
Mailing List Archive: exim: users

smarthost login failing

 

 



paul at woolsack

Apr 9, 2012, 9:26 AM

Post #1 of 4 (1012 views)
smarthost login failing

thanks - it's now trying to send through the smtp hosts

but it's trying and failing. The lookups for auth_name and auth_pass
(as defined in the authenticator section) from the command line are
returning the correct values. It's trying to connect to the remote SMTP
server but I think the authentication is failing


2012-04-09 16:30:24 [27645] 1SHGXw-0007Bt-2e <= mxxxxx [at] gmail
H=twelve-m266.local [192.168.2.5]:38529 I=[192.168.2.20]:25 P=esmtp
S=582 id=4F83008F.6010404 [at] gmail T="test7" from <mxxxx [at] gmail> for
pxxxxx [at] xxx
2012-04-09 16:30:24 [27645] SMTP connection from twelve-m266.local
[192.168.2.5]:38529 I=[192.168.2.20]:25 closed by QUIT
2012-04-09 16:30:24 [27646] cwd=/var/spool/exim4 3 args: /usr/sbin/exim4
-Mc 1SHGXw-0007Bt-2e
2012-04-09 16:30:25 [27646] 1SHGXw-0007Bt-2e **pxxxxx [at] xxx
F=<mxxx [at] gmail> P=<mxxx [at] gmail> R=smarthost_auto T=remote_smtp:
SMTP error from remote mail server after MAIL FROM:<mxxxxxo [at] gmail>
SIZE=1621: host gmail-smtp-msa.l.google.com [173.194.78.108]: 530-5.5.1
Authentication Required. Learn more at\n530 5.5.1
http://support.google.com/mail/bin/answer.py?answer=14257 ca3sm22329641wib.6
2012-04-09 16:30:25 [27648] cwd=/var/spool/exim4 7 args: /usr/sbin/exim4
-t -oem -oi -f <> -E1SHGXw-0007Bt-2e
2012-04-09 16:30:25 [27648] 1SHGXx-0007Bw-Jn <= <> R=1SHGXw-0007Bt-2e
U=Debian-exim P=local S=1641 T="Mail delivery failed: returning message
to sender" from <> for mxxxx [at] gmail
2012-04-09 16:30:25 [27649] cwd=/var/spool/exim4 3 args: /usr/sbin/exim4
-Mc 1SHGXx-0007Bw-Jn
2012-04-09 16:30:25 [27646] 1SHGXw-0007Bt-2e Completed QT=1s


root [at] server:/etc/exim4# exim -Mvl 1SHFho-00076u-4p
2012-04-09 15:36:32 Received from paul [at] isp H=twelve-m266.local
[192.168.2.5]:38205 I=[192.168.2.20]:25 P=esmtp S=592
id=4F82F3EF.4000304 [at] isp T="test5"
2012-04-09 15:39:17 Remote host isp.org [91.xx.xx.x] closed connection
in response to initial connection


root [at] server:/etc/exim4# grep 'begin routers' -A 400 /etc/exim4/exim4.conf
begin routers

smarthost_auto:
debug_print ="T. auto_route remote_smtp for $local_part@$domain from
$sender_address "
self = send
condition =
${extract{smarthost}{${lookup{$sender_address}wildlsearch*@{/etc/exim4/smarthosts}{$value}fail}}}
driver = manualroute
transport = remote_smtp
route_list = *
"${extract{smarthost}{${lookup{$sender_address}wildlsearch{/etc/exim4/smarthosts}{$value}fail}}}"
domains = ! +local_domains

by_route:
debug_print ="T. remote_smtp for $local_part@$domain"
driver = manualroute
domains = ! +local_domains
transport =by_relay
route_list = * smtp.blueyonder.co.uk

real_user:
driver = accept
check_local_user
transport = local_delivery
cannot_route_message = Unknown user

system_aliases:
driver = redirect
allow_fail
allow_defer
data = ${lookup{$local_part}lsearch{/etc/aliases}}
file_transport = address_file
pipe_transport = address_pipe

userforward:
driver = redirect
check_local_user
file = $home/.forward
no_verify
no_expn
check_ancestor
file_transport = address_file
pipe_transport = address_pipe
reply_transport = address_reply



##################TRANSPORTS#################
begin transports

remote_smtp:
debug_print = "T: remote_smtp for $local_part@$domain and $host_address"
driver = smtp
tls_certificate = /etc/exim4/exim.crt
tls_privatekey = /etc/exim4/exim.key
hosts_require_auth = smtp.gmail.com::587 gmail-smtp.l.google.com::587
mail.isp.org::465
hosts_require_tls = smtp.gmail.com::587 gmail-smtp.l.google.com::587
mail.isp.org::465



by_relay :
driver = smtp
port = 25


local_delivery:
driver = appendfile
directory = $home/Maildir
maildir_format
maildir_use_size_file
delivery_date_add
envelope_to_add
return_path_add

address_pipe:
driver = pipe
return_output

address_file:
driver = appendfile
delivery_date_add
envelope_to_add
return_path_add

address_reply:
driver = autoreply

begin retry
* * F,2h,15m; G,16h,1h,1.5; F,4d,6h

begin rewrite

begin authenticators

login:
driver = plaintext
public_name=LOGIN
client_send = :
"${extract{auth_name}{${lookup{$sender_address}wildlsearch{/etc/exim4/smarthosts}{$value}fail}}}"
:
"${extract{auth_pass}{${lookup{$sender_address}wildlsearch{/etc/exim4/smarthosts}{$value}fail}}}"

root [at] server:/etc/exim4#



On 09/04/12 02:27, Phil Pennock wrote:
> On 2012-04-07 at 17:19 +0100, p cooper wrote:
>> :~# cat /etc/exim4/smarthosts
>> @isp.org: smarthost=mail.isp.org::465 auth_name=me [at] isp=xxxxx
>> @gmail.com: smarthost=smtp.gmail.com::587 auth_name=xxxx [at] gmail
>> auth_pass=xxxx
>>
>> root [at] server:~#
>> but emails sent from the remote client isp.org are routed through my
>> default smarthost ( defined separately )
>>
>> I don't think the lookup is working
>>
>> ~# exim -be
>> '${extract{smarthost}{${lookup{isp.org}wildlsearch{/etc/exim4/smarthosts}{$value}fail}}}'
>> Failed: "lookup" failed and "fail" requested
>> root [at] server:~#
> You want the keys in /etc/exim4/smarthosts to be *@isp.org with the "*"
> at the beginning, and the lookup type to be "wildlsearch*@" instead of
> "wildlsearch".
>
> There are more possibilities. See "9.3 Single-key lookup types" and
> "9.6 Default values in single-key lookups".
>
> -Phil
>

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


exim-users at spodhuis

Apr 9, 2012, 5:32 PM

Post #2 of 4 (985 views)
Re: smarthost login failing

On 2012-04-09 at 17:26 +0100, p cooper wrote:
> thanks - it's now trying to send through the smtp hosts
>
> but it's trying and failing. The lookups for auth_name and auth_pass
> (as defined in the authenticator section) from the command line are
> returning the correct values. It's trying to connect to the remote SMTP
> server but I think the authentication is failing

You have "hosts_require_auth" on the transport, but it's set only for
submission/smtps ports; here, you're connecting on port 25.

I would:
* use "address_data = ${the wildlsearch stuff}" on the Router
* use a Transport which, if it can ${extract...} a "usercode" field
from $address_data, tries connecting to port 587 (or even a port
field extracted from $address_data)
* use "hosts_require_auth = *" on the Transport triggered for this
authenticated connection
* avoid port numbers in hosts_require_auth, it takes hostnames only
* add "client_condition = ${if def:tls_cipher}" to your login
authenticator, to ensure you don't send credentials over cleartext
(even if server identity is still not verified, you're at least
protected against passive attacks)

-Phil



pdcooper at blueyonder

Apr 16, 2012, 10:32 AM

Post #3 of 4 (970 views)
Re: smarthost login failing

this is way outside my comfort zone :-0

I've set up a test version on my local machine and when I send from a
client

2012-04-16 18:15:59 [4252] SMTP connection from [::1]:51631 I=[::1]:25
(TCP/IP connection count = 1)
2012-04-16 18:16:00 [4259] 1SJpWy-00016h-Ow <= paul [at] woolsack
H=twelve-m266 [::1]:51631 I=[::1]:25 P=esmtp S=541
id=1334596559.3882.1 [at] twelve-M26 T="test" from <me [at] isp> for
pxxxx [at] yahoo
2012-04-16 18:16:00 [4259] SMTP connection from twelve-m266 [::1]:51631
I=[::1]:25 closed by QUIT
2012-04-16 18:16:00 [4262] cwd=/var/spool/exim4 3 args: /usr/sbin/exim4
-Mc 1SJpWy-00016h-Ow
2012-04-16 18:16:02 [4262] 1SJpWy-00016h-Ow == pxxxx [at] yahoo
R=smarthost_auto T=remote_smtp defer (-53): retry time not reached for
any host
2012-04-16 18:16:26 [4379] cwd=/home/mars 2 args: exim -bp
2012-04-16 18:16:36 [4380] cwd=/home/mars 3 args: exim -M 1SJpWy-00016h-Ow
2012-04-16 18:19:22 [4381] 1SJpWy-00016h-Ow Remote host isp.org
xx.xx.xx.xx] closed connection in response to initial connection
2012-04-16 18:19:22 [4380] 1SJpWy-00016h-Ow == pdc124 [at] yahoo
R=smarthost_auto T=remote_smtp defer (-18): Remote host isp.org
[xx.xx.xx.xx] closed connection in response to initial connection

How can I debug this from my end?
Do I need to tell the authenticator to encrypt the username/password it
retrieves from the lookup?

thanks for any pointers


I've added a port variable to the data file and can look it up
exim -be
'${extract{port}{${lookup{me [at] isp}wildlsearch{/etc/exim4/smarthosts}{$value}fail}}}'
465



config is now

begin routers

smarthost_auto:
debug_print ="T. auto_route remote_smtp for $local_part@$domain from
$sender_address "
self = send
condition =
${extract{smarthost}{${lookup{$sender_address}wildlsearch*@{/etc/exim4/smarthosts}{$v
alue}fail}}}
driver = manualroute
transport = remote_smtp
route_list = *
"${extract{smarthost}{${lookup{$sender_address}wildlsearch{/etc/exim4/smarthosts}
{$value}fail}}}"
domains = ! +local_domains


begin transports

remote_smtp:
debug_print = "T: remote_smtp for $local_part@$domain and $host_address"
driver = smtp
tls_certificate = /etc/exim4/exim.crt
tls_privatekey = /etc/exim4/exim.key
hosts_require_auth = *
port =
${extract{port}{${lookup{me [at] isp}wildlsearch{/etc/exim4/smarthosts}{$value}fail}}}

begin authenticators

login:
driver = plaintext
public_name=LOGIN
client_send = :
"${extract{auth_name}{${lookup{$sender_address}wildlsearch{/etc/exim4/smarthosts}{$value}fail}}}"
:
"${extract{auth_pass}{${lookup{$sender_address}wildlsearch{/etc/exim4/smarthosts}{$value}fail}}}"





On 10/04/12 01:32, Phil Pennock wrote:
> On 2012-04-09 at 17:26 +0100, p cooper wrote:
>> thanks - it's now trying to send through the smtp hosts
>>
>> but it's trying and failing. The lookups for auth_name and auth_pass
>> (as defined in the authenticator section) from the command line are
>> returning the correct values. It's trying to connect to the remote SMTP
>> server but I think the authentication is failing
> You have "hosts_require_auth" on the transport, but it's set only for
> submission/smtps ports; here, you're connecting on port 25.
>
> I would:
> * use "address_data = ${the wildlsearch stuff}" on the Router
> * use a Transport which, if it can ${extract...} a "usercode" field
> from $address_data, tries connecting to port 587 (or even a port
> field extracted from $address_data)
> * use "hosts_require_auth = *" on the Transport triggered for this
> authenticated connection
> * avoid port numbers in hosts_require_auth, it takes hostnames only
> * add "client_condition = ${if def:tls_cipher}" to your login
> authenticator, to ensure you don't send credentials over cleartext
> (even if server identity is still not verified, you're at least
> protected against passive attacks)
>
> -Phil
>



exim-users at spodhuis

Apr 16, 2012, 6:07 PM

Post #4 of 4 (965 views)
Re: smarthost login failing

On 2012-04-16 at 18:32 +0100, paul cooper wrote:
> I've set up a test version on my local machine and when I send from a
> client

Not enough data visible. In the main section of your configuration,
add:

log_selector = +outgoing_port

(or amend the existing rule if you already set log_selector).

> begin routers
>
> smarthost_auto:
> debug_print ="T. auto_route remote_smtp for $local_part@$domain from
> $sender_address "
> self = send
> condition =
> ${extract{smarthost}{${lookup{$sender_address}wildlsearch*@{/etc/exim4/smarthosts}{$v
> alue}fail}}}
> driver = manualroute
> transport = remote_smtp
> route_list = *
> "${extract{smarthost}{${lookup{$sender_address}wildlsearch{/etc/exim4/smarthosts}
> {$value}fail}}}"
> domains = ! +local_domains

The route_list lookup is still "wildlsearch", not "wildlsearch*@".

(You might also use route_data instead of route_list, and drop the
leading "*", so that you're just saying "everything goes to this
destination I give here").

If you add:
address_data = ${lookup{$sender_address}wildlsearch*@{/etc/exim4/smarthosts}{$value}fail}

to the Router, then in Transports (and Authenticators and later Routers)
you can reference "$address_data" instead of that lookup, and cut down
on the potential for mistakes (plus some efficiency benefits, deriving
in part from how Exim caches lookup results).

> begin transports
>
> remote_smtp:
> debug_print = "T: remote_smtp for $local_part@$domain and $host_address"
> driver = smtp
> tls_certificate = /etc/exim4/exim.crt
> tls_privatekey = /etc/exim4/exim.key
> hosts_require_auth = *
> port =
> ${extract{port}{${lookup{me [at] isp}wildlsearch{/etc/exim4/smarthosts}{$value}fail}}}

Again, you omit "*@" from the end of "wildlsearch*@". Also, you're now
specifying "me [at] isp" instead of "$sender_address".

If you use address_data, then you can write this, which also provides a
default port, while being much easier to read:

port = ${extract{port}{$address_data}{$value}{25}}

> begin authenticators
>
> login:
> driver = plaintext
> public_name=LOGIN
> client_send = :
> "${extract{auth_name}{${lookup{$sender_address}wildlsearch{/etc/exim4/smarthosts}{$value}fail}}}"
> :
> "${extract{auth_pass}{${lookup{$sender_address}wildlsearch{/etc/exim4/smarthosts}{$value}fail}}}"

Same missing "*@" here.

client_send = : \
${extract{auth_name}{$address_data}{$value}fail} : \
${extract{auth_pass}{$address_data}{$value}fail}

Again, by using address_data, you confine all of the lookups to the
Router which set that, keeping everything in one place and making it
easier to do things like change the source of the data, spot missing
modifiers on the lookup type, etc.

-Phil
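
The suggestions from posts #2 and #4, assembled into one configuration fragment. This is an added example, not part of the thread and not any poster's own configuration; the transport name remote_smtp_auth, the .example hosts and the credentials in the sample data file are assumptions made for illustration.

```exim
# /etc/exim4/smarthosts (constructed sample; hosts and credentials are placeholders)
#   *@isp.example:  smarthost=mail.isp.example  port=587 auth_name=me@isp.example  auth_pass=PLACEHOLDER
#   *@mail.example: smarthost=smtp.mail.example port=587 auth_name=me@mail.example auth_pass=PLACEHOLDER
# The file holds cleartext passwords: keep it readable only by root and
# the Exim runtime group.

# Main section: log the port used for each outbound connection.
log_selector = +outgoing_port

begin routers

smarthost_auto:
  driver = manualroute
  domains = ! +local_domains
  # The only lookup in the whole configuration. A forced "fail" makes the
  # router decline, so senders without an entry fall through to the next
  # router instead of being sent somewhere unauthenticated by accident.
  address_data = ${lookup{$sender_address}wildlsearch*@{/etc/exim4/smarthosts}{$value}fail}
  route_data = ${extract{smarthost}{$address_data}}
  transport = remote_smtp_auth

begin transports

remote_smtp_auth:
  driver = smtp
  # Port from the data file; 587 is the default chosen for this example.
  # An implicit-TLS port such as 465 additionally needs "protocol = smtps".
  port = ${extract{port}{$address_data}{$value}{587}}
  # Host names only here, no port numbers.
  hosts_require_tls = *
  hosts_require_auth = *

begin authenticators

login:
  driver = plaintext
  public_name = LOGIN
  # Offer credentials only once the connection is encrypted.
  client_condition = ${if def:tls_cipher}
  client_send = : \
    ${extract{auth_name}{$address_data}{$value}fail} : \
    ${extract{auth_pass}{$address_data}{$value}fail}
```

With hosts_require_tls and hosts_require_auth both set to "*" on a transport used only by this router, a smarthost that offers neither STARTTLS nor AUTH produces a deferral rather than an unauthenticated or cleartext delivery attempt.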
