SMTP Authentication??


florian
Scalix
Scalix
Posts: 3852
Joined: Fri Dec 24, 2004 8:16 am
Location: Frankfurt, Germany

Postby florian » Tue May 31, 2005 6:25 pm

R1200,

well, IMAP in general works without any flaws - actually I am a Mac user writing this from Entourage running in IMAP mode, so it should be possible. :-) All of SWA's communication is also based on our IMAP server, btw.

Could you please try the following, just to be sure.... from the client machine, do a
telnet <myscalixserverhostname> 25

what output do you get?

also, please post your full /var/opt/scalix/sys/smtpd.cfg file.


BigBirdy,

SMTP authentication is already built into the SMTP relay and configured by default; the only thing needed would be an "AUTH_SUCCESS accept ALL" line in smtpd.cfg.

Thanks,
Florian.
Florian von Kurnatowski, Die Harder!

ScalixSupport
Scalix
Scalix
Posts: 5503
Joined: Thu Mar 25, 2004 8:15 pm

Postby ScalixSupport » Tue May 31, 2005 6:56 pm

Hi. First, in Thunderbird, go to Tools, Account Settings, scroll to the bottom and choose Outgoing Server (SMTP). Now, make sure "Use name and password" is checked and that the "User Name:" field is filled in. That will ensure that Thunderbird uses SMTPAuth.

Next, you posted "250 ms3.lab.com Hello blah, blah blah [xx.xx.xx.xx], pleased to meet you", but you blanked out the important part that we need to see, what domain are you coming from? I see that your Scalix host thinks that it's part of ms3.mylab.net as shown in this line "Cli 16900/1 sent : 221 ms3.mylab.net closing connection ". If the machine you're using is also part of mylab.net, then you would need a line such as:

RELAY accept .mylab.net

to prevent getting "Denied due to spam list" errors when trying to relay through your Scalix server. However, as Dave pointed out, what you really want to do is get authentication working rather than allowing everyone in lab.com (or mylab.net) to relay without authentication.

So, if you could start by getting the changes made to Thunderbird as described above, then attempt to send, you should get prompted for your password. Enter your Scalix password and your message should be accepted.

Thanks,
Rachel

R1200GS
Posts: 35
Joined: Mon May 23, 2005 10:20 am

Postby R1200GS » Wed Jun 01, 2005 9:32 am

Hi!

I'll answer both replies...

Could you please try the following, just to be sure.... from the client machine, do a
telnet <myscalixserverhostname> 25


I've done this and attempted to duplicate the dialog. I essentially receive the exact same response and smtpd.log entries.

also, please post your full /var/opt/scalix/sys/smtpd.cfg file.


RELAY accept 127.0.0.1
RELAY accept .mylab.net
RELAY accept 192.168.12.0
AUTH_SUCCESS Header ms3.mylab.net
AUTH_SUCCESS Accept ALL
DEBUG_LOG=TRUE

RELAY Log_Reject ALL

# extra rules added to prevent open relay usage
RECIPIENT Log_Reject *@*@*
RECIPIENT Log_Reject *%*
RECIPIENT Log_Reject *!*
RECIPIENT Log_Reject *#*@*


First, in Thunderbird, go to Tools...


This has been done. I've properly configured both Outlook and Thunderbird. I know these configurations are correct.

Next, you posted "250 ms3.lab.com Hello blah, blah blah [xx.xx.xx.xx], pleased to meet you", but you blanked out the important part that we need to see, what domain are you coming from?


"Lab.com" and "mylab.com" are obviously representative domains. The domain naming conventions work properly as I have several other test machines in these domains. "Lab.Com" is the (representative) public domain while "mylab.com" is a private domain used for internal DNS only. This domain architecture is known good.

I see that your Scalix host thinks that it's part of ms3.mylab.net as shown in this line "Cli 16900/1 sent : 221 ms3.mylab.net closing connection ". If the machine you're using is also part of mylab.net, then you would need a line such as: RELAY accept .mylab.net


The client is an external client connecting via a public IP, port 25. And yes, simply adding RELAY accept .mylab.net is the only way I've been able to get relaying to work, but this is a very bad thing and SMTP_AUTH is not functioning via this addition to the smtpd.cfg, so this is an unacceptable entry.

So, if you could start by getting the changes made to Thunderbird as described above, then attempt to send, you should get prompted for your password. Enter your Scalix password and your message should be accepted.


Using both Outlook and Thunderbird and NOT defining a cached password for SMTP (or POP for that matter), I am challenged for the password for POP but never for SMTP, which leads me to believe that SMTP_AUTH is not enabled in Scalix although, looking at my smtpd.cfg config above, AUTH_SUCCESS accept All is defined.

Wheew!

Thank you for the assistance! I know this is not that hard but I am lost here!

Now where do we go???

ScalixSupport
Scalix
Scalix
Posts: 5503
Joined: Thu Mar 25, 2004 8:15 pm

Postby ScalixSupport » Wed Jun 01, 2005 9:37 am

Hi there,

can you telnet to this server and instead of an SMTP conversation, type

ehlo localhost

and then cut'n paste the output back to us (complete from the top)

Thanks!

Sascha.

R1200GS
Posts: 35
Joined: Mon May 23, 2005 10:20 am

Postby R1200GS » Wed Jun 01, 2005 10:29 am

Certainly!

The response from a client on the public network is:

500 Unrecognized command


The response from a client on the private network and from the localhost is:

220 ms3.mylab.net ESMTP Scalix SMTP Relay 9.2.0.115; Wed, 01 Jun 2005 10:26:08 -0400 (EDT)
ehlo localhost
250-ms3.mylab.net Hello [192.168.12.175], pleased to meet you
250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI
250-AUTH=LOGIN
250-DSN
250 8BITMIME

florian
Scalix
Scalix
Posts: 3852
Joined: Fri Dec 24, 2004 8:16 am
Location: Frankfurt, Germany

Postby florian » Wed Jun 01, 2005 12:21 pm

This is quite interesting. Is the problem happening when you're sending from the public network, from the private network or both?

On the public network, it seems that you're not actually talking to our SMTP relay. Attention: some ISPs actually redirect outgoing port 25 traffic to their own SMTP relay server to catch spammers. You would need to work around this ISP's restriction using tunnelling, VPN or by setting up the SMTP listener to run on another port.

Also, please post your FULL smtpd.cfg file, not just the lines regarding relaying; I am particularly interested in the top block of active config lines, please just cut out the ones starting with the comment character. At best, I'd like to see the output of

sed -e '/^#/d' /var/opt/scalix/sys/smtpd.cfg

In a worst case, would it be possible for us to ssh into your server? (please do NOT post access data here in the forum! :-)

Cheers,
Florian.
Florian von Kurnatowski, Die Harder!

R1200GS
Posts: 35
Joined: Mon May 23, 2005 10:20 am

Postby R1200GS » Wed Jun 01, 2005 12:37 pm

Is the problem happening when you're sending from the public network, from the private network or both?


Only the public...

I don't believe that the ISP is doing port redirect but am looking into that now!

I'm sorry! I thought (Ah, ha! There's a problem) I had posted all the uncommented lines but had not...

This looks right to me!

EXTENSIONS=AUTH,DSN,8BITMIME

RELAY accept 127.0.0.1
RELAY accept .mylab.net
RELAY accept 192.168.12.0
AUTH_SUCCESS Header ms3.mylab.net
AUTH_SUCCESS Accept ALL
DEBUG_LOG=TRUE

RELAY Log_Reject ALL

RECIPIENT Log_Reject *@*@*
RECIPIENT Log_Reject *%*
RECIPIENT Log_Reject *!*
RECIPIENT Log_Reject *#*@*

The sed command didn't work and yes, I can do ssh but need to configure my PIX...

florian
Scalix
Scalix
Posts: 3852
Joined: Fri Dec 24, 2004 8:16 am
Location: Frankfurt, Germany

Postby florian » Wed Jun 01, 2005 12:47 pm

R12,

the config file looks alright except for the
AUTH_SUCCESS Header ms3.mylab.net
line which is unneeded. The other AUTH_SUCCESS should suffice.

Could you try an authenticated session with T'Bird from the Private network and see in the smtpd.log file if it produces an Authentication trace? If that's the case, it's almost certainly your network situation and some strange man-in-the-middle.

What you call the public network, is this the Internet? What would the IP address of your Scalix system be from the Internet so that I could try to telnet to port 25?

If you provide such information, please respond through Personal Message here!

Cheers,
Florian.
Florian von Kurnatowski, Die Harder!

R1200GS
Posts: 35
Joined: Mon May 23, 2005 10:20 am

Postby R1200GS » Wed Jun 01, 2005 12:48 pm

In thinking about the ISP, I have other smtp servers functioning properly but I'm not professing to know all...

And in speaking with the ISP, no, they are doing no such thing!

R1200GS
Posts: 35
Joined: Mon May 23, 2005 10:20 am

Postby R1200GS » Wed Jun 01, 2005 1:08 pm

Yes, on the private network authentication works properly and yes, the "public network" is the internet...

smtpd.log recorded the full authentication dialog BUT this client is on the network defined in the smtpd.cfg (192.168.12.0)

Oh, hmmm...

I think I have had a revelation...

On my PIX firewall, I have a rule that essentially scrambles the SMTP banner, hiding the server name, the relay type and version.

During the initial SMTP conversation, instead of this being returned to the client:

220 ms3.mylab.net ESMTP Scalix SMTP Relay 9.2.0.115; Wed, 01 Jun 2005 13:01:08 -0400 (EDT)

This is returned to the client:

220 *************************************************2*0***********************0*********200***0*2***********0*00 ***


I'm thinking this is exactly the cause of the problem!!!!!

R1200GS
Posts: 35
Joined: Mon May 23, 2005 10:20 am

Postby R1200GS » Wed Jun 01, 2005 1:42 pm

This is the definitive cause of this problem!

Florian, when you said "some strange man-in-the-middle" that triggered the thought that the only man-in-the-middle was the firewall...

The Cisco PIX "Protocol Fix-up" essentially breaks ESMTP and only accepts SMTP. HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT are the only accepted commands; all other commands (e.g. AUTH) are rejected with the "500 command unrecognized" reply code, which is exactly the behavior I am seeing...

If you are using authenticated SMTP to retrieve email, the PIX will block the "auth" command which is trying to authenticate, returning a "500 command unrecognized", and Outlook returns a "No transport provider" NDR and Thunderbird returns nothing.

The answer is to turn off SMTP fix-up by issuing:
#clear fixup protocol smtp 25
or
#no fixup smtp
Test and do #write mem

From Cisco:
As of version 5.1 and later, the fixup protocol smtp command changes the characters in the SMTP banner to asterisks except for the "2", "0", "0" characters. Carriage return (CR) and linefeed (LF) characters are ignored. In version 4.4, all characters in the SMTP banner are converted to asterisks. Refer to CSCds33156 in the Bug Navigator on CCO to view more information.

From Microsoft:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q320027&gssnb=1

From exim.org:
http://www.exim.org/pipermail/exim-users/Week-ofMon-20010903/029660.html

I'm not surprised that it wasn't Scalix. Scalix is rather easy after a while and I believed that I was just missing something and I was!

Thanks!
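As an added diagnostic (example code, not anything shipped by Scalix or Cisco): the script below applies Sascha's "ehlo localhost" test and the banner observation from the posts above in one place. It parses a greeting plus EHLO reply and tells apart a relay that really advertises AUTH, a banner that has been scrubbed to asterisks the way the PIX fix-up does (with EHLO answered by 500), and a listener that plainly does not speak ESMTP. The sample transcripts are copied from the output pasted earlier in this thread; probe() runs the same check against a live host and port of the reader's choosing.

```python
"""Classify an SMTP greeting plus EHLO reply (added example, not Scalix/Cisco code).

Outcomes distinguished: 'esmtp-auth' (relay reached, AUTH advertised),
'esmtp-no-auth' (relay reached, no AUTH), 'pix-fixup' (banner rewritten to
asterisks, EHLO rejected), 'no-esmtp' (clean banner, EHLO rejected).
"""
import re
import socket

CONT_LINE = re.compile(r"^(\d{3})-(.*)$")         # "250-AUTH PLAIN ..." (more follows)
FINAL_LINE = re.compile(r"^(\d{3})(?: |$)(.*)$")  # "250 8BITMIME" / "500 ..." (last line)

# Sample exchanges copied from the transcripts pasted in this thread.
PRIVATE_BANNER = ("220 ms3.mylab.net ESMTP Scalix SMTP Relay 9.2.0.115; "
                  "Wed, 01 Jun 2005 10:26:08 -0400 (EDT)\r\n")
PRIVATE_EHLO = (
    "250-ms3.mylab.net Hello [192.168.12.175], pleased to meet you\r\n"
    "250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI\r\n"
    "250-AUTH=LOGIN\r\n"
    "250-DSN\r\n"
    "250 8BITMIME\r\n"
)
PUBLIC_BANNER = ("220 *************************************************2*0"
                 "***********************0*********200***0*2***********0*00 ***\r\n")
PUBLIC_EHLO = "500 Unrecognized command\r\n"


def parse_reply(text):
    """Split a (possibly multi-line) SMTP reply into (code, [line texts]).

    Lines that are neither 'NNN-text' nor 'NNN text' (an echoed command, say)
    are skipped; the first 'NNN text' line terminates the reply.
    """
    code, lines = None, []
    for raw in text.splitlines():
        m = CONT_LINE.match(raw) or FINAL_LINE.match(raw)
        if not m:
            continue
        code = int(m.group(1))
        lines.append(m.group(2).strip())
        if m.re is FINAL_LINE:
            break
    return code, lines


def banner_looks_mangled(banner_text):
    """PIX fixup (5.1+) rewrites every banner byte except '2' and '0' to '*'."""
    body = banner_text.strip()
    return bool(body) and set(body) <= set("*20 ") and body.count("*") > len(body) // 2


def ehlo_extensions(lines):
    """Map EHLO keywords to their parameter lists; lines[0] is the greeting."""
    ext = {}
    for line in lines[1:]:
        keyword, _, params = line.partition(" ")
        ext[keyword.upper()] = params.split()
    return ext


def diagnose(banner, ehlo_reply):
    """Return a dict describing one greeting + EHLO exchange."""
    bcode, blines = parse_reply(banner)
    ecode, elines = parse_reply(ehlo_reply)
    mangled = bcode == 220 and banner_looks_mangled(blines[0] if blines else "")
    ext = ehlo_extensions(elines) if ecode == 250 else {}
    mechs = list(ext.get("AUTH", []))
    # Scalix also emits the legacy "AUTH=LOGIN" form; fold it into the mechanism list.
    mechs += [k.split("=", 1)[1] for k in ext if k.startswith("AUTH=")]
    if ecode == 250 and mechs:
        verdict = "esmtp-auth"      # AUTH offered; check client settings / smtpd.log next
    elif ecode == 250:
        verdict = "esmtp-no-auth"   # relay reached, AUTH not advertised
    elif mangled:
        verdict = "pix-fixup"       # banner scrubbed by a middlebox; EHLO/AUTH get 500
    elif ecode == 500:
        verdict = "no-esmtp"        # plain SMTP only, banner untouched
    else:
        verdict = "unknown"
    return {"banner_code": bcode, "banner_mangled": mangled, "ehlo_code": ecode,
            "extensions": sorted(ext), "auth_mechanisms": mechs, "verdict": verdict}


def _read_reply(f):
    """Read one complete SMTP reply from a binary file wrapping the socket."""
    chunks = []
    while True:
        line = f.readline()
        if not line:
            break
        text = line.decode("utf-8", "replace")
        chunks.append(text)
        if FINAL_LINE.match(text.rstrip("\r\n")):
            break
    return "".join(chunks)


def probe(host, port=25, timeout=10.0):
    """Live check: read greeting, send EHLO, QUIT; return diagnose() of the exchange."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        banner = _read_reply(f)
        s.sendall(b"EHLO localhost\r\n")
        ehlo = _read_reply(f)
        s.sendall(b"QUIT\r\n")
    return diagnose(banner, ehlo)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))   # usage: python3 smtp_ehlo_check.py <your-smtp-host>
    else:
        print("private:", diagnose(PRIVATE_BANNER, PRIVATE_EHLO)["verdict"])
        print("public: ", diagnose(PUBLIC_BANNER, PUBLIC_EHLO)["verdict"])
```

Run it from the same client that fails and from one on the private network; a 'pix-fixup' verdict on one path and 'esmtp-auth' on the other points at the device in between rather than at smtpd.cfg, which is what this thread ended up finding. A plain STARTTLS check would be the natural next keyword to look for in the extension list.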

florian
Scalix
Scalix
Posts: 3852
Joined: Fri Dec 24, 2004 8:16 am
Location: Frankfurt, Germany

Postby florian » Thu Jun 02, 2005 12:19 pm

quite amazing what these little gizmos do.... ;-) glad that it works now.

enjoy scalix,
Florian.
Florian von Kurnatowski, Die Harder!

