I'm trying to send an email via SMTP using telnet. I have to authenticate (I'm interested now in AUTH LOGIN method). Here is output:
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 localhost ESMTP service ready
ehlo localhost
250-localhost
250-STARTTLS
250-AUTH PLAIN LOGIN
250-PIPELINING
250 8BITMIME
auth login
334 VXNlcm5hbWU6
bXl1c2VybmFtZQ
334 UGFzc3dvcmQ6
bXlwYXNzd29yZA
535 invalid authentication
With example above all is fine - server understands my login and passwords (there are wrong but it's not important right now). Here is another example:
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 localhost ESMTP service ready
ehlo localhost
250-localhost
250-STARTTLS
250-AUTH PLAIN LOGIN
250-PIPELINING
250 8BITMIME
auth login bXl1c2VybmFtZQ
334 UGFzc3dvcmQ6
bXlwYXNzd29yZA
500 Unrecognized command
My question is - am I able to send AUTH LOGIN user_name command and then password? Or should I always send just AUTH LOGIN and then separately user name and separately password?
I have plesk 12.5.30 on my server which is often blacklisted on Symantec Mail Security reputation.
The ip is new (I have purchased the server on 13.02.2017).
Also my ip is blacklisted on BACKSCATTERER.
Seeing the log of postfix I have a lot of entries like
Mar 22 14:51:43 server postfix/smtpd[14204]: connect from 75-143-80-240.dhcp.aubn.al.charter.com[75.143.80.240]
Mar 22 14:51:45 server postfix/smtpd[14204]: lost connection after EHLO from 75-143-80-240.dhcp.aubn.al.charter.com[75.143.80.240]
Mar 22 14:51:45 server postfix/smtpd[14204]: disconnect from 75-143-80-240.dhcp.aubn.al.charter.com[75.143.80.240]
Mar 22 14:51:50 server postfix/smtpd[14204]: connect from 128.128.72.76.cable.dhcp.goeaston.net[76.72.128.128]
Mar 22 14:51:51 server postfix/smtpd[14204]: lost connection after EHLO from 128.128.72.76.cable.dhcp.goeaston.net[76.72.128.128]
Mar 22 14:51:51 server postfix/smtpd[14204]: disconnect from 128.128.72.76.cable.dhcp.goeaston.net[76.72.128.128]
Mar 22 14:52:19 server postfix/smtpd[14204]: connect from mail.dedeckeraccountants.be[91.183.46.186]
Mar 22 14:52:19 server postfix/smtpd[14204]: disconnect from mail.dedeckeraccountants.be[91.183.46.186]
I have
Changed the smtp port to a non standard one (9456)
Installed firewall and fail2ban on plesk and setted as in image
Setted mail settings of plesk as in image
Installed a spamassasin
I have noticed also that some days ago i have lines in log like these
Mar 19 06:47:00 server postfix/smtp[13517]: CCC1C510023D: to=<229e7dc3183452c7d3290d1ba28f073e#www.lablue.de>, relay=none, delay=235637, delays=235636/0.05/0.09/0, dsn=4.4.1, status=deferred (connect to www.lablue.de[217.22.195.26]:25: Connection refused)
Mar 19 06:47:00 server postfix/smtp[13503]: 7EDD55100138: to=<Weber226#brockel.kirche-rotenburg.de>, relay=kirche-rotenburg-verden.de[136.243.213.122]:25, delay=239980, delays=239979/0.01/0.35/0.1, dsn=4.0.0, status=deferred (host kirche-rotenburg-verden.de[136.243.213.122] said: 451 Temporary local problem - please try later (in reply to RCPT TO command))
Mar 19 06:47:00 server postfix/smtp[13504]: 97B055100233: to=<office#angerlehner.at>, relay=none, delay=222922, delays=222922/0.01/0.64/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=angerlehner.at type=MX: Host not found, try again)
Mar 19 06:47:00 server postfix/smtp[13509]: 1E15F510019B: host mx1.leventboru.com.tr[89.19.1.69] said: 450 4.7.1 Recipient address rejected: Requested action not taken: mailbox unavailable or not local (in reply to RCPT TO command)
And i noticed a very long mail queue in plesk settings (i have deleted all mail in queue)
Any advice to block this attack??
Thanks in advance
Edit: I want to share my plesk-postfix settings
[plesk-postfix]
enabled = true
filter = postfix-sasl
action = iptables-multiport[name="plesk-postfix", port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
logpath = /var/log/maillog
maxretry = 2
There is somenthing can i improve here?
You might consider to use a Fail2Ban - filter with the following regex - expressions:
failregex = ^%(__prefix_line)slost connection after (AUTH|UNKNOWN|EHLO) from [^\[]*\[<HOST>\]\s*$
If you need further Fail2Ban regex - expressions, pls. consider to ADD the corresponding log - file entries, because some general standart ones may not suit your needs or/and your qmail/postfix/imap-courier/dovecot version, installed on your server. ;-)
Edit:
In order to be more precise, I now add the full suggestion, incl. the regex, that #MattiaDiGiuseppe already used in his comments - it's just a bit better formatted this way.
[Definition]
_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]
failregex = ^%(__prefix_line)swarning: (.*?)does not resolve to address <HOST>: Name or service not known$
^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$
^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .* Relay access denied.*$
^%(__prefix_line)sSSL_accept error from \S+\s*\[<HOST>\]: lost connection$
^%(__prefix_line)sSSL_accept error from \S+\s*\[<HOST>\]: -1$
^%(__prefix_line)slost connection after (AUTH|UNKNOWN|EHLO) from [^\[]*\[<HOST>\]\s*$
ignoreregex = authentication failed: Connection lost to authentication server$
Pls. consider to have a look at all standart filters ( for Fail2Ban 0.10 AND older versions), by visiting:
=> https://github.com/fail2ban/fail2ban/tree/0.10/config/filter.d
If you desire to view the standarts for older versions, just click on the "Branch: 0.10" dropdpwn - button, pls.
I am designing a website on aliyun.com. This website includes a function to send emails with PHPMailer. It perfectly works on my laptop (a Mac Book Air running XAMPP) but not on the live server (a fresh CentOS 6) with exactly the same php files (SMTP host, password, ...). Here is below the log I got from PHPMailer in verbose mode:
2015-04-08 02:59:42 Connection: opening to smtp.mywebsite.com:587, t=300, opt=array (
)
2015-04-08 02:59:42 Connection: opened
2015-04-08 02:59:42 SERVER -> CLIENT: 220 smtp.aliyun-inc.com MX AliMail Server(10.194.100.112)
2015-04-08 02:59:42 CLIENT -> SERVER: EHLO mywebsite.com
2015-04-08 02:59:42 SERVER -> CLIENT: 250-smtp.aliyun-inc.com
250-8BITMIME
250-AUTH=PLAIN LOGIN XALIOAUTH
250-AUTH PLAIN LOGIN XALIOAUTH
250-PIPELINING
250 DSN
2015-04-08 02:59:42 CLIENT -> SERVER: STARTTLS
2015-04-08 02:59:42 SERVER -> CLIENT: 220 Ready to start TLS
2015-04-08 02:59:42 CLIENT -> SERVER: QUIT
2015-04-08 02:59:44 SERVER -> CLIENT: ��:%4P���pGC#mLa+�%YF�l �0���I
2015-04-08 02:59:44 SMTP ERROR: QUIT command failed: ��:%4P���pGC#mLa+�%YF�l �0���I
2015-04-08 02:59:44 Connection: closed
2015-04-08 02:59:44 SMTP connect() failed.
Although I spent many hours on internet looking for a solution, I cannot figure out where the problem comes from... I am using the latest release of PHPMailer and the function mail in command lines works well (I mean I receive them), so where the problem could from?
Thanks a lot in advance!
Alplob
Perhaps, the openssl PHP extension is not installed on the Centos server. You should make sure the openssl extension is installed. To check the installed extensions, try the following command on Centos:
php -i
and look for openssl in the resulting text.
Recently, I've been experiencing problems with my email setup using Emacs (24.4.2) + Gnus (0.12). It seems that the TSL connection is not working:
gnutls.c: [0] (Emacs) fatal error: The TLS connection was non-properly terminated.
gnutls.el: (err=[-110] The TLS connection was non-properly terminated.) boot: (:priority NORMAL :hostname smtp.me.com :loglevel 0 :min-prime-bits 256 :trustfiles nil :crlfiles nil :keylist nil :verify-flags nil :verify-error nil :callbacks nil)
smtpmail-send-it: Sending failed: 530 5.7.0 No STARTTLS command has been given.
Is it a Gnus or Openssl problem? How should I debug and fix it?
Here is the output of the smtp trace buffer:
220 nk11p00mm-asmtp003.example.com -- Server ESMTP (Oracle Communications Messaging Server 7u4-27.10(7.0.4.27.9) 64bit (built Jun 6 2014))
250-nk11p00mm-asmtp003.example.com
250-8BITMIME
250-PIPELINING
250-CHUNKING
250-DSN
250-ENHANCEDSTATUSCODES
250-EXPN
250-HELP
250-XADR
250-XSTA
250-XCIR
250-XGEN
250-XLOOP 098E7F59418D8F04E0C7135651497A4E
250-STARTTLS
250-NO-SOLICITING
250 SIZE 28311552
220 2.5.0 Go ahead with TLS negotiation.
Process smtpmail deleted
220 nk11p00mm-asmtp003.example.com -- Server ESMTP (Oracle Communications Messaging Server 7u4-27.10(7.0.4.27.9) 64bit (built Jun 6 2014))
MAIL FROM:<john.doe#example.com>
250-nk11p00mm-asmtp003.example.com
250-8BITMIME
250-PIPELINING
250-CHUNKING
250-DSN
250-ENHANCEDSTATUSCODES
250-EXPN
250-HELP
250-XADR
250-XSTA
250-XCIR
250-XGEN
250-XLOOP 098E7F59418D8F04E0C7135651497A4E
250-STARTTLS
250-NO-SOLICITING
250 SIZE 28311552
RCPT TO:<john.doe#example.com>
530 5.7.0 No STARTTLS command has been given.
QUIT
503 5.5.0 No MAIL FROM command has been issued.
I am trying to set up my university smtp server with wanderlust/emacs, and on getting a repeated error decided to have a look via telnet.
the only trouble is, knowing next to nothing about smtp, I can't understand the output:
telnet pod51016.outlook.com 587
Trying 157.56.253.22...
Connected to pod51031.outlook.com.
Escape character is '^]'.
220 DBXPR06CA012.outlook.office365.com Microsoft ESMTP MAIL Service ready at Tue, 30 Sep 2014 16:44:11 +0000
ehlo test
250-DBXPR06CA012.outlook.office365.com Hello [129.234.0.21]
250-SIZE 78643200
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-8BITMIME
250-BINARYMIME
250 CHUNKING
I had expected to see an auth line as 250-AUTH LOGIN PLAIN --- II am just missing something? How do I see what authentication the server supports?
Alternatively, I have it working with thunderbird, so if anyone knows how to extract it from prefs.js that would do.
many thanks, and apologies for the lack of specificity in the question,
John
The server requires you to use establish a secure connection: Use STARTTLS, and the auth methods will appear.
You can test this with openssl:
openssl s_client -starttls smtp -connect server:587