Bug#736081: Won't authenticate over STARTTLS without AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS

Andreas Metzler ametzler at bebt.de
Sun Jan 19 16:49:48 UTC 2014


On 2014-01-19 Juliusz Chroboczek <jch at pps.univ-paris-diderot.fr> wrote:
> Package: exim4-daemon-light
> Version: 4.82-3

> Smarthost requires STARTTLS and PLAIN login -- therefore the
> connection is authenticated.  A default install refuses to authenticate:

>     SMTP>> STARTTLS
>     SMTP<< 220 2.0.0 Ready to start TLS
>     SMTP>> EHLO x.x.x.x
>     SMTP<< 250-x.x.x.x
>            250-PIPELINING
>            250-SIZE 10240000
>            250-ETRN
>            250-AUTH PLAIN LOGIN
>            250-AUTH=PLAIN LOGIN
>            250-ENHANCEDSTATUSCODES
>            250-8BITMIME
>            250 DSN
>   [...]
>   x.x.x.x in hosts_require_auth? no (option unset)
>   search_open: nwildlsearch "/etc/exim4/passwd.client"
>   search_find: file="/etc/exim4/passwd.client"
>     key="x.x.x.x" partial=-1 affix=NULL starflags=0
>   [...]
>   x.x.x.x in "*.x.x"? yes (matched "*.x.x")
>   lookup yielded: x:x
>   [...]
>     SMTP>> MAIL FROM:<> SIZE=2447
>     SMTP>> RCPT TO:<jch at x.x.x>
>     SMTP>> DATA
>   [...]
>     SMTP<< 250 2.1.0 Ok
>     SMTP<< 554 5.7.1 <unknown[x.x.x.x]>: Client host rejected: Access denied
>     SMTP<< 554 5.5.1 Error: no valid recipients

> If I add ``AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS = true'' to the exim
> configuration, everything works fine:

>     SMTP>> STARTTLS
>     SMTP<< 220 2.0.0 Ready to start TLS
>     SMTP>> EHLO x.x.x.x
>     SMTP<< 250-x.x.x.x
>            250-PIPELINING
>            250-SIZE 10240000
>            250-ETRN
>            250-AUTH PLAIN LOGIN
>            250-AUTH=PLAIN LOGIN
>            250-ENHANCEDSTATUSCODES
>            250-8BITMIME
>            250 DSN
>     SMTP>> AUTH PLAIN ********************
>     SMTP<< 235 2.7.0 Authentication successful

> However, this should not be needed, since the connection is protected
> by TLS.

Hello,
You seem to be quoting two different outputs, one with and one
without debugging info.

Please show the debugging output with and without
AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS (take care to remove
username/password from the output)

echo blah | exim4 -d+all some@address > exim.debug 2>&1


(with some@address being an email address that ends up being routed
through the smarthost.)

Also is there a reason why you say x.x.x.x instead of showing the IP
address? Did you customize the authenticator?

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
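
An added example, not part of the original message and not Exim or Debian code: a Python filter that masks the two credential-bearing line shapes visible in the quoted excerpts (`lookup yielded:` and `SMTP>> AUTH ...`) before a debug log is posted, and reports whether AUTH was sent after STARTTLS was accepted. The function names and the sample log are constructed for illustration; other credential-bearing lines in real `-d+all` output are not covered and still need a manual check.

```python
import re

# Line shapes are taken from the debug excerpts quoted in this message.
LOOKUP = re.compile(r"^(\s*lookup yielded:\s*).*$")
AUTH = re.compile(r"^(\s*SMTP>> AUTH \S+)(\s+.*)?$")
SMTP = re.compile(r"^\s*SMTP(>>|<<) (.*)$")

def redact(lines):
    """Mask lookup results and AUTH arguments, keeping the line structure."""
    return [AUTH.sub(r"\1 [REDACTED]", LOOKUP.sub(r"\1[REDACTED]", l)) for l in lines]

def summarize(lines):
    """Report whether STARTTLS was accepted and whether AUTH followed it."""
    s = {"starttls_sent": False, "tls_ready": False,
         "auth_sent": False, "auth_after_tls": False, "auth_ok": False}
    for line in lines:
        m = SMTP.match(line)
        if not m:
            continue  # debug lines and EHLO continuation lines
        direction, text = m.groups()
        if direction == ">>" and text.startswith("STARTTLS"):
            s["starttls_sent"] = True
        elif direction == "<<" and s["starttls_sent"] and text.startswith("220"):
            s["tls_ready"] = True
        elif direction == ">>" and text.startswith("AUTH "):
            s["auth_sent"] = True
            s["auth_after_tls"] = s["tls_ready"]
        elif direction == "<<" and text.startswith("235"):
            s["auth_ok"] = True
    return s

# Constructed sample (hypothetical host and credentials), not real output.
SAMPLE = """\
  lookup yielded: relayuser:example-secret
    SMTP>> STARTTLS
    SMTP<< 220 2.0.0 Ready to start TLS
    SMTP>> EHLO client.example
    SMTP<< 250-AUTH PLAIN LOGIN
    SMTP>> AUTH PLAIN AHJlbGF5dXNlcgBleGFtcGxlLXNlY3JldA==
    SMTP<< 235 2.7.0 Authentication successful
""".splitlines()

if __name__ == "__main__":
    print("\n".join(redact(SAMPLE)))
    print(summarize(SAMPLE))
```

Running `summarize` over both logs (with and without the macro) shows directly whether the client skipped AUTH on a connection where TLS had already been negotiated.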


