1 (edited by ghaecker 2015-06-25 17:39:43)

Topic: SMTP authentication fails from application server

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.2
- Linux/BSD distribution name and version: RHEL 6.6
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? SQL-2.1.2
- Related log if you're reporting an issue: ???
====

The reason we set up an iRedMail server is so that the accounts defined on it could be used to send application notices to our customers and to their third parties.

1. We set up iRedMail accounts for our customers.
2. Our application originates notices to our customers and to our customers' third-party recipients.
3. Web application server, via local postfix, makes TLS connection to iRedMail server.
4. Over this TLS connection, our server presents login credentials for one of our customers' iRedMail accounts.
5. After successful authentication, the iRedMail account is used to send/relay the notice to our customer or our customer's third party recipient via the authenticated iRedMail account.

Question 1: How do we get this to succeed from our application server?

Question 2: How do we limit which servers (two) can relay messages through iRedMail accounts on our mail server?

Currently, our attempts to complete proof-of-concept test messages have all failed to authenticate.  The TLS connection is successful, but a password command failure results even when the correct username and password are provided.

Here's a typical dialog:

2015-06-25 09:04:23    SERVER -> CLIENT: 220 dev.securimate.com ESMTP Postfix
2015-06-25 09:04:23    CLIENT -> SERVER: EHLO 703672-ma.securimate.com
2015-06-25 09:04:23    SERVER -> CLIENT: 250-dev.securimate.com
                                         250-PIPELINING
                                         250-SIZE 10240000
                                         250-VRFY
                                         250-ETRN
                                         250-STARTTLS
                                         250-AUTH LOGIN PLAIN
                                         250-ENHANCEDSTATUSCODES
                                         250-8BITMIME
                                         250 DSN
2015-06-25 09:04:23    CLIENT -> SERVER: STARTTLS
2015-06-25 09:04:23    SERVER -> CLIENT: 220 2.0.0 Ready to start TLS
2015-06-25 09:04:23    CLIENT -> SERVER: EHLO 703672-ma.securimate.com
2015-06-25 09:04:23    SERVER -> CLIENT: 250-dev.securimate.com
                                         250-PIPELINING
                                         250-SIZE 10240000
                                         250-VRFY
                                         250-ETRN
                                         250-AUTH LOGIN PLAIN
                                         250-ENHANCEDSTATUSCODES
                                         250-8BITMIME
                                         250 DSN
2015-06-25 09:04:23    CLIENT -> SERVER: AUTH LOGIN
2015-06-25 09:04:23    SERVER -> CLIENT: 334 VXNlcm5hbWU6
2015-06-25 09:04:23    CLIENT -> SERVER: *** CONFIRMED base64 encoded username ***
2015-06-25 09:04:23    SERVER -> CLIENT: 334 UGFzc3dvcmQ6
2015-06-25 09:04:23    CLIENT -> SERVER: *** CONFIRMED base64 encoded password ***
2015-06-25 09:04:25    SERVER -> CLIENT: 535 5.7.8 Error: authentication failed: authentication failure
2015-06-25 09:04:25    SMTP ERROR: Password command failed: 535 5.7.8 Error: authentication failed: authentication failure
2015-06-25 09:04:25    CLIENT -> SERVER: QUIT
2015-06-25 09:04:25    SERVER -> CLIENT: 221 2.0.0 Bye
2015-06-25 09:04:25    SMTP connect() failed.


2

Re: SMTP authentication fails from application server

Looks like you provided an incorrectly encoded username/password. You can try to set up a mail client application (e.g. Thunderbird) with the correct username/password for testing.

3

Re: SMTP authentication fails from application server

I don't see how configuring Thunderbird will help solve our problem, but I'll do it anyway.  The problem with the above dialog was using AUTH LOGIN instead of AUTH PLAIN.  I've corrected that as shown by the following dialog.

2015-06-26 00:34:01    SERVER -> CLIENT: 220 dev.securimate.com ESMTP Postfix
2015-06-26 00:34:01    CLIENT -> SERVER: EHLO 703672-ma.securimate.com
2015-06-26 00:34:01    SERVER -> CLIENT: 250-dev.securimate.com
                                         250-PIPELINING
                                         250-SIZE 10240000
                                         250-VRFY
                                         250-ETRN
                                         250-STARTTLS
                                         250-AUTH PLAIN
                                         250-ENHANCEDSTATUSCODES
                                         250-8BITMIME
                                         250 DSN
2015-06-26 00:34:01    CLIENT -> SERVER: STARTTLS
2015-06-26 00:34:01    SERVER -> CLIENT: 220 2.0.0 Ready to start TLS
2015-06-26 00:34:01    CLIENT -> SERVER: EHLO 703672-ma.securimate.com
2015-06-26 00:34:01    SERVER -> CLIENT: 250-dev.securimate.com
                                         250-PIPELINING
                                         250-SIZE 10240000
                                         250-VRFY
                                         250-ETRN
                                         250-AUTH PLAIN
                                         250-ENHANCEDSTATUSCODES
                                         250-8BITMIME
                                         250 DSN
2015-06-26 00:34:01    CLIENT -> SERVER: AUTH PLAIN
2015-06-26 00:34:01    SERVER -> CLIENT: 334
2015-06-26 00:34:01    CLIENT -> SERVER: *** CONFIRMED base64 encoded UsernamePassword ***
2015-06-26 00:34:06    SERVER -> CLIENT: 535 5.7.8 Error: authentication failed:
2015-06-26 00:34:06    SMTP ERROR: User & Password command failed: 535 5.7.8 Error: authentication failed:
2015-06-26 00:34:06    CLIENT -> SERVER: QUIT
2015-06-26 00:34:06    SERVER -> CLIENT: 221 2.0.0 Bye
2015-06-26 00:34:06    SMTP connect() failed.

I decoded the username and password from the dialog and used the results to log in to the account on the iRedMail server.  Methodology PLAIN is the only methodology defined in dovecot on the iRedMail server, and postfix is configured to call on dovecot for account authentication.  The "User & Password command" failure is happening on the iRedMail server.  I feel I'm very close to having this work the way it should.  Can you tell me what log file(s) to look in for more details about the authentication failure or other parts that could be keeping it from working?  maillog and dovecot.log offer no help.  My conclusion that the authentication command failure is happening on the iRedMail server is based on the timestamps in the dialog.  They are UTC, the time zone of the iRedMail server.  Our dev server is American/Chicago time zone.

I'll report back on the Thunderbird experiment.
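For readers checking the encoding questioned in this exchange, the following is an added example, not code from any poster or from iRedMail. It builds the AUTH LOGIN and AUTH PLAIN payloads, decodes the `334` challenges seen in the dialog, and flags the two usual encoding mistakes; the function names and the sample credentials `user`/`pass` are assumptions made for illustration.

```python
import base64

def b64(text: str) -> str:
    """Base64-encode a UTF-8 string the way SMTP AUTH expects."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")

def auth_login_responses(user: str, password: str):
    """AUTH LOGIN: username and password are sent as two separate blobs."""
    return b64(user), b64(password)

def auth_plain_response(user: str, password: str, authzid: str = "") -> str:
    """AUTH PLAIN (RFC 4616): authzid NUL authcid NUL passwd, as one blob."""
    return b64(f"{authzid}\0{user}\0{password}")

def decode_challenge(line: str) -> str:
    """Decode a '334 <base64>' server challenge such as '334 VXNlcm5hbWU6'."""
    code, _, payload = line.partition(" ")
    if code != "334":
        raise ValueError("not a 334 challenge")
    return base64.b64decode(payload, validate=True).decode("utf-8")

def diagnose_plain(blob: str):
    """Return a list of problems found in an AUTH PLAIN blob (empty if none)."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return ["not valid base64"]
    problems = []
    parts = raw.split(b"\0")
    if len(parts) != 3:
        problems.append(f"expected 2 NUL separators, found {len(parts) - 1}")
    if any(p != p.strip() for p in parts):
        problems.append("whitespace around a field (often a trailing newline)")
    return problems

if __name__ == "__main__":
    # Constructed sample credentials, not values from the thread.
    print(decode_challenge("334 VXNlcm5hbWU6"), decode_challenge("334 UGFzc3dvcmQ6"))
    print(auth_login_responses("user", "pass"))
    print(auth_plain_response("user", "pass"))
    print(diagnose_plain(b64("userpass")))
```

Run `diagnose_plain` only on test credentials: base64 is an encoding, not encryption, so any blob pasted into a ticket or log discloses the password.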

4

Re: SMTP authentication fails from application server

ghaecker wrote:

I don't see how configuring Thunderbird will help solve our problem

Well, IMO, it helps a lot. It helps avoid mistakes like an improperly encoded username/password, and in your testing, the encoded username/password is the key.

5 (edited by ghaecker 2015-06-26 11:52:44)

Re: SMTP authentication fails from application server

And if I get that working in Tbird, can we see how it's done?

6

Re: SMTP authentication fails from application server

ghaecker wrote:

And if I get that working in Tbird, can we see how it's done?

If Thunderbird works with the same username/password, that means there's something during your testing with pure IMAP commands. We'd better avoid possible human mistakes like improperly encoded usernames/passwords and let mature software (like Thunderbird) do it.

By the way, we have tutorials to help you set up mail clients:
http://www.iredmail.org/docs/index.html … plications

iRedMail enables port 587 with STARTTLS/TLS for users (or your applications) to send email; you should use it.
If your application doesn't support STARTTLS/TLS, you can follow this tutorial to enable deprecated SMTPS (port 465) with SSL support:
http://www.iredmail.org/docs/enable.smtps.html

7

Re: SMTP authentication fails from application server

Ok, I have it working in Tbird.  imap port 143, smtp port 587, STARTTLS, plain password

In Tbird I have 3 identities

1. Company email (ms exchange)
2. Personal email (gmail)
3. IRedMail Test email (iredmail)

The test iredmail acct is playing well with the gmail and exchange accounts, both ways from Tbird and both ways from the iredmail web mail.  They're all imap.

Still no joy from the dev server to the iredmail server via smtp.
Dev server is also using postfix for MTA.
If I attempt to connect from dev server over port 587 I get "connection refused".

What's next, please?

8

Re: SMTP authentication fails from application server

I logged the SMTP dialog from sending two emails from Thunderbird.  Both servers suppressed the encoding for username and password.  I'm still stuck with the same authentication failure from the dev server.

9

Re: SMTP authentication fails from application server

If Thunderbird works fine, that means iRedMail is working as expected.
I'm not quite sure how you test with "dev server". If you use standard port + correct username/password, it should work fine.

10

Re: SMTP authentication fails from application server

The issue has been resolved.  Thank you.

11

Re: SMTP authentication fails from application server

Would you mind sharing how you solved this issue?

12

Re: SMTP authentication fails from application server

I don't mind, but to be honest, I tried and changed so many things I doubt I remember everything.
Here's what I do remember.

1. Cisco firewall.  Enabled all relevant ports for the dev server and the iredmail server.
2. iredmail server: postfix/main.cf.  If I remember correctly, everything was already set up for smtpd and dovecot sasl auth.
3. iredmail server: postfix/master.cf.  Uncommented the submission and smtps sections.
4. iredmail server: dovecot/dovecot.conf.  Add LOGIN to auth_mechanisms, although PLAIN is now working, too, from the dev server. So, this is unnecessary.
5. dev server:  Figured out which phpMailer properties to set.  The most significant failing was not understanding there is a Host and Hostname property.  Hostname is for the connection to the iredmail server. Host is for the smtp on the iredmail server.

Here's what finally worked for me:

$mailer = new PhpMailer();
$mailer->Mailer = 'smtp';
$mailer->XMailer = ' ';  // whitespace for none
// $mailer->do_verp = true; // variable envelope return path NOT SUPPORTED
// leave default Timeout(300)  and Timelimit (30) alone for smtp
$mailer->Hostname = $server; // hostname of iredmail server
$mailer->Port = $port;  // 587
$mailer->Host = $smtp; // from dev server, this is also hostname of iredmail server
$mailer->Username = $user; // iredmail user account username
$mailer->Password = $pass; // iredmail user account password
$mailer->SMTPAuth = true;
$mailer->SMTPSecure = $proto; // tls
$mailer->AuthType = 'LOGIN';  // PLAIN works, too, if added to dovecot mechanisms
$mailer->SMTPDebug = 2; // during development only
$mailer->addAddress('recipient@example.com', 'Recipient Name');
$mailer->addCC('someone@another.com', 'Another Recipient');
$mailer->Encoding = 'base64';
$mailer->CharSet = 'utf-8';
$mailer->Subject = 'Test from notification mail server';
$mailer->Body = 'This message is testing a faux application notification via SMTP from Development';
$mailer->Sender = ''; // setFrom won't set Sender if it isn't empty
$mailer->setFrom('iredmail-account-email', 'iredmail-account-name'); // placeholders: the account's address and display name; also sets Sender by default
$mailer->Send();

13

Re: SMTP authentication fails from application server

ghaecker wrote:

3. iredmail server: postfix/master.cf.  Uncommented the submission and smtps sections.

Submission is enabled by iRedMail by default, but smtps isn't.

ghaecker wrote:

4. iredmail server: dovecot/dovecot.conf.  Add LOGIN to auth_mechanisms, although PLAIN is now working, too, from the dev server. So, this is unnecessary.

Both 'PLAIN' and 'LOGIN' are enabled by default. Note: iRedMail configures dovecot to force secure connection with TLS, so you must use PLAIN with TLS, otherwise it doesn't work.
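Because PLAIN and LOGIN carry the password as reversible base64, a debug dialog in the format posted earlier in this thread can be checked for where AUTH appears relative to STARTTLS. This is an added example, not code from any poster or from iRedMail; `audit_dialog`, the sample dialog and its host names are constructed for illustration.

```python
import re

# Matches the debug lines in the format shown in this thread.
LINE = re.compile(r"^\S+ \S+\s+(SERVER -> CLIENT|CLIENT -> SERVER): ?(.*)$")

# Constructed sample dialog (hypothetical host names), not a capture from the thread.
SAMPLE = """\
2015-01-01 00:00:00    SERVER -> CLIENT: 220 mail.example.test ESMTP Postfix
2015-01-01 00:00:00    CLIENT -> SERVER: EHLO app.example.test
2015-01-01 00:00:00    SERVER -> CLIENT: 250-mail.example.test
                                         250-STARTTLS
                                         250-AUTH LOGIN PLAIN
                                         250 DSN
2015-01-01 00:00:00    CLIENT -> SERVER: STARTTLS
2015-01-01 00:00:00    SERVER -> CLIENT: 220 2.0.0 Ready to start TLS
2015-01-01 00:00:00    CLIENT -> SERVER: EHLO app.example.test
2015-01-01 00:00:00    SERVER -> CLIENT: 250-mail.example.test
                                         250-AUTH LOGIN PLAIN
                                         250 DSN
2015-01-01 00:00:00    CLIENT -> SERVER: AUTH LOGIN
"""

def audit_dialog(text):
    """Report where AUTH appears relative to the STARTTLS upgrade."""
    found = {"tls_negotiated": False,
             "auth_advertised_before_tls": False,
             "auth_sent_before_tls": False}
    direction, pending = None, False
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            direction, payload = m.group(1), m.group(2).strip()
        elif direction and raw[:1].isspace() and raw.strip():
            payload = raw.strip()          # continuation of a multi-line reply
        else:
            continue                       # e.g. "SMTP ERROR:" summary lines
        if direction == "CLIENT -> SERVER":
            verb = payload.upper()
            pending = verb == "STARTTLS"   # wait for the server's 220
            if verb.startswith("AUTH") and not found["tls_negotiated"]:
                found["auth_sent_before_tls"] = True
        else:
            if pending and payload.startswith("220"):
                found["tls_negotiated"] = True
            elif re.match(r"250[- ]AUTH\b", payload) and not found["tls_negotiated"]:
                found["auth_advertised_before_tls"] = True
            pending = False
    return found
```

On the Postfix side, `smtpd_tls_auth_only = yes` stops AUTH from being announced or accepted before the TLS upgrade, which clears the `auth_advertised_before_tls` finding.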