On Mon, 14 Sep 2020, Marc MERLIN via Exim-users wrote:
>>
>> (I don't see that, in your output below)
>>
>>> that AUTH is being done without TLS,
>>
>> Nope.
>>
>>> which is why it fails.
>>
>> And therefore, nope.
>
> Indeed, thanks for having better eyes than mine. I was confused on TLS
> because of the output below.
>
> I'm more confused though, because with Mail -v, starttls does not
> happen, or looks like it doesn't, but maybe does and it's not shown
> in the newer exim.
>
> On debian10:
> root@salt2:~# echo test | Mail -v -s test merlin@???
> LOG: MAIN
> <= root@??? U=root P=local S=493
> root@salt2:~# delivering 1kHzyE-0003mM-PR
> R: smarthost for merlin@???
> T: remote_smtp_smarthost for merlin@???
> Connecting to smtp.gmail.com [74.125.202.108]:587 ... connected
> SMTP<< 220 smtp.gmail.com ESMTP i9sm3568681ils.34 - gsmtp
> SMTP>> EHLO salt2.c.domain.internal
> SMTP<< 250-smtp.gmail.com at your service, [34.68.13.114]
> 250-SIZE 35882577
> 250-8BITMIME
> 250-STARTTLS
> 250-ENHANCEDSTATUSCODES
> 250-PIPELINING
> 250-CHUNKING
> 250 SMTPUTF8
> ************* no TLS here, AUTH PLAIN is sent in cleartext and rejected ************
> SMTP>> AUTH PLAIN ****************************************************************
> SMTP<< 534-5.7.14 <https://accounts.google.com/signin/continue?sarp=1&scc=1&plt=AKgnsbu
> 534-5.7.14 Dx20Zf13d9Br-HAencmvvqEqBmt4XstOZ6hD2iHaRxElEbZAl7JF6YqmbeMzug2-MVxz-
> 534-5.7.14 b6ZSBQynvcJYMvr2Zk5gdKTW9MMvv6z9UlfNe2stH43D7dJjS8k_HrxsIosqdOQH>
> 534-5.7.14 Please log in via your web browser and then try again.
> 534-5.7.14 Learn more at
> 534 5.7.14 https://support.google.com/mail/answer/78754 i9sm3568681ils.34 - gsmtp
>
> On debian9:
> root@salt:~# echo test | Mail -v -s test merlin@???
> LOG: MAIN
> <= root@??? U=root P=local S=489
> root@salt:~# delivering 1kI05V-0000cE-PP
> R: smarthost for merlin@???
> T: remote_smtp_smarthost for merlin@???
> Connecting to smtp.gmail.com [2607:f8b0:4001:c05::6d]:587 ... failed: Network is unreachable
> LOG: MAIN
> H=smtp.gmail.com [2607:f8b0:4001:c05::6d] Network is unreachable
> Connecting to smtp.gmail.com [209.85.146.109]:587 ... connected
> SMTP<< 220 smtp.gmail.com ESMTP o15sm7818013ilc.41 - gsmtp
> SMTP>> EHLO salt.c.domain.internal
> SMTP<< 250-smtp.gmail.com at your service, [104.155.163.105]
> 250-SIZE 35882577
> 250-8BITMIME
> 250-STARTTLS
> 250-ENHANCEDSTATUSCODES
> 250-PIPELINING
> 250-CHUNKING
> 250 SMTPUTF8
> SMTP>> STARTTLS <<<<<<<<<<<<<<<<<<<<<<<<<< here
> SMTP<< 220 2.0.0 Ready to start TLS
> SMTP>> EHLO salt.c.domain.internal
> SMTP<< 250-smtp.gmail.com at your service, [104.155.163.105]
> 250-SIZE 35882577
> 250-8BITMIME
> 250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH
> 250-ENHANCEDSTATUSCODES
> 250-PIPELINING
> 250-CHUNKING
> 250 SMTPUTF8
> SMTP>> AUTH PLAIN ****************************************************************
> SMTP<< 235 2.7.0 Accepted
>
>
> Either way, the debian10 Email isn't going through.
>
> Ok, so now I'm comparing the rest of the d+all that works (9) vs the one that doesn't (10)
>
> do you have better eyes than me to see what I'm missing?
>
> debian 9:
> internal_search_find: file="/etc/exim4/passwd.client"
> type=nwildlsearch key="smtp.gmail.com"
> cached data used for lookup of smtp.gmail.com
> in /etc/exim4/passwd.client
> lookup yielded: account@???:CLEARTEXTPWD
> . /considering: $value}fail}}{\N[\^]\N}{^^}}}{\N([^:]+:)(.*)\N}{\$2}}}fail}
> . |__expanding: $value
> . \_____result: account@???:CLEARTEXTPWD
> . |__expanding: ${lookup{$host}nwildlsearch{/etc/exim4/passwd.client}{$value}fail}
> . \_____result: account@???:CLEARTEXTPWD
> . /considering: \N[\^]\N}{^^}}}{\N([^:]+:)(.*)\N}{\$2}}}fail}
> . |__expanding: \N[\^]\N
> . \_____result: [\^]
> . /considering: ^^}}}{\N([^:]+:)(.*)\N}{\$2}}}fail}
> . |__expanding: ^^
> . \_____result: ^^
> |__expanding: ${sg{${lookup{$host}nwildlsearch{/etc/exim4/passwd.client}{$value}fail}}{\N[\^]\N}{^^}}
> \_____result: account@???:CLEARTEXTPWD
> /considering: \N([^:]+:)(.*)\N}{\$2}}}fail}
> |__expanding: \N([^:]+:)(.*)\N
> \_____result: ([^:]+:)(.*)
> /considering: \$2}}}fail}
> |__expanding: \$2
> \_____result: $2
> /considering: $2
> |__expanding: $2
> \_____result: CLEARTEXTPWD
> |__expanding: ^${extract{1}{:}{${sg{${lookup{$host}nwildlsearch{/etc/exim4/passwd.client}{$value}fail}}{\N[\^]\N}{^^}}}}^${sg{${sg{${lookup{$host}nwildlsearch{/etc/exim4/passwd.client}{$value}fail}}{\N[\^]\N}{^^}}}{\N([^:]+:)(.*)\N}{\$2}}
> \_____result: ^account@???^CLEARTEXTPWD
> |__expanding: ${if !eq{$tls_out_cipher}{}{^${extract{1}{:}{${sg{${lookup{$host}nwildlsearch{/etc/exim4/passwd.client}{$value}fail}}{\N[\^]\N}{^^}}}}^${sg{${sg{${lookup{$host}nwildlsearch{/etc/exim4/passwd.client}{$value}fail}}{\N[\^]\N}{^^}}}{\N([^:]+:)(.*)\N}{\$2}}}fail}
> \_____result: ^account@???^CLEARTEXTPWD
> SMTP>> AUTH PLAIN ****************************************************************
> cmd buf flush 77 bytes
> tls_do_write(0x7fffe26a2470, 77)
> gnutls_record_send(SSL, 0x7fffe26a2470, 77)
> outbytes=77
> Calling gnutls_record_recv(0x5651ba5ed450, 0x7fffe26a1470, 4096)
> read response data: size=20
> SMTP<< 235 2.7.0 Accepted
> plain authenticator yielded 0
>
>
> debian 10:
> internal_search_find: file="/etc/exim4/passwd.client"
> type=nwildlsearch key="smtp.gmail.com"
> cached data used for lookup of smtp.gmail.com
> in /etc/exim4/passwd.client
> lookup yielded: account@???:CLEARTEXTPWD
> ╎ ┌considering: $value}fail}}{\N[\^]\N}{^^}}}{\N([^:]+:)(.*)\N}{\$2}}}fail}
> ╎ ├──expanding: $value
> ╎ └─────result: account@???:CLEARTEXTPWD
> ╎├──expanding: ${lookup{$host}nwildlsearch{/etc/exim4/passwd.client}{$value}fail}
> ╎└─────result: account@???:CLEARTEXTPWD
> ╎┌considering: \N[\^]\N}{^^}}}{\N([^:]+:)(.*)\N}{\$2}}}fail}
> ╎├──expanding: \N[\^]\N
> ╎└─────result: [\^]
> ╎┌considering: ^^}}}{\N([^:]+:)(.*)\N}{\$2}}}fail}
> ╎├──expanding: ^^
> ╎└─────result: ^^
> ├──expanding: ${sg{${lookup{$host}nwildlsearch{/etc/exim4/passwd.client}{$value}fail}}{\N[\^]\N}{^^}}
> └─────result: account@???:CLEARTEXTPWD
> ┌considering: \N([^:]+:)(.*)\N}{\$2}}}fail}
> ├──expanding: \N([^:]+:)(.*)\N
> └─────result: ([^:]+:)(.*)
> ┌considering: \$2}}}fail}
> ├──expanding: \$2
> └─────result: $2
> ┌considering: $2
> ├──expanding: $2
> Calling gnutls_record_recv(0x55e83ae8e7b0, 0x7fff61d2a230, 4096)
> read response data: size=420
> SMTP<< 534-5.7.14 <https://accounts.google.com/signin/continue?sarp=1&scc=1&plt=AKgnsbv
> 534-5.7.14 qKSKsn0kNRKhUR23Pa--Kj6Wl8KLR2YeRXbnYfOBTPXmg9LNqNxKXphi8-30QKnIIKbrW
> 534-5.7.14 981EP6xQL8VaAdVrMe--dScYXzWRNELJJgsHg_1Ur90iROuYtko1kw7o6QEwo5WQ>
> 534-5.7.14 Please log in via your web browser and then try again.
> 534-5.7.14 Learn more at
> 534 5.7.14 https://support.google.com/mail/answer/78754 x1sm7617124ilo.50 - gsmtp
> plain authenticator yielded 2
Did you log in with your web browser ?
Google often blocks logins from new devices (ip addresses ?)
until they have been confirmed on a known device.
In the latest incarnation, they even distinguish between different apps.
Have you enabled "less secure apps" or (X)OAUTH2 ?
When I login to google with a web browser I can view a list of all the
devices which are allowed to use my account; if I try to connect from
a different one it refuses the connection and alerts me here.
---
I haven't used it in anger, but I am told that swaks is useful for
debugging email connection issues.
--
Andrew C. Aitchison Kendal, UK
andrew@???
