Re: SASL forward problem

  • kapetr
    Message 1 of 5 , Nov 2 10:21 AM
      ----- ORIGINAL MESSAGE -----
      > Date: Tue, 1 Nov 2011 20:23:08 -0400 (EDT)
      > From: Wietse Venema <wietse@...>
      > Subject: Re: SASL forward problem
      >
      > kapetr:
      > > Hello,
      > >
      > > I use Postfix as forwarder.
      > >
      > > The target server is connected via stunnel4. It
      > > was working, but now
      > > I have changed ISP and the new SMTP server has
      > > problem with Postfix
      > > as client.
      > >
      > > Here is TCP stream from Wireshark:
      > >
      > > xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
      > > 220 mailout2.t-email.cz ESMTP
      > > EHLO 251-43-13-46.tmcz.cz
      > > 250-mailout2.t-email.cz
      > > 250-PIPELINING
      > > 250-SIZE 15360000
      > > 250-VRFY
      > > 250-ETRN
      > > 250-AUTH LOGIN PLAIN
      > > 250-ENHANCEDSTATUSCODES
      > > 250-8BITMIME
      > > 250 DSN
      > > AUTH LOGIN
      > > 334 XXXXXXXXXX
      > > YYYYYYY
      > > 334 XXXXXXXXX
      > > YYYYYYY
      > > 235 2.7.0 Authentication successful (this is the
      > > final reply to AUTH)
      > > MAIL FROM:<jiri.panek@...> SIZE=517 AUTH=<>
      > > RCPT TO:<jipan@...> ORCPT=rfc822;jipan@...
      > > DATA
      > > 250 2.1.0 Ok (this is the reply to *what*?)
      > > 555 5.5.4 Unsupported option: AUTH=<> (this
      > > would be the reply to MAIL FROM)
      > > (there should be an RCPT TO reply here)
      > > 554 5.5.1 Error: no valid recipients (this is
      > > the reply to DATA)
      > >
      > Are you sure that the replies are received in this
      > order?
      >
      > If that is the case, then the server
      > mis-implements SMTP command
      > pipelining. To turn that feature off in Postfix:
      >
      > /etc/postfix/main.cf:
      > smtp_discard_ehlo_keywords = pipelining
      >
      > Do "postfix reload" and try again.
      >
      > Wietse
      >

      Hello.

      The result is:

      ------------
      220 mailout1.t-email.cz ESMTP
      EHLO 251-43-13-46.tmcz.cz
      250-mailout1.t-email.cz
      250-PIPELINING
      250-SIZE 15360000
      250-VRFY
      250-ETRN
      250-AUTH LOGIN PLAIN
      250-ENHANCEDSTATUSCODES
      250-8BITMIME
      250 DSN
      AUTH LOGIN
      334 xxxxxxxxxx
      yyyyyyy
      334 xxxxxxxxxxxx
      yyyyyyy
      235 2.7.0 Authentication successful
      MAIL FROM:<jiri.panek@...> SIZE=519 AUTH=<>
      250 2.1.0 Ok
      RCPT TO:<jipan@...> ORCPT=rfc822;jipan@...
      555 5.5.4 Unsupported option: AUTH=<>
      ----- (why does the ISP's SMTP server send it now?!)
      RSET
      ------- (sent by my Postfix == out)
      250 2.0.0 Ok
      QUIT
      221 2.0.0 Bye
      ------
      Now it is <one command> <one reply>, but as you can see, it
      didn't help.
      Can this have something to do with different packeting of the stream
      compared to a direct connection?

      I think my Postfix should ignore the "555 5.5.4 Unsupported option:
      AUTH=<>" and continue.
      Or better, not send it at all - what is it at all?

      As you wrote: "If that is the case, then the server
      mis-implements SMTP command
      pipelining."

      Did you mean my server (my postfix) or ISPs server ?


      --kapetr

      P.S.: the outputs are from Wireshark (not edited by me), so I
      think "replies are received in this order". I have also checked by
      examining packets manually.



    • Wietse Venema
      Message 2 of 5 , Nov 2 12:41 PM
        kapetr:
        > 220 mailout1.t-email.cz ESMTP
        > EHLO 251-43-13-46.tmcz.cz
        > 250-mailout1.t-email.cz
        > 250-PIPELINING
        > 250-SIZE 15360000
        > 250-VRFY
        > 250-ETRN
        > 250-AUTH LOGIN PLAIN
        > 250-ENHANCEDSTATUSCODES
        > 250-8BITMIME
        > 250 DSN
        > AUTH LOGIN
        > 334 xxxxxxxxxx
        > yyyyyyy
        > 334 xxxxxxxxxxxx
        > yyyyyyy
        > 235 2.7.0 Authentication successful
        > MAIL FROM:<jiri.panek@...> SIZE=519 AUTH=<>
        > 250 2.1.0 Ok
        > RCPT TO:<jipan@...> ORCPT=rfc822;jipan@...
        > 555 5.5.4 Unsupported option: AUTH=<>

        This SMTP server has an interesting way to report errors.

        > I think my Postfix should ignore the "555 5.5.4 Unsupported option:
        > AUTH=<>" and continue.

        Postfix cannot ignore 555 after RCPT TO. And we already know that
        the server would not accept the mail (in your earlier email it
        replied with "554 5.5.1 Error: no valid recipients" to the DATA
        command).

        > Or better do not send it at all - what is it at all?

        Postfix is not written by imitation. It is written by implementing
        mail standards. The AUTH command and the AUTH= option are defined
        in RFC 2554 which was written many years ago.

        Unfortunately, not sending AUTH= involves editing Postfix source
        code or using a proxy that removes the AUTH= option. There is no
        feature to filter the commands that Postfix sends, like there is
        for the replies that Postfix receives.

        A third option is to edit the Postfix smtp executable file. Look
        for the string " AUTH=<>" and replace the space with a null byte.

        As for editing source code, this is in src/smtp/smtp_proto.c.
        Just delete the portion with:

        /*
         * We authenticate the local MTA only, but not the sender.
         */
        #ifdef USE_SASL_AUTH
            if (var_smtp_sasl_enable
                && (session->features & SMTP_FEATURE_AUTH))
                vstring_strcat(next_command, " AUTH=<>");
        #endif

        > As you wrote: "If that is the case, then the server
        > mis-implements SMTP command
        > pipelining."
        >
        > Did you mean my server (my postfix) or ISPs server ?

        Your machine is the SMTP client. The ISP is the SMTP server.

        Wietse
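
The proxy option Wietse mentions, sketched as an added example (not part of the original thread and not Postfix code): a line filter that drops the AUTH= parameter from MAIL FROM on the client-to-server path while leaving message content alone. The class name, the constructed session and the idea of running it on the plaintext leg in front of stunnel4 are assumptions.

```python
import re
from collections import deque

# AUTH= ESMTP parameter of MAIL FROM (RFC 4954): value runs to the next space.
_AUTH_PARAM = re.compile(rb" AUTH=[^ ]*", re.IGNORECASE)


class AuthParamStripper:
    """Hypothetical client-to-server line filter for a plaintext SMTP proxy."""

    def __init__(self):
        self.pending = deque()   # commands still waiting for a final reply
        self.in_data = False     # True while message content is being sent

    def client_line(self, line: bytes) -> bytes:
        body = line.rstrip(b"\r\n")
        if self.in_data:
            if body == b".":                 # end-of-data marker
                self.in_data = False
                self.pending.append(b".")
            return line                      # never rewrite message content
        verb = body.upper()
        self.pending.append(verb)
        if verb.startswith(b"MAIL FROM:"):
            # Keep the reverse-path intact; rewrite only the parameters.
            end = body.find(b">") + 1
            params = _AUTH_PARAM.sub(b"", body[end:])
            return body[:end] + params + line[len(body):]
        return line

    def server_line(self, line: bytes) -> None:
        if line[3:4] == b"-" or not self.pending:
            return                           # continuation line or greeting
        if self.pending.popleft() == b"DATA" and line.startswith(b"354"):
            self.in_data = True


def run_constructed_session():
    """Replays a constructed session and returns what the proxy forwards."""
    f = AuthParamStripper()
    f.server_line(b"220 mx.example ESMTP\r\n")
    out = [f.client_line(b"MAIL FROM:<a@example.org> SIZE=519 AUTH=<>\r\n"),
           f.client_line(b"RCPT TO:<b@example.net>\r\n"),
           f.client_line(b"DATA\r\n")]       # pipelined group, replies follow
    for reply in (b"250 2.1.0 Ok\r\n", b"250 2.1.5 Ok\r\n", b"354 Go\r\n"):
        f.server_line(reply)
    out.append(f.client_line(b"MAIL FROM:<x> AUTH=<> is body text\r\n"))
    out.append(f.client_line(b".\r\n"))
    f.server_line(b"250 2.0.0 Ok: queued\r\n")
    out.append(f.client_line(b"mail from:<> auth=<c@example.org>\r\n"))
    return out
```

The filter counts outstanding commands, so a pipelined MAIL/RCPT/DATA group does not make it mistake an earlier reply for the answer to DATA.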
      • kapetr
        Message 3 of 5 , Nov 5 3:46 AM
          Hello,

          I didn't think that my Postfix is the bad guy, but if the client is
          Evolution (in SSL+SASL connection with the ISP's server), the
          messages go out without problem.

          The problem is only if Postfix is the client?!
          Why?

          I have tried your "modify the executable" way.

          The "AUTH=<>" is in /usr/lib/postfix/smtp - I edited it in "mc"
          and replaced it with " " and left the "^@" (this is probably
          the NULL byte).

          But it just gives an error in the log:
          Nov 5 11:24:05 zly-hugo postfix/master[1418]: warning:
          /usr/lib/postfix/smtp: bad command startup -- throttling
          Nov 5 11:25:05 zly-hugo postfix/master[1418]: warning: process
          /usr/lib/postfix/smtp pid 2633 killed by signal 11

          Thank you

          --kapetr



        • kapetr
          Message 4 of 5 , Nov 12 2:01 AM
            Hello,

            I didn't think that my Postfix is the bad guy, but I have to say -
            if the client is
            Evolution (in SSL+SASL connection with the ISP's server), the
            messages go out without problem.

            The problem is only if Postfix is the client?!
            Why?

            I have tried your "modify the executable" way.

            The "AUTH=<>" is in /usr/lib/postfix/smtp - I edited it in "mc"
            and replaced it with " " and left the "^@" (this is probably
            the NULL byte).

            But it just gives an error in the log:
            Nov 5 11:24:05 zly-hugo postfix/master[1418]: warning:
            /usr/lib/postfix/smtp: bad command startup -- throttling
            Nov 5 11:25:05 zly-hugo postfix/master[1418]: warning: process
            /usr/lib/postfix/smtp pid 2633 killed by signal 11

            Thank you

            --kapetr



          • Wietse Venema
            Message 5 of 5 , Nov 12 5:19 AM
              kapetr:
              > Hello,
              >
              > I didn't think that my Postfix is the bad guy, but I have to say -
              > if the client is
              > Evolution (in SSL+SASL connection with the ISP's server), the
              > messages go out without problem.
              >
              > The problem is only if Postfix is the client?!
              > Why?

              Please complain to the vendor of the software that announces AUTH
              support and that fails to implement the AUTH=<> option. You may
              refer them to RFC 4954 which has all the details.

              > I have tried your "modify the executable" way.
              >
              > The "AUTH=<>" is in /usr/lib/postfix/smtp - I edited it in "mc"
              > and replaced it with " " and left the "^@" (this is probably
              > the NULL byte).
              >
              > But it just gives an error in the log:
              > Nov 5 11:24:05 zly-hugo postfix/master[1418]: warning:
              > /usr/lib/postfix/smtp: bad command startup -- throttling
              > Nov 5 11:25:05 zly-hugo postfix/master[1418]: warning: process
              > /usr/lib/postfix/smtp pid 2633 killed by signal 11

              The file size must be the same before and after editing.

              $ cp /usr/libexec/postfix/smtp smtp.new
              $ perl -pi -e 's/ AUTH=/\0AUTH=/' smtp.new
              $ ls -l /usr/libexec/postfix/smtp smtp.new
              -rwxr-xr-x 2 root wheel 1700160 Nov 8 20:12 /usr/libexec/postfix/smtp
              -rwxr-xr-x 1 wietse wheel 1700160 Nov 12 08:13 smtp.new
              $ cmp -l /usr/libexec/postfix/smtp smtp.new
              313969 40 0

              The numbers 1700160 and 313969 will be different on your system
              (unless you use the same FreeBSD version and the same compiler
              options as I did).

              Wietse
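
Why the size must stay the same, shown as an added example (not from the original thread): a same-length one-byte patch leaves every later string at its offset, while a replacement that shortens the file shifts them. The byte string below is a constructed stand-in for the executable, and the function names are hypothetical.

```python
NEEDLE = b" AUTH=<>"   # the string Wietse says to look for


def patch_leading_space(image: bytes) -> bytes:
    """Overwrite the space before AUTH=<> with NUL; length is unchanged."""
    if image.count(NEEDLE) != 1:
        raise ValueError("expected exactly one %r, found %d"
                         % (NEEDLE, image.count(NEEDLE)))
    at = image.index(NEEDLE)
    return image[:at] + b"\0" + image[at + 1:]


def cmp_l(old: bytes, new: bytes):
    """Mimic `cmp -l`: (1-based offset, old octal, new octal) per changed byte."""
    if len(old) != len(new):
        raise ValueError("size changed: %d -> %d" % (len(old), len(new)))
    return [(i + 1, "%o" % a, "%o" % b)
            for i, (a, b) in enumerate(zip(old, new)) if a != b]


def c_string_at(image: bytes, offset: int) -> bytes:
    """The NUL-terminated string a C program reads at this offset."""
    return image[offset:image.index(b"\0", offset)]


# Constructed stand-in for the executable's string table (not real Postfix data).
IMAGE = (b"\x7fELF" + b"\0" * 12 + b"MAIL FROM:<%s>\0"
         + NEEDLE + b"\0" + b" SIZE=%lu\0")
AUTH_AT = IMAGE.index(NEEDLE)        # where the code expects " AUTH=<>"
SIZE_AT = IMAGE.index(b" SIZE=")     # a later string the code also refers to

GOOD = patch_leading_space(IMAGE)    # same size, one byte differs
BAD = IMAGE.replace(NEEDLE, b" ")    # editor-style replacement, 7 bytes shorter

if __name__ == "__main__":
    print(cmp_l(IMAGE, GOOD))            # one line, as in the cmp -l output
    print(c_string_at(GOOD, AUTH_AT))    # empty string: nothing gets appended
    print(c_string_at(BAD, SIZE_AT))     # later offset now reads other bytes
```

After the same-size patch the program reads an empty string where " AUTH=<>" used to be, which is why replacing only the space with a null byte is enough.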