Bug#742901: exim4 doesn't send authentication: broken

Andreas Metzler ametzler at bebt.de
Sat Mar 29 17:34:01 UTC 2014 

On 2014-03-28 David Lawyer <dave at lafn.org> wrote:
> Package: exim4_4.82-5_all
> Version: 4.82-5

> I have 4 exim4 packages installed for each version.  When I updated
> exim4 from 4.80-4 to 4.82-5, exim broke since it would not output
> email to my smart-host.  The logs said that the smart-host said
> "Relaying denied.  Proper authentation required."  I wrote a test
> script which ran exim with -d (debug) for both versions (4.80 and
> 4.82).  The debug output is attached as a wdiff file showing the
> difference between the output for 4.80 and 4.82.

> What is observed from looking at this debug output is: After my exim
> and the smart-host (server) agree on "using PIPELINING" both
> versions of exim find my name and password.  But next they do
> "scanning authentication mechanisms" quite differenly.  4.80 looks
> up my password twice more (wasted effort since my passwork has
> already been found).  It then sends authentication to the server by
> SMPT>> AUTH PLAIN *****..** and the server responds "OK
> Authenticated".  Then the header FROM: TO: and DATA is sent to the
> sever.

> But 4.82 just skips any authentication and sends FROM: TO: and DATA
> to the server OK.  The server say the sender is OK but then after
> repeating the TO: address says "Relaying denied.  Proper
> authentation required."  It's obvious this is happening because of
> the failure of 4.82 to send any authentication to the server.
[...]

Hello David,

thank you for the extensive info. The only relevant thing on the
configuration side that changed is this:
-----------
 <   client_send = "<; ${if !eq{$tls_cipher}{}\
 >   client_send = "<; ${if !eq{$tls_out_cipher}{}\
-----------
This should show up if "-d+auth+expand" is used instead of a simple
"-d". - Could you please doublecheck that $tls_out_cipher expands to
an empty value?

I think there is indeed a problem with $tls_out_cipher (See
<http://bugs.exim.org/show_bug.cgi?id=1455>), as a workaround you can
edit the plain and login authenticator and replace tls_out_cipher with
tls_cipher for the time being.

Your wdiff-file included login info in the lookup results. I assume
you realized this and replaced the actual password with a dummy one
before posting.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

More information about the Pkg-exim4-maintainers mailing list