Discussion:
Authenticated Exchange SMTP server problem
Michael Williams
2010-09-18 19:20:21 UTC
Hi,

I'm trying to get mutt's smtp support to work with my department's new Exchange server.

According to the current draft documentation, Thunderbird can be configured as follows: <http://www.physics.ox.ac.uk/it/email/exchange/2010/ThunderbirdSetup.htm>. I have confirmed that this configuration works.

So, having read Kyle Wheeler's very useful post <http://marc.info/?l=mutt-users&m=124285017604463&w=2>, I have turned the Thunderbird instructions into the following smtp_url:

set smtp_url="smtp://***@physics.ox.ac.uk@mail.physics.ox.ac.uk:587"

With this configuration, when I send mail in mutt, the status bar says "SSL connection using TLSv1/SSLv3 (AES128-SHA)" (which sounds promising) then "Authenticating (NTLM)", then prompts me for my password. I give this, but after a suspiciously long delay ~10s, I get the error "SASL authentication failed".

I emphasize that the server appears to work as described in the instructions for configuring SMTP for Thunderbird. I'm using the same username and password in mutt. This is the same username and password I use to make the IMAP connection; I also have 'set imap_user="***@physics.ox.ac.uk"' and that works fine. The server is configured to check that mail is coming from a registered address, and I'm setting the From: header appropriately in mutt. I'm stumped. Does anyone have any ideas?

-- Mike
Jostein Berntsen
2010-09-18 20:16:09 UTC
Post by Michael Williams
Hi,
I'm trying to get mutt's smtp support to work with my department's new Exchange server.
According to the current draft documentation, Thunderbird can be configured as follows: <http://www.physics.ox.ac.uk/it/email/exchange/2010/ThunderbirdSetup.htm>. I have confirmed that this configuration works.
With this configuration, when I send mail in mutt, the status bar says "SSL connection using TLSv1/SSLv3 (AES128-SHA)" (which sounds promising) then "Authenticating (NTLM)", then prompts me for my password. I give this, but after a suspiciously long delay ~10s, I get the error "SASL authentication failed".
Does your /var/log/mail give any more clues?


Jostein
Michael Williams
2010-09-18 20:26:56 UTC
Post by Jostein Berntsen
Does your /var/log/mail give any more clues?
On the client machine? Apparently I don't have one (this is a vanilla mutt build +tokyocabinet running on OS X).
John J. Foster
2010-09-19 01:26:21 UTC
Post by Michael Williams
Post by Jostein Berntsen
Does your /var/log/mail give any more clues?
On the client machine? Apparently I don't have one (this is a vanilla mutt build +tokyocabinet running on OS X).
It's /private/var/log/mail.log on a Mac

festus
--
“We have constructed a world in which the potential for high-tech
catastrophe is embedded in the fabric of day-to-day life.”
Malcolm Gladwell
Michael Williams
2010-09-19 08:02:41 UTC
Post by John J. Foster
Post by Michael Williams
Post by Jostein Berntsen
Does your /var/log/mail give any more clues?
On the client machine? Apparently I don't have one (this is a vanilla mutt build +tokyocabinet running on OS X).
It's /private/var/log/mail.log on a Mac
/var is symlinked to /private/var on OS X. At any rate, there is no mail.log.
Michael Williams
2010-09-19 17:29:08 UTC
Post by Michael Williams
I'm trying to get mutt's smtp support to work with my department's new Exchange server.
According to the current draft documentation, Thunderbird can be configured as follows: <http://www.physics.ox.ac.uk/it/email/exchange/2010/ThunderbirdSetup.htm>. I have confirmed that this configuration works.
With this configuration, when I send mail in mutt, the status bar says "SSL connection using TLSv1/SSLv3 (AES128-SHA)" (which sounds promising) then "Authenticating (NTLM)", then prompts me for my password. I give this, but after a suspiciously long delay ~10s, I get the error "SASL authentication failed".
In further testing, I have confirmed SMTP connections to this server work with msmtp. Here is my very short .msmtprc:

defaults
tls on
tls_certcheck off
account default
host mail.domain.com
from ***@domain.com
auth on
user ***@domain.com

(Where domain.com is my real domain, etc.)

This works on the command line as follows:

$ echo "hello" | msmtp ***@test.com
password for ***@domain.com at mail.domain.com: [I type my password]
$

A full verbose log of the communication between msmtp and the server is at the end of this email.

So I just want to translate that .msmtprc into a .muttrc. I have

set smtp_url="smtp://***@physics.ox.ac.uk@mail.physics.ox.ac.uk"

Does anyone know why this doesn't work ("SASL authentication failed" as described above)?

To anticipate some questions, my installation of mutt was built with the necessary SSL/SASL support:

+USE_SSL_OPENSSL -USE_SSL_GNUTLS +USE_SASL +USE_GSS

(which makes sense as I am able to connect to this server via IMAPS:993.)

Any ideas very welcome. msmtp log below.

-- Mike

$ echo "hello" | msmtp -v ***@domain.com
ignoring system configuration file /Users/mike/.homebrew/Cellar/msmtp/1.4.20/etc/msmtprc: No such file or directory
loaded user configuration file /Users/mike/.msmtprc
using account default from /Users/mike/.msmtprc
host = mail.domain.com
port = 25
timeout = off
protocol = smtp
domain = localhost
auth = choose
user = ***@domain.com
password = (not set)
ntlmdomain = (not set)
tls = on
tls_starttls = on
tls_trust_file = (not set)
tls_crl_file = (not set)
tls_fingerprint = (not set)
tls_key_file = (not set)
tls_cert_file = (not set)
tls_certcheck = off
tls_force_sslv3 = off
tls_min_dh_prime_bits = (not set)
tls_priorities = (not set)
auto_from = off
maildomain = (not set)
from = ***@domain.com
dsn_notify = (not set)
dsn_return = (not set)
keepbcc = off
logfile = (not set)
syslog = (not set)
reading recipients from the command line
<-- 220 mail.physics.ox.ac.uk Microsoft ESMTP MAIL Service ready at Sun, 19 Sep 2010 18:19:25 +0100
--> EHLO localhost
<-- 250-mail.domain.com Hello
<-- 250-SIZE 20971520
<-- 250-PIPELINING
<-- 250-DSN
<-- 250-ENHANCEDSTATUSCODES
<-- 250-STARTTLS
<-- 250-AUTH NTLM
<-- 250-8BITMIME
<-- 250-BINARYMIME
<-- 250 CHUNKING
--> STARTTLS
<-- 220 2.0.0 SMTP server ready
TLS certificate information:

[snip certificate info]

--> EHLO localhost
<-- 250-mail.domain.com Hello
<-- 250-SIZE 20971520
<-- 250-PIPELINING
<-- 250-DSN
<-- 250-ENHANCEDSTATUSCODES
<-- 250-AUTH NTLM LOGIN
<-- 250-8BITMIME
<-- 250-BINARYMIME
<-- 250 CHUNKING
password for ***@domaon.com at mail.domain.com:
--> AUTH LOGIN
<-- 235 2.7.0 Authentication successful
--> MAIL FROM:<***@domain.com>
--> RCPT TO:<***@domain.com>
--> DATA
<-- 250 2.1.0 Sender OK
<-- 250 2.1.5 Recipient OK
<-- 354 Start mail input; end with <CRLF>.<CRLF>
--> hello
--> .
<-- 250 2.6.0 <47f24188-a0fe-4c12-bfb7-***@EXCHANGE-CAS2.physics.ox.ac.uk> [InternalId=3817] Queued mail for delivery
--> QUIT
<-- 221 2.0.0 Service closing transmission channel
$


Brendan Cully
2010-09-19 20:40:23 UTC
Post by Michael Williams
Hi,
I'm trying to get mutt's smtp support to work with my department's new Exchange server.
According to the current draft documentation, Thunderbird can be configured as follows: <http://www.physics.ox.ac.uk/it/email/exchange/2010/ThunderbirdSetup.htm>. I have confirmed that this configuration works.
With this configuration, when I send mail in mutt, the status bar says "SSL connection using TLSv1/SSLv3 (AES128-SHA)" (which sounds promising) then "Authenticating (NTLM)", then prompts me for my password. I give this, but after a suspiciously long delay ~10s, I get the error "SASL authentication failed".
If your mutt was built with --enable-debug (mutt -v will include the
line +DEBUG if so), you can run mutt -d2 to get a trace of mutt's
conversation with the SMTP server in ~/.muttdebug0. There should be
more clues in there.
Brendan Cully
2010-09-19 20:43:52 UTC
Post by Brendan Cully
Post by Michael Williams
Hi,
I'm trying to get mutt's smtp support to work with my department's new Exchange server.
According to the current draft documentation, Thunderbird can be configured as follows: <http://www.physics.ox.ac.uk/it/email/exchange/2010/ThunderbirdSetup.htm>. I have confirmed that this configuration works.
With this configuration, when I send mail in mutt, the status bar says "SSL connection using TLSv1/SSLv3 (AES128-SHA)" (which sounds promising) then "Authenticating (NTLM)", then prompts me for my password. I give this, but after a suspiciously long delay ~10s, I get the error "SASL authentication failed".
If your mutt was built with --enable-debug (mutt -v will include the
line +DEBUG if so), you can run mutt -d2 to get a trace of mutt's
conversation with the SMTP server in ~/.muttdebug0. There should be
more clues in there.
By the way, if I had to guess I'd say that the problem is that the
server is advertising NTLM authentication but really only wants a
plain password. You can fix this by setting
smtp_authenticators="plain" in your muttrc, instead of letting SASL
pick the strongest it can find.
Michael Williams
2010-09-19 21:21:35 UTC
Hi Brendan,

thanks very much for these suggestions.
Post by Brendan Cully
Post by Brendan Cully
If your mutt was built with --enable-debug (mutt -v will include the
line +DEBUG if so), you can run mutt -d2 to get a trace of mutt's
conversation with the SMTP server in ~/.muttdebug0. There should be
more clues in there.
I've rebuilt (and upgraded from 1.5.20 to 1.5.21). Here's the log. I don't see anything unusual.

[2010-09-19 23:14:38] Sending message...
[2010-09-19 23:14:38] Looking up mail.physics.ox.ac.uk...
[2010-09-19 23:14:38] Connecting to mail.physics.ox.ac.uk...
[2010-09-19 23:14:38] Connected to mail.physics.ox.ac.uk:587 on fd=6
[2010-09-19 23:14:39] 6< 220 mail.physics.ox.ac.uk Microsoft ESMTP MAIL Service ready at Sun, 19 Sep 2010 22:15:25 +0100
[2010-09-19 23:14:39] 6> EHLO astro.ox.ac.uk^M
[2010-09-19 23:14:39] 6< 250-mail.physics.ox.ac.uk Hello [77.4.235.134]
[2010-09-19 23:14:39] 6< 250-SIZE 20971520
[2010-09-19 23:14:39] 6< 250-PIPELINING
[2010-09-19 23:14:39] 6< 250-DSN
[2010-09-19 23:14:39] 6< 250-ENHANCEDSTATUSCODES
[2010-09-19 23:14:39] 6< 250-STARTTLS
[2010-09-19 23:14:39] 6< 250-AUTH NTLM
[2010-09-19 23:14:39] 6< 250-8BITMIME
[2010-09-19 23:14:39] 6< 250-BINARYMIME
[2010-09-19 23:14:39] 6< 250 CHUNKING
[2010-09-19 23:14:39] 6> STARTTLS^M
[2010-09-19 23:14:39] 6< 220 2.0.0 SMTP server ready
[2010-09-19 23:14:39] ssl_check_preauth: hostname check passed
[2010-09-19 23:14:39] X509_verify_cert: unable to get local issuer certificate (20)
[2010-09-19 23:14:39] [/CN=winfe.physics.ox.ac.uk/CN=thphys.ox.ac.uk/CN=teaching.physics.ox.ac.uk/CN=smtps.physics.ox.ac.uk/CN=physics.ox.ac.uk/CN=imaps.physics.ox.ac.uk/CN=exchange.physics.ox.ac.uk/CN=exchange-cas3.physics.ox.ac.uk/CN=exchange-cas2.physics.ox.ac.uk/CN=exchange-cas1.physics.ox.ac.uk/CN=autodiscover.thphys.ox.ac.uk/CN=autodiscover.physics.ox.ac.uk/CN=autodiscover.atm.ox.ac.uk/CN=autodiscover.astro.ox.ac.uk/CN=atm.ox.ac.uk/CN=astro.ox.ac.uk/C=GB/ST=Oxfordshire/L=Oxford/O=University of Oxford/OU=Physics/CN=mail.physics.ox.ac.uk]
[2010-09-19 23:14:39] X509_verify_cert: unable to get local issuer certificate (20)
[2010-09-19 23:14:39] [/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware]
[2010-09-19 23:14:39] ssl_check_preauth: digest check passed
[2010-09-19 23:14:39] trusted: /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
[2010-09-19 23:14:39] ssl_check_preauth: hostname check passed
[2010-09-19 23:14:39] ssl_check_preauth: signer check passed
[2010-09-19 23:14:39] SSL connection using TLSv1/SSLv3 (AES128-SHA)
[2010-09-19 23:14:40] 6> EHLO astro.ox.ac.uk^M
[2010-09-19 23:14:40] 6< 250-mail.physics.ox.ac.uk Hello [77.4.235.134]
[2010-09-19 23:14:40] 6< 250-SIZE 20971520
[2010-09-19 23:14:40] 6< 250-PIPELINING
[2010-09-19 23:14:40] 6< 250-DSN
[2010-09-19 23:14:40] 6< 250-ENHANCEDSTATUSCODES
[2010-09-19 23:14:40] 6< 250-AUTH NTLM LOGIN
[2010-09-19 23:14:40] 6< 250-8BITMIME
[2010-09-19 23:14:40] 6< 250-BINARYMIME
[2010-09-19 23:14:40] 6< 250 CHUNKING
[2010-09-19 23:14:40] SASL local ip: 192.168.1.36;64383, remote ip:163.1.74.81;587
[2010-09-19 23:14:40] External SSF: 128
[2010-09-19 23:14:40] External authentication name: ***@physics.ox.ac.uk
[2010-09-19 23:14:40] Authenticating (NTLM)...
[2010-09-19 23:14:40] 6> AUTH NTLM [snip hash]
[2010-09-19 23:14:40] 6< 334 [snip long hash]
[2010-09-19 23:14:40] mutt_sasl_cb_authname: getting authname for mail.physics.ox.ac.uk:587
[2010-09-19 23:14:40] mutt_sasl_cb_pass: getting password for ***@physics.ox.ac.uk@mail.physics.ox.ac.uk:587
[2010-09-19 23:14:43] 6> [snip long hash]
[2010-09-19 23:14:48] 6< 535 5.7.3 Authentication unsuccessful
[2010-09-19 23:14:48] SASL authentication failed
Post by Brendan Cully
By the way, if I had to guess I'd say that the problem is that the
server is advertising NTLM authentication but really only wants a
plain password. You can fix this by setting
smtp_authenticators="plain" in your muttrc, instead of letting SASL
pick the strongest it can find.
With smtp_authenticators="plain", authorization fails and .muttdebug0 ends with:

[2010-09-19 23:10:21] smtp_authenticate: Trying method plain
[...]
[2010-09-19 23:10:25] Authenticating (PLAIN)...
[2010-09-19 23:10:25] 6> AUTH PLAIN [snip hash]
[2010-09-19 23:10:30] 6< 504 5.7.4 Unrecognized authentication type
[2010-09-19 23:10:30] SASL authentication failed

so I assume that plain is not right. (This ties in with the NTLM method Apple Mail autoselects and successfully uses for this server following a test connection.)

Any ideas?

-- Mike
Brendan Cully
2010-09-19 21:42:02 UTC
Post by Michael Williams
Hi Brendan,
thanks very much for these suggestions.
Post by Brendan Cully
Post by Brendan Cully
If your mutt was built with --enable-debug (mutt -v will include the
line +DEBUG if so), you can run mutt -d2 to get a trace of mutt's
conversation with the SMTP server in ~/.muttdebug0. There should be
more clues in there.
I've rebuilt (and upgraded from 1.5.20 to 1.5.21). Here's the log. I don't see anything unusual.
[2010-09-19 23:14:38] Sending message...
[2010-09-19 23:14:38] Looking up mail.physics.ox.ac.uk...
[2010-09-19 23:14:38] Connecting to mail.physics.ox.ac.uk...
[2010-09-19 23:14:38] Connected to mail.physics.ox.ac.uk:587 on fd=6
[2010-09-19 23:14:39] 6< 220 mail.physics.ox.ac.uk Microsoft ESMTP MAIL Service ready at Sun, 19 Sep 2010 22:15:25 +0100
[2010-09-19 23:14:39] 6> EHLO astro.ox.ac.uk^M
[2010-09-19 23:14:39] 6< 250-mail.physics.ox.ac.uk Hello [77.4.235.134]
[2010-09-19 23:14:39] 6< 250-SIZE 20971520
[2010-09-19 23:14:39] 6< 250-PIPELINING
[2010-09-19 23:14:39] 6< 250-DSN
[2010-09-19 23:14:39] 6< 250-ENHANCEDSTATUSCODES
[2010-09-19 23:14:39] 6< 250-STARTTLS
[2010-09-19 23:14:39] 6< 250-AUTH NTLM
[2010-09-19 23:14:39] 6< 250-8BITMIME
[2010-09-19 23:14:39] 6< 250-BINARYMIME
[2010-09-19 23:14:39] 6< 250 CHUNKING
[2010-09-19 23:14:39] 6> STARTTLS^M
[2010-09-19 23:14:39] 6< 220 2.0.0 SMTP server ready
[2010-09-19 23:14:39] ssl_check_preauth: hostname check passed
[2010-09-19 23:14:39] X509_verify_cert: unable to get local issuer certificate (20)
[2010-09-19 23:14:39] [/CN=winfe.physics.ox.ac.uk/CN=thphys.ox.ac.uk/CN=teaching.physics.ox.ac.uk/CN=smtps.physics.ox.ac.uk/CN=physics.ox.ac.uk/CN=imaps.physics.ox.ac.uk/CN=exchange.physics.ox.ac.uk/CN=exchange-cas3.physics.ox.ac.uk/CN=exchange-cas2.physics.ox.ac.uk/CN=exchange-cas1.physics.ox.ac.uk/CN=autodiscover.thphys.ox.ac.uk/CN=autodiscover.physics.ox.ac.uk/CN=autodiscover.atm.ox.ac.uk/CN=autodiscover.astro.ox.ac.uk/CN=atm.ox.ac.uk/CN=astro.ox.ac.uk/C=GB/ST=Oxfordshire/L=Oxford/O=University of Oxford/OU=Physics/CN=mail.physics.ox.ac.uk]
[2010-09-19 23:14:39] X509_verify_cert: unable to get local issuer certificate (20)
[2010-09-19 23:14:39] [/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware]
[2010-09-19 23:14:39] ssl_check_preauth: digest check passed
[2010-09-19 23:14:39] trusted: /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
[2010-09-19 23:14:39] ssl_check_preauth: hostname check passed
[2010-09-19 23:14:39] ssl_check_preauth: signer check passed
[2010-09-19 23:14:39] SSL connection using TLSv1/SSLv3 (AES128-SHA)
[2010-09-19 23:14:40] 6> EHLO astro.ox.ac.uk^M
[2010-09-19 23:14:40] 6< 250-mail.physics.ox.ac.uk Hello [77.4.235.134]
[2010-09-19 23:14:40] 6< 250-SIZE 20971520
[2010-09-19 23:14:40] 6< 250-PIPELINING
[2010-09-19 23:14:40] 6< 250-DSN
[2010-09-19 23:14:40] 6< 250-ENHANCEDSTATUSCODES
[2010-09-19 23:14:40] 6< 250-AUTH NTLM LOGIN
[2010-09-19 23:14:40] 6< 250-8BITMIME
[2010-09-19 23:14:40] 6< 250-BINARYMIME
[2010-09-19 23:14:40] 6< 250 CHUNKING
[2010-09-19 23:14:40] SASL local ip: 192.168.1.36;64383, remote ip:163.1.74.81;587
[2010-09-19 23:14:40] External SSF: 128
[2010-09-19 23:14:40] Authenticating (NTLM)...
[2010-09-19 23:14:40] 6> AUTH NTLM [snip hash]
[2010-09-19 23:14:40] 6< 334 [snip long hash]
[2010-09-19 23:14:40] mutt_sasl_cb_authname: getting authname for mail.physics.ox.ac.uk:587
[2010-09-19 23:14:43] 6> [snip long hash]
[2010-09-19 23:14:48] 6< 535 5.7.3 Authentication unsuccessful
[2010-09-19 23:14:48] SASL authentication failed
Post by Brendan Cully
By the way, if I had to guess I'd say that the problem is that the
server is advertising NTLM authentication but really only wants a
plain password. You can fix this by setting
smtp_authenticators="plain" in your muttrc, instead of letting SASL
pick the strongest it can find.
[2010-09-19 23:10:21] smtp_authenticate: Trying method plain
[...]
[2010-09-19 23:10:25] Authenticating (PLAIN)...
[2010-09-19 23:10:25] 6> AUTH PLAIN [snip hash]
[2010-09-19 23:10:30] 6< 504 5.7.4 Unrecognized authentication type
[2010-09-19 23:10:30] SASL authentication failed
so I assume that plain is not right. (This ties in with the NTLM method Apple Mail autoselects and successfully uses for this server following a test connection.)
try "login" instead of plain. The server is advertising "AUTH NTLM
LOGIN" above.
Michael Williams
2010-09-19 21:45:01 UTC
Post by Brendan Cully
try "login" instead of plain. The server is advertising "AUTH NTLM
LOGIN" above.
That's it! Thanks very much!

-- Mike
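
Added example (not part of the original thread and not mutt's own code): a small Python check that reads a mutt -d2 style trace, extracts the AUTH mechanisms the server advertises before and after STARTTLS, and compares them with a colon-separated smtp_authenticators value. The helper names (advertised_auth, check_authenticators, cleartext_before_tls) are hypothetical, and the sample trace is abridged from the log posted above.

```python
import re

# Abridged from the mutt -d2 trace posted in the thread (client IP omitted).
TRACE = """\
[2010-09-19 23:14:39] 6< 250-STARTTLS
[2010-09-19 23:14:39] 6< 250-AUTH NTLM
[2010-09-19 23:14:39] 6< 250 CHUNKING
[2010-09-19 23:14:39] 6> STARTTLS
[2010-09-19 23:14:39] 6< 220 2.0.0 SMTP server ready
[2010-09-19 23:14:40] 6< 250-ENHANCEDSTATUSCODES
[2010-09-19 23:14:40] 6< 250-AUTH NTLM LOGIN
[2010-09-19 23:14:40] 6< 250 CHUNKING
"""

CLEARTEXT = {"PLAIN", "LOGIN"}  # mechanisms that send the password itself


def advertised_auth(trace):
    """Return (mechanisms before STARTTLS, mechanisms after STARTTLS)."""
    phases = [set(), set()]
    tls = 0
    for line in trace.splitlines():
        line = re.sub(r"^\[[^\]]*\]\s*", "", line.strip())  # drop "[timestamp]"
        if re.match(r"\d+> STARTTLS", line):
            tls = 1  # everything after this belongs to the second EHLO
            continue
        m = re.match(r"\d+< 250[- ]AUTH[ =](.*)", line, re.I)
        if m:
            phases[tls].update(x.upper() for x in m.group(1).split())
    return phases[0], phases[1]


def check_authenticators(setting, trace):
    """Classify each mechanism in a colon-separated smtp_authenticators value."""
    _, after = advertised_auth(trace)
    result = {}
    for mech in (m.upper() for m in setting.split(":") if m):
        # In the thread, an unadvertised mechanism was answered with 504 5.7.4.
        result[mech] = "advertised" if mech in after else "not advertised"
    return result


def cleartext_before_tls(trace):
    """Mechanisms that would expose the password if used before STARTTLS."""
    before, _ = advertised_auth(trace)
    return before & CLEARTEXT


if __name__ == "__main__":
    for value in ("plain", "login"):
        print(value, check_authenticators(value, TRACE))
    print("cleartext offered before TLS:", cleartext_before_tls(TRACE) or "none")
```

LOGIN sends the password base64-encoded rather than hashed, so it is protected only by the TLS session, which is consistent with this server offering it only after STARTTLS.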
