
No AUTH after EHLO

jhuedder

Basic Pleskian
Hi there,

My QMail is confusing mail clients like Outlook when trying to send mail with SMTP authentication.

My Outlook complains "Fehler (0x800CCC80) beim Ausführen der Aufgabe "[email protected] - Nachrichten werden gesendet": "Vom Server wird keine der von diesem Client unterstützten Authentifizierungsmethoden unterstützt." which means "The server doesn't support any authentication types supported by this client".

I read the SMTP-AUTH-RFC and found that the SMTP-server should answer "250 - AUTH PLAIN LOGIN ..." after the EHLO-command. But my server doesn't give any answer containing AUTH-types. This is the answer when I gave "telnet abc.xyz.net 25" at the command-prompt:

220 abc.xyz.net ESMTP
ehlo testcomputer
250-abc.xyz.net
250-STARTTLS
250-PIPELINING
250 8BITMIME

So right now I can only use POP-before-SMTP which is not supported by many mobile clients.

Any help appreciated.

Thanks, Joerg (info-at-hueddersen.de)
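
The telnet check from the post above, as an added example that is not part of the original thread: a parser for a captured EHLO reply that lists the advertised AUTH mechanisms. The second sample reply is constructed, and the function names are illustrative.

```python
import re

# Reply from the first post (hostname as posted there).
EHLO_NO_AUTH = "250-abc.xyz.net\r\n250-STARTTLS\r\n250-PIPELINING\r\n250 8BITMIME\r\n"
# Constructed reply: a server offering SMTP AUTH, including the legacy
# "AUTH=" spelling that some older clients look for.
EHLO_WITH_AUTH = ("250-abc.xyz.net\r\n250-AUTH=LOGIN PLAIN\r\n"
                  "250-AUTH LOGIN PLAIN CRAM-MD5\r\n250-STARTTLS\r\n250 8BITMIME\r\n")

_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_ehlo(reply):
    """Parse a multi-line EHLO reply into (code, {KEYWORD: [params]})."""
    lines = [l for l in reply.splitlines() if l]
    if not lines:
        raise ValueError("empty reply")
    code, ext = None, {}
    for i, line in enumerate(lines):
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"malformed reply line: {line!r}")
        this_code, sep, text = m.groups()
        # "NNN-" marks a continuation line, "NNN " the final line.
        if (sep == " ") != (i == len(lines) - 1):
            raise ValueError("continuation marker does not match line position")
        if code is not None and this_code != code:
            raise ValueError("reply code changes within one reply")
        code = this_code
        if i == 0:
            continue  # first line carries the server name, not an extension
        if text.upper().startswith("AUTH="):
            text = "AUTH " + text[5:]  # fold legacy form into the standard one
        parts = text.split()
        if parts:
            ext.setdefault(parts[0].upper(), []).extend(p.upper() for p in parts[1:])
    return int(code), ext

def auth_mechanisms(reply):
    """Sorted list of advertised AUTH mechanisms, empty if none."""
    code, ext = parse_ehlo(reply)
    return sorted(set(ext.get("AUTH", []))) if code == 250 else []

def diagnose(reply):
    """Short verdict a mail admin can act on."""
    if auth_mechanisms(reply):
        return "auth-offered"
    _, ext = parse_ehlo(reply)
    # Some servers only list AUTH on the EHLO sent after STARTTLS.
    return "no-auth-retry-after-starttls" if "STARTTLS" in ext else "no-auth"
```
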
 
I have the same problem.

This is a big bug, as Outlook 2007 cannot authenticate with Plesk now in any other way than through POP before SMTP. I don't want to use POP before SMTP as it is insecure, and I am testing Spamdyke, which will break POP before SMTP anyway.
 
One more problem with no AUTH in EHLO.

Some servers require user email address verification when sending emails to their domains. As Plesk has no AUTH in EHLO, those servers will not be able to verify the user email address on the server and will reject emails sent to them from Plesk.
 
Gentlemen,

Thank you for the reports.

The AUTH option will be absent from the response if the IP address from which the connection is established is in the Whitelist (Server > Mail > White List) or, when POP3 authentication is enabled, if there was a connection from this IP address via POP3 (temporary Whitelist).
You should either remove the credentials for SMTP authentication, or remove the appropriate IP addresses from the Whitelist.

Any feedback is appreciated.
 
Just to confirm what Sergius is saying:

If you have enabled pop-before-relay then (if the customer has collected email before trying to send) there will be no auth and Outlook 2007 will fall on its face. (The same goes for Apple Mail, Vista Mail and Entourage).

Similarly, if you have added the ip of the customer trying to auth to Plesk's whitelist, there will be no auth and Outlook 2007 (etc) will fall on its face.

It is not clear why older versions of Outlook don't suffer from the same problem.
It is not clear if it is possible to modify Qmail to get round this problem.

Simple solution for now: Disable pop-before-relay and remove any IPs in your whitelist that point to customer IPs.

Faris.
 
Hello,

I can confirm that this workaround works for me. Thanks for the help. Hoping for a qmail update to fix that issue.
 
New Outlook evidently checks what response it gets from the server when connecting so that the best authorisation method can be chosen. When no AUTH is returned after the EHLO command, Outlook does not try to authenticate.
 
@sergius: Thanks for your diagnosis. I have the problem that some of my clients use internal mailservers that pull mail every 15 minutes via fetchmail (POP3). This enables them through POP-before-SMTP with a time frame of 20 minutes to relay their mail to my server. On the other hand my private clients use SMTP-authentication, especially through their mobile clients. So I NEED BOTH!! I can't just switch POP-before-SMTP off (which indeed lets QMail send AUTH after EHLO).

Since you already know that the problem is about the temporary whitelist can't you give any advice how to fix the whole issue?

Joerg
 
I have the same problem.
I can't disable POP before SMTP because some clients need it, and I also need smtp_auth for a lot of other clients.
This is a serious problem, not only for me.

This problem has been known since November 2007 (http://forum.swsoft.com/showthread.php?t=38900&page=2&pp=15).

Sergius, or whoever from Plesk, do you think there is any chance to get a fix within the next year?
 
You can still do both as long as you ask one set of customers to use, say, port 587 (submission port) and another set to use 25.

If you then remove the "relaylock" entry (/var/qmail/bin/relaylock) from the config file in /etc/xinet.d/ (or is it not /etc/indet.d for 8.6?) for port 587 then there will be no pop-before-relay on that port, but it will remain on port 25.

I'm sorry I'm not being terribly specific here but I don't have an 8.6 installation close to hand to check the files.

Also don't follow my advice blindly -- use at your own risk. It is past midnight as I type, I'm ill, and I'm working from memory.

Faris.
 
Hi Faris,
thanks for the hint. I already thought about something like that.

I will try to set "POP before SMTP" on 587 (because it's just 2 customers that have to change the port) and keep smtp_auth on port 25.

I will let you know here, if it works.
 
Ok, that seems to be easy.

I wanted to activate "POP before SMTP" only on Port 587 and SMTP_AUTH on Port 25.
System is Plesk 8.6.0 (SuSE).

In the Plesk backend under "Server > Mail" I set:
- "Submission" activated
- "Relaying" activated, just for SMTP (not POP3)

Now there are config-files /etc/xinetd.d/smtp_psa (port 25) and /etc/xinetd.d/submission_psa (port 587).
Both ports are now Relay-Locked with SMTP_AUTH.

To change port 587 from SMTP_AUTH to "POP before SMTP" I changed
env = SUBMISSION=1 SMTPAUTH=1 SHORTNAMES=1
to
env = SUBMISSION=1 POPAUTH=1 POPLOCK_TIME=20 SHORTNAMES=1
in /etc/xinetd.d/submission_psa.

Then restarted xinetd with "/etc/init.d/xinetd restart" and it works for me.

These changes can be overwritten by the Plesk backend or Plesk updates, so if you do something like this, you do it at your own risk!
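
Because the edit described above can be overwritten, a drift check is useful. This is an added example, not part of the original post: it reads xinetd service definitions and reports services whose env no longer matches the intended relay mode. The sample file is constructed (only the env values come from the post), and the mode names and the meaning assigned to SMTPAUTH and POPAUTH are assumptions drawn from the post's description.

```python
import re

# Constructed sample in xinetd service-file syntax; only the env line is
# taken from the post, the other attributes are placeholders.
SAMPLE = """\
service submission
{
    socket_type = stream
    protocol    = tcp
    wait        = no
    disable     = no
    env         = SUBMISSION=1 POPAUTH=1 POPLOCK_TIME=20 SHORTNAMES=1
}
"""

# Assumption: the policy the admin intends for each service.
EXPECTED = {"submission": "pop-before-smtp"}

def service_env(text):
    """Map each xinetd service name to its env variables."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"service\s+(\S+)$", line)
        if m:
            current = m.group(1)
            result[current] = {}
        elif line == "}":
            current = None
        elif current and re.match(r"env\s*\+?=", line):
            for pair in line.split("=", 1)[1].split():
                key, _, value = pair.partition("=")
                result[current][key] = value
    return result

def relay_mode(env):
    """Classify a service by the auth variables set in its env."""
    smtp, pop = env.get("SMTPAUTH") == "1", env.get("POPAUTH") == "1"
    if smtp and pop:
        return "both"
    return "smtp-auth" if smtp else "pop-before-smtp" if pop else "none"

def drift(text, expected):
    """Return {service: (wanted, found)} for every mismatch."""
    found = {s: relay_mode(e) for s, e in service_env(text).items()}
    return {s: (w, found.get(s, "missing")) for s, w in expected.items()
            if found.get(s) != w}
```
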
 
Dear Sergius,

Regarding your suggestion, how can I know all my clients' IP addresses?

As I am a new administrator, please give me more detail than usual.

I do not understand "remove the credentials for SMTP-Authentication, or remove the appropriate IP addresses from Whitelist"; please explain.

Thank you very much
Lim
 
Hi,
After upgrading to 8.6, not only can I not use Outlook (AUTH problem), but my users also can't log in to Horde! In addition, my poppasswd (qmail) is only 0 KB, and even using mchk didn't change it.
Any idea about it?
 