Response decoding failed with xmpp sasl authentication - xmpp

I am trying complete the SASL authentication in XMPP server.
I have connected to the xmpp server using gen_tcp socket
I have registered a user 'test4' with password '123'
Encode the username password using... :base64.encode_to_string('test4')
Then sent the encoded string i.e dGVzdDQ= to SASL authentication
Using the command:
:gen_tcp.send(socket, "<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='PLAIN'>dGVzdDQ=</auth>")
But the server is giving error "<failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><bad-protocol/><text xml:lang='en'>Response decoding failed</text></failure>"
Note: I also tried to send :base64.encode_to_string(' test4 123') to server

As per RFC 4616, you need to put a NUL character before the username and the password. Try this:
iex(1)> :base64.encode_to_string([0] ++ 'test4' ++ [0] ++ '123')
'AHRlc3Q0ADEyMw=='

Related

KeyCloak fails to send email using SMTP with status 500

I have Keycloak running in a Kubernetes cluster. Authentication works but I need to set up e-mail to be able to send e-mails for verification and password reset.
I have SendGrid set up as an SMTP Relay. These settings (host, port and api key) work when I send mail using the SendGrid java client. However, when pressing Test connection in KeyCloak I get:
[Error] Failed to load resource: the server responded with a status of 500 ()
[Debug] Remove message (services.js, line 14)
[Debug] Added message (services.js, line 15)
[Error] Can't find variable: error
https://<domain>/auth/resources/ong8v/admin/keycloak/js/controllers/realm.js:76 – "Possibly unhandled rejection: {}"
[Debug] Remove message (services.js, line 14)
There isn't much to go on here. I have an e-mail address set up for the currently logged in user. I've also tried resetting the password in case the Test connection functionality was broken but that didn't work either.
The Realm Settings settings user for email are as such:
host: smtp.sendgrid.net
port: 587
from: test#<domain>
Enable StartTLS: true
Username: "apikey"
Password: <api key>
Any idea what can be wrong? Or how to find out? For instance, maybe I can get a more meaningful error message somehow.
Edit:
I got the server logs.
Failed to send email: com.sun.mail.util.MailConnectException: Couldn't connect to host, port: smtp.sendgrid.net, 587; timeout 10000;
nested exception is: java.net.SocketTimeoutException: connect timed out
Edit 2:
I've tried sending mail using Telnet using the exact same settings and that works. So apparently it's something with Keycloak or its underlying Java libraries that's causing issues sending e-mail.
Turns out that Keycloak works and that emails were blocked by the hosting provider.

SFTP connection failure with Perl "Net::SFTP" module

I am trying to connect to SFTP server using Perl but I get the following connection error: Permission denied at /app/perl-5.24.3/lib/site_perl/5.24.3/Net/SFTP.pm line 63.
My connection code 'sftp_test2.pl':
use strict;
use warnings;
use Net::SFTP;
my $server = 'downloads-server';
my $user = 'user';
my $port = "10022";
my $password = '';
my %args = (
user => "$user",
port => "$port",
ssh_args => {
user => "$user",
identity_files => [ 'path/sftp_download'],
port => "$port",
protocol=>'2,1',
debug => 1,
}
);
my $sftp=Net::SFTP->new($server, %args) or die "could not open connection to $server\n";
execution:
$>perl sftp_test2.pl
Reading configuration data path/home/.ssh/config
Reading configuration data /etc/ssh_config
Connecting to downloads-server, port 10022.
Remote version string: SSH-2.0-CrushFTPSSHD
Remote protocol version 2.0, remote software version CrushFTPSSHD
Net::SSH::Perl Version 2.14, protocol version 2.0.
No compat match: CrushFTPSSHD.
Connection established.
Sent key-exchange init (KEXINIT), waiting for response.
Using diffie-hellman-group-exchange-sha256 for key exchange
Host key algorithm: ssh-rsa
Algorithms, c->s: aes256-ctr hmac-sha2-512-etm#openssh.com none
Algorithms, s->c: aes256-ctr hmac-sha2-512-etm#openssh.com none
Entering Diffie-Hellman Group Exchange.
SSH2_MSG_KEX_DH_GEX_REQUEST(2048<4096<8192) sent
Sent DH Group Exchange request, waiting for reply.
Received 4096 bit DH Group Exchange reply.
Generating new Diffie-Hellman keys.
Entering Diffie-Hellman key exchange.
Sent DH public key, waiting for reply.
Received host key, type 'ssh-rsa'.
Host 'downloads-server' is known and matches the host key.
Verifying server signature.
Send NEWKEYS.
Waiting for NEWKEYS message.
Enabling encryption/MAC/compression.
Sending request for user-authentication service.
Service accepted: ssh-userauth.
Trying empty user-authentication request.
Authentication methods that can continue: password,publickey,keyboard-interactive.
Next method to try is password.
Trying password authentication.
Will not query passphrase in batch mode.
Authentication methods that can continue: password,publickey,keyboard-interactive.
Next method to try is password.
Trying password authentication.
Will not query passphrase in batch mode.
Authentication methods that can continue: password,publickey,keyboard-interactive.
Next method to try is password.
Trying password authentication.
Will not query passphrase in batch mode.
Authentication methods that can continue: password,publickey,keyboard-interactive.
Next method to try is password.
Next method to try is publickey.
Publickey: testing agent key 'my-server'
Authentication methods that can continue: password,publickey,keyboard-interactive.
Next method to try is password.
Next method to try is publickey.
Publickey: testing agent key 'path/home/.ssh/id_rsa'
Authentication methods that can continue: password,publickey,keyboard-interactive.
Next method to try is password.
Next method to try is publickey.
Trying pubkey authentication with key file 'path/sftp_download'
Authentication methods that can continue: password,publickey,keyboard-interactive.
Next method to try is password.
Next method to try is publickey.
Permission denied at /app/perl-5.24.3/lib/site_perl/5.24.3/Net/SFTP.pm line 63.
I thought that it is related to my private key, but I can connect via unix command:
sftp -oPort=10022 -oIdentityFile=path/sftp_download user#downloads-server
Connecting to downloads-server...
sftp>
I tried to find a solution in many articles and also tried few code variations, but without a success.
Am I doing something wrong?
Is it a known bug? any workaround?
How can I debug it to find the reason (I am not very well familiar with SSH/FTP).
EDIT:
I suspected that it may be related to multiple connection failing attempts with password so I removed the password authentication from "%AUTH_MAP" in the file "app/perl-5.24.3/lib/site_perl/5.24.3/x86_64-linux/Net/SSH/Perl/AuthMgr.pm" and it connected as expected!
Is there a way to force using only/first key authentication?
Thanks in advance!
Mike
The code to disable password authentication (only authentication key) is:
ssh_args => {
user => $user,
options => [ 'PasswordAuthentication no' ],
identity_files => [ 'path/sftp_download'],
port => $port,
protocol =>'2,1',
debug => 1,
}

Not able to authenticate SMTP clients on Debian+Postfix+SASL with rimap

I'm having a strange problem. I followed few guides from the net. My goal is to create a SMTP postfix that will use Cyrus SASL to authenticate users upon sending email with different imap server.
Making all more simple: have to transfer/replace current smtp server with new one as current is on public cloud and gets on black lists pretty often.
What I managed so far is:
Working Postfix
Authentication working when using :
testsaslauthd -u user#domain.com -p password
I'm getting Ok "Success" so I assume sasl itself work.
When I invoke saslfinger -s
I'm getting:
There is no smtpd.conf that defines what SASL should do for Postfix.
SMTP AUTH can't work!
but it seems that all is fine within the configuration files:
/etc/postfix/sasls/smtp.conf:
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
/etc/postfix/main.cf:
smtpd_recipient_restrictions = reject_invalid_hostname,
permit permit_mynetworks,
permit_sasl_authenticated
disable_vrfy_command = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
/etc/default/saslauthd-postfix:
START=yes
MECHANISMS="rimap"
MECH_OPTIONS="domain.com -r"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
I'm running postfix chroot'ed so had to create a symlink but like I said. It all seems to work independently, just need to be linked somehow.
When I try to setup account in outlook, I got wrong name or password.
The log on Debian says:
May 11 23:35:43 smtp-test postfix/smtpd[741]: warning: unknown[192.168.108.1]: SASL NTLM authentication failed: authentication failure
May 11 23:35:43 smtp-test postfix/smtpd[741]: warning: SASL authentication failure: unable to canonify user and get auxprops
May 11 23:35:43 smtp-test postfix/smtpd[741]: warning: unknown[192.168.108.1]: SASL DIGEST-MD5 authentication failed: authentication failure
May 11 23:35:43 smtp-test postfix/smtpd[741]: warning: unknown[192.168.108.1]: SASL LOGIN authentication failed: authentication failure
May 11 23:35:43 smtp-test postfix/smtpd[741]: lost connection after AUTH from unknown[192.168.108.1]
May 11 23:35:43 smtp-test postfix/smtpd[741]: disconnect from unknown[192.168.108.1]
Strange thing is it tries NTLM(not mentioned anywhere) instead of RIMAP. And cannot make canonical name of user even after adding -r switch that should combine name and realm/domain name.
I guess that is related to first warning from saslfinger but cannot find the cause.
All updated to newest available versions.
Any help?

SMTP Error <<: 503 AUTH command used when not advertised

I am facing this error in Webmail Lite.
I have Exim installed. Here is a snippet of the auth block:
PLAIN:
driver = plaintext
server_set_id = $auth2
server_prompts = :
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
.endif
server_condition = “${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{/etc/$domain/passwd}{$value}{*:*}}}}}{1}{0}}”
I have the passwd stored in the following format:
username:{MD5}asddfasdlasdkandlanskfdaf
How do I get AUTH enabled and working ?
Thanks in advance.
One reason for this error message is sending HELO instead of EHLO, or sending EHLO in the wrong order.
But this message can occur even if EHLO is used, when the server is running Exim.
On my server, I found the solution. In WHM > Home > Service Configuration > Exim
Configuration Manager, the option "Require clients to connect with SSL
or issue the STARTTLS command before they are allowed to authenticate
with the server" was set to the default (On). I'm not sure if I did this
or not, and it is ordinarily a great idea for security, but forces the
mailserver to enable (advertise) only the STARTTLS command, not AUTH. So
when my script sends AUTH, the error message the server sends is correct.
Further information is at http://blog.networkpresence.co/?p=8923 .
Someday when I have time I will find out how to change my script to use
TLS, so I can turn that Exim option On for security.
In my case,this error not coming regularly.some time it works but some time it gives this error.(SMTP Error: Could not authenticate.)
I debug this then I found this
SMTP -> get_lines(): $data was ""
SMTP -> get_lines(): $str is "503 AUTH command used when not advertised "
SMTP -> get_lines(): $data is "503 AUTH command used when not advertised "
SMTP -> FROM SERVER:503 AUTH command used when not advertised
SMTP -> ERROR: RSET failed: 503 AUTH command used when not advertised
SMTP Error: Could not authenticate.

How do you fix 550 must be authenticated sending Mail using Grails?

I'm using Grails Mail plugin and trying to send email and keep getting:
Error 500: Executing action [sendInvite] of controller
[RegisterController] caused exception: Failed messages:
javax.mail.SendFailedException: Invalid Addresses; nested exception
is: com.sun.mail.smtp.SMTPAddressFailedException: 550 must be
authenticated
I'm properly following the instructions at: http://www.grails.org/Mail+plugin
The mail server is returning an error when you try to send out the mail. 550 is a generic SMTP failure code; in this case it looks like you are missing a username and password. Some SMTP servers to not require authentication but most do, especially if they're publicly available on the internet. It's also possible that your SMTP server requires an SSL connection and you're connecting with an unsecured socket.
The example config for gmail shows how to set all the mail server authentication options in Config.groovy:
grails {
mail {
host = "smtp.gmail.com"
port = 465
username = "youracount#gmail.com"
password = "yourpassword"
props = ["mail.smtp.auth":"true",
"mail.smtp.socketFactory.port":"465",
"mail.smtp.socketFactory.class":"javax.net.ssl.SSLSocketFactory",
"mail.smtp.socketFactory.fallback":"false"]
}
}
Add "mail.debug": "true" to props to turn on JavaMail debugging to get a better picture of what is happening before the failure.
In my case the 550 error was caused by me having accidentally selected and IMAP account as the default account but sending emails from my Outlook Connector Account (which has no authentication settings to make).
I changed the Outlook Connector Account to default. Resent the emails and no errors.
So check that the correct email account is set up as the default also