SMTP Authentication

[Kamal]

What is the protocol used when "My Outgoing Server Requires
Authentication" is used with Outlook SMTP?

I tried connecting Outlook to a Postfix Server using SASL but it didn't
work.

 

[neo [mvp outlook]]

Checking that box does not mean that Outlook will secure the connection via
SSL/SASL/SSMTP/TLS. It just means that it will use the AUTH LOGIN smtp verb
before doing anything else. You would go to the last tab and check a box if
you are trying to secure the connection.

/neo

ps - outlook 2003 (and most likely earlier versions) have a problem with
secure smtp when using non-standard ports. (non-standard = anything that
isn't port 25 or 465)

 

[Kamal]

Checking that box does not mean that Outlook will secure the connection via
SSL/SASL/SSMTP/TLS.

I didn't mention anything about a secure connection in my email. I just
want a user to be authenticated using a username/password when using SMTP.

It just means that it will use the AUTH LOGIN smtp verb

before doing anything else.

I did some packet analysis and found out that Outlook completely ignores
the "250-AUTH=PLAIN OTP DIGEST-MD5 CRAM-MD5" statement from the SASL
server & directly sends a "Mail from:<email>" & then a "Rcpt to:<email>".

 

[neo [mvp outlook]]

I can check with someone in MS that knows how SMTP was implemented to see if
Outlook can handle AUTH=PLAIN but I think Microsoft products tend to use the
AUTH LOGIN and AUTH=LOGIN verbs. No promises though that I will be able to
provide an answer... okay?

/neo

 

[Jeff Stephenson [MSFT]]

I can check with someone in MS that knows how SMTP was implemented to see if
Outlook can handle AUTH=PLAIN but I think Microsoft products tend to use the
AUTH LOGIN and AUTH=LOGIN verbs. No promises though that I will be able to
provide an answer... okay?

I'm the someone ;-). At present, Outlook only supports the LOGIN and NTLM
(a proprietary protocol) in SASL.

 

[Kamal]

I'm the someone ;-). At present, Outlook only supports the LOGIN and NTLM
(a proprietary protocol) in SASL.

OK. Any idea then which mail servers support these protocols (LOGIN &
NTLM) in SASL?

 

[Jeff Stephenson [MSFT]]

OK. Any idea then which mail servers support these protocols (LOGIN &
NTLM) in SASL?

Well, the only server I know of that supports NTLM is Exchange - it's a
Microsoft proprietary mechanism, though I think that any server running on
a Windows machine *should* be able to use it - I just don't know that they
do.

I'm surprised that your server doesn't support LOGIN - I haven't seen one
up to now that supported SASL but didn't support LOGIN. What sort of
server are you trying to connect to? Note that LOGIN is also "proprietary"
in the sense that there is not an RFC for it, but it's a well-known
mechanism developed originally by Netscape (I think) that most everyone has
added to SASL without an RFC on it...

 

[Kamal]

Well, the only server I know of that supports NTLM is Exchange - it's a
Microsoft proprietary mechanism, though I think that any server running on
a Windows machine *should* be able to use it - I just don't know that they
do.

I'm surprised that your server doesn't support LOGIN - I haven't seen one
up to now that supported SASL but didn't support LOGIN. What sort of
server are you trying to connect to? Note that LOGIN is also "proprietary"
in the sense that there is not an RFC for it, but it's a well-known
mechanism developed originally by Netscape (I think) that most everyone has
added to SASL without an RFC on it...

I am using cyrus-sasl with postfix.
Seems that cyrus-sasl supports both NTLM & LOGIN authentication but not
by the default compilation. I have compiled this package with the 2
protocols enabled & now everything seems to be working fine.

Thank you very much for your assistance.

 

[Tim Winders via OfficeKB.com]

Hello, Jeff.

I have setup Postfix-2.3-20030315 with TLS/SASL to be able to use secure
SMTP and SMTP AUTH for mail relaying.

The problem I am having is that I can't get Outlook 2003 nor OE6 to AUTH to
the server. I have checked the "my outgoing server (SMTP) requires
authentication" and I have "This server requires and encrypted connection
(SSL)" checked, but I never see AUTH coming from Outlook. I do see it
setup the TLS connection, but it never authenticates.

I downloaded and installed Thunderbird 1.2 just to make sure that Postfix
was working properly and, indeed, I see the TLS setup, then the
authentication working properly and mail is relayed.

Here is a the log entries when using Thunderbird:

Mar 30 14:21:09 barney postfix/smtpd[340638]: connect from 216-117-112-
254.southplainscollege.edu[216.117.112.254]
Mar 30 14:21:09 barney postfix/smtpd[340638]: setting up TLS connection
from 216-117-112-254.southplainscollege.edu[216.117.112.254]
Mar 30 14:21:10 barney postfix/smtpd[340638]: TLS connection established
from 216-117-112-254.southplainscollege.edu[216.117.112.254]: TLSv1 with
cipher DHE-RSA-AES256-SHA (256/256 bits)
Mar 30 14:21:13 barney postfix/smtpd[340638]: 9B273168E: client=216-117-112-
254.southplainscollege.edu[216.117.112.254], sasl_method=PLAIN,
[email protected]
Mar 30 14:21:13 barney postfix/smtpd[340638]: disconnect from 216-117-112-
254.southplainscollege.edu[216.117.112.254]


and here is the log snippet when connecting with Outlook:

Mar 30 14:09:25 barney postfix/smtpd[336572]: connect from 216-117-112-
254.southplainscollege.edu[216.117.112.254]
Mar 30 14:09:25 barney postfix/smtpd[336572]: setting up TLS connection
from 216-117-112-254.southplainscollege.edu[216.117.112.254]
Mar 30 14:09:25 barney postfix/smtpd[336572]: TLS connection established
from 216-117-112-254.southplainscollege.edu[216.117.112.254]: TLSv1 with
cipher RC4-MD5 (128/128 bits)
Mar 30 14:09:25 barney postfix/smtpd[336572]: NOQUEUE: reject: RCPT from
216-117-112-254.southplainscollege.edu[216.117.112.254]: 550
<[email protected]>: Relay access denied;
from=<[email protected]> to=<[email protected]>
proto=ESMTP helo=<TWINDERSSNIFFER>
Mar 30 14:09:25 barney postfix/smtpd[336572]: disconnect from 216-117-112-
254.southplainscollege.edu[216.117.112.254]


as you can see, the mail server rejects the mail from outlook, because it
hasn't authenticated to the server.

Any suggestions on what to check for / change in Outlook?

 

[neo [mvp outlook]]

And what port is Outlook/OE connecting on? (Port 25 and the depreciated
port 465 [SSMTP] are the only two out of the box they support when it comes
to SSL/TLS. For Outlook 2003, you can apply
http://support.microsoft.com/default.aspx?scid=kb;en-us;887568&sd=RMVP in
order to support SSL/TLS on the message submission port of 587)

Hello, Jeff.

I have setup Postfix-2.3-20030315 with TLS/SASL to be able to use secure
SMTP and SMTP AUTH for mail relaying.

The problem I am having is that I can't get Outlook 2003 nor OE6 to AUTH
to
the server. I have checked the "my outgoing server (SMTP) requires
authentication" and I have "This server requires and encrypted connection
(SSL)" checked, but I never see AUTH coming from Outlook. I do see it
setup the TLS connection, but it never authenticates.

I downloaded and installed Thunderbird 1.2 just to make sure that Postfix
was working properly and, indeed, I see the TLS setup, then the
authentication working properly and mail is relayed.

Here is a the log entries when using Thunderbird:

Mar 30 14:21:09 barney postfix/smtpd[340638]: connect from 216-117-112-
254.southplainscollege.edu[216.117.112.254]
Mar 30 14:21:09 barney postfix/smtpd[340638]: setting up TLS connection
from 216-117-112-254.southplainscollege.edu[216.117.112.254]
Mar 30 14:21:10 barney postfix/smtpd[340638]: TLS connection established
from 216-117-112-254.southplainscollege.edu[216.117.112.254]: TLSv1 with
cipher DHE-RSA-AES256-SHA (256/256 bits)
Mar 30 14:21:13 barney postfix/smtpd[340638]: 9B273168E:
client=216-117-112-
254.southplainscollege.edu[216.117.112.254], sasl_method=PLAIN,
[email protected]
Mar 30 14:21:13 barney postfix/smtpd[340638]: disconnect from 216-117-112-
254.southplainscollege.edu[216.117.112.254]


and here is the log snippet when connecting with Outlook:

Mar 30 14:09:25 barney postfix/smtpd[336572]: connect from 216-117-112-
254.southplainscollege.edu[216.117.112.254]
Mar 30 14:09:25 barney postfix/smtpd[336572]: setting up TLS connection
from 216-117-112-254.southplainscollege.edu[216.117.112.254]
Mar 30 14:09:25 barney postfix/smtpd[336572]: TLS connection established
from 216-117-112-254.southplainscollege.edu[216.117.112.254]: TLSv1 with
cipher RC4-MD5 (128/128 bits)
Mar 30 14:09:25 barney postfix/smtpd[336572]: NOQUEUE: reject: RCPT from
216-117-112-254.southplainscollege.edu[216.117.112.254]: 550
<[email protected]>: Relay access denied;
from=<[email protected]> to=<[email protected]>
proto=ESMTP helo=<TWINDERSSNIFFER>
Mar 30 14:09:25 barney postfix/smtpd[336572]: disconnect from 216-117-112-
254.southplainscollege.edu[216.117.112.254]


as you can see, the mail server rejects the mail from outlook, because it
hasn't authenticated to the server.

Any suggestions on what to check for / change in Outlook?