Relay implementation does not work on smtp outlook

france · May 16, 2024, 2:17pm

Hello everyone, I finally saw the implementation of the relay on mail with the v 1.40

Unfortunately, compared to the previous tests, nothing has changed compared to the manual configuration with podman, that is, I always get the same error using TLS and port 587:

SASL authentication failed; cannot authenticate to server smtp-mail.outlook.com[52.98.159.22]: no mechanism available

On neth7 it always worked …Without further changes .

davidep · May 16, 2024, 4:12pm

Where did you find this error? Is it from the UI validation or is it a Mail log line?

I don’t have an Outlook account to run a test, but from that server response AUTH LOGIN is available so I’d expect it works…

openssl s_client -starttls smtp -connect smtp-mail.outlook.com:587 -crlf
...
EHLO nethesis.it
250-MI1P293CA0024.outlook.office365.com Hello [80.17.99.73]
250-SIZE 157286400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-AUTH LOGIN XOAUTH2
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8
QUIT
DONE

france · May 16, 2024, 4:27pm

Hi Davide and thank you for answering, what you read is from the gui, but to follow you will report an excerpt from the journal …

May 16 18:25:45 ns8 postfix/smtp[12141]: Untrusted TLS connection established to smtp-mail.outlook.com[52.98.163.38]:587: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (secp384r1) server-signature RSA-PSS (2048 bits) server-digest SHA256
May 16 18:25:45 ns8 postfix/smtp[12141]: warning: SASL authentication failure: No worthy mechs found
May 16 18:25:45 ns8 postfix/smtp[12141]: 0BAF0A4C31: SASL authentication failed; cannot authenticate to server smtp-mail.outlook.com[52.98.163.38]: no mechanism available

davidep · May 16, 2024, 4:31pm

So you saved a relay rule but mail cannot be sent, can you confirm?

If so, there is probably a bug in the Postfix container.

france · May 16, 2024, 6:20pm

Yes, here is the rule:

france · May 16, 2024, 6:21pm

I don’t know but probably, as as previously written on neth7 it has been working wonderfully for years.

davidep · May 17, 2024, 11:31am

Bug filed here

github.com/NethServer/dev

No auth mechanism available with Mail relay rule

opened 11:28AM - 17 May 24 UTC

DavidePrincipi

bug

The SMTP AUTH LOGIN authentication method is not considered valid by the Mail SM…TP client. Some SMTP servers (e.g. Outlook.com) do not provide the PLAIN method and our client does not support LOGIN as it used to do in NS7: the SMTP authentication fails with a `no mechanism available` error message. **Steps to reproduce** - Add a [custom configuration](https://github.com/NethServer/ns8-mail/blob/main/README.md#postfix-custom-configuration) directive for Postfix smtpd service: `smtpd_sasl_mechanism_filter = login`. This actually disables the PLAIN method. - Configure a "fake" relay rule: - destination: `administrator@fake.test` - hostname: `10.5.4.1` (Mail itself) - port: `10587` unencrypted local-only - authentication: ENABLED, set credentials of a valid Mail user - TLS: DISABLED, not needed for this test - Save the rule - Send a test message: connect to port 587 or 465 with your MUA (Thunderbird?) and send a message to `administrator@fake.test` - Go to the Mail Queue page **Expected behavior** Apart from the `fake.test` domain which is an undeliverable domain, the message should be delivered after a succesful SMTP authentication. The Mail log evidence should be something like 2024-05-17T13:23:38+02:00 [1:mail3:postfix/smtpd] 581C96C756475: client=cluster-localnode[10.5.4.1], sasl_method=LOGIN, sasl_username=davidep2 **Actual behavior** The message is in the queue. If you see the message delay reason is SASL authentication failed; cannot authenticate to server 10.5.4.1[10.5.4.1]: no mechanism available It seems Postfix does not support LOGIN method: maybe the container is missing some Cyrus library? **Components** Mail 1.4.0 **See also** https://community.nethserver.org/t/relay-implementation-does-not-work-on-smtp-outlook/23659 ---- Thanks to **france**

stephdl · May 21, 2024, 10:02am

github.com/NethServer/ns8-mail

Add cyrus-sasl-login package to postfix installation

NethServer:main ← NethServer:sdl-6926

opened 07:30AM - 21 May 24 UTC

stephdl

+1 -1

This pull request adds the `cyrus-sasl-login` package to the postfix installatio…n. This package is required for certain authentication methods in postfix. https://github.com/NethServer/dev/issues/6926 side note for the testing I did differently to test my code - create directly an account to outlook.com with credential - install a mail server - force to use login instead of plain authentication with the custom template - install roundcubemail - create a default relay rule to send by outlook.com - send an email to foo@domain.com with roundcubemail - you get this error and you cannot authenticate to outlook.com `May 21 09:26:17 mail postfix/smtp[69385]: 7AE9D18016D01: to=<foo@domain.com>, relay=smtp-mail.outlook.com[52.98.243.6]:587, delay=0.4, delays=0.34/0/0.06/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server smtp-mail.outlook.com[52.98.243.6]: no mechanism available)` - upgrade the mail server to this build - send an email to foo@domain.com with roundcubemail - you get an error message different that the policy of outlook forbid to send an email with the identity of another `May 21 09:28:26 mail postfix/smtp[70233]: 0020D1801FDC1: to=<foo@domain.com>, relay=smtp-mail.outlook.com[52.98.252.246]:587, delay=1.9, delays=1.2/0.02/0.35/0.34, dsn=5.2.252, status=bounced (host smtp-mail.outlook.com[52.98.252.246] said: 554 5.2.252 SendAsDenied; foo@outlook.com not allowed to send as administrator@mail.sdl.nethserver.net; STOREDRV.Submission.Exception:SendAsDeniedException.MapiExceptionSendAsDenied; Failed to process message due to a permanent exception with message [BeginDiagnosticData]Cannot submit message. 1.84300:0A000000, 1.84300:0A000000, 1.84300:0E000000, 1.84300:32000000, 1.116652:E71C0000, 1.81836:36020000, 0.117068:0B000000, 1.79180:0A000000, 1.79180:0A000000, 1.79180:0E000000, 1.79180:32000000, 1.79180:FA000000, 0.73100:18000000, 0.38698:05000780, 1.41134:87000000, 1.41134:47000000, 0.37692:87000000, 0.37948:87000000, 5.33852:00000000534D545000000100, 7.36354:010000000000010901000000, 4.56248:DC040000, 7.40748:010000000000010B04000000, 7.57132:00000000000`

stephdl · May 21, 2024, 12:48pm

api-cli run update-module --data '{"module_url":"ghcr.io/nethserver/mail:1.4.1-dev.1","instances":["mail1"],"force":true}'

if you want to test the fix to help the development, adjust with the module_id of your mail module (check the status page of the module)

france · May 21, 2024, 5:49pm

Of course you do! Can I run that is, that you wrote directly from the shell?

stephdl · May 21, 2024, 6:54pm

Take a snapshot before you test and again try to use outlook as relay, adjust to hour module id of your mail server

france · May 21, 2024, 7:20pm

So @stephdl I performed a snap , and activated the relay . I sent two emails to the domain.gmail and icloud (the most awaited domains to receive spam …) and they both arrived.

Here is an excerpt from the journal:slight_smile:

ay 21 21:15:35 ns8 dovecot[131693]: imap(francesco)<219><x7l3pPsY3KQKBQQB>: save: box=Sent, uid=68, msgid=<cd4b116288526bfd9c716799691c9f53@internal.lan>, from=Francesco<francesco@internal.lan>, subject=prova finale relay, flags=(\Seen)
May 21 21:15:35 ns8 roundcubemail-app[3812]: 10.0.2.100 - - [21/May/2024:19:15:34 +0000] "POST /?_task=mail&_unlock=loading1716318934450&_framed=1&_lang=en HTTP/1.1" 200 894 "https://pegana.duckdns.org/?_task=mail&_action=compose&_id=525759339664cf2c21d5d0&_extwin=1" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5 Safari/605.1.15"
May 21 21:15:35 ns8 traefik[2344]: 192.168.3.2 - - [21/May/2024:19:15:34 +0000] "POST /?_task=mail&_unlock=loading1716318934450&_framed=1&_lang=en HTTP/1.1" 200 346 "-" "-" 21751 "roundcubemail1-https@file" "http://127.0.0.1:20011" 1066ms
May 21 21:15:35 ns8 dovecot[131693]: imap(francesco)<219><x7l3pPsY3KQKBQQB>: Disconnected: Logged out in=940 out=760 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
May 21 21:15:35 ns8 samba-dc[3110]: TLS ../../source4/lib/tls/tls_tstream.c:1378 - Decryption has failed.
May 21 21:15:35 ns8 postfix/smtp[132692]: connect to smtp-mail.outlook.com[2603:1026:c09:82f::6]:587: Network unreachable
May 21 21:15:35 ns8 samba-dc[3110]: TLS ../../source4/lib/tls/tls_tstream.c:1378 - Decryption has failed.
May 21 21:15:35 ns8 samba-dc[3110]: TLS ../../source4/lib/tls/tls_tstream.c:1378 - Decryption has failed.
May 21 21:15:35 ns8 postfix/smtp[132692]: Untrusted TLS connection established to smtp-mail.outlook.com[52.98.200.230]:587: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (secp384r1) server-signature RSA-PSS (2048 bits) server-digest SHA256
May 21 21:15:36 ns8 postfix/smtp[132692]: AD1EAB5AC0: to=<xxxxxxxx@icloud.com>, relay=smtp-mail.outlook.com[52.98.200.230]:587, delay=2.2, delays=0.74/0.01/1.1/0.32, dsn=2.0.0, status=sent (250 2.0.0 OK <AS8P251MB01206BC3B9EE80AB3029F5B3B2EA2@AS8P251MB0120.EURP251.PROD.OUTLOOK.COM> [Hostname=AS8P251MB0120.EURP251.PROD.OUTLOOK.COM])

france · May 21, 2024, 7:47pm

I deleted the snap . Can I leave your update that I assume will be updated when you release the correct version? Thank you .