Mailing List Archive

Exim4 smarthost troubles
Hello,

I am having trouble getting exim to authenticate to a SMTP relay.  I
have made the appropriate entry in passwd.client as per the manual, but
am using the wildcard (*) considering the reverse DN lookup
implications.  I have configured the appropriate smarthost options.  I
have followed all of the configuration guides I can find, yet exim still
refuses to authenticate to my SMTP relay.  The SMTP relay keeps coming
back with an authentication error.  I have even tried using exim -v
<email address> and followed through with the FROM and SUBJECT.  I can
see the communication between my server and the SMTP relay and do not
see any authentication being sent, yielding the "Please authenticate
first." error message.  I am using Ubuntu 22.04 and Exim 4.95.  Can
anyone offer any suggestions as to what I might be doing wrong?

Eric Kingston



--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Exim4 smarthost troubles
On Mon, Feb 19, 2024 at 04:51:30PM -0700, Eric Kingston via Exim-users wrote:

> I am having trouble getting exim to authenticate to a SMTP relay. I
> have made the appropriate entry in passwd.client as per the manual,
> but am using the wildcard (*) considering the reverse DN lookup
> implications. I have configured the appropriate smarthost options.
> I have followed all of the configuration guides I can find, yet exim
> still refuses to authenticate to my SMTP relay. The SMTP relay
> keeps coming back with an authentication error. I have even tried
> using exim -v <email address> and followed through with the FROM and
> SUBJECT. I can see the communication between my server and the SMTP
> relay and do not see any authentication being sent, yielding the
> "Please authenticate first." error message. I am using Ubuntu 22.04
> and Exim 4.95. Can anyone offer any suggestions as to what I might
> be doing wrong?

Looks like client_condition on the authenticators is not satisfied?

This is often or even traditionally configured as

${if def:tls_out_cipher}

which leads me to suspect your connection to the relay is plaintext
contrary to your expectation.

BTW, the passwd.client file is specific to the Debian style of
configuration. It may benefit you to read the upstream Exim doc to see
how the Debian and upstream mechanisms relate.

--
Ian

Re: Exim4 smarthost troubles
I should have asked what auth mechanisms you see in the relay EHLO
response? A good way to test this (or any issue with SMTP
communication in fact) is with the swaks tool.

--
Ian

Re: Exim4 smarthost troubles
Hello Ian,

Thank you for your reply.

I get the following from the exim mainlog....

2024-02-22 18:32:54.272 [42047] 1rdKQn-000AwA-Mt ** ericnk321@gmail.com
F=<noal@noalmusic.com> P=<noal@noalmusic.com> R=smarthost
T=remote_smtp_smarthost H=smtp-relay.brevo.com [1.179.119.1]:587
I=[10.32.0.41]:33824
X=TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_128_GCM:128 CV=yes
DN="CN=*.brevo.com": SMTP error from remote mail server after pipelined
end of data: 502 5.7.0 Please authenticate first DT=0.240s

Below is a communication log directly from the command-line....

exim -v ericnk321@gmail.com
From: noal@noalmusic.com
Subject:  SMTP Relay test
This is a test of a SMTP relay.
LOG: MAIN
  <= root@noalmusic.com U=root P=local S=356 M8S=0 RT=23s
id*=E1rdKtc-000BJx-3F@mail.noalmusic.com
root@mail:/etc/exim4# delivering 1rdKtc-000BJx-3F
R: smarthost for ericnk321@gmail.com
T: remote_smtp_smarthost for ericnk321@gmail.com
Transport port=25 replaced by host-specific port=587
Connecting to smtp-relay.brevo.com [1.179.119.1]:587 ...  TFO mode
sendto, no data: EINPROGRESS
 connected
  SMTP<< 220 smtp-relay.brevo.com ESMTP Service Ready
  SMTP>> EHLO mail.noalmusic.com
  SMTP<< 250-Hello mail.noalmusic.com
         250-PIPELINING
         250-8BITMIME
         250-ENHANCEDSTATUSCODES
         250-CHUNKING
         250-STARTTLS
         250-AUTH PLAIN LOGIN CRAM-MD5
         250 SIZE 20971520
  SMTP>> STARTTLS
  SMTP<< 220 2.0.0 Ready to start TLS
  SMTP>> EHLO mail.noalmusic.com
  SMTP<< 250-Hello mail.noalmusic.com
         250-PIPELINING
         250-8BITMIME
         250-ENHANCEDSTATUSCODES
         250-CHUNKING
         250-AUTH CRAM-MD5 PLAIN LOGIN
         250 SIZE 20971520
  SMTP|> MAIL FROM:<root@noalmusic.com> SIZE=1390
  SMTP|> RCPT TO:<ericnk321@gmail.com>
         will write message using CHUNKING
  SMTP+> BDAT 367 LAST
  SMTP>> QUIT
  SMTP<< 502 5.7.0 Please authenticate first
  SMTP<< 502 5.5.1 Missing MAIL FROM command.
  SMTP<< 502 5.5.1 Missing RCPT TO command.
  SMTP(close)>>
LOG: MAIN
  ** ericnk321@gmail.com F=<root@noalmusic.com> P=<root@noalmusic.com>
R=smarthost T=remote_smtp_smarthost H=smtp-relay.brevo.com
[1.179.119.1]:587 I=[10.32.0.41]:52460
X=TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_128_GCM:128 CV=yes
DN="CN=*.brevo.com": SMTP error from remote mail server after pipelined
end of data: 502 5.7.0 Please authenticate first DT=0.253s
LOG: MAIN
  <= <> R=1rdKtc-000BJx-3F U=Debian-exim P=local S=1849 M8S=0 RT=0.019s
id*=E1rdKu0-000BK1-Eg@mail.noalmusic.com


It looks like the authentication methods are CRAM-MD5 PLAIN LOGIN.  Any
ideas?


On 2/21/2024 9:33 PM, Ian Z via Exim-users wrote:
> I should have asked what auth mechanisms you see in the relay EHLO
> response? A good way to test this (or any issue with SMTP
> communication in fact) is with the swaks tool.
>

Re: Exim4 smarthost troubles
On 2024-02-23 Eric Kingston via Exim-users <exim-users@lists.exim.org> wrote:
[...]
> Below is a communication log directly from the command-line....

> exim -v ericnk321@gmail.com
[...]

echo blah | /usr/sbin/exim -d+all ericnk321@gmail.com

should give you a lot more information on where things go wrong;
especially why exim is not authenticating to the remote.

Please be super careful when sharing this, triplechecking it for passwd
and such (even in base64 encoded data).

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
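
The warning about base64 above matters because AUTH PLAIN packs user and password into one encoded blob, so searching a debug log for the password, or for the password's own base64, misses it. The following check is an added example, not part of the thread: it decodes every base64-looking token and searches the decoded bytes. The credentials, the AUTH and 235 lines, and the function names are constructed for illustration.

```python
import base64
import binascii
import re

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")

def _decode(token):
    """Best-effort base64 decode of a candidate token; b'' if it fails."""
    body = token.rstrip("=")
    if len(body) % 4 == 1:          # impossible length: drop the stray character
        body = body[:-1]
    try:
        return base64.b64decode(body + "=" * (-len(body) % 4))
    except (binascii.Error, ValueError):
        return b""

def find_secret_leaks(log_text, secrets):
    """Return (line_number, kind) for each line exposing one of `secrets`."""
    needles = [s.encode() for s in secrets if s]
    hits = []
    for number, line in enumerate(log_text.splitlines(), 1):
        if any(n in line.encode() for n in needles):
            hits.append((number, "plaintext"))
        elif any(n in _decode(t) for t in B64_TOKEN.findall(line) for n in needles):
            hits.append((number, "base64"))
    return hits

# Constructed credentials and debug lines (not taken from the thread).
USER, PASSWORD = "relayuser", "S3cr3t-Example"
AUTH_PLAIN = base64.b64encode(f"\0{USER}\0{PASSWORD}".encode()).decode()
SAMPLE_DEBUG = "\n".join([
    "16:48:51.076 57957 1.179.119.1 in hosts_try_auth? no (end of list)",
    f"16:48:51.080 57957   ??????result: ^{USER}^{PASSWORD}",
    f"16:48:51.081 57957   SMTP>> AUTH PLAIN {AUTH_PLAIN}",
    "16:48:51.090 57957   SMTP<< 235 2.0.0 Authentication successful",
])

if __name__ == "__main__":
    for number, kind in find_secret_leaks(SAMPLE_DEBUG, [PASSWORD]):
        print(f"line {number}: secret visible as {kind}")
```

A token that is wrapped across lines or glued to other alphanumeric text is not decoded by this check, so a clean result does not replace reading the output before posting it.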

Re: Exim4 smarthost troubles
On Thu, Feb 22, 2024 at 07:15:48PM -0700, Eric Kingston via Exim-users wrote:

> It looks like the authentication methods are CRAM-MD5 PLAIN
> LOGIN. Any ideas?

I'll only be able to help further if you provide the native Exim
configuration file, which (IIRC) Debian generates somewhere under
/var. It is OK to obscure identifying data, of course. But if you'd
like to discuss this in terms of the Debian meta-configuration,
I suggest taking it to debian-user.

It definitely looks like the client_condition in your authentication
config is not being satisfied, because the server offers
authentication and the session is TLS encrypted.

Meanwhile I got a private reply suggesting to adjust your transport
from remote_smtp to remote_smtp_smarthost, but it doesn't seem to
apply to your situation, maybe because you have already done that?

--
Ian

Re: Exim4 smarthost troubles
Hello Ian,

I appreciate any help you can offer.  My OS is the Debian variant
Ubuntu.  For exim4 on Ubuntu, there is a configuration file
(update-exim4.conf.conf) in which I specify the smart host.  From this,
a script (update-exim4.conf) auto generates the configuration file
(config.autogenerated) located in /var/lib/exim4 that I have attached to
this email.  In addition, I have included an excerpt from exim debug
output that may be relevant to the problem ...

16:48:51.076 57957 1.179.119.1 in hosts_require_auth? no (option unset)
16:48:51.076 57957  ?considering: <; ${if exists{passwd.client}
{${lookup{$host}nwildlsearch{/etc/exim4/passwd.client}{$host_address}}}{} }
16:48:51.076 57957   ?considering: passwd.client}
{${lookup{$host}nwildlsearch{/etc/exim4/passwd.client}{$host_address}}}{} }
16:48:51.076 57957   ???expanding: passwd.client
16:48:51.076 57957   ??????result: passwd.client
16:48:51.076 57957  ???condition: exists{passwd.client}
16:48:51.076 57957  ??????result: false
16:48:51.076 57957   ????scanning:
${lookup{$host}nwildlsearch{/etc/exim4/passwd.client}{$host_address}}}{} }
16:48:51.076 57957    ????scanning:
$host}nwildlsearch{/etc/exim4/passwd.client}{$host_address}}}{} }
16:48:51.076 57957    ???expanding: $host
16:48:51.076 57957    ??????result:
16:48:51.076 57957    ????skipping: result is not used
16:48:51.076 57957    ????scanning:
/etc/exim4/passwd.client}{$host_address}}}{} }
16:48:51.076 57957    ???expanding: /etc/exim4/passwd.client
16:48:51.076 57957    ??????result: /etc/exim4/passwd.client
16:48:51.076 57957    ????skipping: result is not used
16:48:51.076 57957    ????scanning: $host_address}}}{} }
16:48:51.076 57957    ???expanding: $host_address
16:48:51.076 57957    ??????result:
16:48:51.076 57957    ????skipping: result is not used
16:48:51.076 57957   ???expanding:
${lookup{$host}nwildlsearch{/etc/exim4/passwd.client}{$host_address}}
16:48:51.076 57957   ??????result:
16:48:51.076 57957   ????skipping: result is not used
16:48:51.076 57957   ?considering: } }
16:48:51.076 57957   ???expanding:
16:48:51.076 57957   ??????result:
16:48:51.076 57957  ???expanding: <; ${if exists{passwd.client}
{${lookup{$host}nwildlsearch{/etc/exim4/passwd.client}{$host_address}}}{} }
16:48:51.076 57957  ??????result: <;
16:48:51.076 57957 1.179.119.1 in hosts_try_auth? no (end of list)

It seems that the check if passwd.client exists may be failing...

16:48:51.076 57957  ???condition: exists{passwd.client}
16:48:51.076 57957  ??????result: false


But the path it lists is correct and the file does exist....

16:48:51.076 57957  ?considering: <; ${if exists{passwd.client}
{${lookup{$host}nwildlsearch{/etc/exim4/passwd.client}{$host_address}}}{} }
16:48:51.076 57957   ?considering: passwd.client}
{${lookup{$host}nwildlsearch{/etc/exim4/passwd.client}{$host_address}}}{} }


Also, the smart host router is being used....

16:48:50.845 57956 routed by smarthost router
16:48:50.845 57956   envelope to: ericnk321@gmail.com
16:48:50.845 57956   transport: remote_smtp_smarthost
16:48:50.845 57956   host smtp-relay.brevo.com [1.179.119.1] port=587

Again, thanks for your help.


On 2/23/2024 10:27 AM, Ian Z via Exim-users wrote:
> On Thu, Feb 22, 2024 at 07:15:48PM -0700, Eric Kingston via Exim-users wrote:
>
>> It looks like the authentication methods are CRAM-MD5 PLAIN
>> LOGIN. Any ideas?
> I'll only be able to help further if you provide the native Exim
> configuration file, which (IIRC) Debian generates somewhere under
> /var. It is OK to obscure identifying data, of course. But if you'd
> like to discuss this in terms of the Debian meta-configuration,
> I suggest taking it to debian-user.
>
> It definitely looks like the client_condition in your authentication
> config is not being satisfied, because the server offers
> authentication and the session is TLS encrypted.
>
> Meanwhile I got a private reply suggesting to adjust your transport
> from remote_smtp to remote_smtp_smarthost, but it doesn't seem to
> apply to your situation, maybe because you have already done that?
>
Re: Exim4 smarthost troubles
Good morning,

On 2024-02-24 Eric Kingston via Exim-users <exim-users@lists.exim.org> wrote:
[...]
> 16:48:51.076 57957  ?considering: <; ${if exists{passwd.client}
[...]
> 16:48:51.076 57957  ???condition: exists{passwd.client}
> 16:48:51.076 57957  ??????result: false
[...]
> It seems that the check if passwd.client exists may be failing...

> 16:48:51.076 57957  ???condition: exists{passwd.client}
> 16:48:51.076 57957  ??????result: false

exactly.

> But the path it lists is correct and the file does exist....

It tests for "exists{passwd.client}" instead of
"exists{/etc/exim4/passwd.client}" i.e. it will search in the current
working directory instead of below /etc.

[...]
> remote_smtp_smarthost:
> debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
> driver = smtp
> multi_domain
> hosts_try_auth = <; ${if exists{passwd.client} \
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> {\
> ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$host_address}}\
^^^^^^^^^^^^^^^^^^^^^

Note the difference.

cu Andreas
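
The mismatch pointed out above can be caught before a delivery fails silently without AUTH. The following is an added example, not part of the thread and not Exim or Debian code: a Python check that flags exists{...} tests whose path is still relative after macro substitution. The sample configuration, the transport name remote_smtp_fixed and the function name are constructed; macro handling is simplified to plain NAME = value definitions replaced longest name first.

```python
import re

# Exim macro names start with an upper-case letter; option names do not.
MACRO_DEF = re.compile(r"^([A-Z][A-Za-z0-9_]*)\s*=\s*(.*)$")
INSTANCE = re.compile(r"^([A-Za-z0-9_]+):$")        # router/transport name line
EXISTS_ARG = re.compile(r"\bexists\s*\{([^{}]*)\}")

# Constructed sample: the first transport mirrors the thread, the second
# (hypothetical name) tests the same path that the lookup reads.
SAMPLE_CONFIG = r"""
CONFDIR = /etc/exim4

remote_smtp_smarthost:
  driver = smtp
  hosts_try_auth = <; ${if exists{passwd.client} \
        {${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$host_address}}}\
        {} }

remote_smtp_fixed:
  driver = smtp
  hosts_try_auth = <; ${if exists{CONFDIR/passwd.client} \
        {${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$host_address}}}\
        {} }
"""

def relative_exists_checks(config_text):
    """Return (instance, option, path) for exists{} tests on a relative path."""
    joined = re.sub(r"\\[ \t]*\n[ \t]*", "", config_text)  # merge continuations
    macros, findings, instance = {}, [], "main"
    for line in map(str.strip, joined.splitlines()):
        if not line or line.startswith("#"):
            continue
        definition = MACRO_DEF.match(line)
        if definition:
            macros[definition.group(1)] = definition.group(2).strip()
            continue
        named = INSTANCE.match(line)
        if named:
            instance = named.group(1)
            continue
        option = line.split("=", 1)[0].strip()
        for arg in EXISTS_ARG.findall(line):
            path = arg.strip()
            for name in sorted(macros, key=len, reverse=True):
                path = path.replace(name, macros[name])
            # "$..." is a runtime variable and cannot be judged statically.
            if not path.startswith(("/", "$")):
                findings.append((instance, option, arg.strip()))
    return findings
```

On the sample it reports only the hosts_try_auth of remote_smtp_smarthost, the option whose expansion came back as an empty host list in the debug output quoted in the thread.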
