I'm investigating an issue with SMTP AUTH, and I noticed that some mail servers advertise support for AUTH like this:
$ telnet myhost.com 25
Trying 127.0.0.1...
Connected to myhost.com.
Escape character is '^]'.
220 myhost.com ESMTP service ready
ehlo there
250-myhost.com says hello
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-AUTH CRAM-MD5
250-AUTH=CRAM-MD5
250-SIZE 100000000
250 DSN
I expected something like:
250-AUTH CRAM-MD5
but I didn't expect:
250-AUTH=CRAM-MD5
I've read RFC 4954 and some of the associated RFCs, but I didn't see an example with the "=" sign. Can someone tell me why this variant syntax exists, and where it is documented?
Not all clients recognize the AUTH capability as defined by the SASL authentication RFC. Some historical implementations expect the server to send an "=" as separator between the AUTH verb and the list of mechanisms that follows it.
The "broken" clients include Outlook up to and including version 2003 and Outlook Express up to version 6.
See http://www.postfix.org/SASL_README.html#server_sasl_authc
I have configured Mailgun for my domain, blog.kop.com (fake domain), and I have reset my SMTP password for this domain on the Mailgun dashboard.
I usually use the Mailgun API, which is why I want to test SMTP sending from the command line to check that I have the correct credentials. As an example, I'll use the following password:
Username: postmaster@blog.kop.com (guessed by me)
Password: d3bec33d3bc3e333333b3e333a3e33-3a3aa3d3-333ddf3 (given by mailgun)
This is what I do:
Convert the username to base64:
$ echo postmaster@blog.kop.com | base64
cG9zdG1hc3RlckBibG9nLmtvcC5jb20K
Convert the password to base64:
$ echo d3bec33d3bc3e333333b3e333a3e33-3a3aa3d3-333ddf3 | base64
ZDNiZWMzM2QzYmMzZTMzMzMzM2IzZTMzM2EzZTMzLTNhM2FhM2QzLTMzM2RkZjMK
Test send email over SMTP on port 587 (STARTTLS) with telnet client:
$ telnet smtp.mailgun.org 587
Trying 3.93.221.84...
Connected to smtp.mailgun.org.
Escape character is '^]'.
220 Mailgun Influx ready
ehlo blog.kop.com
250-smtp-out-n01.prod.us-east-1.postgun.com
250-AUTH PLAIN LOGIN
250-SIZE 52428800
250-8BITMIME
250-SMTPUTF8
250-PIPELINING
250 STARTTLS
AUTH LOGIN
334 VXNlcm5hbWU6
cG9zdG1hc3RlckBibG9nLmtvcC5jb20K
334 UGFzc3dvcmQ6
ZDNiZWMzM2QzYmMzZTMzMzMzM2IzZTMzM2EzZTMzLTNhM2FhM2QzLTMzM2RkZjMK
535 Authentication failed
Connection closed by foreign host.
It seems that my credentials are incorrect. This is the Mailgun documentation for sending mail over SMTP: https://documentation.mailgun.com/en/latest/user_manual.html#sending-via-smtp
I also tried using their code snippet and their swaks program: https://documentation.mailgun.com/en/latest/quickstart-sending.html#send-via-smtp
I also have the wrong credentials. I copy-pasted the credentials and acknowledged that they are correct.
I already had this issue using the API: the Mailgun documentation was providing the wrong API address for the Europe region. I now believe smtp.mailgun.org is not the right server for the Europe region, but I can't find anything related to it.
What's wrong with those steps?
Why am I failing to send email?
How can I send email over SMTP with mailgun, starttls and telnet?
When you echo a string you include a newline, but the newline should not be included in the credentials you pass in to SMTP AUTH. Try
printf '%s' 'postmaster@blog.kop.com' | base64
and similarly for the password.
Using bare Telnet sounds like a pretty brittle approach; you really want to use a proper SMTP client to talk to the SMTP server.
For Europe, the SMTP address is smtp.eu.mailgun.org.
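The newline problem described in the answer above can be checked directly against the session in the question. This is an added example, not code from any of the posts; the function names are hypothetical, and the session text is copied from the question's telnet transcript.

```python
import base64

# The AUTH LOGIN exchange from the question's telnet session
# (server lines start with a reply code, client lines do not).
SESSION = """334 VXNlcm5hbWU6
cG9zdG1hc3RlckBibG9nLmtvcC5jb20K
334 UGFzc3dvcmQ6
ZDNiZWMzM2QzYmMzZTMzMzMzM2IzZTMzM2EzZTMzLTNhM2FhM2QzLTMzM2RkZjMK
535 Authentication failed"""


def encode_login(value):
    """Base64 of exactly the credential bytes, with no line terminator."""
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def encode_plain(username, password, authzid=""):
    """AUTH PLAIN initial response (RFC 4616): authzid NUL authcid NUL passwd."""
    return encode_login(f"{authzid}\0{username}\0{password}")


def audit_login_exchange(session):
    """Pair each 334 prompt with the client's answer and flag stray newlines."""
    findings, prompt = [], None
    for line in (ln.strip() for ln in session.splitlines()):
        if line.startswith("334 "):
            # The server's prompt is base64 too ("Username:" / "Password:").
            prompt = base64.b64decode(line[4:], validate=True).decode("ascii")
        elif prompt is not None and line:
            sent = base64.b64decode(line, validate=True).decode("utf-8", "replace")
            clean = sent.rstrip("\r\n")
            findings.append({
                "prompt": prompt,
                "sent_length": len(sent),
                "trailing_newline": sent != clean,  # what `echo` added
                "corrected": encode_login(clean),   # what should have been sent
            })
            prompt = None
    return findings


if __name__ == "__main__":
    for finding in audit_login_exchange(SESSION):
        print(finding["prompt"], finding["trailing_newline"], finding["corrected"])
```

Base64 is an encoding, not encryption: anything sent this way before STARTTLS has been negotiated is readable on the wire.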
I can see many EHLO command echoes from mail servers like this:
I want to know what the difference is between "250-AUTH LOGIN PLAIN" and "250-AUTH=LOGIN PLAIN". Thanks
They mean the same thing, but one is for backwards compatibility.
The first one, 250-AUTH LOGIN PLAIN, is the modern RFC-compliant way for a mail server to announce what authentication methods it supports. Authenticated SMTP is used to allow valid remote users to send mail through an SMTP server while still preventing spammers from connecting and using it as a relay.
The second example, 250-AUTH=LOGIN PLAIN, is an identical command but is intended for non-RFC-compliant email clients. Older clients, such as Outlook 2003 and older, did not implement the AUTH command correctly and instead expected an equals sign between AUTH and the available authentication methods.
For backwards compatibility, it is possible to enable both the compliant and non-compliant AUTH commands. In Postfix, for example, you can enable the broken_sasl_auth_clients option to force Postfix to broadcast AUTH twice. Otherwise, only the RFC-compliant AUTH command should be used.
They mean the same thing. The first one is the proper one, but some mail clients only recognize the second line.
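A client-side view of the two AUTH spellings discussed in the threads above, as an added example that is not taken from any of the posts: a parser that treats "AUTH=" as the same keyword and merges the mechanism lists. It goes slightly beyond the question by also reporting which advertised mechanisms would carry the password unencrypted if used before STARTTLS; the function names are hypothetical, and the two sample replies are copied from the EHLO output quoted on this page.

```python
import re

# Sample replies copied from the two telnet sessions quoted on this page.
EHLO_BOTH_FORMS = """250-myhost.com says hello
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-AUTH CRAM-MD5
250-AUTH=CRAM-MD5
250-SIZE 100000000
250 DSN"""
EHLO_BEFORE_TLS = """250-smtp-out-n01.prod.us-east-1.postgun.com
250-AUTH PLAIN LOGIN
250-SIZE 52428800
250-8BITMIME
250-SMTPUTF8
250-PIPELINING
250 STARTTLS"""

PASSWORD_EQUIVALENT = {"PLAIN", "LOGIN"}  # the password is only base64-encoded


def parse_ehlo(reply):
    """Return extensions, merged AUTH mechanisms, and whether 'AUTH=' was seen."""
    extensions, mechanisms, legacy = {}, [], False
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip()]
    for index, line in enumerate(lines):
        match = re.fullmatch(r"250(?:[- ](.*))?", line)
        if match is None:
            raise ValueError(f"not a 250 reply line: {line!r}")
        text = (match.group(1) or "").strip()
        if index == 0 or not text:
            continue  # the first line is the server greeting, not an extension
        if text[:5].upper() == "AUTH=":
            legacy = True
            text = "AUTH " + text[5:]  # treat '=' as the separator
        keyword, *params = text.upper().split()
        if keyword == "AUTH":
            mechanisms += [p for p in params if p not in mechanisms]
        else:
            extensions[keyword] = params
    return {"extensions": extensions, "auth": mechanisms, "legacy_auth_line": legacy}


def exposed_mechanisms(parsed, tls_active):
    """Mechanisms that would put the password on the wire unencrypted right now."""
    if tls_active:
        return []
    return sorted(PASSWORD_EQUIVALENT.intersection(parsed["auth"]))
```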
If an SSL SMTP server requires a STARTTLS command to be used (java mail property: mail.smtp.starttls.required), do we also need to enable Plaintext Authentication over TLS?
I'm not sure exactly what you mean by "plaintext authentication over TLS".
If the server requires STARTTLS, a plain text (non-SSL) connection is made to the server, TLS (SSL) is started on the connection, and then authentication is done. Authentication can use any authentication mechanisms supported by both client and server, including the PLAIN authentication mechanism.
Greetings!
This question pertains to Normal (or Plain) IMAP/SMTP Authentication.
Can we be sure that a user's IMAP username is exactly the same as his full email address? Can the two be different? What about his SMTP username? Can he have different passwords for IMAP and SMTP?
To make things concrete, consider a webmail user, John Doe:
Email address: john.doe@example.com
Login password: foo.bar.baz
Given that John uses the above credentials to sign in with his webmail provider, here's a series of yes–no questions:
1. Can we be certain that John's IMAP username is john.doe@example.com?
1.1. Could it be john.doe, john or something else?
2. Can we be certain that John's IMAP password is foo.bar.baz?
3. Can we be certain that John's SMTP username is john.doe@example.com?
4. Can we be certain that John's SMTP password is foo.bar.baz?
5. Can we be certain that John's IMAP password is the same as his SMTP password?
6. Can we be certain that John's IMAP username is the same as his SMTP username?
I've been looking for these answers for a while now. If you can link to an RFC, that'd be awesome.
Thanks in advance. :)
SMTP and IMAP can be handled by disjoint programs, so no assurances there. Dovecot IMAP for example lets you freely choose to map username against mailbox name.
Certain - no, you can't be certain, as the server administrator can set any policy they like regarding these things.
However, RFC 6186 gives some suggestions. It suggests that mail user agents (MUAs) should first try using the full email address as the username for authentication (in this case john.doe@example.com), and if authentication fails, try again with the "local-part" as username (in this case john.doe). It also suggests that service providers should support authenticating with either of those usernames. This applies to both SMTP and IMAP authentication.
The RFC doesn't say anything about whether the username should be the same for SMTP and IMAP (so if the IMAP server wants the username john.doe@example.com and the SMTP server wants john.doe, that would still be within what the RFC suggests), and it doesn't say anything at all about passwords.
The RFC also suggests using DNS SRV records to find the hostname of the IMAP and SMTP servers given an email address. You can see this in action for Gmail using the dig command line tool:
$ dig +short -t srv _imaps._tcp.gmail.com
5 0 993 imap.gmail.com.
$ dig +short -t srv _submission._tcp.gmail.com
5 0 587 smtp.gmail.com.
That is, the IMAPS server is on imap.gmail.com, port 993, and the SMTP server for mail submission is on smtp.gmail.com, port 587.
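The lookup-then-fallback order from the answer above, as an added example that is not part of the original answer: it parses `dig +short -t srv` output and lists the login attempts a mail client would make, full address first and local-part second. The function names are hypothetical, the first two records are the ones quoted in the answer, and the address is the question's John Doe paired with them purely for illustration.

```python
# dig +short output quoted in the answer, plus one constructed record.
DIG_IMAPS = "5 0 993 imap.gmail.com."
DIG_SUBMISSION = "5 0 587 smtp.gmail.com."
DIG_DISABLED = "0 0 0 ."  # constructed: target "." means the service is not offered


def parse_srv(dig_short):
    """Parse `dig +short -t srv` lines into records, best priority first."""
    records = []
    for line in dig_short.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # blank line or something that is not an SRV answer
        priority, weight, port = (int(x) for x in fields[:3])
        target = fields[3]
        if target == ".":
            return []  # RFC 2782: service decidedly not available at this domain
        records.append({"priority": priority, "weight": weight,
                        "port": port, "host": target.rstrip(".")})
    # Lower priority value is tried first. Sorting by weight is a deterministic
    # simplification of RFC 2782's weighted random choice within one priority.
    return sorted(records, key=lambda r: (r["priority"], -r["weight"]))


def login_attempts(email, dig_short):
    """Ordered (host, port, username) attempts: full address, then local-part."""
    local_part, sep, domain = email.rpartition("@")
    if not sep or not local_part or not domain:
        raise ValueError(f"not an email address: {email!r}")
    return [(r["host"], r["port"], user)
            for r in parse_srv(dig_short)
            for user in (email, local_part)]


if __name__ == "__main__":
    for attempt in login_attempts("john.doe@example.com", DIG_IMAPS):
        print(attempt)
```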
I have many domains on one server.
I want to enable DKIM verification for each one. To do it, I followed this tutorial.
As said at the end of the tutorial, I tested my DKIM DNS on http://dkimcore.org/c/keycheck
This is a valid DKIM key record
So it's supposed to work right now, but when I send an email, there is no DKIM signature and only "domainkeys=neutral (no sig); dkim=neutral (no sig)" (tested on Yahoo and Gmail).
So what's wrong with this method?
EDIT:
mail.log when I send a mail (with PHP) says:
opendkim[40952]: 628EF242A06: localhost [127.0.0.1] not internal
opendkim[40952]: 628EF242A06: not authenticated
opendkim[40952]: 628EF242A06: no signature data
Another thing:
sudo opendkim-testkey -d mydomain.com -s default -k /etc/opendkim/keys/mydomain.com/default.private -v
response:
opendkim-testkey: key not secure
So is it the method of generating keys that is bad?
I added 127.0.0.1 and localhost to the trusted hosts and used:
sudo service postfix reload
Now it's working... enjoy ;)