Pkg exim4 users - Apr 2007 - smtp authentication (exim as a client) problem

Hello, i''ve configured exim4 on a sarge system to perform
authentication
with the smarthost used to relay all emails it processes.

I put username and password in passwd.client this way (fake data obviously):

*:theuser@thedomain.eu:thepassword

all is working fine until i switch the default gateway in order to route 
traffic on a different dsl provider. it seems absurd to me, it''s a 
matter of route add/del.

after changing the routing, smtp authentication fails regularly.
Please note that i am not using the provider smtp server as smarthost. 
I''m using an independent one not related to any provider.


i did a couple of tests this way:
exim4 -d+all marcopar@inwind.it

and i saved all the huge log here:
http://cl1p.net/athnoauth/

i really don''t understand what''s going on. it seems that exim
does not
send credentials when the traffic is routed via the new provider.

I''ve already tried to tweak exim4.conf.template, although i do not know
the language in which is written, to avoid passwd.client parsing and 
forcing the data to be used and that way works so i think it''s a script
problem but i cannot debug it because i don''t know enough about the 
language.

TIA
ciao

At 02:19 PM 4/4/2007 +0200, you wrote:
>Hello, i''ve configured exim4 on a sarge system to perform
authentication with the smarthost used to relay all emails it processes.
>
>I put username and password in passwd.client this way (fake data obviously):
>
>*:theuser@thedomain.eu:thepassword
>
>all is working fine until i switch the default gateway in order to route
traffic on a different dsl provider. it seems absurd to me, it''s a
matter of route add/del.
>
>after changing the routing, smtp authentication fails regularly.
>Please note that i am not using the provider smtp server as smarthost.
I''m using an independent one not related to any provider.
>
>
>i did a couple of tests this way:
>exim4 -d+all marcopar@inwind.it
>
>and i saved all the huge log here:
>http://cl1p.net/athnoauth/
>
>i really don''t understand what''s going on. it seems that
exim does not send credentials when the traffic is routed via the new provider.
>
>I''ve already tried to tweak exim4.conf.template, although i do not
know the language in which is written, to avoid passwd.client parsing and
forcing the data to be used and that way works so i think it''s a script
problem but i cannot debug it because i don''t know enough about the
language.

A couple of thoughts:

-maybe your new smarthost does not asks for for TLS - you need to explicitely
enable PLAIN authentication - see the Debian Exim specific FAQ
-maybe the smarthost advertises itself under a different name when you connect
to (though the * should catch everything)
-maybe the IP of the smarthost resolves to a different domain name (same obs)
-you want only as much debugging info as you need, something like
-d-all+transport - see the Debian Exim specific FAQ

Regards
e.

Aurelian Melinte wrote:
> -maybe your new smarthost does not asks for for TLS - you need to
explicitely enable PLAIN authentication - see the Debian Exim specific FAQ
i don''t think this is the case. as i said i tweaked the template. the
tweak consists in forcing the client_send variable at the end of the script:

==========================plain:
   driver = plaintext
   public_name = PLAIN
.ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
#  client_send = "${if !eq{$tls_cipher}{}{\
#                     ^${extract{1}{::}\
#
{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}\
#                    ^${extract{2}{::}\
#
{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}\
#                  }fail}"


   client_send = *^theuser@thedomain.eu^thepassword
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^


.else
   client_send
"^${extract{1}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}^${extract{2}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}"
.endif
=============================
this way works so i think is a matter of how client_send is
initializated in the original script.
> -maybe the smarthost advertises itself under a different name when you
connect to (though the * should catch everything)
> -maybe the IP of the smarthost resolves to a different domain name (same
obs)
yes, the smarthost resolves to different ip but as i understood * should
take care of that. when using the new provider i only switch default
routing but not DNS so why the behaviour should be different?
> -you want only as much debugging info as you need, something like
-d-all+transport - see the Debian Exim specific FAQ
here''s the cleaned up log as you asked:
http://cl1p.net/lesslogsmtpauth/


ciao

On Wed, Apr 04, 2007 at 02:19:39PM +0200, marcopar@gmail.com
wrote:
> Hello, i''ve configured exim4 on a sarge system to perform
authentication
> with the smarthost used to relay all emails it processes.
> 
> I put username and password in passwd.client this way (fake data
obviously):
> 
> *:theuser@thedomain.eu:thepassword
> 
> all is working fine until i switch the default gateway in order to route 
> traffic on a different dsl provider. it seems absurd to me, it''s a
> matter of route add/del.
Is is possible that your smarthost authenticates you by virtue of IP
address if you use the "old" DSL provider so that your SMTP AUTH has
never actually work.

I suggest using swaks to send test e-mails with and without
authentication via both DSL providers to the same smarthost and find
out when the smarthost accepts your messages and when not.

Greetings
Marc


-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don''t trust Computers. They | Mailadresse
im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190

Marc Haber wrote:
> Is is possible that your smarthost authenticates you by virtue of IP
> address if you use the "old" DSL provider so that your SMTP AUTH
has
> never actually work.
> 
no. this email i''m writing to you now will be sent by exim via the new
DSL provider through the smarthost and with authentication (it does not
work without authentication).
Tweaking the script and forcing client_send value makes all things work.
This is the strange thing. It seems that client_send is not correctly
computed when my default routing is different. Maybe the problem is with
DNS but i''m using same dns for both providers and it is not giving any
other problem but i''m willing to investigate if someone gives me some 
guidance.

ciao

On Thu, Apr 05, 2007 at 11:29:24AM +0200, marcopar@gmail.com
wrote:
> Maybe the problem is with
> DNS but i''m using same dns for both providers and it is not giving
any
> other problem but i''m willing to investigate if someone gives me
some
> guidance.
I suggest using swaks to send test e-mails with and without
authentication via both DSL providers to the same smarthost and find
out when the smarthost accepts your messages and when not.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don''t trust Computers. They | Mailadresse
im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190

Marc Haber wrote:
> I suggest using swaks to send test e-mails with and without
> authentication via both DSL providers to the same smarthost and find
> out when the smarthost accepts your messages and when not.
> 
the smarthost works only with plain authentication.
using swaks directly on the smarthost as you suggests works well with 
both providers as far as you provide correct username and password.

# swaks -a -s smtp.smartres.eu
To: marcopar@inwind.it
Username: ----
Password: ----
=== Trying smtp.smartres.eu:25...
=== Connected to smtp.smartres.eu.
<-  220 smtp4.aruba.it ESMTP
  -> EHLO ciop.smartres.localdomain
<-  250-smtp4.aruba.it
<-  250-AUTH LOGIN PLAIN
<-  250-AUTH=LOGIN PLAIN
<-  250-PIPELINING
<-  250 8BITMIME
  -> AUTH PLAIN AHBvc3RhaW51c2NpdGFAc21hcnRyZXMuZXUAc210cG91dDk3Ng=<-  235
ok, go ahead (#2.0.0)
  -> MAIL FROM:<root@ciop.smartres.localdomain>
<-  250 ok
  -> RCPT TO:<marcopar@inwind.it>
<-  250 ok
  -> DATA
<-  354 go ahead
  -> Date: Thu, 05 Apr 2007 12:16:35 +0200
  -> To: marcopar@inwind.it
  -> From: root@ciop.smartres.localdomain
  -> Subject: test Thu, 05 Apr 2007 12:16:35 +0200
  -> X-Mailer: swaks v20040404.1 jetmore.org/john/code/#swaks
  ->
  -> This is a test mailing
  ->
  -> .
<-  250 ok 1175768210 qp 31988
  -> QUIT
<-  221 smtp4.aruba.it
=== Connection closed by foreign host.


as you can see the smarthost resolves to multiples ip:

# host smtp.smartres.eu
smtp.smartres.eu has address 62.149.128.203
smtp.smartres.eu has address 62.149.128.200
smtp.smartres.eu has address 62.149.128.201
smtp.smartres.eu has address 62.149.128.202

and if you reverse lookup one of the ip:
# host 62.149.128.200
200.128.149.62.in-addr.arpa domain name pointer smtpa3.aruba.it.

don''t know if this matters but if it does it would be interesting to 
know why it gives problems only with one of the providers.

ciao

On Thu, Apr 05, 2007 at 12:22:37PM +0200, marcopar@gmail.com
wrote:
> Marc Haber wrote:
> >I suggest using swaks to send test e-mails with and without
> >authentication via both DSL providers to the same smarthost and find
> >out when the smarthost accepts your messages and when not.
> >
> 
> the smarthost works only with plain authentication.
> using swaks directly on the smarthost as you suggests works well with 
> both providers as far as you provide correct username and password.
And do both smarthosts reject if you do _not_ try to authenticate?

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don''t trust Computers. They | Mailadresse
im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190

Marc Haber wrote:
> And do both smarthosts reject if you do _not_ try to authenticate?
mmmmh... sorry i overlooked that part of the message, i should have 
checked the first time as it was the more important.

The smarthost rejects only the new provider wihout password...
I cannot say why because they are 3 independent entities and no per-ip 
configuration has been made on the smarthost (none declared to me by the 
smarthost owner at least).

So i redid all the tests suggested by you with swaks and with "exim -d 
..." with both providers and i found that:

1) authentication is never performed by exim. i read the logs the wrong way.
2) i can send emails without authentication with provider OLD but not 
with provider NEW (god only knows why (at this time) because it should 
work only with authentication)
3) if i force client_send variable in the script, exim then performs the 
authentication as expected.

Now the question is why exim does not want to authenticate when using 
the original script.

On Thu, Apr 05, 2007 at 01:28:03PM +0200, marcopar@gmail.com
wrote:
> Marc Haber wrote:
> >And do both smarthosts reject if you do _not_ try to authenticate?
> 
> mmmmh... sorry i overlooked that part of the message, i should have 
> checked the first time as it was the more important.
> 
> The smarthost rejects only the new provider wihout password...
So my gut feeling was right ;)
> So i redid all the tests suggested by you with swaks and with "exim -d
> ..." with both providers and i found that:
> 
> 1) authentication is never performed by exim. i read the logs the wrong
way.
> 2) i can send emails without authentication with provider OLD but not 
> with provider NEW (god only knows why (at this time) because it should 
> work only with authentication)
> 3) if i force client_send variable in the script, exim then performs the 
> authentication as expected.
> 
> Now the question is why exim does not want to authenticate when using 
> the original script.
Can you send me the output of exim -d+all of a _failed_ delivery
attempt in private Mail[1]? Let''s see why exim does not want to
authenticate.

Greetings
Marc

[1] the logs will include your authentication credentials in clear
text, please edit them out if you feel like it.

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don''t trust Computers. They | Mailadresse
im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190

On Thu, Apr 05, 2007 at 01:44:35PM +0200, Marc Haber
wrote:
> Can you send me the output of exim -d+all of a _failed_ delivery
> attempt in private Mail[1]? Let''s see why exim does not want to
> authenticate.
Looks like what was suggested days ago, that you are missing
AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS. See
http://pkg-exim4.alioth.debian.org/README/README.Debian.html, chapter
2.1.3.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don''t trust Computers. They | Mailadresse
im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190

Thanks to your help and in particular to the help of Marc Haber, i found
that i was confused and missing the configuration parameter to enable 
plain passwords  as clearly explained in README.Debian.
I know, it''s a FAQ... i was misleaded by my smarthost behavior
and thought there was some strange gremlin conspiring in my box.

ciao

On Thu, Apr 05, 2007 at 05:04:24PM +0200, marcopar@gmail.com
wrote:
> Thanks to your help and in particular to the help of Marc Haber, i found
> that i was confused and missing the configuration parameter to enable 
> plain passwords  as clearly explained in README.Debian.
You''re welcome.
> I know, it''s a FAQ... i was misleaded by my smarthost behavior
> and thought there was some strange gremlin conspiring in my box.
One strong argument for scientific debugging: Hypothesis,
Verification, and basing the next debugging step on the results. ;)

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don''t trust Computers. They | Mailadresse
im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190