
>    \_____result: $2
>    /considering: $2
>    |__expanding: $2
>    \_____result: CLEARTEXTPWD
>   |__expanding: ^${extract{1}{:}{${sg{${lookup{$host}nwildlsearch{/etc/exim4/passwd.client}{$value}fail}}{\N[\^]\N}{^^}}}}^${sg{${sg{${lookup{$host}nwildlsearch{/etc/exim4/passwd.client}{$value}fail}}{\N[\^]\N}{^^}}}{\N([^:]+:)(.*)\N}{\$2}}
>   \_____result: ^account@???^CLEARTEXTPWD
>  |__expanding: ${if !eq{$tls_out_cipher}{}{^${extract{1}{:}{${sg{${lookup{$host}nwildlsearch{/etc/exim4/passwd.client}{$value}fail}}{\N[\^]\N}{^^}}}}^${sg{${sg{${lookup{$host}nwildlsearch{/etc/exim4/passwd.client}{$value}fail}}{\N[\^]\N}{^^}}}{\N([^:]+:)(.*)\N}{\$2}}}fail}
>  \_____result: ^account@???^CLEARTEXTPWD
>   SMTP>> AUTH PLAIN ****************************************************************
> cmd buf flush 77 bytes
> tls_do_write(0x7fffe26a2470, 77)
> gnutls_record_send(SSL, 0x7fffe26a2470, 77)
> outbytes=77
> Calling gnutls_record_recv(0x5651ba5ed450, 0x7fffe26a1470, 4096)
> read response data: size=20
>   SMTP<< 235 2.7.0 Accepted
> plain authenticator yielded 0

>
>
> debian 10:
> internal_search_find: file="/etc/exim4/passwd.client"
>   type=nwildlsearch key="smtp.gmail.com"
> cached data used for lookup of smtp.gmail.com
>   in /etc/exim4/passwd.client
> lookup yielded: account@???:CLEARTEXTPWD
>    ╎ ┌considering: $value}fail}}{\N[\^]\N}{^^}}}{\N([^:]+:)(.*)\N}{\$2}}}fail}
>    ╎ ├──expanding: $value
>    ╎ └─────result: account@???:CLEARTEXTPWD
>    ╎├──expanding: ${lookup{$host}nwildlsearch{/etc/exim4/passwd.client}{$value}fail}
>    ╎└─────result: account@???:CLEARTEXTPWD
>    ╎┌considering: \N[\^]\N}{^^}}}{\N([^:]+:)(.*)\N}{\$2}}}fail}
>    ╎├──expanding: \N[\^]\N
>    ╎└─────result: [\^]
>    ╎┌considering: ^^}}}{\N([^:]+:)(.*)\N}{\$2}}}fail}
>    ╎├──expanding: ^^
>    ╎└─────result: ^^
>    ├──expanding: ${sg{${lookup{$host}nwildlsearch{/etc/exim4/passwd.client}{$value}fail}}{\N[\^]\N}{^^}}
>    └─────result: account@???:CLEARTEXTPWD
>    ┌considering: \N([^:]+:)(.*)\N}{\$2}}}fail}
>    ├──expanding: \N([^:]+:)(.*)\N
>    └─────result: ([^:]+:)(.*)
>    ┌considering: \$2}}}fail}
>    ├──expanding: \$2
>    └─────result: $2
>    ┌considering: $2
>    ├──expanding: $2


> Calling gnutls_record_recv(0x55e83ae8e7b0, 0x7fff61d2a230, 4096)
> read response data: size=420
>   SMTP<< 534-5.7.14 <https://accounts.google.com/signin/continue?sarp=1&scc=1&plt=AKgnsbv
>          534-5.7.14 qKSKsn0kNRKhUR23Pa--Kj6Wl8KLR2YeRXbnYfOBTPXmg9LNqNxKXphi8-30QKnIIKbrW
>          534-5.7.14 981EP6xQL8VaAdVrMe--dScYXzWRNELJJgsHg_1Ur90iROuYtko1kw7o6QEwo5WQ>
>          534-5.7.14 Please log in via your web browser and then try again.
>          534-5.7.14  Learn more at
>          534 5.7.14  https://support.google.com/mail/answer/78754 x1sm7617124ilo.50 - gsmtp
> plain authenticator yielded 2


Did you log in with your web browser?

Google often blocks logins from new devices (IP addresses?)
until they have been confirmed on a known device.
In the latest incarnation, they even distinguish between different apps.
Have you enabled "less secure apps" or (X)OAUTH2?

When I log in to Google with a web browser I can view a list of all the
devices which are allowed to use my account; if I try to connect from
a different one it refuses the connection and alerts me here.

---
I haven't used it in anger, but I am told that swaks is useful for
debugging email connection issues.

-- 
Andrew C. Aitchison                    Kendal, UK
             andrew@???
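
A small checker for the comparison made in this thread, added here as an example (it is not code from the posters or from Exim): it reads an Exim `-v` or `-d` style transcript and reports whether TLS is evidenced before AUTH and what the server replied to AUTH. The `classify` function, its state names and the abridged sample transcripts are constructed for illustration; treating `gnutls_record_*` and `tls_do_write` debug lines as evidence of TLS is an assumption based on the debug output quoted above.

```python
import re

TLS_IO = re.compile(r"\b(?:gnutls_record_(?:send|recv)|tls_do_write)\(")
REPLY = re.compile(r"SMTP<<\s+(\d{3})[- ](\d\.\d+\.\d+)?")

def classify(transcript):
    """Return (tls_state, auth_outcome) for one Exim -v or -d transcript."""
    starttls = tls_io = auth_offered = auth_sent = False
    reply = None
    for raw in transcript.splitlines():
        line = raw.lstrip("> \t")              # tolerate mail quoting and indent
        if line.startswith("SMTP>> EHLO"):
            auth_offered = False               # a new EHLO resets the capability list
        elif re.match(r"(?:SMTP<<\s+)?250[- ]AUTH\b", line):
            auth_offered = True
        elif line.startswith("SMTP>> STARTTLS"):
            starttls = True
        elif TLS_IO.search(line):
            tls_io = True                      # -d output: I/O through the TLS library
        elif line.startswith("SMTP>> AUTH"):
            auth_sent = True
        elif auth_sent and reply is None and (m := REPLY.match(line)):
            reply = m.groups()                 # first server reply after AUTH
    if not auth_sent or reply is None:
        return ("no-auth-exchange", None)
    tls_state = ("tls-confirmed" if starttls or tls_io else
                 "cleartext-auth" if auth_offered else "transcript-incomplete")
    code, enhanced = reply                     # "incomplete": AUTH sent, never shown offered
    return (tls_state, "accepted" if code == "235" else f"rejected {code} {enhanced or ''}".strip())

# Constructed samples, abridged from the transcripts quoted in the message above.
DEBIAN10_V = """\
 SMTP>> EHLO salt2.c.domain.internal
        250-STARTTLS
 SMTP>> AUTH PLAIN ****
 SMTP<< 534-5.7.14 Please log in via your web browser and then try again.
"""
DEBIAN9_V = """\
 SMTP>> STARTTLS
 SMTP>> EHLO salt.c.domain.internal
        250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH
 SMTP>> AUTH PLAIN ****
 SMTP<< 235 2.7.0 Accepted
"""
DEBIAN10_D = ("  SMTP>> AUTH PLAIN ****\n"
              "Calling gnutls_record_recv(0x55e83ae8e7b0, 0x7fff61d2a230, 4096)\n"
              "  SMTP<< 534-5.7.14 Please log in via your web browser and then try again.\n")

if __name__ == "__main__":
    print(*map(classify, (DEBIAN10_V, DEBIAN9_V, DEBIAN10_D)), sep="\n")
```

On the Debian 10 `-v` sample the result is `transcript-incomplete` rather than `cleartext-auth`: AUTH was sent although no EHLO response shown offered it, which points at output that omits part of the session rather than at credentials sent in the clear.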