Subject: smarthost Outsmarting me so Far
You are reading this message because I hacked together a one-of
setup to post this message.
This system is running
Exim version 4.92 #5 built 01-May-2021 09:42:39 and was doing
just fine until March 14 of this year when my ISP, suddenlink.net
changed something on smtp.suddenlink.net which killed the
configuration I had been using for 7 years.
The smtp.suddenlink.net server used and, appears
to still be using TLS encryption for the login credentials and
this is good but something changed in the sequence of
events that constitutes a successful login since the login has
failed 100% of the time since March 14.
When it used to work, one established the session on TCP port
465 so the session was encrypted from the start. Encryption
continued until the session end so the transaction was quite
secure.
After the change, it appears that the waye the
server wants to start the session is on the traditional email
port of 25.
I've actually been able to use the swaks utility to send
a message through smtp.suddenlink.net using TLS after the initial
helo routine which is how the message you are reading got sent.
This totally bypasses what exim4 is doing and successfully starts
the message on it's way but that's a total Jake-leg way to do
things so I would like to be able to just send the message
normally, of course.
After the helo on port 25, swaks enables starttls and the
rest is obscured so only the bad guys really know what happened
and when but it does work.
The folks in far-off call centers at Suddenlink state
that it works fine with Outlook. I'm sure it does and they never
heard of exim so it's a dialog of the deaf as far as useful
details that might help script the authentication such that it
works again via exim.
Here is a wireshark trace of the successful sending of a
test message via swaks. The fact that it is successful proves
that there is nothing wrong with any of the login credentials
such as user ID and password. The Cname record resolves
smtp.suddenlink.net.
smtp.suddenlink.net CNAME smtp.mx-altice.prod.cloud.synchronoss.net
A 208.180.40.68 90 26.529173517 192.168.1.1 ? 192.168.1.64 DNS
212 Standard query response 0xcaa2 AAAA smtp.suddenlink.net CNAME
smtp.mx-altice.prod.cloud.synchronoss.net SOA ns-124.awsdns-15.com
Now here it all starts on P25.
192.168.1.64 ? 208.180.40.68 TCP 74 50518 ? 25
SMTP 247 S: 250-omta02.suddenlink.net | 250-HELP | 250-XREMOTEQUEUE |
250-ETRN | 250-AUTH=LOGIN PLAIN | 250-AUTH LOGIN PLAIN | 250-PIPELINING
| 250-DSN | 250-8BITMIME | 250-SIZE 52428800 | 250 STARTTLS 117
33.774814356 192.168.1.64 ? 208.180.40.68 SMTP 78 C: AUTH LOGIN 118
The next appears to be encrypted traffic and then it's
all in the clear again.
208.180.40.68 ? 192.168.1.64 SMTP 97 S: 235 Authentication successful
126 33.845629021 192.168.1.64 ? 208.180.40.68 SMTP 103 C: MAIL
FROM:<martin.m@suddenlink.net> 127 33.865203950 208.180.40.68 ?
One can read the message sent and responses from
smtp.suddenlink.net which were picked up by wireshark so only the
authentication is encrypted unless I am misreading the capture.
I can't change how it is done but exim needs to duplicate
this behavior in order to send messages out through it again.
I telnetted in to smtp.suddenlink.net on Port 25 and
tried to glean some ideas from what's there but this little gem
from one attempt says it all:
$ telnet smtp.suddenlink.net 25
Trying 208.180.40.68...
Connected to smtp.mx-altice.prod.cloud.synchronoss.net.
Escape character is '^]'.
220 omta03.suddenlink.net ESMTP server (InterMail vM.8.04.03.22.02 201-2389-100-169-20190213) ready Thu, 5 May 2022 07:48:47 -0500
helo martim.n
250 omta03.suddenlink.net
help login
214 No help information for 'LOGI'
help
214-This SMTP server is a part of the Email Mx E-mail system. For
214-information about Email Mx, please see http://www.owmessaging.com
I did just that, preparing to be enlightened to blinding
brilliance but the documentation appeared to be in some foreign
language I did not recognize much less know. The no-help continues:
214-
214- Supported commands:
214-
214- EHLO HELO MAIL RCPT DATA
214- VRFY RSET NOOP QUIT
help help
214-Usage: HELP [command]
214-
214-Without an argument, the HELP command lists all of the supported
214-SMTP commands. If a command is specified, then help about that
214 specific command is given (but you figured it out yourself :-)
Yup. I was roaring with laughter by this time. As a
smarthost, it's more like a smart-a--ed host but that's unkind, I
know.
What's needed is a modular approach to these things so
programs like exim can continue to do well and those of us who
appreciate all the hard work to create them can monitor and
script logins similar to what we do with expect and kermit,
(Remember that way of scripting logins and repetitive
activities?)
I don't think it's very broken, here, but I haven't got a
clue as to how to use exim's configuration capabilities to get
that same behavior with exim4 that I saw with swaks.
A good perl or python script should plug in to exim's
logic to make it possible to script and monitor authentication
and take care of that while exim can do the smtp activities as it
always has.
Any and all constructive ideas are much appreciated.
Since email is becoming more complex, my long-range plan
is to stop using smtp.suddenlink.net due to the opaqueness factor
and select another email provider which I know about who is run
by folks who actually know and care how it works. The
organization I retired from has such a mailer but I will need to
use thunderbird for that one due to it's use of multifactor
authentication but it's just down the street from where I live
for all practical purposes and the people one talks to live right
here also.
A modular authentication helper would be a tremendous
force multiplier since security issues have made things much more
complex then they were and a form of scripting similar to expect
should reduce the amount of head-banging necessary to solve minor
changes in authentication that totally stop the show right now.
At this time, I can still use fetchmail to retrieve
messages from pop and imap servers at suddenlink.net. I just
can't easily send anything out through this same address and must
use an icloud.com account.
Thanks to all.
Martin McCormick
You are reading this message because I hacked together a one-of
setup to post this message.
This system is running
Exim version 4.92 #5 built 01-May-2021 09:42:39 and was doing
just fine until March 14 of this year when my ISP, suddenlink.net
changed something on smtp.suddenlink.net which killed the
configuration I had been using for 7 years.
The smtp.suddenlink.net server used and, appears
to still be using TLS encryption for the login credentials and
this is good but something changed in the sequence of
events that constitutes a successful login since the login has
failed 100% of the time since March 14.
When it used to work, one established the session on TCP port
465 so the session was encrypted from the start. Encryption
continued until the session end so the transaction was quite
secure.
After the change, it appears that the waye the
server wants to start the session is on the traditional email
port of 25.
I've actually been able to use the swaks utility to send
a message through smtp.suddenlink.net using TLS after the initial
helo routine which is how the message you are reading got sent.
This totally bypasses what exim4 is doing and successfully starts
the message on it's way but that's a total Jake-leg way to do
things so I would like to be able to just send the message
normally, of course.
After the helo on port 25, swaks enables starttls and the
rest is obscured so only the bad guys really know what happened
and when but it does work.
The folks in far-off call centers at Suddenlink state
that it works fine with Outlook. I'm sure it does and they never
heard of exim so it's a dialog of the deaf as far as useful
details that might help script the authentication such that it
works again via exim.
Here is a wireshark trace of the successful sending of a
test message via swaks. The fact that it is successful proves
that there is nothing wrong with any of the login credentials
such as user ID and password. The Cname record resolves
smtp.suddenlink.net.
smtp.suddenlink.net CNAME smtp.mx-altice.prod.cloud.synchronoss.net
A 208.180.40.68 90 26.529173517 192.168.1.1 ? 192.168.1.64 DNS
212 Standard query response 0xcaa2 AAAA smtp.suddenlink.net CNAME
smtp.mx-altice.prod.cloud.synchronoss.net SOA ns-124.awsdns-15.com
Now here it all starts on P25.
192.168.1.64 ? 208.180.40.68 TCP 74 50518 ? 25
SMTP 247 S: 250-omta02.suddenlink.net | 250-HELP | 250-XREMOTEQUEUE |
250-ETRN | 250-AUTH=LOGIN PLAIN | 250-AUTH LOGIN PLAIN | 250-PIPELINING
| 250-DSN | 250-8BITMIME | 250-SIZE 52428800 | 250 STARTTLS 117
33.774814356 192.168.1.64 ? 208.180.40.68 SMTP 78 C: AUTH LOGIN 118
The next appears to be encrypted traffic and then it's
all in the clear again.
208.180.40.68 ? 192.168.1.64 SMTP 97 S: 235 Authentication successful
126 33.845629021 192.168.1.64 ? 208.180.40.68 SMTP 103 C: MAIL
FROM:<martin.m@suddenlink.net> 127 33.865203950 208.180.40.68 ?
One can read the message sent and responses from
smtp.suddenlink.net which were picked up by wireshark so only the
authentication is encrypted unless I am misreading the capture.
I can't change how it is done but exim needs to duplicate
this behavior in order to send messages out through it again.
I telnetted in to smtp.suddenlink.net on Port 25 and
tried to glean some ideas from what's there but this little gem
from one attempt says it all:
$ telnet smtp.suddenlink.net 25
Trying 208.180.40.68...
Connected to smtp.mx-altice.prod.cloud.synchronoss.net.
Escape character is '^]'.
220 omta03.suddenlink.net ESMTP server (InterMail vM.8.04.03.22.02 201-2389-100-169-20190213) ready Thu, 5 May 2022 07:48:47 -0500
helo martim.n
250 omta03.suddenlink.net
help login
214 No help information for 'LOGI'
help
214-This SMTP server is a part of the Email Mx E-mail system. For
214-information about Email Mx, please see http://www.owmessaging.com
I did just that, preparing to be enlightened to blinding
brilliance but the documentation appeared to be in some foreign
language I did not recognize much less know. The no-help continues:
214-
214- Supported commands:
214-
214- EHLO HELO MAIL RCPT DATA
214- VRFY RSET NOOP QUIT
help help
214-Usage: HELP [command]
214-
214-Without an argument, the HELP command lists all of the supported
214-SMTP commands. If a command is specified, then help about that
214 specific command is given (but you figured it out yourself :-)
Yup. I was roaring with laughter by this time. As a
smarthost, it's more like a smart-a--ed host but that's unkind, I
know.
What's needed is a modular approach to these things so
programs like exim can continue to do well and those of us who
appreciate all the hard work to create them can monitor and
script logins similar to what we do with expect and kermit,
(Remember that way of scripting logins and repetitive
activities?)
I don't think it's very broken, here, but I haven't got a
clue as to how to use exim's configuration capabilities to get
that same behavior with exim4 that I saw with swaks.
A good perl or python script should plug in to exim's
logic to make it possible to script and monitor authentication
and take care of that while exim can do the smtp activities as it
always has.
Any and all constructive ideas are much appreciated.
Since email is becoming more complex, my long-range plan
is to stop using smtp.suddenlink.net due to the opaqueness factor
and select another email provider which I know about who is run
by folks who actually know and care how it works. The
organization I retired from has such a mailer but I will need to
use thunderbird for that one due to it's use of multifactor
authentication but it's just down the street from where I live
for all practical purposes and the people one talks to live right
here also.
A modular authentication helper would be a tremendous
force multiplier since security issues have made things much more
complex then they were and a form of scripting similar to expect
should reduce the amount of head-banging necessary to solve minor
changes in authentication that totally stop the show right now.
At this time, I can still use fetchmail to retrieve
messages from pop and imap servers at suddenlink.net. I just
can't easily send anything out through this same address and must
use an icloud.com account.
Thanks to all.
Martin McCormick