
Re: SASL authentication and Windows Live Mail

  • Jim Seymour
    Message 1 of 6 , Jan 30, 2012
      On Tue, 31 Jan 2012 00:30:33 +0000
      James Day <James.Day@...> wrote:

      [snip]
      > ... trying the same account details from Windows Live
      > Mail throws up a:
      >
      > "554 Relay Access denied" error message.
      [snip]

      IIRC, "Relay access denied" is a symptom of a non-SSL attempted
      connection/login when "disable_plaintext_auth = yes" in dovecot.conf.

      Regards,
      Jim
      --
      Note: My mail server employs *very* aggressive anti-spam
      filtering. If you reply to this email and your email is
      rejected, please accept my apologies and let me know via my
      web form at <http://jimsun.LinxNet.com/contact/scform.php>.
    • Noel Jones
      Message 2 of 6 , Jan 30, 2012
        On 1/30/2012 9:32 PM, Jim Seymour wrote:
        > On Tue, 31 Jan 2012 00:30:33 +0000
        > James Day <James.Day@...> wrote:
        >
        > [snip]
        >> ... trying the same account details from Windows Live
        >> Mail throws up a:
        >>
        >> "554 Relay Access denied" error message.
        > [snip]
        >
        > IIRC, "Relay access denied" is a symptom of a non-SSL attempted
        > connection/login when "disable_plaintext_auth = yes" in dovecot.conf.

        The error message means the mail was rejected by
        reject_unauth_destination, and that means the client didn't
        authenticate (or tried and failed).

        If AUTH was tried and failed, it will be noted in the postfix and
        dovecot logs. If no failures are logged, AUTH wasn't attempted.

        This may or may not have anything to do with SSL/TLS. Another good
        guess is that dovecot needs to offer LOGIN and/or PLAIN mechanisms.

        But we're just guessing here. We need more details of the
        connection and configuration to give more concrete advice.

        http://www.postfix.org/DEBUG_README.html#mail


        -- Noel Jones
      • James Day
        Message 3 of 6 , Jan 30, 2012
          Thanks for your input guys. As I suspected I need to dig a bit deeper. Here is the relevant portion of my mail log using Windows Live Mail to send:

          [...snip]
          Jan 31 07:27:51 vps03 postfix/smtpd[3923]: connect from unknown[IP_REMOVED]
          Jan 31 07:27:51 vps03 postfix/smtpd[3923]: NOQUEUE: reject: RCPT from unknown[IP_REMOVED]: 554 5.7.1 <user@remotedomain>: Relay access denied; from=<dovecotuser@trusteddomain> to=<user@remotedomain> proto=ESMTP helo=<HOSTNAME>
          Jan 31 07:27:51 vps03 postfix/smtpd[3923]: disconnect from unknown[IP_REMOVED]
          Jan 31 07:27:54 vps03 dovecot: imap-login: Login: user=< dovecotuser@trusteddomain >, method=PLAIN, rip=IP_REMOVED, lip=IP_REMOVED, TLS
          Jan 31 07:27:54 vps03 dovecot: IMAP(dovecotuser@trusteddomain): Disconnected: Logged out bytes=712/6487
          [...snip]

          It seems to me that authentication isn't attempted until after the attempt to send fails.

          ...HOLD THE PRESS

          I added the LOGIN auth mechanism to my dovecot.conf and reloaded the service, the above was my first attempt to send this message again after doing so (which failed). Something must have taken some time to propagate because as I was typing this message the client connected again and sent successfully. Looks as though you were spot on Noel.

          Here is the log snippet for the successful send:

          Jan 31 07:35:47 vps03 postfix/smtpd[4049]: connect from unknown[IP_REMOVED]
          Jan 31 07:35:47 vps03 postfix/smtpd[4049]: BC1A1152601B2: client=unknown[IP_REMOVED], sasl_method=LOGIN, sasl_username= dovecotuser@trusteddomain
          Jan 31 07:35:48 vps03 postfix/cleanup[4052]: BC1A1152601B2: message-id=<FDCB00758C7446F28A755733616C9E39@remotedomain>
          Jan 31 07:35:48 vps03 postfix/qmgr[26598]: BC1A1152601B2: from=< dovecotuser@trusteddomain >, size=1261, nrcpt=1 (queue active)
          Jan 31 07:35:48 vps03 postfix/smtpd[4049]: disconnect from unknown[IP_REMOVED]
          Jan 31 07:35:48 vps03 dovecot: imap-login: Login: user=<dovecotuser@trusteddomain>, method=PLAIN, rip= IP_REMOVED, lip= IP_REMOVED, TLS
          Jan 31 07:35:48 vps03 postfix/smtp[4053]: BC1A1152601B2: to=<user@remotedomain>, relay=remote_mx_address[IP_REMOVED]:25, delay=0.79, delays=0.27/0/0.14/0.37, dsn=2.6.0, status=sent (250 2.6.0 <FDCB00758C7446F28A755733616C9E39@remotedomain> Queued mail for delivery)
          Jan 31 07:35:48 vps03 postfix/qmgr[26598]: BC1A1152601B2: removed

          The only question that remains for me is, what is the difference between PLAIN and LOGIN mechanisms? I understand from http://wiki.dovecot.org/Authentication/Mechanisms that they are both plain text. Unfortunately google searches for login authentication aren't particularly helpful.

          Kind regards,

          James Day

          -----Original Message-----
          From: owner-postfix-users@... [mailto:owner-postfix-users@...] On Behalf Of Noel Jones
          Sent: 31 January 2012 04:22
          To: postfix-users@...
          Subject: Re: SASL authentication and Windows Live Mail

          On 1/30/2012 9:32 PM, Jim Seymour wrote:
          > On Tue, 31 Jan 2012 00:30:33 +0000
          > James Day <James.Day@...> wrote:
          >
          > [snip]
          >> ... trying the same account details from Windows Live Mail throws up
          >> a:
          >>
          >> "554 Relay Access denied" error message.
          > [snip]
          >
          > IIRC, "Relay access denied" is a symptom of a non-SSL attempted
          > connection/login when "disable_plaintext_auth = yes" in dovecot.conf.

          The error message means the mail was rejected by reject_unauth_destination, and that means the client didn't authenticate (or tried and failed).

          If AUTH was tried and failed, it will be noted in the postfix and dovecot logs. If no failures are logged, AUTH wasn't attempted.

          This may or may not have anything to do with SSL/TLS. Another good guess is that dovecot needs to offer LOGIN and/or PLAIN mechanisms.

          But we're just guessing here. We need more details of the connection and configuration to give more concrete advice.

          http://www.postfix.org/DEBUG_README.html#mail


          -- Noel Jones
        • Noel Jones
          Message 4 of 6 , Jan 31, 2012
            On 1/31/2012 1:44 AM, James Day wrote:

            >
            > The only question that remains for me is, what is the difference between PLAIN and LOGIN mechanisms? I understand from http://wiki.dovecot.org/Authentication/Mechanisms that they are both plain text. Unfortunately google searches for login authentication aren't particularly helpful.

            The way the username and password are encoded and sent on the wire
            is slightly different. Biggest visible difference is PLAIN sends
            the username and password together in the same command; LOGIN sends
            them separately.

            Some clients only support one of these methods. Broadly speaking,
            some Microsoft clients only support LOGIN, some third-party clients
            only support PLAIN.

            There's no reason to not offer both.


            -- Noel Jones
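The on-the-wire difference described above, as an added example that is not part of the original post: it builds both SMTP AUTH exchanges, shows that either one decodes back to the cleartext credentials, and checks which mechanisms a client can use against a server's EHLO reply. The EHLO replies, host name and credentials are constructed sample values.

```python
import base64


def b64(text):
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def plain_exchange(user, password, authzid=""):
    """AUTH PLAIN: one command carrying authzid NUL username NUL password."""
    token = b64(f"{authzid}\0{user}\0{password}")
    return [("C", f"AUTH PLAIN {token}"),
            ("S", "235 2.7.0 Authentication successful")]


def login_exchange(user, password):
    """AUTH LOGIN: the server prompts for username and password separately."""
    return [("C", "AUTH LOGIN"),
            ("S", "334 " + b64("Username:")),
            ("C", b64(user)),
            ("S", "334 " + b64("Password:")),
            ("C", b64(password)),
            ("S", "235 2.7.0 Authentication successful")]


def decode_plain(token):
    """Base64 is an encoding, not encryption: anyone on the path can do this."""
    authzid, user, password = base64.b64decode(token).decode("utf-8").split("\0")
    return authzid, user, password


def offered_mechanisms(ehlo_reply):
    """Mechanism names from the AUTH line(s) of an EHLO reply."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        keyword = line[4:].strip()  # drop the "250-" / "250 " prefix
        if keyword.upper().startswith("AUTH"):
            mechs.update(m.upper() for m in keyword[4:].replace("=", " ").split())
    return mechs


def usable(ehlo_reply, client_supports):
    """Mechanisms both sides share; empty means the client will not try AUTH."""
    return sorted(offered_mechanisms(ehlo_reply) & set(client_supports))


# Constructed EHLO replies: before and after LOGIN is added on the server.
EHLO_PLAIN_ONLY = "250-mail.example.test\n250-STARTTLS\n250-AUTH PLAIN\n250 8BITMIME"
EHLO_BOTH = "250-mail.example.test\n250-STARTTLS\n250-AUTH PLAIN LOGIN\n250 8BITMIME"
```

With a LOGIN-only client, `usable(EHLO_PLAIN_ONLY, {"LOGIN"})` is empty, which matches the first log in the thread: no AUTH attempt, then a relay reject. Because both mechanisms are reversible base64, they should only be offered over TLS.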
          • James Day
            Message 5 of 6 , Jan 31, 2012
              >
              > The only question that remains for me is, what is the difference between PLAIN and LOGIN mechanisms? I understand from http://wiki.dovecot.org/Authentication/Mechanisms that they are both plain text. Unfortunately google searches for login authentication aren't particularly helpful.

              >The way the username and password are encoded and sent on the wire is slightly different. Biggest visible difference is PLAIN sends the username and password together in the same command; LOGIN sends them separately.

              >Some clients only support one of these methods. Broadly speaking, some Microsoft clients only support LOGIN, some third-party clients only support PLAIN.

              >There's no reason to not offer both.


              > -- Noel Jones

              Thanks Noel, as ever you've provided valuable insight. Your help is very much appreciated.

              Kind regards,

              James Day