Exim Configuration – 503 AUTH Command Used When Not Advertised

Tags: authentication, configuration, exim, smtp

I'm running a piece of software on a Windows server that sends email notifications via a remote SMTP server. It has very few configuration options, and only supports basic SMTP authentication without SSL/TLS. I have exim4 running on a Debian server that will be the SMTP server for this Windows program. It is set up with default configuration, plus allowing AUTH PLAIN and AUTH LOGIN unencrypted connections. I have successfully sent an email over telnet:

telnet servername 25
ehlo test
250-AUTH PLAIN LOGIN
...
auth plain XXX
235 Authentication succeeded
mail from: ...
...

However, the program I want to connect to this server fails to connect. To see why, I ran a packet sniffer during the connection, and see the following session:

C: HELO hostname
S: 250 Hello hostname
C: AUTH LOGIN XXX
S: 503 AUTH command used when not advertised
C: XXX
S: 500 unrecognized command
C: QUIT
S: 221 closing connection

I'm not familiar enough with the SMTP protocol to understand what's going on here. What do I need to change on my exim4 SMTP server to allow for this connection to be made?

Best Answer

The "503 AUTH command used when not advertised" essentially explains itself: the server didn't offer the client the option to use the AUTH command. This is most likely because the client used HELO rather than EHLO (which I would note you used when you did your telnet test).

SMTP Authentication is part of Extended SMTP, which is initiated with the EHLO command; "plain old" SMTP did not support authentication and so it is technically an illegal command, even though some SMTP servers may still allow it.

Best possible solution is to tell your program to use Extended SMTP (EHLO) if possible, otherwise there might be an exim command to force it to allow AUTH on HELO type connections.

** UPDATE **

According to this post here: http://www.exim.org/lurker/message/20040901.063858.126f66ac.en.html

EHLO (not HELO) must be given by client before AUTH.

That is, the AUTH command cannot be used unless advertised (through EHLO, according to auth_advertise, etc.). This behaviour was hardened in Exim 4.20 and is not an option.

Looks like you need a different MTA if you can't get your application to do EHLO. Or, do you require authentication? Can you accomplish the same thing using IP-based ACLs?

FINAL SOLUTION

Exim does have a workaround for this. Using allow_auth_unadvertised, as described here, you can do something like this:

# inside the ACL named by acl_smtp_connect or acl_smtp_helo
warn
  hosts   = *
  control = allow_auth_unadvertised
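The snippet in the answer permits every connecting host to issue AUTH after a bare HELO. The configuration below is an added example, not part of the original question or answer and not Exim's own documentation: it assumes the Windows notifier lives at 192.0.2.10 (a placeholder address), that the ACL is called acl_check_helo, and that the user name "notifier" and password "s3cret" are illustrative stand-ins for a real credential lookup. It shows the answer's wide-open form beside a narrowed one, and keeps cleartext PLAIN/LOGIN advertised to that one host only while every other client still has to STARTTLS first.

```exim
# Added example (not the page's or the Exim project's configuration).
# Assumptions: broken client = 192.0.2.10, ACL name acl_check_helo,
# credentials "notifier"/"s3cret" are placeholders for a proper lookup.

# --- main section -----------------------------------------------------------
# Route the HELO/EHLO step through our own ACL. allow_auth_unadvertised
# is only accepted in the connect or HELO ACL, so this is where it lives.
acl_smtp_helo = acl_check_helo

# --- ACLs -------------------------------------------------------------------
begin acl

acl_check_helo:
  # Weak form from the answer: any host, including scanners on the Internet,
  # may drive AUTH without EHLO and without the mechanism being advertised.
  # warn
  #   hosts   = *
  #   control = allow_auth_unadvertised

  # Narrowed form: only the one client known to send HELO + AUTH LOGIN.
  # The control bypasses the "was it advertised?" check for this host only;
  # everybody else still receives "503 AUTH command used when not advertised".
  warn
    hosts   = 192.0.2.10
    control = allow_auth_unadvertised

  accept

# --- authenticators ----------------------------------------------------------
begin authenticators

# PLAIN: the client sends authzid\0authcid\0password in one base64 blob, so
# $auth2 is the user name and $auth3 the password.
plain_cleartext:
  driver = plaintext
  public_name = PLAIN
  # Advertise over TLS to anyone, in cleartext only to the broken client.
  server_advertise_condition = ${if or{{def:tls_in_cipher}\
                                       {eq{$sender_host_address}{192.0.2.10}}}}
  server_prompts = :
  server_condition = ${if and{{eq{$auth2}{notifier}}{eq{$auth3}{s3cret}}}}
  server_set_id = $auth2

# LOGIN: two prompts, so $auth1 is the user name and $auth2 the password.
login_cleartext:
  driver = plaintext
  public_name = LOGIN
  server_advertise_condition = ${if or{{def:tls_in_cipher}\
                                       {eq{$sender_host_address}{192.0.2.10}}}}
  server_prompts = Username:: : Password::
  server_condition = ${if and{{eq{$auth1}{notifier}}{eq{$auth2}{s3cret}}}}
  server_set_id = $auth1
```

After changing the file, run `exim -bV` to check the syntax and `exim -bh 192.0.2.10` to replay the HELO / AUTH LOGIN exchange from the sniffed session without a network connection; the same replay from any other address should still produce the 503. On Exim releases older than 4.80 use `def:tls_cipher` in place of `def:tls_in_cipher`.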