[Pkg-exim4-users] Solution: Verizon SMTP on outbound.verizon.net

Thaddeus H. Black t at b-tk.org
Wed Jul 26 22:58:21 UTC 2006


If you do not live in the U.S., in an area of the
country whose telephone is served by Verizon, then you
can skip this post.

Six months ago a Debian sarge user and U.S. Verizon DSL
subscriber met trouble [1] sending mail by
outgoing.verizon.net SMTP.  Today I have met the same
trouble and have solved it.  This post explains the
solution for the list archives, so that other
Debian-using U.S. Verizon DSL subscribers can google it
later.

The problem appears to be that Verizon's SMTP server at
outgoing.verizon.net port 25 demands authentication but
for some reason does not recognize the SMTP STARTTLS
command.  (Compare this against smtp.gmail.com port 25,
which does properly recognize the command.)  The
STARTTLS command starts channel encryption; before
STARTTLS, the channel runs in the clear, meaning that
any sufficiently sophisticated person with access to any
router between you and outgoing.verizon.net can read
whatever you send, including your Verizon password.
Many or most Verizon users are presumably sending e-mail
with Microsoft Outlook, which *should* refuse to reveal
your password under the circumstance but which evidently
transmits it anyway, without warning you that it is
giving your password away.  If not for this apparent
flaw in Outlook, Verizon probably would have fixed
outgoing.verizon.net long ago, and then Debian users
would have no trouble sending e-mail over Verizon.

However, outgoing.verizon.net does appear to be broken,
and there is no indication that Verizon is interested in
fixing it, so the best solution for you may be to use
some non-Verizon SMTP smarthost.  If this is not
practical for you, then here's how to route around the
damage.  Basically, you must break your exim4 slightly
to work with the similarly broken outgoing.verizon.net.

1.  Change your Verizon password to something you don't
really care if some net lurker intercepts.

2.  Consider hosting your incoming e-mail somewhere
other than incoming.verizon.net, inasmuch as your
account has the same password on both machines.

3.  Run "dpkg-reconfigure exim4-config".  Answer the
indicated questions more or less as follows.

    Small files: no.
    General type: smarthost, SMTP
    System mail name: (mine is "b-tk.org";
        yours is whatever yours is)
    Listen: 127.0.0.1
    Other accepted: (as appropriate; the default is
        probably fine)
    Relay: (blank)
    Smarthost: outgoing.verizon.net
    Hide: (as you like; I answer "no.")
    Dial-on-demand: no.


4.  Add to /etc/exim4/passwd.client the line

    *:username:password

where "username" and "password" are your Verizon
username and password which you're about to send across
the net in the clear.

5.  Verify that "ls -l /etc/exim4/passwd.client" returns

    -rw-r----- [...] root Debian-exim [...] /etc/exim4/passwd.client

6.  Create the new file
/etc/exim4/exim4.conf.localmacros .
In this file, put the one evil line

    AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS = true

This makes exim4 behave like Outlook, giving your
Verizon password away in the clear.

7.  Run "update-exim4.conf".

8.  Run "/etc/init.d/exim4 restart".

9.  Send mail.

So, if you've been trying to figure out why you
can't send e-mail, it's not that you're dimwitted; it's
that Verizon's SMTP server is broken and apparently has
been broken for a long time.

The above solution worked for me (if it hadn't, then you
wouldn't be reading this post, would you, because I
could not have sent it to the list).  It will likely
work for you, too.  If anyone who reads these words has
a more secure solution which he knows or believes will
work on outgoing.verizon.net, he is invited to post it
here; but my belief is that in the absence of Verizon
STARTTLS capability, there exists no more secure
solution.  Basically, TLS *is* the solution, and Verizon
just hasn't got it.

There is one good piece of news from Verizon.  I had
read in the blog of a Jason Boxman that as recently as
February, if I understand him correctly, verizon.net did
not allow you to send mail with your own
non-Verizon-hosted domain name on the From: line.  If
that was true then, evidently it isn't true any more.
If you notice, this e-mail is From: t at b-tk.org, which
domain has nothing to do with Verizon.  It was sent
through outgoing.verizon.net.

Good luck.  If you try the above and find any
troublesome typos or omissions, please post corrections.
Thanks.

-- 
Thaddeus H. Black
508 Nellie's Cave Road
Blacksburg, Virginia 24060, USA
+1 540 961 0920, t at b-tk.org, thb at debian.org

[1] http://lists.alioth.debian.org/pipermail/pkg-exim4-users/2006-January/000468.html
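
The check behind steps 5 and 6, and the STARTTLS test the post turns on, as an added example that is not part of the original post.  The function names ehlo_verdict and audit_exim4_dir are hypothetical, and GNU stat (as shipped on Debian) is assumed.  Feed ehlo_verdict the text a smarthost returns to EHLO, and point audit_exim4_dir at the exim4 configuration directory.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Assumes GNU stat (Debian).

# Classify an EHLO reply read from stdin:
#   starttls       - STARTTLS advertised, so AUTH can wait for encryption
#   auth-cleartext - AUTH offered with no STARTTLS (the case in the post)
#   no-auth        - neither keyword seen
ehlo_verdict() {
    reply=$(tr -d '\r' | tr '[:lower:]' '[:upper:]')
    if printf '%s\n' "$reply" | grep -Eq '^250[- ]STARTTLS$'; then
        echo starttls
    elif printf '%s\n' "$reply" | grep -Eq '^250[- ]AUTH[ =]'; then
        echo auth-cleartext
    else
        echo no-auth
    fi
}

# Audit an exim4 config directory (default /etc/exim4).
# Prints one finding per line and returns 1 if anything was found.
audit_exim4_dir() {
    dir=${1:-/etc/exim4}
    rc=0
    macros="$dir/exim4.conf.localmacros"
    pw="$dir/passwd.client"
    # Flag any line that defines the macro from step 6.
    if [ -f "$macros" ] &&
       grep -Eq '^[[:space:]]*AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS[[:space:]]*=' "$macros"; then
        echo "NOTLS: $macros allows AUTH without TLS"
        rc=1
    fi
    # Step 5 expects -rw-r-----; any permission bit for "other" is a finding.
    if [ -f "$pw" ]; then
        mode=$(stat -c '%a' "$pw")
        case $mode in
            *[1-7]) echo "PERMS: $pw is mode $mode (world-accessible)"; rc=1 ;;
        esac
    fi
    return $rc
}
```

A NOTLS finding on a machine whose smarthost now yields "starttls" means the macro from step 6 can be removed again.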