

Discussion: Saslauth Interaction With Apple IPad
Group: comp.mail.sendmail
Posts: 10

Tim Daneliuk
Sun, 14 Aug 2011 10:52:10 -0500
I have a sendmail FreeBSD installation that has worked fine for some
years. Internal and external users are able to connect and send mail
without any authentication if the destination is an internal user and
authenticate if they wish to relay.

I have a new situation, however, that is maddening - a new Apple iPad 2.
If I set up its mail client to talk to port 587 without login
credentials or SSL, I can send mail to local recipients. This doesn't
work, of course, if I attempt to relay... So, then I add login creds
but in every case, I get an error back from the iPad mail client
telling me the user name/password is invalid. What sendmail says
when this is attempted is:

....did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA

?????

Like I said, I can use saslauth with login creds from a variety of
internal and external systems with, say, Thunderbird, no problem. The
relevant portion of the .mc file follows. (The first two lines
commented out were what I started with. The corresponding lines below
are what I'm using currently for testing.) Any help on this would be
most appreciated:


dnl TRUST_AUTH_MECH(`PLAIN LOGIN')dnl
dnl define(`confAUTH_MECHANISMS',`PLAIN LOGIN')dnl

TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

define(`confAUTH_OPTIONS',`A p')dnl

define(`CERT_DIR', `/usr/local/certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/mailcert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/mailcert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/mailkey.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/mailcert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/mailkey.pem')dnl

DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl






Doug Hardie
Aug 14, 2011 - 01:54:29 pm EST
In article ,
Tim Daneliuk wrote:

> I have a sendmail FreeBSD installation that has worked fine for some
> years. Internal and external users are able to connect and send mail
> without any authentication if the destination is an internal user and
> authenticate if they wish to relay.
>
> I have a new situation, however, that is maddening - a new Apple iPad 2.
> If I set up its mail client to talk to port 587 without login
> credentials or SSL, I can send mail to local recipients. This doesn't
> work, of course, if I attempt to relay... So, then I add login creds
> but in every case, I get an error back from the iPad mail client
> telling me the user name/password is invalid. What sendmail says
> when this is attempted is:
>
> ....did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
>
> ?????
>
> Like I said, I can use saslauth with login creds from a variety of
> internal and external systems with, say, Thunderbird, no problem. The
> relevant portion of the .mc file follows. (The first two lines
> commented out were what I started with. The corresponding lines below
> are what I'm using currently for testing.) Any help on this would be
> most appreciated:
>
>
> dnl TRUST_AUTH_MECH(`PLAIN LOGIN')dnl
> dnl define(`confAUTH_MECHANISMS',`PLAIN LOGIN')dnl
>
> TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
> define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
>
> define(`confAUTH_OPTIONS',`A p')dnl
>
> define(`CERT_DIR', `/usr/local/certs')dnl
> define(`confCACERT_PATH', `CERT_DIR')dnl
> define(`confCACERT', `CERT_DIR/mailcert.pem')dnl
> define(`confSERVER_CERT', `CERT_DIR/mailcert.pem')dnl
> define(`confSERVER_KEY', `CERT_DIR/mailkey.pem')dnl
> define(`confCLIENT_CERT', `CERT_DIR/mailcert.pem')dnl
> define(`confCLIENT_KEY', `CERT_DIR/mailkey.pem')dnl
>
> DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
> DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl

Every time I have encountered that error message the client has not
issued a STARTTLS command. Instead they have used an SSL tunnel to
mail. You can verify this by doing a tcpdump on the connection. When
the tunnel is used, there are no mail commands sent in the clear.
Sendmail finds nothing usable.

I have often found (pc clients) that using a completely non-standard
port will cause them to actually use STARTTLS rather than the tunnel. I
have not encountered this problem with Apple's mail.app on a Mac. It
does STARTTLS normally on any port. Apparently the iPad is different.
There may be a setting for it that will affect that but I don't know of
any for the Mac.
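
Added example (not part of the original post): a way to apply the tcpdump check described above, by classifying a connection from the first client-to-server payloads as an SSL tunnel, a STARTTLS upgrade, or plaintext SMTP. The payloads, host names and function names are constructed for illustration.

```python
# Added example: classify how a client opened an SMTP connection.
SMTP_VERBS = {b"EHLO", b"HELO", b"STARTTLS", b"AUTH", b"MAIL", b"RCPT",
              b"DATA", b"RSET", b"NOOP", b"QUIT"}

def is_client_hello(payload: bytes) -> bool:
    """True if payload starts with a TLS or SSLv2-compatible ClientHello."""
    # TLS record: type 0x16 (handshake), version 3.x, 2-byte length,
    # then handshake message type 0x01 (ClientHello).
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03:
        return payload[5] == 0x01
    # SSLv2-compatible hello: high bit set in the length, message type 0x01.
    return len(payload) >= 3 and bool(payload[0] & 0x80) and payload[2] == 0x01

def smtp_verb(payload: bytes):
    """Return the SMTP verb of a plaintext command line, or None."""
    words = payload.split(None, 1)
    verb = words[0].upper() if words else b""
    return verb if verb in SMTP_VERBS else None

def classify_session(client_payloads) -> str:
    """Classify a connection from its ordered client-to-server payloads."""
    saw_starttls = False
    for index, payload in enumerate(client_payloads):
        if is_client_hello(payload):
            if index == 0:
                return "implicit-tls"          # tunnel from the first byte
            return "starttls" if saw_starttls else "tls-without-starttls"
        verb = smtp_verb(payload)
        if verb is None:
            return "unknown"
        saw_starttls = saw_starttls or verb == b"STARTTLS"
    return "plaintext"

# Constructed payloads (not captured traffic).
HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01, 0x00, 0x00, 0x2B, 0x03, 0x01])
SSLV2_HELLO = bytes([0x80, 0x2E, 0x01, 0x03, 0x01])
TUNNEL = [HELLO]
UPGRADE = [b"EHLO client.example\r\n", b"STARTTLS\r\n", HELLO]
CLEAR = [b"EHLO client.example\r\n", b"MAIL FROM:<user@example.org>\r\n"]

if __name__ == "__main__":
    for name, session in (("tunnel", TUNNEL), ("upgrade", UPGRADE), ("clear", CLEAR)):
        print(name, classify_session(session))
```

An "implicit-tls" result on a port whose daemon is not started with `M=s` matches the case described above: the server sees no mail commands in the clear.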



Andrzej Adam Filip
Aug 14, 2011 - 02:23:46 pm EST
Doug Hardie wrote:
> In article ,
> Tim Daneliuk wrote:
>
>> I have a sendmail FreeBSD installation that has worked fine for some
>> years. Internal and external users are able to connect and send mail
>> without any authentication if the destination is an internal user and
>> authenticate if they wish to relay.
>>
>> I have a new situation, however, that is maddening - a new Apple iPad 2.
>> If I set up its mail client to talk to port 587 without login
>> credentials or SSL, I can send mail to local recipients. This doesn't
>> work, of course, if I attempt to relay... So, then I add login creds
>> but in every case, I get an error back from the iPad mail client
>> telling me the user name/password is invalid. What sendmail says
>> when this is attempted is:
>>
>> ....did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
>>
>> ?????
>>
>> Like I said, I can use saslauth with login creds from a variety of
>> internal and external systems with, say, Thunderbird, no problem. The
>> relevant portion of the .mc file follows. (The first two lines
>> commented out were what I started with. The corresponding lines below
>> are what I'm using currently for testing.) Any help on this would be
>> most appreciated:
>>
>>
>> dnl TRUST_AUTH_MECH(`PLAIN LOGIN')dnl
>> dnl define(`confAUTH_MECHANISMS',`PLAIN LOGIN')dnl
>>
>> TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
>> define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
>>
>> define(`confAUTH_OPTIONS',`A p')dnl
>>
>> define(`CERT_DIR', `/usr/local/certs')dnl
>> define(`confCACERT_PATH', `CERT_DIR')dnl
>> define(`confCACERT', `CERT_DIR/mailcert.pem')dnl
>> define(`confSERVER_CERT', `CERT_DIR/mailcert.pem')dnl
>> define(`confSERVER_KEY', `CERT_DIR/mailkey.pem')dnl
>> define(`confCLIENT_CERT', `CERT_DIR/mailcert.pem')dnl
>> define(`confCLIENT_KEY', `CERT_DIR/mailkey.pem')dnl
>>
>> DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
>> DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
>
> Every time I have encountered that error message the client has not
> issued a STARTTLS command. Instead they have used an SSL tunnel to
> mail. You can verify this by doing a tcpdump on the connection. When
> the tunnel is used, there are no mail commands sent in the clear.
> Sendmail finds nothing usable.
>
> I have often found (pc clients) that using a completely non-standard
> port will cause them to actually use STARTTLS rather than the tunnel. I
> have not encountered this problem with Apple's mail.app on a Mac. It
> does STARTTLS normally on any port. Apparently the iPad is different.
> There may be a setting for it that will affect that but I don't know of
> any for the Mac.

Tim, try using smtps (port 465) you have already configured to test Doug's guess.

--
[pl>en Andrew] Andrzej A. Filip : anfi [No Spam] onet.eu : Andrzej.Filip [No Spam] gmail.com
If you took all of the grains of sand in the world, and lined
them up end to end in a row, you'd be working for the government!
-- Mr. Interesting



Tim Daneliuk
Aug 14, 2011 - 03:35:04 pm EST
On 8/14/2011 1:23 PM, Andrzej Adam Filip wrote:
> Doug Hardie wrote:
>> In article,
>> Tim Daneliuk wrote:
>>
>>> I have a sendmail FreeBSD installation that has worked fine for some
>>> years. Internal and external users are able to connect and send mail
>>> without any authentication if the destination is an internal user and
>>> authenticate if they wish to relay.
>>>
>>> I have a new situation, however, that is maddening - a new Apple iPad 2.
>>> If I set up its mail client to talk to port 587 without login
>>> credentials or SSL, I can send mail to local recipients. This doesn't
>>> work, of course, if I attempt to relay... So, then I add login creds
>>> but in every case, I get an error back from the iPad mail client
>>> telling me the user name/password is invalid. What sendmail says
>>> when this is attempted is:
>>>
>>> ....did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
>>>
>>> ?????
>>>
>>> Like I said, I can use saslauth with login creds from a variety of
>>> internal and external systems with, say, Thunderbird, no problem. The
>>> relevant portion of the .mc file follows. (The first two lines
>>> commented out were what I started with. The corresponding lines below
>>> are what I'm using currently for testing.) Any help on this would be
>>> most appreciated:
>>>
>>>
>>> dnl TRUST_AUTH_MECH(`PLAIN LOGIN')dnl
>>> dnl define(`confAUTH_MECHANISMS',`PLAIN LOGIN')dnl
>>>
>>> TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
>>> define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
>>>
>>> define(`confAUTH_OPTIONS',`A p')dnl
>>>
>>> define(`CERT_DIR', `/usr/local/certs')dnl
>>> define(`confCACERT_PATH', `CERT_DIR')dnl
>>> define(`confCACERT', `CERT_DIR/mailcert.pem')dnl
>>> define(`confSERVER_CERT', `CERT_DIR/mailcert.pem')dnl
>>> define(`confSERVER_KEY', `CERT_DIR/mailkey.pem')dnl
>>> define(`confCLIENT_CERT', `CERT_DIR/mailcert.pem')dnl
>>> define(`confCLIENT_KEY', `CERT_DIR/mailkey.pem')dnl
>>>
>>> DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
>>> DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
>>
>> Every time I have encountered that error message the client has not
>> issued a STARTTLS command. Instead they have used an SSL tunnel to
>> mail. You can verify this by doing a tcpdump on the connection. When
>> the tunnel is used, there are no mail commands sent in the clear.
>> Sendmail finds nothing usable.
>>
>> I have often found (pc clients) that using a completely non-standard
>> port will cause them to actually use STARTTLS rather than the tunnel. I
>> have not encountered this problem with Apple's mail.app on a Mac. It
>> does STARTTLS normally on any port. Apparently the iPad is different.
>> There may be a setting for it that will affect that but I don't know of
>> any for the Mac.
>
> Tim, try using smtps (port 465) you have already configured to test Doug's guess.
>

And the weirdness continues when I do that:
Aug 14 14:33:09 x*x sm-mta-in[57336]: STARTTLS=server, error: accept failed=0, SSL_error=5, errno=0, retry=-1, relay=YYY
Aug 14 14:33:09 x*x sm-mta-in[57336]: p7EJWEuB057336: YYY did not issue MAIL/EXPN/VRFY/ETRN during connection to TLSMTA
Aug 14 14:33:16 x*x sm-mta-in[57351]: p7EJXEjw057351: YYY did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
Aug 14 14:33:23 x*x sm-mta-in[57354]: p7EJXLGT057354: YYY did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
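
Added example (not part of the original post): a small parser that groups these sendmail log lines by process id and separates sessions that ended with a logged TLS accept error from sessions that simply ended without mail commands. It assumes one sendmail child process per connection; the function and verdict names are made up for this example.

```python
import re
from collections import defaultdict

# The four log lines from the post above, as posted (host and relay redacted).
SAMPLE_LOG = """\
Aug 14 14:33:09 x*x sm-mta-in[57336]: STARTTLS=server, error: accept failed=0, SSL_error=5, errno=0, retry=-1, relay=YYY
Aug 14 14:33:09 x*x sm-mta-in[57336]: p7EJWEuB057336: YYY did not issue MAIL/EXPN/VRFY/ETRN during connection to TLSMTA
Aug 14 14:33:16 x*x sm-mta-in[57351]: p7EJXEjw057351: YYY did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
Aug 14 14:33:23 x*x sm-mta-in[57354]: p7EJXLGT057354: YYY did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
"""

# syslog prefix: "Mon DD HH:MM:SS host program[pid]: message"
LINE = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\s[\w-]+\[(?P<pid>\d+)\]:\s(?P<msg>.*)$")
TLS_ERROR = re.compile(r"STARTTLS=server, error: .*SSL_error=(?P<code>\d+)")
NO_COMMANDS = re.compile(r"did not issue MAIL/EXPN/VRFY/ETRN during connection to (?P<daemon>\S+)")

# OpenSSL SSL_get_error() codes that show up in this log field.
SSL_ERRORS = {1: "SSL_ERROR_SSL", 5: "SSL_ERROR_SYSCALL", 6: "SSL_ERROR_ZERO_RETURN"}

def diagnose(log_text):
    """Return one (pid, daemon, verdict, ssl_error) tuple per abandoned session."""
    sessions = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        session = sessions[m["pid"]]
        tls = TLS_ERROR.search(m["msg"])
        if tls:
            code = int(tls["code"])
            session["ssl_error"] = SSL_ERRORS.get(code, f"SSL_error={code}")
        gone = NO_COMMANDS.search(m["msg"])
        if gone:
            session["daemon"] = gone["daemon"]
    report = []
    for pid, s in sorted(sessions.items(), key=lambda kv: int(kv[0])):
        if "daemon" not in s:
            continue  # process logged something else; not an abandoned session
        verdict = "tls_handshake_failed" if "ssl_error" in s else "no_mail_commands"
        report.append((pid, s["daemon"], verdict, s.get("ssl_error")))
    return report

if __name__ == "__main__":
    for row in diagnose(SAMPLE_LOG):
        print(row)
```

On these lines only the port 465 (TLSMTA) session carries a TLS accept error; the two MSA sessions end with no TLS error logged at all.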



Tim Daneliuk
Aug 14, 2011 - 07:09:51 pm EST
On 8/14/2011 10:52 AM, Tim Daneliuk wrote:
> I have a sendmail FreeBSD installation that has worked fine for some
> years. Internal and external users are able to connect and send mail
> without any authentication if the destination is an internal user and
> authenticate if they wish to relay.
>
> I have a new situation, however, that is maddening - a new Apple iPad 2.
> If I set up its mail client to talk to port 587 without login
> credentials or SSL, I can send mail to local recipients. This doesn't
> work, of course, if I attempt to relay... So, then I add login creds
> but in every case, I get an error back from the iPad mail client
> telling me the user name/password is invalid. What sendmail says
> when this is attempted is:
>
> ....did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
>
> ?????
>
> Like I said, I can use saslauth with login creds from a variety of
> internal and external systems with, say, Thunderbird, no problem. The
> relevant portion of the .mc file follows. (The first two lines
> commented out were what I started with. The corresponding lines below
> are what I'm using currently for testing.) Any help on this would be
> most appreciated:
>
>
> dnl TRUST_AUTH_MECH(`PLAIN LOGIN')dnl
> dnl define(`confAUTH_MECHANISMS',`PLAIN LOGIN')dnl
>
> TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
> define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
>
> define(`confAUTH_OPTIONS',`A p')dnl
>
> define(`CERT_DIR', `/usr/local/certs')dnl
> define(`confCACERT_PATH', `CERT_DIR')dnl
> define(`confCACERT', `CERT_DIR/mailcert.pem')dnl
> define(`confSERVER_CERT', `CERT_DIR/mailcert.pem')dnl
> define(`confSERVER_KEY', `CERT_DIR/mailkey.pem')dnl
> define(`confCLIENT_CERT', `CERT_DIR/mailcert.pem')dnl
> define(`confCLIENT_KEY', `CERT_DIR/mailkey.pem')dnl
>
> DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
> DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl


It seems that the problem was that the iPad does NOT support dsa ciphers.
I went back and regenerated the certs using rsa 2048 bit and everything
started working just fine (I confirmed this by reinstalling the old dsa
certs and watching it break again).

It did require connecting to port 465 with SSL enabled. Connection
to 587 seems to not work no matter what.

So ... for anyone working with iPads: THEY DON'T SUPPORT DSA!!!!

One last question:

What is the difference between the following two options:

define(`confAUTH_OPTIONS',`A p')
define(`confAUTH_OPTIONS',`p')

That is, does the 'A' option do anything I care about???


Thanks to Doug and Andrzej for the helping hand!





Andrzej Adam Filip
Aug 15, 2011 - 02:55:29 pm EST
Tim Daneliuk wrote:
> On 8/14/2011 10:52 AM, Tim Daneliuk wrote:
>> [...]
>> DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
>> DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
> [...]
> One last question:
>
> What is the difference between the following two options:
>
> define(`confAUTH_OPTIONS',`A p')
> define(`confAUTH_OPTIONS',`p')
>
> That is, does the 'A' option do anything I care about???

http://www.sendmail.org/m4/tweaking_config.html#confAUTH_OPTIONS

> Thanks to Doug and Andrzej for the helping hand!

BTW: Have you considered compulsory authentication for messages
submitted over smtps (465) and msa (587)?
[ reject messages without preceding successful SMTP AUTH ]

--
[pl>en Andrew] Andrzej A. Filip : anfi [No Spam] onet.eu : Andrzej.Filip [No Spam] gmail.com
Go ahead... make my day.
-- Dirty Harry


