
SASL vs. M$ Outlook and Outlook Express

  • Tom Kovar
    Message 1 of 25 , Jan 1, 2007
      Hi community,
      I have been using Postfix successfully for a good year now, and I
      have extended it with SASL, using dovecot, with MySQL in the background
      for all authentications. Everything seems to be working fine: when I
      send the SMTP commands manually, authentication is successful and
      sending e-mail works according to the rules.
      Not so from Micro$oft clients, where I always get "Relay access denied".
      Inspecting the Postfix syslog, after enabling debug, reveals the source
      of the problem - even if I enable the "SMTP server requires
      authentication" check box in these clients, they still do not send the
      SMTP AUTH message. The sequence of SMTP messages is
      EHLO
      MAIL FROM:
      RCPT TO:
      and this inevitably leads to the failure.

      Can anybody tell me what the problem with M$ might be?

      Thanks, and happy new year,
      --- Tom
    • Magnus Bäck
      Message 2 of 25 , Jan 1, 2007
        On Monday, January 01, 2007 at 13:34 CET,
        Tom Kovar <postfix_list@...> wrote:

        > I have been using Postfix successfully for a good year now, and I
        > have extended it with SASL, using dovecot, with MySQL in the background
        > for all authentications. Everything seems to be working fine: when I
        > send the SMTP commands manually, authentication is successful and
        > sending e-mail works according to the rules.
        > Not so from Micro$oft clients, where I always get "Relay access denied".
        > Inspecting the Postfix syslog, after enabling debug, reveals the source
        > of the problem - even if I enable the "SMTP server requires
        > authentication" check box in these clients, they still do not send the
        > SMTP AUTH message. The sequence of SMTP messages is
        > EHLO
        > MAIL FROM:
        > RCPT TO:
        > and this inevitably leads to the failure.
        >
        > Can anybody tell me what the problem with M$ might be?

        Perhaps you're forgetting this:
        http://www.postfix.org/postconf.5.html#broken_sasl_auth_clients

        --
        Magnus Bäck
        magnus@...
      • Tom Kovar
        Message 3 of 25 , Jan 1, 2007
          Would be too nice... No, I am not forgetting it - and also in the log
          file I see my server sending both 250 messages in reply to EHLO - the
          one with = and the one without...

          -----Original Message-----
          From: owner-postfix-users@...
          [mailto:owner-postfix-users@...] On Behalf Of Magnus Bäck
          Sent: Monday, January 01, 2007 1:42 PM
          To: postfix-users@...
          Subject: Re: SASL vs. M$ Outlook and Outlook Express


          On Monday, January 01, 2007 at 13:34 CET,
          Tom Kovar <postfix_list@...> wrote:

          > I have been using Postfix successfully for a good year now, and I
          > have extended it with SASL, using dovecot, with MySQL in the background
          > for all authentications. Everything seems to be working fine: when I
          > send the SMTP commands manually, authentication is successful and
          > sending e-mail works according to the rules.
          > Not so from Micro$oft clients, where I always get "Relay access denied".
          > Inspecting the Postfix syslog, after enabling debug, reveals the source
          > of the problem - even if I enable the "SMTP server requires
          > authentication" check box in these clients, they still do not send the
          > SMTP AUTH message. The sequence of SMTP messages is
          > EHLO
          > MAIL FROM:
          > RCPT TO:
          > and this inevitably leads to the failure.
          >
          > Can anybody tell me what the problem with M$ might be?

          Perhaps you're forgetting this:
          http://www.postfix.org/postconf.5.html#broken_sasl_auth_clients

          --
          Magnus Bäck
          magnus@...
        • Tom Kovar
          Message 4 of 25 , Jan 1, 2007
            Maybe a good idea to send the info on my config and the relevant parts
            of the log file:

            From main.cf:
            mynetworks = 192.168.0.0/24, 127.0.0.0/8

            smtpd_sasl_auth_enable = yes
            smtpd_recipient_restrictions = permit_mynetworks
            permit_sasl_authenticated reject_unauth_destination
            smtpd_sasl_authenticated_header = yes
            broken_sasl_auth_clients = yes
            smtpd_sasl_type = dovecot
            smtpd_sasl_path = private/auth
            debug_peer_list = 194.212.102.169

            And the relevant parts of the log file (skipping the address parsing and
            rewriting info) in attachment.

            Thanks again,
            --- Tom



            -----Original Message-----
            From: owner-postfix-users@...
            [mailto:owner-postfix-users@...] On Behalf Of Magnus Bäck
            Sent: Monday, January 01, 2007 1:42 PM
            To: postfix-users@...
            Subject: Re: SASL vs. M$ Outlook and Outlook Express


            On Monday, January 01, 2007 at 13:34 CET,
            Tom Kovar <postfix_list@...> wrote:

            > I have been using Postfix successfully for a good year now, and I
            > have extended it with SASL, using dovecot, with MySQL in the background
            > for all authentications. Everything seems to be working fine: when I
            > send the SMTP commands manually, authentication is successful and
            > sending e-mail works according to the rules.
            > Not so from Micro$oft clients, where I always get "Relay access denied".
            > Inspecting the Postfix syslog, after enabling debug, reveals the source
            > of the problem - even if I enable the "SMTP server requires
            > authentication" check box in these clients, they still do not send the
            > SMTP AUTH message. The sequence of SMTP messages is
            > EHLO
            > MAIL FROM:
            > RCPT TO:
            > and this inevitably leads to the failure.
            >
            > Can anybody tell me what the problem with M$ might be?

            Perhaps you're forgetting this:
            http://www.postfix.org/postconf.5.html#broken_sasl_auth_clients

            --
            Magnus Bäck
            magnus@...
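To make the "Relay access denied" result concrete, here is an added illustration (my own code, not Postfix source and not from anyone in this thread) that models how Postfix walks the smtpd_recipient_restrictions list from Tom's main.cf for a single RCPT TO. The mynetworks value, the restriction order and the debug_peer_list address are the ones posted above; the local-domain set, the client addresses and the recipient addresses are constructed for the example, and the reply text is a shortened form of the real Postfix rejection.

```python
"""Model of how Postfix walks smtpd_recipient_restrictions for one RCPT TO.

Added illustration for this thread, not Postfix source: each restriction is
tried in the order listed in main.cf, the first one that returns a verdict
decides, and a restriction that returns nothing (Postfix's DUNNO) hands over
to the next one.
"""
import ipaddress
from dataclasses import dataclass

# Values taken from the main.cf posted earlier in this thread.
MYNETWORKS = ["192.168.0.0/24", "127.0.0.0/8"]
RESTRICTIONS = [
    "permit_mynetworks",
    "permit_sasl_authenticated",
    "reject_unauth_destination",
]

# Constructed stand-in for mydestination / relay_domains, which were not posted.
LOCAL_DOMAINS = {"kovarovi.org"}

# Shortened form of the real Postfix reply, which also echoes the recipient.
RELAY_DENIED = "554 5.7.1 Relay access denied"


@dataclass
class Session:
    """What smtpd knows about the client when RCPT TO arrives."""
    client_ip: str
    sasl_authenticated: bool   # True only after a successful AUTH command
    recipient: str


def permit_mynetworks(s: Session):
    addr = ipaddress.ip_address(s.client_ip)
    if any(addr in ipaddress.ip_network(net) for net in MYNETWORKS):
        return "OK"
    return None  # DUNNO: not our decision, try the next restriction


def permit_sasl_authenticated(s: Session):
    return "OK" if s.sasl_authenticated else None


def reject_unauth_destination(s: Session):
    domain = s.recipient.rpartition("@")[2].lower()
    if domain in LOCAL_DOMAINS:
        return None  # mail for our own domains is never relaying
    return RELAY_DENIED


HANDLERS = {
    "permit_mynetworks": permit_mynetworks,
    "permit_sasl_authenticated": permit_sasl_authenticated,
    "reject_unauth_destination": reject_unauth_destination,
}


def evaluate(s: Session, restrictions=RESTRICTIONS):
    """Return (restriction that decided, verdict) for one RCPT TO."""
    for name in restrictions:
        verdict = HANDLERS[name](s)
        if verdict is not None:
            return name, verdict
    # Postfix permits when the list is exhausted without a verdict.
    return "end_of_list", "OK"


if __name__ == "__main__":
    # Tom's Outlook client: it arrives from the NAT firewall's external address
    # (the debug_peer_list entry), outside mynetworks, and never sends AUTH.
    outlook = Session("194.212.102.169", False, "someone@example.com")
    print(evaluate(outlook))            # decided by reject_unauth_destination
    # The same client after a successful AUTH PLAIN / AUTH LOGIN.
    print(evaluate(Session("194.212.102.169", True, "someone@example.com")))
    # A client on the LAN is exempted by permit_mynetworks without AUTH.
    print(evaluate(Session("192.168.0.10", False, "someone@example.com")))
```

The walk shows why server-side SASL settings alone cannot fix the symptom: a client outside mynetworks that never issues AUTH falls through permit_mynetworks and permit_sasl_authenticated and reaches reject_unauth_destination on every external recipient, exactly the EHLO / MAIL FROM / RCPT TO sequence Tom sees in his log.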
          • Rene van Hoek
            Message 5 of 25 , Jan 1, 2007
              Tom Kovar wrote:
              >
              > -----Original Message-----
              > From: owner-postfix-users@...
              > [mailto:owner-postfix-users@...] On Behalf Of Magnus Bäck
              > Sent: Monday, January 01, 2007 1:42 PM
              > To: postfix-users@...
              > Subject: Re: SASL vs. M$ Outlook and Outlook Express
              >
              >
              > On Monday, January 01, 2007 at 13:34 CET,
              > Tom Kovar <postfix_list@...> wrote:
              >
              >> I have been using Postfix successfully for a good year now, and I
              >> have extended it with SASL, using dovecot, with MySQL in the background
              >> for all authentications. Everything seems to be working fine: when I
              >> send the SMTP commands manually, authentication is successful and
              >> sending e-mail works according to the rules.
              >> Not so from Micro$oft clients, where I always get "Relay access denied".
              >> Inspecting the Postfix syslog, after enabling debug, reveals the source
              >> of the problem - even if I enable the "SMTP server requires
              >> authentication" check box in these clients, they still do not send the
              >> SMTP AUTH message. The sequence of SMTP messages is
              >> EHLO
              >> MAIL FROM:
              >> RCPT TO:
              >> and this inevitably leads to the failure.
              >>
              >> Can anybody tell me what the problem with M$ might be?
              >
              > Perhaps you're forgetting this:
              > http://www.postfix.org/postconf.5.html#broken_sasl_auth_clients
              >

              > Would be too nice... No, I am not forgetting it - and also in the log
              > file I see my server sending both 250 messages in reply to EHLO - the
              > one with = and the one without...


              Hi,

              I am also using Postfix as MTA and have a lot of users with Microsoft
              Outlook / Outlook Express. I require all my users to authenticate in
              order to relay (with SASL). No problem so far.

              Do you require TLS? Otherwise, in Outlook you must specify that the
              password is sent in clear text. Check also this kind of settings.


              Did you reboot your Windows PCs? When one of our customers has a
              'strange' problem (settings are ok, everything worked before) and the
              customer is using Windows, we always advise a reboot. This solves the
              problem in 9 of 10 cases.

              Greetings,

              rene at active8 nl
            • Rene van Hoek
              Message 6 of 25 , Jan 1, 2007
                Tom Kovar wrote:
                > Maybe a good idea to send the info on my config and the relevant parts
                > of the log file:
                >
                > From main.cf:
                > mynetworks = 192.168.0.0/24, 127.0.0.0/8
                >
                > smtpd_sasl_auth_enable = yes
                > smtpd_recipient_restrictions = permit_mynetworks
                > permit_sasl_authenticated reject_unauth_destination
                > smtpd_sasl_authenticated_header = yes
                > broken_sasl_auth_clients = yes
                > smtpd_sasl_type = dovecot
                > smtpd_sasl_path = private/auth
                > debug_peer_list = 194.212.102.169
                >
                > And the relevant parts of the log file (skipping the address parsing and
                > rewriting info) in attachment.
                >
                > Thanks again,
                > --- Tom
                >
                I did a telnet to your machine and that seems ok:

                Leto:/Volumes renevanhoek$ telnet mail.kovarovi.org 25
                Trying 194.212.102.169...
                Connected to bimbo.kovarovi.org.
                Escape character is '^]'.
                220 mail.kovarovi.org ESMTP Postfix
                EHLO test.a8.nl
                250-mail.kovarovi.org
                250-PIPELINING
                250-SIZE 10240000
                250-VRFY
                250-ETRN
                250-AUTH PLAIN
                250-AUTH=PLAIN
                250-ENHANCEDSTATUSCODES
                250-8BITMIME
                250 DSN


                Also according to the maillog, the client doesn't authenticate. So the
                problem is, as far as I can see, with the configuration of the client.

                As a test, did you try for yourself to relay mail through your MTA with
                Windows and Outlook? In this way you can rule out (or confirm) client
                configuration mistakes.

                Otherwise refer your client to Microsoft Support ;-)

                Greetings,

                rene at active8 nl
              • Michael Wang
                Message 7 of 25 , Jan 1, 2007
                  Rene van Hoek wrote:
                  > I did a telnet to your machine and that seems ok:
                  >
                  > Leto:/Volumes renevanhoek$ telnet mail.kovarovi.org 25
                  > Trying 194.212.102.169...
                  > Connected to bimbo.kovarovi.org.
                  > Escape character is '^]'.
                  > 220 mail.kovarovi.org ESMTP Postfix
                  > EHLO test.a8.nl
                  > 250-mail.kovarovi.org
                  > 250-PIPELINING
                  > 250-SIZE 10240000
                  > 250-VRFY
                  > 250-ETRN
                  > 250-AUTH PLAIN
                  > 250-AUTH=PLAIN
                  > 250-ENHANCEDSTATUSCODES
                  > 250-8BITMIME
                  > 250 DSN

                  I don't believe Outlook handles PLAIN, I believe it needs to be LOGIN
                  (or NTLM if that's checked in the client), so try modifying your
                  dovecot.conf file and add that to the mechanisms parameter.

                  --
                  Michael Wang
                • Tony Earnshaw
                  Message 8 of 25 , Jan 1, 2007
                    Rene van Hoek wrote:


                    [...]

                    > I did a telnet to your machine and that seems ok:
                    >
                    > Leto:/Volumes renevanhoek$ telnet mail.kovarovi.org 25
                    > Trying 194.212.102.169...
                    > Connected to bimbo.kovarovi.org.
                    > Escape character is '^]'.
                    > 220 mail.kovarovi.org ESMTP Postfix
                    > EHLO test.a8.nl
                    > 250-mail.kovarovi.org
                    > 250-PIPELINING
                    > 250-SIZE 10240000
                    > 250-VRFY
                    > 250-ETRN
                    > 250-AUTH PLAIN
                    > 250-AUTH=PLAIN
                    > 250-ENHANCEDSTATUSCODES
                    > 250-8BITMIME
                    > 250 DSN
                    >
                    >
                    > Also according to the maillog, the client doesn't authenticate. So the
                    > problem is, as far as I can see, with the configuration of the client.
                    >
                    > As a test, did you try for yourself to relay mail through your MTA with
                    > Windows and Outlook? In this way you can rule out (or confirm) client
                    > configuration mistakes.

                    MS clients need AUTH LOGIN, PLAIN won't work; also it's a security
                    mistake to offer AUTH PLAIN or LOGIN without first hiding them with
                    smtpd_use_tls = yes and smtpd_tls_auth_only = yes.

                    > Otherwise refer your client to Microsoft Support ;-)

                    After OP has waited his due time and paid his due he'll get to hear the
                    same from them.

                    --Tonni

                    --
                    Tony Earnshaw
                    Email: tonni at hetnet.nl
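Rene's telnet capture, Michael's remark about LOGIN and Tony's point about offering PLAIN or LOGIN without TLS all come down to reading the EHLO reply. The following is an added example (my own code, not from Postfix, Dovecot or anyone in this thread) that parses such a reply, separates the standard "AUTH <mechanisms>" keyword from the legacy "AUTH=<mechanisms>" line that broken_sasl_auth_clients = yes adds, and reports the concerns raised here. The two real captures from the thread are reused as input; the third reply, the host mail.example.test and the finding texts are constructed to show what a server with smtpd_tls_auth_only = yes advertises before STARTTLS.

```python
"""Parse an ESMTP EHLO reply and report what it says about SMTP AUTH.

Added illustration for this thread, not Postfix or Dovecot code. It reads the
capability lines a server returns after EHLO, separates the standard
"AUTH <mechs>" keyword from the legacy "AUTH=<mechs>" line that Postfix adds
when broken_sasl_auth_clients = yes, and flags the configuration points raised
in the thread: LOGIN missing from the offer, and cleartext mechanisms advertised
on a connection that cannot be upgraded with STARTTLS.
"""
import re

# EHLO replies captured in this thread (Rene's two telnet sessions).
KOVAROVI_EHLO = """\
250-mail.kovarovi.org
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN
250-AUTH=PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

ACTIVE8_EHLO = """\
250-sem.active8.nl
250-PIPELINING
250-SIZE 26214400
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

# Constructed: the pre-STARTTLS reply of a server with smtpd_tls_auth_only = yes,
# which withholds AUTH until the session is encrypted.
TLS_ONLY_EHLO = """\
250-mail.example.test
250-PIPELINING
250-STARTTLS
250-ENHANCEDSTATUSCODES
250 DSN"""

CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}

# Finding texts (my own wording), kept as constants so callers can compare.
NO_AUTH = "no AUTH advertised in this reply"
NO_LEGACY_LINE = "no AUTH= line: broken_sasl_auth_clients is not in effect"
LEGACY_MISMATCH = "AUTH and AUTH= lines advertise different mechanisms"
NO_LOGIN = "LOGIN not offered: clients that only speak AUTH LOGIN cannot authenticate"
CLEARTEXT_NO_TLS = "PLAIN/LOGIN offered without STARTTLS: credentials cross the wire unprotected"

_CAP_LINE = re.compile(r"^250[- ](.*)$")


def parse_ehlo(reply: str) -> dict:
    """Return the AUTH mechanisms (standard and legacy form) and STARTTLS flag."""
    caps = {"mechanisms": set(), "legacy_mechanisms": set(), "starttls": False}
    for raw in reply.splitlines():
        m = _CAP_LINE.match(raw.strip())
        if not m:
            continue  # greeting, blank or non-250 line
        upper = m.group(1).strip().upper()
        if upper == "STARTTLS":
            caps["starttls"] = True
        elif upper.startswith("AUTH="):
            caps["legacy_mechanisms"].update(upper[5:].split())
        elif upper.startswith("AUTH "):
            caps["mechanisms"].update(upper[5:].split())
    return caps


def audit(caps: dict) -> list:
    """List the thread's configuration concerns that apply to a parsed reply."""
    findings = []
    offered = caps["mechanisms"]
    if not offered:
        findings.append(NO_AUTH)
    else:
        if not caps["legacy_mechanisms"]:
            findings.append(NO_LEGACY_LINE)
        elif caps["legacy_mechanisms"] != offered:
            findings.append(LEGACY_MISMATCH)
        if "LOGIN" not in offered:
            findings.append(NO_LOGIN)
    if (offered & CLEARTEXT_MECHS) and not caps["starttls"]:
        findings.append(CLEARTEXT_NO_TLS)
    return findings


if __name__ == "__main__":
    for name, reply in [("kovarovi", KOVAROVI_EHLO), ("active8", ACTIVE8_EHLO),
                        ("tls-only", TLS_ONLY_EHLO)]:
        caps = parse_ehlo(reply)
        print(name, sorted(caps["mechanisms"]), audit(caps))
```

Run against the thread's captures, the first server is reported as offering only PLAIN with no STARTTLS, the second as offering LOGIN and PLAIN but still without STARTTLS, and the constructed tls-only reply as advertising no AUTH at all before the session is encrypted, which is the behaviour smtpd_use_tls = yes with smtpd_tls_auth_only = yes produces.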
                  • Rene van Hoek
                    Message 9 of 25 , Jan 1, 2007
                      Maybe I am quite silly (I hope not :-) but I am an expressed enemy of M$
                      :-)) - I also fear to have done something wrong on the client side - but
                      what?
                       I am NOT using SSL (yet), so I have just checked the box for using
                       authentication at SMTP - and tested both "use the same setting as for
                       IMAP" and used a separate setting - the behaviour is the same in both
                       cases: no AUTH message being sent.

                      Would you know some trick that might be forgotten when configuring the
                      clients? The only thing that comes into my mind is that the client
                      somehow (??) notices that its IP address is the same as the server's (it
                      is the external address of my NAT firewall, and I am using it so that
                      the Postfix-server does not get the connection from the local LAN, which
                      uses another configuration)...

                      Thankx anyhow,
                      --- Tom

                      -----Original Message-----
                      From: owner-postfix-users@...
                      [mailto:owner-postfix-users@...] On Behalf Of Rene van Hoek
                      Sent: Monday, January 01, 2007 2:32 PM
                      To: Postfix users; Postfix users
                      Subject: Re: SASL vs. M$ Outlook and Outlook Express


                      Tom Kovar wrote:
                      > > Maybe a good idea to send the info on my config and the relevant parts
                      > > of the log file:
                      > >
                       > > From main.cf:
                      > > mynetworks = 192.168.0.0/24, 127.0.0.0/8
                      > >
                      > > smtpd_sasl_auth_enable = yes
                      > > smtpd_recipient_restrictions = permit_mynetworks
                      > > permit_sasl_authenticated reject_unauth_destination
                      > > smtpd_sasl_authenticated_header = yes
                      > > broken_sasl_auth_clients = yes
                      > > smtpd_sasl_type = dovecot
                      > > smtpd_sasl_path = private/auth
                      > > debug_peer_list = 194.212.102.169
                      > >
                       > > And the relevant parts of the log file (skipping the address parsing and
                       > > rewriting info) in attachment.
                      > >
                      > > Thanks again,
                      > > --- Tom
                      > >
                       I did a telnet to your machine and that seems ok:

                      Leto:/Volumes renevanhoek$ telnet mail.kovarovi.org 25
                      Trying 194.212.102.169...
                      Connected to bimbo.kovarovi.org.
                      Escape character is '^]'.
                      220 mail.kovarovi.org ESMTP Postfix
                      EHLO test.a8.nl
                      250-mail.kovarovi.org
                      250-PIPELINING
                      250-SIZE 10240000
                      250-VRFY
                      250-ETRN
                      250-AUTH PLAIN
                      250-AUTH=PLAIN
                      250-ENHANCEDSTATUSCODES
                      250-8BITMIME
                      250 DSN


                       Also according to the maillog, the client doesn't authenticate. So the
                       problem is, as far as I can see, with the configuration of the client.

                       As a test, did you try for yourself to relay mail through your MTA with
                       Windows and Outlook? In this way you can rule out (or confirm) client
                       configuration mistakes.

                      Otherwise refer your client to Microsoft Support ;-)

                      Greetings,

                      rene at active8 nl
                    • Tom Kovar
                      Message 10 of 25 , Jan 1, 2007
                        I have tried it with enabling PLAIN and LOGIN, nothing changed. If I
                        remove PLAIN and have only LOGIN, the Outlook client exits immediately,
                        stating that the server does not offer a mechanism supported by Outlook
                        - so this will not be the problem, either.

                        Btw., with IMAP, Outlook sends "AUTH PLAIN" without any problem...

                        --- T

                        -----Original Message-----
                        From: owner-postfix-users@...
                        [mailto:owner-postfix-users@...] On Behalf Of Michael Wang
                        Sent: Monday, January 01, 2007 2:51 PM
                        To: Postfix users
                        Subject: Re: SASL vs. M$ Outlook and Outlook Express


                        Rene van Hoek wrote:
                        > I did a telnet to your machine and that seems ok:
                        >
                        > Leto:/Volumes renevanhoek$ telnet mail.kovarovi.org 25
                        > Trying 194.212.102.169...
                        > Connected to bimbo.kovarovi.org.
                        > Escape character is '^]'.
                        > 220 mail.kovarovi.org ESMTP Postfix
                        > EHLO test.a8.nl
                        > 250-mail.kovarovi.org
                        > 250-PIPELINING
                        > 250-SIZE 10240000
                        > 250-VRFY
                        > 250-ETRN
                        > 250-AUTH PLAIN
                        > 250-AUTH=PLAIN
                        > 250-ENHANCEDSTATUSCODES
                        > 250-8BITMIME
                        > 250 DSN

                        I don't believe Outlook handles PLAIN, I believe it needs to be LOGIN
                        (or NTLM if that's checked in the client), so try modifying your
                        dovecot.conf file and add that to the mechanisms parameter.

                        --
                        Michael Wang
                      • Rene van Hoek
                        Message 11 of 25 , Jan 1, 2007
                          Michael Wang wrote:
                          > Rene van Hoek wrote:
                          >> I did a telnet to your machine and that seems ok:
                          >>
                          >> Leto:/Volumes renevanhoek$ telnet mail.kovarovi.org 25
                          >> Trying 194.212.102.169...
                          >> Connected to bimbo.kovarovi.org.
                          >> Escape character is '^]'.
                          >> 220 mail.kovarovi.org ESMTP Postfix
                          >> EHLO test.a8.nl
                          >> 250-mail.kovarovi.org
                          >> 250-PIPELINING
                          >> 250-SIZE 10240000
                          >> 250-VRFY
                          >> 250-ETRN
                          >> 250-AUTH PLAIN
                          >> 250-AUTH=PLAIN
                          >> 250-ENHANCEDSTATUSCODES
                          >> 250-8BITMIME
                          >> 250 DSN
                          >
                          > I don't believe Outlook handles PLAIN, I believe it needs to be LOGIN
                          > (or NTLM if that's checked in the client), so try modifying your
                          > dovecot.conf file and add that to the mechanisms parameter.
                          >

                          That's a good one. A telnet to my MTA:

                          Leto:/Volumes renevanhoek$ telnet mail.active8.nl 25
                          Trying 195.86.22.59...
                          Connected to mail.active8.nl.
                          Escape character is '^]'.
                          220 sem.active8.nl ESMTP Postfix
                          EHLO test
                          250-sem.active8.nl
                          250-PIPELINING
                          250-SIZE 26214400
                          250-AUTH LOGIN PLAIN
                          250-AUTH=LOGIN PLAIN
                          250-ENHANCEDSTATUSCODES
                          250-8BITMIME
                          250 DSN


                          That is AUTH LOGIN PLAIN

                          You are right, I think. There is a good chance that that is why Outlook
                          doesn't authenticate.

                          Greetings,

                          rene at active8 nl
                        • Tom Kovar
                          Message 12 of 25 , Jan 1, 2007
                            As stated in my previous mail - offering LOGIN as the authentication
                            mechanism does not change anything about the problem. Offering both PLAIN
                            and LOGIN does not change anything; offering only LOGIN leads to an
                            error message from the client that the server does not offer any mechanism
                            supported by Outlook Express. (After the initial failure with both Outlook
                            and O.Express, I continue testing only with Express now.)

                            So frankly I do not believe that Outlook Express really supports the LOGIN
                            mechanism...

                            As to TLS - I am aware that it is not quite the best way from a
                            security perspective, but I do implement things stepwise. After I have
                            tested everything on open sockets, I will introduce SSL. For a short
                            time I do not see it as such an issue.

                            Rgds,
                            --- Tom

                            -----Original Message-----
                            From: owner-postfix-users@...
                            [mailto:owner-postfix-users@...] On Behalf Of Tony Earnshaw
                            Sent: Monday, January 01, 2007 2:52 PM
                            To: Postfix users
                            Subject: Re: SASL vs. M$ Outlook and Outlook Express


                            Rene van Hoek wrote:


                            [...]

                            > I did a telnet to your machine and that seems ok:
                            >
                            > Leto:/Volumes renevanhoek$ telnet mail.kovarovi.org 25
                            > Trying 194.212.102.169...
                            > Connected to bimbo.kovarovi.org.
                            > Escape character is '^]'.
                            > 220 mail.kovarovi.org ESMTP Postfix
                            > EHLO test.a8.nl
                            > 250-mail.kovarovi.org
                            > 250-PIPELINING
                            > 250-SIZE 10240000
                            > 250-VRFY
                            > 250-ETRN
                            > 250-AUTH PLAIN
                            > 250-AUTH=PLAIN
                            > 250-ENHANCEDSTATUSCODES
                            > 250-8BITMIME
                            > 250 DSN
                            >
                            >
                            > Also according to the maillog, the client doesn't authenticate. So the
                            > problem is, as far as I can see, with the configuration of the client.
                            >
                            > As a test, did you try for yourself to relay mail through your MTA with
                            > Windows and Outlook? In this way you can rule out (or confirm) client
                            > configuration mistakes.

                            MS clients need AUTH LOGIN, PLAIN won't work; also it's a security
                            mistake to offer AUTH PLAIN or LOGIN without first hiding them with
                            smtpd_use_tls = yes and smtpd_tls_auth_only = yes.

                            > Otherwise refer your client to Microsoft Support ;-)

                            After OP has waited his due time and paid his due he'll get to hear the
                            same from them.

                            --Tonni

                            --
                            Tony Earnshaw
                            Email: tonni at hetnet.nl
                          • Rene van Hoek
                            Message 13 of 25 , Jan 1, 2007
                              Tom Kovar wrote:
                              >
                              > --- T
                              >
                              > -----Original Message-----
                              > From: owner-postfix-users@...
                              > [mailto:owner-postfix-users@...] On Behalf Of Michael Wang
                              > Sent: Monday, January 01, 2007 2:51 PM
                              > To: Postfix users
                              > Subject: Re: SASL vs. M$ Outlook and Outlook Express
                              >
                              >
                              > Rene van Hoek wrote:
                              >> I did a telnet to your machine and that seems ok:
                              >>
                              >> Leto:/Volumes renevanhoek$ telnet mail.kovarovi.org 25
                              >> Trying 194.212.102.169...
                              >> Connected to bimbo.kovarovi.org.
                              >> Escape character is '^]'.
                              >> 220 mail.kovarovi.org ESMTP Postfix
                              >> EHLO test.a8.nl
                              >> 250-mail.kovarovi.org
                              >> 250-PIPELINING
                              >> 250-SIZE 10240000
                              >> 250-VRFY
                              >> 250-ETRN
                              >> 250-AUTH PLAIN
                              >> 250-AUTH=PLAIN
                              >> 250-ENHANCEDSTATUSCODES
                              >> 250-8BITMIME
                              >> 250 DSN
                              >
                              > I don't believe Outlook handles PLAIN, I believe it needs to be LOGIN
                              > (or NTLM if that's checked in the client), so try modifying your
                              > dovecot.conf file and add that to the mechanisms parameter.
                              >

                              > I have tried it with enabling PLAIN and LOGIN, nothing changed. If I
                              > remove PLAIN and have only LOGIN, the Outlook client exits immediately,
                              > stating that the server does not offer a mechanism supported by Outlook
                              > - so this will not be the problem, either.
                              >
                              > Btw., with IMAP, Outlook sends "AUTH PLAIN" without any problem...


We advise our customers to configure Outlook in the following way (the texts
are in Dutch, but the screenshots should be clear):

                              http://support.active8.nl/index.srf?pkn=file_id&pkv=27&lang_id=360


I have a Windows machine near me. If you can send me a test account, I
would be happy to test whether I can authenticate with your MTA. I assume you
don't have a Windows machine currently available?

                              By the way, please don't top-post. It makes this thread harder to follow.

                              Greetings,

                              rene at active8 nl
                            • mouss
Message 14 of 25, Jan 1, 2007
                                Tom Kovar wrote:
                                > I have tried it with enabling PLAIN and LOGIN, nothing changed. If I
                                > remove PLAIN and have only LOGIN, the Outlook client exits immediately,
                                > stating that the server does not offer a mechanism supported by Outlook
                                > - so this will not be the problem, either.
                                >


                                - enable both PLAIN and LOGIN
                                - telnet to your postfix and see what it offers (forward the result here)
                                - post the output of 'postconf -n'
                                - try sending mail with outlook. post the corresponding logs

                                > Btw., with IMAP, Outlook sends "AUTH PLAIN" without any problem...
                                >

                                This is unrelated. IMAP != ESMTP.
                              • Tony Earnshaw
Message 15 of 25, Jan 1, 2007
                                  Tom Kovar wrote:

                                  > I have tried it with enabling PLAIN and LOGIN, nothing changed. If I
                                  > remove PLAIN and have only LOGIN, the Outlook client exits immediately,
                                  > stating that the server does not offer a mechanism supported by Outlook
                                  > - so this will not be the problem, either.

                                  Oh yes, it is. We have MS Outlook Express and Outlook clients and they
                                  connect without problems. Do two things:

                                  1: telnet mail.barlaeus.nl 25
                                  ehlo mydomain.net

                                  See what it says.

                                  2: openssl s_client -starttls smtp -connect mail.barlaeus.nl:25

                                  See what it says.

                                  You need the "AUTH=LOGIN" for the MS client to recognize it. You
                                  therefore need broken_sasl_auth_clients = yes in main.cf.

                                  > Btw., with IMAP, Outlook sends "AUTH PLAIN" without any problem...

                                  What the bleeding heck does that have to do with the price of fish?

                                  --Tonni

                                  --
                                  Tony Earnshaw
                                  Email: tonni at hetnet.nl
                                • Rene van Hoek
Message 16 of 25, Jan 1, 2007
                                    Tony Earnshaw wrote:
                                    > Rene van Hoek wrote:
                                    >
                                    >
                                    > [...]
                                    >
                                    >> I did an telnet to your machine and that seems ok:
                                    >>
                                    >> Leto:/Volumes renevanhoek$ telnet mail.kovarovi.org 25
                                    >> Trying 194.212.102.169...
                                    >> Connected to bimbo.kovarovi.org.
                                    >> Escape character is '^]'.
                                    >> 220 mail.kovarovi.org ESMTP Postfix
                                    >> EHLO test.a8.nl
                                    >> 250-mail.kovarovi.org
                                    >> 250-PIPELINING
                                    >> 250-SIZE 10240000
                                    >> 250-VRFY
                                    >> 250-ETRN
                                    >> 250-AUTH PLAIN
                                    >> 250-AUTH=PLAIN
                                    >> 250-ENHANCEDSTATUSCODES
                                    >> 250-8BITMIME
                                    >> 250 DSN
                                    >>
                                    >>
                                    >> Also according to the maillog, the client don't authenticate. So the
                                    >> problem is as far as I can see with the configuration of the client.
                                    >>
                                    >> As an test, did you try for yourself to relay mail through your mta
                                    >> with Windows and Outlook? In this way you can rule-out (or confirm)
                                    >> client configuration mistakes.
                                    >
                                    > MS clients need AUTH LOGIN, PLAIN won't work; also it's a security
                                    > mistake to offer AUTH PLAIN or LOGIN without first hiding them with
                                    > smtpd_use_tls = yes and smtpd_tls_auth_only = yes.
                                    >

I am aware that in my configuration, usernames and passwords are sent in
clear text. That is a security risk, I am aware.

On the other hand, I have to deal with a lot of customers who already find it
difficult to configure their e-mail client in the simplest form.

                                    I had to balance these two issues and therefore came up with this
                                    solution for our situation. Don't worry, we don't experience any
                                    security issues and we monitor our logs closely for unwanted relaying.


                                    >> Otherwise refer your client to Microsoft Support ;-)
                                    >
                                    > After OP has waited his due time and paid his due he'll get to hear the
                                    > same from them.

                                    I know, it was also a joke.

                                    >
                                    > --Tonni
                                    >

                                    Greetings,

                                    Rene at active8 nl
                                  • Michael Wang
Message 17 of 25, Jan 1, 2007
                                      Tom Kovar wrote:
                                      > As stated in my previous mail - offering LOGIN as authentication
                                      > mechanism does not change anything on the problem. Offering both PLAIN
                                      > and LOGIN does not change anything, offering only LOGIN leads to an
                                      > error message by the client that the server does not offer any mechanism
                                      > supported by Outlook Express. (After initial failure with both Outlook
                                      > and O.Express, I continue testing only with Express now).
                                      >
                                      > So frankly I do not believe that Outlook Express really supports LOGIN
                                      > mechanism...

I fiddled with Outlook 2002 (don't have Express) and my Postfix setup,
which is also running Dovecot for both IMAP and SASL, and the only way I
was able to get Outlook not to send the AUTH command was to turn
off the "My outgoing server (SMTP) requires authentication" check box.
Are the Windows machines that are trying to connect personal machines,
or are they set up in some sort of managed environment where perhaps
something is overriding that setting? I don't know enough about Outlook
to suggest where to look for that sort of thing.

                                      Oh and Outlook 2002 does handle PLAIN only (but it prefers LOGIN if both
                                      are offered) so that's definitely not the issue.

                                      --
                                      Michael Wang
                                    • Magnus Bäck
Message 18 of 25, Jan 1, 2007
                                        On Monday, January 01, 2007 at 14:32 CET,
                                        Rene van Hoek <rene@...> wrote:

                                        > I did an telnet to your machine and that seems ok:
                                        >
                                        > Leto:/Volumes renevanhoek$ telnet mail.kovarovi.org 25
                                        > Trying 194.212.102.169...
                                        > Connected to bimbo.kovarovi.org.
                                        > Escape character is '^]'.
                                        > 220 mail.kovarovi.org ESMTP Postfix
                                        > EHLO test.a8.nl
                                        > 250-mail.kovarovi.org
                                        > 250-PIPELINING
                                        > 250-SIZE 10240000
                                        > 250-VRFY
                                        > 250-ETRN
                                        > 250-AUTH PLAIN
                                        > 250-AUTH=PLAIN
                                        > 250-ENHANCEDSTATUSCODES
                                        > 250-8BITMIME
                                        > 250 DSN

                                        No, that's not okay. The Microsoft-style LOGIN mechanism is missing.
More recent Microsoft clients may support the PLAIN mechanism as well,
                                        but since people may be running older software I'd say it's a
                                        requirement to provide both PLAIN and LOGIN.

                                        While the OP is fixing LOGIN, I suggest he fixes support for CRAM-MD5
                                        and DIGEST-MD5 as well so that clients won't be forced to send passwords
                                        in the clear.

                                        [...]

                                        --
                                        Magnus Bäck
                                        magnus@...
                                      • Tom Kovar
Message 19 of 25, Jan 1, 2007
                                          So, thank you all.
Problem solved: it is really the LOGIN method that is required for SMTP
SASL. But the key thing is the "broken_sasl_auth_clients" story, i.e.
what matters is the **order** of proposed methods. The M$ clients really
need to see 250-AUTH=LOGIN in the message.

What I tried earlier was Dovecot proposing the methods "PLAIN" and "LOGIN".
This leads to the SMTP server answering the client's EHLO with
250-AUTH=PLAIN LOGIN
which is not recognised by the M$ clients (without any comment or
message, anyway) - even though broken_sasl_auth_clients was set to yes all
the time. If my Dovecot proposes the methods in the reverse order, i.e.
"LOGIN" and "PLAIN", Bill Gates seems satisfied.

                                          My love towards this damned Micro$oft grows stronger and deeper. Cashing
                                          big money for delivering scrap. Well well.

                                          Once again, thanks for the extensive help.

                                          Best regards,
                                          --- Tom

                                          -----Original Message-----
                                          From: owner-postfix-users@...
                                          [mailto:owner-postfix-users@...] On Behalf Of Tony Earnshaw
                                          Sent: Monday, January 01, 2007 3:09 PM
                                          To: postfix-users@...
                                          Subject: Re: SASL vs. M$ Outlook and Outlook Express


                                          Tom Kovar wrote:

> I have tried it with enabling PLAIN and LOGIN, nothing changed. If I
> remove PLAIN and have only LOGIN, the Outlook client exits immediately,
> stating that the server does not offer a mechanism supported by Outlook
> - so this will not be the problem, either.

                                          Oh yes, it is. We have MS Outlook Express and Outlook clients and they
                                          connect without problems. Do two things:

                                          1: telnet mail.barlaeus.nl 25
                                          ehlo mydomain.net

                                          See what it says.

                                          2: openssl s_client -starttls smtp -connect mail.barlaeus.nl:25

                                          See what it says.

                                          You need the "AUTH=LOGIN" for the MS client to recognize it. You
                                          therefore need broken_sasl_auth_clients = yes in main.cf.

                                          > Btw., with IMAP, Outlook sends "AUTH PLAIN" without any problem...

                                          What the bleeding heck does that have to do with the price of fish?

                                          --Tonni

                                          --
                                          Tony Earnshaw
                                          Email: tonni at hetnet.nl
                                        • Tom Kovar
Message 20 of 25, Jan 1, 2007
Yeah, Magnus, very much right. But not only that: LOGIN apparently has
to be the **FIRST** method proposed by the server - if not, M$
neither finds nor recognises it.

                                            Tack så mycket,
                                            --- Tom

                                            -----Original Message-----
                                            From: owner-postfix-users@...
                                            [mailto:owner-postfix-users@...] On Behalf Of Magnus Bäck
                                            Sent: Monday, January 01, 2007 7:00 PM
                                            To: postfix-users@...
                                            Subject: Re: SASL vs. M$ Outlook and Outlook Express


                                            On Monday, January 01, 2007 at 14:32 CET,
                                            Rene van Hoek <rene@...> wrote:

                                            > I did an telnet to your machine and that seems ok:
                                            >
                                            > Leto:/Volumes renevanhoek$ telnet mail.kovarovi.org 25
                                            > Trying 194.212.102.169...
                                            > Connected to bimbo.kovarovi.org.
                                            > Escape character is '^]'.
                                            > 220 mail.kovarovi.org ESMTP Postfix
                                            > EHLO test.a8.nl
                                            > 250-mail.kovarovi.org
                                            > 250-PIPELINING
                                            > 250-SIZE 10240000
                                            > 250-VRFY
                                            > 250-ETRN
                                            > 250-AUTH PLAIN
                                            > 250-AUTH=PLAIN
                                            > 250-ENHANCEDSTATUSCODES
                                            > 250-8BITMIME
                                            > 250 DSN

                                            No, that's not okay. The Microsoft-style LOGIN mechanism is missing.
More recent Microsoft clients may support the PLAIN mechanism as well,
                                            but since people may be running older software I'd say it's a
                                            requirement to provide both PLAIN and LOGIN.

                                            While the OP is fixing LOGIN, I suggest he fixes support for CRAM-MD5
                                            and DIGEST-MD5 as well so that clients won't be forced to send passwords
                                            in the clear.

                                            [...]

                                            --
                                            Magnus Bäck
                                            magnus@...
                                            • Bill Landry
Message 22 of 25, Jan 1, 2007
                                                Tom Kovar wrote the following on 1/1/2007 10:06 AM -0800:
                                                > Yeah, Magnus, very much right. But not only that: LOGIN apparently has
                                                > to be the **FIRST** method proposed by the server - if not, M$ does
                                                > neither find nor recognise it.

                                                The order presented doesn't matter. I have:

                                                220 mail.inetmsg.com - INetMsg ESMTP Mail Service - UCE Not Permitted!
                                                ehlo test.net
                                                250-mail.inetmsg.com
                                                250-PIPELINING
                                                250-SIZE 10240000
                                                250-ETRN
                                                250-AUTH PLAIN LOGIN
                                                250-AUTH=PLAIN LOGIN
                                                250-ENHANCEDSTATUSCODES
                                                250-8BITMIME
                                                250 DSN
                                                quit
                                                221 2.0.0 Bye

                                                and it works fine with both Outlook and Outlook Express clients.

                                                Bill
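The thread hinges on what a client sees in the EHLO response: whether LOGIN is listed, whether the legacy "AUTH=" line that broken_sasl_auth_clients = yes produces is there, and (Tony's point) whether cleartext mechanisms are advertised before STARTTLS at all, which smtpd_tls_auth_only = yes prevents. The checker below is an added example, not code from any poster; its sample responses are constructed from the transcripts quoted above, and mail.example.test is a placeholder host.

```python
"""Audit an SMTP EHLO response for the SASL details discussed in this thread."""
import re
from typing import Dict, List

# Constructed sample responses, modelled on the telnet transcripts in the
# thread (not captured live).
EHLO_PLAIN_ONLY = """250-mail.kovarovi.org
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN
250-AUTH=PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

EHLO_PLAIN_LOGIN = """250-mail.inetmsg.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

# With smtpd_tls_auth_only = yes Postfix advertises no AUTH before STARTTLS.
# Placeholder host, constructed response.
EHLO_TLS_FIRST = """250-mail.example.test
250-PIPELINING
250-STARTTLS
250-ENHANCEDSTATUSCODES
250 DSN"""


def parse_ehlo(response: str) -> Dict[str, List[str]]:
    """Map each EHLO keyword to its parameters.

    The RFC 4954 form 'AUTH PLAIN LOGIN' is stored under 'AUTH'; the legacy
    'AUTH=PLAIN LOGIN' line that broken_sasl_auth_clients = yes adds for old
    Microsoft clients is stored under 'AUTH=' so the two can be compared.
    """
    caps: Dict[str, List[str]] = {}
    lines = [ln.strip() for ln in response.splitlines() if ln.strip()]
    for raw in lines[1:]:                      # lines[0] is the server's domain
        m = re.match(r"250[- ](.+)", raw)
        if not m:
            raise ValueError("not a 250 EHLO line: %r" % raw)
        text = m.group(1)
        if text.upper().startswith("AUTH="):
            caps.setdefault("AUTH=", []).extend(text[5:].upper().split())
        else:
            words = text.upper().split()
            caps.setdefault(words[0], []).extend(words[1:])
    return caps


def audit_auth(response: str, after_starttls: bool = False) -> Dict[str, object]:
    """Summarise the SASL offering from the client's and the defender's view."""
    caps = parse_ehlo(response)
    rfc = caps.get("AUTH", [])
    legacy = caps.get("AUTH=", [])
    offered = set(rfc) | set(legacy)
    return {
        # the thread's question: does an old Microsoft client get to see LOGIN?
        "offers_login": "LOGIN" in offered,
        "legacy_auth_line": bool(legacy),
        "legacy_matches_rfc": not legacy or legacy == rfc,
        "first_mechanism": rfc[0] if rfc else None,
        # defender's view: cleartext mechanisms belong inside TLS only
        "starttls": "STARTTLS" in caps,
        "cleartext_before_tls": bool(offered & {"PLAIN", "LOGIN"})
                                and not after_starttls,
    }


if __name__ == "__main__":
    for name, resp in (("PLAIN only", EHLO_PLAIN_ONLY),
                       ("PLAIN LOGIN", EHLO_PLAIN_LOGIN),
                       ("TLS first", EHLO_TLS_FIRST)):
        print(name, audit_auth(resp))
```

Run it against a real server by pasting the lines after your own EHLO into a string; a second run with after_starttls=True on the post-STARTTLS EHLO shows whether AUTH appears only inside the encrypted session.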
                                              • Tony Earnshaw
Message 23 of 25, Jan 1, 2007
                                                  Magnus Bäck wrote:

                                                  [...]

                                                  > No, that's not okay. The Microsoft-style LOGIN mechanism is missing.
> More recent Microsoft clients may support the PLAIN mechanism as well,
                                                  > but since people may be running older software I'd say it's a
                                                  > requirement to provide both PLAIN and LOGIN.

                                                  Yep

                                                  > While the OP is fixing LOGIN, I suggest he fixes support for CRAM-MD5
                                                  > and DIGEST-MD5 as well so that clients won't be forced to send passwords
                                                  > in the clear.

Sending passwords in the clear can be avoided with TLS or SSL.

                                                  Also, unfortunately at the last count (beta < 1) Dovecot didn't support
                                                  CRAM-MD5 or DIGEST-MD5 - just as it didn't support many of the things
                                                  that are possible with Cyrus and on the IMAP level Courier
                                                  IMAP/maildrop. Getting CRAM-MD5 and DIGEST-MD5 to work with Postfix (at
                                                  least with Cyrus SASL) means using auxprop and in our case with an LDAP
                                                  base, ldapdb.

                                                  I'd be happy to learn that things on the Dovecot front have improved
                                                  since last April or so and that it now does support both, though without
                                                  LDAP-based maildrop (and the underlying authlib service) the mail
                                                  service that we offer at our site would be impossible.

                                                  --Tonni

                                                  --
                                                  Tony Earnshaw
                                                  Email: tonni at hetnet.nl
                                                • James Turnbull
Message 24 of 25, Jan 1, 2007
                                                    -----BEGIN PGP SIGNED MESSAGE-----
                                                    Hash: SHA1

                                                    Tony Earnshaw wrote:
                                                    > Also, unfortunately at the last count (beta < 1) Dovecot didn't support
                                                    > CRAM-MD5 or DIGEST-MD5 - just as it didn't support many of the things
                                                    > that are possible with Cyrus and on the IMAP level Courier
                                                    > IMAP/maildrop. Getting CRAM-MD5 and DIGEST-MD5 to work with Postfix (at
                                                    > least with Cyrus SASL) means using auxprop and in our case with an LDAP
                                                    > base, ldapdb.

                                                    Only the 1.0 release candidates support CRAM-MD5 and DIGEST-MD5. I can
                                                    say that I have been running RC15 in a couple of places as production
                                                    without issue. YMMV. I've also had no issues with the LDAP backend for
                                                    authentication - though that's not in production for us.

                                                    Regards

                                                    James Turnbull

                                                    - --
                                                    James Turnbull <james@...>
                                                    - ---
                                                    Author of Pro Nagios 2.0
                                                    (http://www.amazon.com/gp/product/1590596099/)

                                                    Hardening Linux
                                                    (http://www.amazon.com/gp/product/1590594444/)
                                                    - ---
                                                    PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0C42DF40)
                                                    -----BEGIN PGP SIGNATURE-----
                                                    Version: GnuPG v1.4.6 (MingW32)
                                                    Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

                                                    iD8DBQFFmYEC9hTGvAxC30ARAk1BAKCGThP2jc9/V6olnNGSkn4KE4v7rQCfZZEu
                                                    vno8BpHeWSWcVBH6Ah9fYMg=
                                                    =Wc17
                                                    -----END PGP SIGNATURE-----
                                                  • Robert Schetterer
                                                    Message 25 of 25 , Jan 1, 2007
Michael Wang wrote:
                                                      > Tom Kovar wrote:
                                                      >> As stated in my previous mail - offering LOGIN as authentication
                                                      >> mechanism does not change anything on the problem. Offering both PLAIN
                                                      >> and LOGIN does not change anything, offering only LOGIN leads to an
                                                      >> error message by the client that the server does not offer any mechanism
                                                      >> supported by Outlook Express. (After initial failure with both Outlook
                                                      >> and O.Express, I continue testing only with Express now).
                                                      >>
                                                      >> So frankly I do not believe that Outlook Express really supports LOGIN
                                                      >> mechanism...
                                                      >
                                                      > I fiddled with Outlook 2002 (don't have Express) and my Postfix setup
                                                      > which is also running Dovecot for both IMAP and SASL and the only way I
                                                      > was able to get the Outlook not to send the AUTH command is if I turned
                                                      > off the "My Outgoing server (SMTP) requires authentication" check box.
                                                      > Are these Windows machines that are trying to connect personal machines
                                                      > or are they setup in some sort of managed environment where perhaps
                                                      > something is overriding that setting? I don't know enough about Outlook
                                                      > to suggest where to look for that sort of thing.
                                                      >
                                                      > Oh and Outlook 2002 does handle PLAIN only (but it prefers LOGIN if both
                                                      > are offered) so that's definitely not the issue.
                                                      >
Hi,
I have postfix, saslauthd, mysql, dovecot running on
many servers (suse 10.1), I have no problem, using
outlook express, outlook, thunderbird
(latest versions)
whatever pop3, imap, imaps, pop3s
smtp, smtps
with virtual domain postfixadmin
so in my eyes problems are a configuration issue
I configured saslauthd to ask imap dovecot with plaintext passwords
(plain is not nice but needed for other stuff in my case)
Regards and happy new year

                                                      --
This message has been checked for viruses and other dangerous content
and is, assuming current virus scanners, clean.
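The thread keeps circling around two points: which mechanisms the client actually speaks (Outlook handles PLAIN and prefers LOGIN when both are offered, per Michael's message) and Tonni's remark that cleartext mechanisms are only acceptable under TLS. The following is an added example, not code from any poster, Postfix or Dovecot: a minimal in-memory SMTP AUTH server and client that run both the PLAIN and LOGIN dialogues, decode what the server receives, and withhold the AUTH capability until TLS is up, which is the effect of Postfix's smtpd_tls_auth_only = yes. The credential store, host names and user are constructed; the reply codes follow RFC 4954 and are not claimed to be Postfix's exact wording.

```python
"""SMTP AUTH PLAIN and AUTH LOGIN, both sides of the exchange, in memory.

Constructed example: no sockets, no real Postfix or Dovecot; the dict below
stands in for the SASL backend (Dovecot, saslauthd, ...)."""
import base64

USERS = {"tom@example.org": "s3cret"}  # constructed credential store


def advertised_mechanisms(tls_active, tls_auth_only=True):
    """Mechanisms for the EHLO 'AUTH' line.  PLAIN and LOGIN only
    base64-encode the password (as good as cleartext), so with
    tls_auth_only they are withheld until STARTTLS has completed."""
    if tls_auth_only and not tls_active:
        return []
    return ["PLAIN", "LOGIN"]


def client_auth_plain(user, password, authzid=""):
    """PLAIN with initial response: authzid NUL authcid NUL password."""
    payload = f"{authzid}\0{user}\0{password}".encode()
    return "AUTH PLAIN " + base64.b64encode(payload).decode()


def client_auth_login(user, password):
    """LOGIN: the client answers two base64 server challenges in turn."""
    return ["AUTH LOGIN",
            base64.b64encode(user.encode()).decode(),
            base64.b64encode(password.encode()).decode()]


def decode_plain(b64):
    """Server side of PLAIN: recover (authzid, authcid, password)."""
    parts = base64.b64decode(b64, validate=True).split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN response")
    return tuple(p.decode() for p in parts)


class SaslServer:
    """Just enough of an SMTP server to run the AUTH dialogue."""

    def __init__(self, tls_active, tls_auth_only=True):
        self.mechs = advertised_mechanisms(tls_active, tls_auth_only)
        self.state = None          # None, "plain", "login-user", "login-pass"
        self.login_user = None
        self.authenticated = None  # set once a password check succeeds

    def ehlo(self):
        lines = ["250-mail.example.org", "250-STARTTLS"]
        if self.mechs:
            lines.append("250-AUTH " + " ".join(self.mechs))
        lines.append("250 8BITMIME")
        return lines

    def _check(self, user, password):
        if USERS.get(user) == password:
            self.authenticated = user
            return "235 2.7.0 Authentication successful"
        return "535 5.7.8 Error: authentication failed"

    def _finish_plain(self, b64):
        try:
            _authzid, authcid, password = decode_plain(b64)
        except ValueError:
            return "501 5.5.2 Error: cannot decode response"
        return self._check(authcid, password)

    def handle(self, line):
        """Reply to one client line; a 334 reply asks for the next step."""
        if self.state == "plain":
            self.state = None
            return self._finish_plain(line)
        if self.state == "login-user":
            self.login_user = base64.b64decode(line).decode()
            self.state = "login-pass"
            return "334 " + base64.b64encode(b"Password:").decode()
        if self.state == "login-pass":
            self.state = None
            return self._check(self.login_user, base64.b64decode(line).decode())
        verb, _, arg = line.partition(" ")
        if verb.upper() != "AUTH":
            return "502 5.5.2 Error: command not recognized"
        if not self.mechs:  # nothing advertised, e.g. AUTH attempted before STARTTLS
            return "503 5.5.1 Error: authentication not enabled"
        mech, _, initial = arg.partition(" ")
        mech = mech.upper()
        if mech not in self.mechs:
            return "504 5.5.4 Error: unsupported authentication mechanism"
        if mech == "PLAIN":
            if initial:
                return self._finish_plain(initial)
            self.state = "plain"
            return "334 "
        self.state = "login-user"
        return "334 " + base64.b64encode(b"Username:").decode()


def run_session(tls_active, client_lines, tls_auth_only=True):
    """Drive one dialogue; returns (transcript, server) for inspection."""
    server = SaslServer(tls_active, tls_auth_only)
    transcript = [("C", "EHLO client.example.org")]
    transcript += [("S", reply) for reply in server.ehlo()]
    for line in client_lines:
        transcript.append(("C", line))
        reply = server.handle(line)
        transcript.append(("S", reply))
        if not reply.startswith("334"):
            break
    return transcript, server


if __name__ == "__main__":
    for title, tls, lines in (
        ("PLAIN over TLS", True, [client_auth_plain("tom@example.org", "s3cret")]),
        ("LOGIN over TLS", True, client_auth_login("tom@example.org", "s3cret")),
        ("PLAIN without TLS", False, [client_auth_plain("tom@example.org", "s3cret")]),
    ):
        print("==", title)
        for who, text in run_session(tls, lines)[0]:
            print(who + ":", text)
```

Running it prints the three dialogues. Note what the server sees in the PLAIN case: decode_plain turns the single base64 token straight back into the password, which is why the thread's advice is to offer PLAIN and LOGIN only after STARTTLS (smtpd_tls_auth_only) or to move to CRAM-MD5/DIGEST-MD5 where the backend supports them. A client that omits AUTH entirely, as Tom's Outlook Express did, never reaches this code path and simply fails at RCPT TO with "Relay access denied".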