[Pkg-exim4-users] getting authentication to work with a smarthost

Ross Boylan rossboylan at stanfordalumni.org
Tue Jan 12 23:04:55 UTC 2016


I've noticed some things and done some tweaks, but still cannot get
TLS to start (at least, I see nothing in the logs suggesting it
started) or authentication to be attempted.

1. Names and IPs of the smarthost.
dig mail.ucsf.edu mx yields 3 machine names, with 3 associated IPs.
dig -x on the IPs yields the machine name.  I added
^(cuda|jingo|jango)\.ucsf\.edu$:nnnn:pppp
to passwd.client without luck.
The actual IP connected to doesn't match any of those machines.
Here's a more recent fragment with DNS debugging on:
finding IP address for mail.ucsf.edu
calling host_find_byname
gethostbyname2(af=inet6) returned 4 (NO_DATA)
fully qualified name = mail.ucsf.edu
gethostbyname2 looked up these IP addresses:
  name=mail.ucsf.edu address=64.54.247.179
I'm baffled that the IP is not what I get using dig.  I added a line
with the IP to passwd.client; no change.

2. "login authenticator yielded 13" might indicate the host wasn't
matching in the passwd.client file according to the internet.
This and the discussion of passwd.client in the man page was the basis
of trying to expand the entries in passwd.client.
I also speculated it might mean there were no matching authenticators,
leading to ...

3. The authenticators listed, "AUTH GSSAPI NTLM LOGIN", appear not to
match those configured.  Login would probably work if the connection
were encrypted, which it doesn't seem to be.  I added a spa
authenticator for NTLM.  No change in the results.

Ross

On Tue, Jan 12, 2016 at 1:10 AM, Ross Boylan
<rossboylan at stanfordalumni.org> wrote:
> I am try to send mail via a smarthost that requires authentication.
> Some documentation (dated, I suspect) indicates I should be using port
> 465, but I am able to connect via 25.  The smarthost advertises
> STARTTLS and various authentication mechanisms, and my local exim
> seems to recognize that it should try to authenticate.  But as far as
> I can tell it neither negotiates TLS nor attempts to authenticate.  It
> just tries to deliver the email, which is rejected as unauthenticated.
>
> I would appreciate any help.
> <update-exim4.conf.conf>
> dc_eximconfig_configtype='smarthost'
> dc_other_hostnames='ross-sas.psg.net ross-sas.epi-ucsf.org'
> dc_local_interfaces='127.0.0.1 ; ::1'
> dc_readhost='ucsf.edu'
> dc_relay_domains=''
> dc_minimaldns='false'
> dc_relay_nets=''
> dc_smarthost='mail.ucsf.edu:465'
> CFILEMODE='644'
> dc_use_split_config='true'
> dc_hide_mailname='true'
> dc_mailname_in_oh='true'
> dc_localdelivery='mail_spool'
> </update-exim4.conf.conf>
> I have made no customizations beyond running dpkg-reconfigure
> exim4-config and putting an entry in passwd.client.
>
> Something, possibly the debconf questions, made me think the single
> colon in the smarthost was the proper syntax for specifying an
> alternate port.  It seems to have been interpreted as a list separator
> and ignored instead; I have since doubled it.  Results at the bottom.
>
> I think the smarthost is running MS Exchange 2012.
> # exim -v -t -bm -f "" -d < test.msg
> produced lots of output, finally ending up in the
> remote_smtp_smarthost transport.  Here's the key section, with my
> comments added after the #
>
> Connecting to mail.ucsf.edu [64.54.247.179]:25 ... connected  # Port
> 25, not the 465 I requested
> waiting for data on socket
> read response data: size=95
>   SMTP<< 220 exht05.net.ucsf.edu Microsoft ESMTP MAIL Service ready at
> Mon, 11 Jan 2016 23:00:50 -0800
> 64.54.247.179 in hosts_avoid_esmtp? no (option unset)  # remote host
> name does not match what I used to find it
>   SMTP>> EHLO ross-sas  # my local system has no FQDN
> waiting for data on socket
> read response data: size=201
>   SMTP<< 250-STARTTLS
>          250-exht05.net.ucsf.edu Hello [64.54.171.2]
>          250-SIZE 141557760
>          250-PIPELINING
>          250-DSN
>          250-ENHANCEDSTATUSCODES
>          250-AUTH GSSAPI NTLM LOGIN
>          250-8BITMIME
>          250-BINARYMIME
>          250 CHUNKING
> 64.54.247.179 in hosts_require_tls? no (option unset)
> 64.54.247.179 in hosts_avoid_pipelining? no (option unset)
> using PIPELINING
> 64.54.247.179 in hosts_require_auth? no (option unset)
> search_open: nwildlsearch "/etc/exim4/passwd.client"
> search_find: file="/etc/exim4/passwd.client"
>   key="mail.ucsf.edu" partial=-1 affix=NULL starflags=0
> LRU list:
>   >/etc/exim4/passwd.client
>   End
> internal_search_find: file="/etc/exim4/passwd.client"
>   type=nwildlsearch key="mail.ucsf.edu"
> file lookup required for mail.ucsf.edu
>   in /etc/exim4/passwd.client
> mail.ucsf.edu in "mail.ucsf.edu"? yes (matched "mail.ucsf.edu")
> lookup yielded: SomeAccount:SomePasword  # Recognizes as configured
> for authentication
> 64.54.247.179 in hosts_try_auth? yes (matched "64.54.247.179")
> scanning authentication mechanisms
> login authenticator yielded 13   # Not sure what that means
> # I would expect the next messages to the smarthost to establish TLS
> # and then authenticate.
> # But instead, we jump right to a mail command.
> # Maybe such negotiations are not reported in the debug output?
> # However, the failure of the MAIL command suggests the problem is
> # that the commands  were never issued.
>   SMTP>> MAIL FROM:<> SIZE=1716
>   SMTP>> RCPT TO:<ross.boylan at ucsf.edu>
>   SMTP>> DATA
> waiting for data on socket
> read response data: size=40
>   SMTP<< 530 5.7.1 Client was not authenticated
> waiting for data on socket
> ok=0 send_quit=1 send_rset=1 continue_more=0 yield=0 first_address is not NULL
>   SMTP>> QUIT
>
> Thanks.
> Ross Boylan
>
> P.S. Running
> exim4-daemon-heavy                           4.82-3ubuntu2
> exim4-config                                 4.82-3ubuntu2
>
>
> Doubling the colon in the smarthost specification gets exim to use
> port 465, but:
> mail.ucsf.edu [64.54.247.179]:465 status = usable
> 64.54.247.179 in serialize_hosts? no (option unset)
> delivering 1aIufG-00024b-Sq to mail.ucsf.edu [64.54.247.179]
> (ross.boylan at ucsf.edu)
> set_process_info:  7977 delivering 1aIufG-00024b-Sq to mail.ucsf.edu
> [64.54.247.179] (ross.boylan at ucsf.edu)
> Transport port=25 replaced by host-specific port=465
> Connecting to mail.ucsf.edu [64.54.247.179]:465 ... connected
> waiting for data on socket
> ok=0 send_quit=0 send_rset=1 continue_more=0 yield=1 first_address is not NULL
> LOG: MAIN
>   Remote host mail.ucsf.edu [64.54.247.179] closed connection in
> response to initial connection
> set_process_info:  7977 delivering 1aIufG-00024b-Sq: just tried
> mail.ucsf.edu [64.54.247.179] for ross.boylan at ucsf.edu: result DEFER
> added retry item for T:mail.ucsf.edu:64.54.247.179:465: errno=-18
> more_errno=0,A flags=2
> all IP addresses skipped or deferred at least one address
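As an added example (not part of the thread and not exim4's own code), the script below replays offline the two checks that the debug output above exercises: which passwd.client line the lookup hits (the debug lines show the key is the routed name `mail.ucsf.edu`, not the reverse-DNS name of the IP actually connected to), and which of the AUTH mechanisms the server advertises are safe to use before and after TLS, since LOGIN and PLAIN carry the password only base64-encoded. `probe_smarthost` runs the same checks against a live server with the standard `smtplib`, treating port 465 as implicit TLS (a TLS handshake before any SMTP banner, which is consistent with the "closed connection in response to initial connection" result above) and 25/587 as cleartext-plus-STARTTLS. The passwd.client text and the EHLO transcript are constructed copies of what the post shows; the credential strings are placeholders; the wildcard handling emulates the documented nwildlsearch forms rather than calling exim.

```python
"""Added example: replay the passwd.client lookup and the EHLO/AUTH decision
from the exim debug output offline, and optionally probe a smarthost live.
Sample data is constructed; credentials are placeholders."""
import re
import smtplib
import ssl

# --- 1. passwd.client: which line does the transport's lookup hit? ----------
# The debug output shows key="mail.ucsf.edu", i.e. the host name the router
# handed to the transport, not the reverse-DNS name of the connected IP.
PASSWD_CLIENT = r"""
# constructed sample in passwd.client format: key:login:password
^(cuda|jingo|jango)\.ucsf\.edu$:nnnn:pppp
64.54.247.179:nnnn:pppp
mail.ucsf.edu:SomeAccount:SomePassword
"""


def load_passwd_client(text):
    """Parse key:login:password lines; '#' comments and blanks are ignored.
    (Keys containing ':' must be quoted in real exim; not handled here.)"""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        key, login, password = line.split(':', 2)
        entries.append((key, login, password))
    return entries


def host_matches_key(host, key):
    """Emulate the wildcard forms nwildlsearch accepts, case-insensitively:
    '*' alone matches anything, a leading '*' means 'ends with',
    a leading '^' is a regular expression, anything else is a literal."""
    host = host.lower()
    if key == '*':
        return True
    if key.startswith('^'):
        return re.search(key, host, re.IGNORECASE) is not None
    if key.startswith('*'):
        return host.endswith(key[1:].lower())
    return host == key.lower()


def lookup_credentials(host, entries):
    """Linear search: the first matching line wins, as in an lsearch file."""
    for key, login, password in entries:
        if host_matches_key(host, key):
            return key, login, password
    return None


# --- 2. EHLO: what the server offers, and what is safe before TLS -----------
EHLO_TRANSCRIPT = """\
250-exht05.net.ucsf.edu Hello [64.54.171.2]
250-STARTTLS
250-SIZE 141557760
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-AUTH GSSAPI NTLM LOGIN
250-8BITMIME
250-BINARYMIME
250 CHUNKING
"""
EHLO_KEYWORD = re.compile(r'^[A-Za-z0-9][A-Za-z0-9-]*$')  # RFC 5321 ehlo-keyword


def parse_ehlo(response):
    """Return {KEYWORD: [params]} from a raw multi-line 250 response.
    The greeting line's first token is a domain, not a keyword, so it is skipped."""
    extensions = {}
    for raw in response.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith('250'):
            raise ValueError('not part of a 250 EHLO response: ' + line)
        words = line[4:].split()
        if words and EHLO_KEYWORD.match(words[0]):
            extensions[words[0].upper()] = words[1:]
    return extensions


def usable_auth_mechanisms(extensions, tls_active,
                           configured=('CRAM-MD5', 'LOGIN', 'PLAIN')):
    """Intersect the mechanisms we would configure with those the server offers.
    LOGIN and PLAIN send the password merely base64-encoded, so they are
    withheld until the session is encrypted; CRAM-MD5 does not expose it."""
    offered = {m.upper() for m in extensions.get('AUTH', [])}
    return [m for m in configured
            if m in offered and (tls_active or m not in ('LOGIN', 'PLAIN'))]


# --- 3. Live probe (needs network; not used by the offline checks) ----------
def probe_smarthost(host, port, timeout=10):
    """465: TLS handshake first, then the banner. 25/587: cleartext banner,
    then STARTTLS if advertised; the feature list must be re-read after it."""
    ctx = ssl.create_default_context()
    if port == 465:
        with smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx) as s:
            s.ehlo()
            return {'mode': 'implicit-tls',
                    'auth_after_tls': s.esmtp_features.get('auth', '').split()}
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        before = s.esmtp_features.get('auth', '').split()
        if not s.has_extn('starttls'):
            return {'mode': 'cleartext-only', 'auth_before_tls': before}
        s.starttls(context=ctx)
        s.ehlo()
        return {'mode': 'starttls', 'auth_before_tls': before,
                'auth_after_tls': s.esmtp_features.get('auth', '').split()}


if __name__ == '__main__':
    entries = load_passwd_client(PASSWD_CLIENT)
    print('passwd.client hit:', lookup_credentials('mail.ucsf.edu', entries))
    ext = parse_ehlo(EHLO_TRANSCRIPT)
    print('offered AUTH:', ext.get('AUTH'), '| STARTTLS:', 'STARTTLS' in ext)
    print('usable before TLS:', usable_auth_mechanisms(ext, False))
    print('usable after TLS: ', usable_auth_mechanisms(ext, True))
```

Run it as-is for the offline replay; for a live check call `probe_smarthost('your.smarthost', 25)` or `(..., 465)` from a Python prompt. A raw EHLO response captured with `openssl s_client -starttls smtp -connect host:25` (or `-connect host:465` for the implicit-TLS port) can be pasted straight into `parse_ehlo`.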