Exim client not issuing STARTTLS when connecting to smarthost

eximnamecheapsmarthostsmtpstarttls

I have a Debian8 server running exim4 that sends outgoing mail by smarthost through NameCheap's mail.privateemail.com smtp server – or at least it use to. After a recent update, the server no longer accepts connections on port 25. I've reconfigured exim to use port 587 but can't send any mail.

The problem appears to occur during the STARTTLS handshaking. Initial connection succeeds, the server sends its 220 response, the exim client sends its ELHO command, and the server offers the 250 STARTTLS option. At that point, instead of replying with STARTTLS and establishing the secure connection, exim begins to send the message headers. To this the server sends a 530 "Must issue a STARTTLS command first" and the message delivery attempt aborts. Here is a snippet from the debug output from forcing delivery of a frozen message with exim -d -M:

Transport port=25 replaced by host-specific port=587
Connecting to mail.privateemail.com [198.54.122.60]:587 ... connected
waiting for data on socket
read response data: size=32
  SMTP<< 220 PrivateEmail.com Mail Node
198.54.122.60 in hosts_avoid_esmtp? no (option unset)
  SMTP>> EHLO efserver.hellonull.com
waiting for data on socket
read response data: size=22
  SMTP<< 250-STARTTLS
         250 OK
198.54.122.60 in hosts_require_tls? no (option unset)
198.54.122.60 in hosts_avoid_pipelining? no (option unset)
not using PIPELINING
198.54.122.60 in hosts_require_auth? no (option unset)
  SMTP>> MAIL FROM:<>
waiting for data on socket
read response data: size=41
  SMTP<< 530 Must issue a STARTTLS command first
ok=0 send_quit=1 send_rset=1 continue_more=0 yield=0 first_address is not NULL
  SMTP>> QUIT

Everything was working previously on port 25. Additionally, I am able to send outgoing mail using IceDove configured to use the same server, port, and STARTTLS. Can anyone explain why exim seems to be ignoring the STARTTLS offering from the server?

Best Answer

You can fix this by adding a hosts_require_tls option with the smarthost in the list to your configuration. This will cause Exim to send the STARTTLS command to establish a TLS connection. However, the hosts_avoid_tls option may override that setting.

You may want to try using port 465 (SSMTP). T It is documented as supported for incoming traffic. It does support for outgoing traffic. I've tested defining a smarthost as example.com:ssmtp instead of example.com.

Related Solutions

Set up Exim to authenticate users and then relay SMTP mail via smarthost using different auth

The two authentications are independent.

You enable Exim to authenticate on outgoing connections, with a client authenticator. You will need to configure a line in the Exim passwd.client file for each server you need to authenticate to. The man page for exim_passwd_client describes the format of the password file.

Incoming authentication is done with a server authenticator. These are likely commented out in the default configuration. The man page for exim_passwd describes the passwd file. You should consider enabling TLS on the submission port (587) for users to send messages. The following macros at the star of the file should enable incoming authentication.

auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
daemon_smtp_ports = 25 : 587

To allow authenticate users to send outgoing mail you will need to accept the connections at certain points. Where your configuration has rule to handle local senders like:

accept
   hosts = +relay_from_hosts
   control = submission/sender_retain

Add a rule like:

accept
   authenticated = *
   control = submission/sender_retain

Postfix – Fix Sender Address Rejected Using Multiple Addresses

You can use reject_authenticated_sender_login_mismatch

Make users for test

# saslpasswd2 -c -u example.net user1
# saslpasswd2 -c -u example.com user2

# sasldblistusers2
user2@example.com: userPassword
user1@example.net: userPassword

Do some basic tests. As you can see without reject_authenticated_sender_login_mismatch user can use in MAIL FROM whatever he want

# echo "Hello world" | swaks -s 127.0.0.1 --from user1@example.net --to user2@example.com --h-Subject "Test" --auth PLAIN --auth-user user1 --auth-password 1234567 --body -
=== Trying 127.0.0.1:25...
=== Connected to 127.0.0.1.
<-  220 mail.example.net ESMTP Postfix
 -> EHLO svn.example.net
<-  250-mail.example.net
<-  250-PIPELINING
<-  250-SIZE 10240000
<-  250-VRFY
<-  250-ETRN
<-  250-AUTH LOGIN PLAIN
<-  250-ENHANCEDSTATUSCODES
<-  250-8BITMIME
<-  250 DSN
 -> AUTH PLAIN AHVzZXIxADEyMzQ1Njc=
<-  235 2.7.0 Authentication successful
 -> MAIL FROM:<user1@example.net>
<-  250 2.1.0 Ok
 -> RCPT TO:<user2@example.com>
<-  250 2.1.5 Ok
 -> DATA
<-  354 End data with <CR><LF>.<CR><LF>
 -> Date: Thu, 25 Feb 2016 20:53:45 +0000
 -> To: user2@example.com
 -> From: user1@example.net
 -> Subject: Test
 -> X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
 ->
 -> Hello world
 ->
 ->
 -> .
<-  250 2.0.0 Ok: queued as E1D3D406CC
 -> QUIT
<-  221 2.0.0 Bye
=== Connection closed with remote host.

# grep E1D3D406CC /var/log/maillog
Feb 25 20:53:45 svn postfix/smtpd[56996]: E1D3D406CC: client=localhost[127.0.0.1], sasl_method=PLAIN, sasl_username=user1@example.net
Feb 25 20:53:45 svn postfix/cleanup[56999]: E1D3D406CC: message-id=<20160225205345.E1D3D406CC@mail.example.net>
Feb 25 20:53:45 svn postfix/qmgr[56990]: E1D3D406CC: from=<user1@example.net>, size=416, nrcpt=1 (queue active)
Feb 25 20:53:45 svn postfix/local[57000]: E1D3D406CC: to=<user2@example.com>, relay=local, delay=0.03, delays=0.02/0/0/0.01, dsn=2.0.0, status=sent (delivered to mailbox)
Feb 25 20:53:45 svn postfix/qmgr[56990]: E1D3D406CC: removed

# echo "Hello world" | swaks -s 127.0.0.1 --from non_exist-reply@example.net --to user2@example.com --h-Subject "Test" --auth PLAIN --auth-user user1 --auth-password 1234567 --body -
=== Trying 127.0.0.1:25...
=== Connected to 127.0.0.1.
<-  220 mail.example.net ESMTP Postfix
 -> EHLO svn.example.net
<-  250-mail.example.net
<-  250-PIPELINING
<-  250-SIZE 10240000
<-  250-VRFY
<-  250-ETRN
<-  250-AUTH LOGIN PLAIN
<-  250-ENHANCEDSTATUSCODES
<-  250-8BITMIME
<-  250 DSN
 -> AUTH PLAIN AHVzZXIxADEyMzQ1Njc=
<-  235 2.7.0 Authentication successful
 -> MAIL FROM:<non_exist_user@example.net>
<-  250 2.1.0 Ok
 -> RCPT TO:<user2@example.com>
<-  250 2.1.5 Ok
 -> DATA
<-  354 End data with <CR><LF>.<CR><LF>
 -> Date: Thu, 25 Feb 2016 20:55:13 +0000
 -> To: user2@example.com
 -> From: non_exist_user@example.net
 -> Subject: Test
 -> X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
 ->
 -> Hello world
 ->
 ->
 -> .
<-  250 2.0.0 Ok: queued as 94CBF4076C
 -> QUIT
<-  221 2.0.0 Bye
=== Connection closed with remote host.

# grep 94CBF4076C /var/log/maillog
Feb 25 20:55:13 svn postfix/smtpd[56996]: 94CBF4076C: client=localhost[127.0.0.1], sasl_method=PLAIN, sasl_username=user1@example.net
Feb 25 20:55:13 svn postfix/cleanup[56999]: 94CBF4076C: message-id=<20160225205513.94CBF4076C@mail.example.net>
Feb 25 20:55:13 svn postfix/qmgr[56990]: 94CBF4076C: from=<non_exist_user@example.net>, size=424, nrcpt=1 (queue active)
Feb 25 20:55:13 svn postfix/local[57000]: 94CBF4076C: to=<user2@example.com>, relay=local, delay=0.01, delays=0.01/0/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
Feb 25 20:55:13 svn postfix/qmgr[56990]: 94CBF4076C: removed

But after we have added the following lines

# /etc/postfix/main.cf

smtpd_sender_login_maps = hash:/etc/postfix/sender_logins_maps
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch

Do not forget to create map and restart the postfix

# postmap /etc/postfix/sender_logins_maps
# service postfix restart

# cat /etc/postfix/sender_logins_maps
user1@example.net user1@example.net
info@example.net user1@example.net
no-reply@example.net user1@example.net

User can't use anymore whatever he wants

# echo "Hello world" | swaks -s 127.0.0.1 --from non_exit_user@example.net --to user2@example.com --h-Subject "Test" --auth PLAIN --auth-user user1 --auth-password 1234567 --body -
=== Trying 127.0.0.1:25...
=== Connected to 127.0.0.1.
<-  220 mail.example.net ESMTP Postfix
 -> EHLO svn.example.net
<-  250-mail.example.net
<-  250-PIPELINING
<-  250-SIZE 10240000
<-  250-VRFY
<-  250-ETRN
<-  250-AUTH LOGIN PLAIN
<-  250-ENHANCEDSTATUSCODES
<-  250-8BITMIME
<-  250 DSN
 -> AUTH PLAIN AHVzZXIxADEyMzQ1Njc=
<-  235 2.7.0 Authentication successful
 -> MAIL FROM:<non_exit_user@example.net>
<-  250 2.1.0 Ok
 -> RCPT TO:<user2@example.com>
<** 553 5.7.1 <non_exit_user@example.net>: Sender address rejected: not owned by user user1
 -> QUIT
<-  221 2.0.0 Bye
=== Connection closed with remote host.

But with the settings above user1@example.net can use in MAIL FROM only: user1@example.net, info@example.net and no-reply@example.net

# echo "Hello world" | swaks -s 127.0.0.1 --from no-reply@example.net --to user2@example.com --h-Subject "Test" --auth PLAIN --auth-user user1@example.net --auth-password 1234567 --body -
=== Trying 127.0.0.1:25...
=== Connected to 127.0.0.1.
<-  220 mail.example.net ESMTP Postfix
 -> EHLO svn.example.net
<-  250-mail.example.net
<-  250-PIPELINING
<-  250-SIZE 10240000
<-  250-VRFY
<-  250-ETRN
<-  250-AUTH LOGIN PLAIN
<-  250-ENHANCEDSTATUSCODES
<-  250-8BITMIME
<-  250 DSN
 -> AUTH PLAIN AHVzZXIxQGV4YW1wbGUubmV0ADEyMzQ1Njc=
<-  235 2.7.0 Authentication successful
 -> MAIL FROM:<no-reply@example.net>
<-  250 2.1.0 Ok
 -> RCPT TO:<user2@example.com>
<-  250 2.1.5 Ok
 -> DATA
<-  354 End data with <CR><LF>.<CR><LF>
 -> Date: Thu, 25 Feb 2016 23:03:07 +0000
 -> To: user2@example.com
 -> From: no-reply@example.net
 -> Subject: Test
 -> X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
 ->
 -> Hello world
 ->
 ->
 -> .
<-  250 2.0.0 Ok: queued as 9FE524068A
 -> QUIT
<-  221 2.0.0 Bye
=== Connection closed with remote host.

# grep 9FE524068A /var/log/maillog
Feb 25 23:03:07 svn postfix/smtpd[19097]: 9FE524068A: client=localhost[127.0.0.1], sasl_method=PLAIN, sasl_username=user1@example.net
Feb 25 23:03:07 svn postfix/cleanup[19100]: 9FE524068A: message-id=<20160225230307.9FE524068A@mail.example.net>
Feb 25 23:03:07 svn postfix/qmgr[19092]: 9FE524068A: from=<no-reply@example.net>, size=419, nrcpt=1 (queue active)
Feb 25 23:03:07 svn postfix/local[19101]: 9FE524068A: to=<user2@example.com>, relay=local, delay=0.01, delays=0.01/0/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
Feb 25 23:03:07 svn postfix/qmgr[19092]: 9FE524068A: removed

P.S. a little trick

if don't add any line for some specific user in the /etc/postfix/sender_logins_maps - he will receive an emails but won't send.

I can't seem to run saslauthd. It says command not found. Is that a separate utility? EDIT: Sorry I meant to say testsaslauthd. Neither work

It's just a test. So to quick setup test environment I have choose sasldb. Because I don't have time to setup and configure MySQL. You are using MySQL to store all information about users. And your restrictions described here

smtpd_sender_login_maps = 
 proxy:mysql:/etc/postfix/sql/mysql_virtual_sender_acl.cf
 proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf

You should add contents of the mysql_virtual_sender_acl.cf/mysql_virtual_alias_maps.cf (without password of course) to the question

Is there a way to configure Postfix to allow me to send from any address on this one particular domain after authenticating with one account?

in the /etc/postfix/sender_logins_maps you should have something like the following

@example.net user1@example.net

Modify smtpd_sender_login_maps

smtpd_sender_login_maps = 
 hash:/etc/postfix/sender_logins_maps,
 proxy:mysql:/etc/postfix/sql/mysql_virtual_sender_acl.cf, 
 proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf

The file /etc/postfix/sender_logins_maps should contain only one line

@example.net user1@example.net

where @example.net - "one particular domain", user1@example.net - "authenticating with one account". It must be sasl_username!

sasl_method=PLAIN, sasl_username=user1@example.net

Don't forget to create map and restart the postfix.

Best Answer

Related Solutions

Set up Exim to authenticate users and then relay SMTP mail via smarthost using different auth

Postfix – Fix Sender Address Rejected Using Multiple Addresses

Related Topic