Re: Outlook 2003 Client SASL Login Problem?

[James Seymour]

On Mon, 30 Jan 2012 09:21:36 -0600
Noel Jones  wrote:

[snip]
> 
> If the client attempts SASL, postfix will log either success or
> failure.  Looks as if the client didn't even try.

Exactly.  And that should've been my clue that the mechanism(s) offered
weren't to the client's liking.

Wietse picked up on it, right off, tho.  But I kept screwing-around,
looking elsewhere, until you also suggested...

> 
> Maybe client didn't like any of the AUTH methods offered.  Now would
> be a good time to connect to postfix/smtps with openssl s_client and
> see what AUTH mechanisms are being offered.  I'm pretty sure Outlook
> 2003 needs either PLAIN or LOGIN (and no reason to not offer both).
[snip]

LOGIN was what it wanted.  PLAIN was all that was being offered.

Changed dovecot.com, restarted dovecot and postfix, and all's well.

Thanks for your help, everybody!

Regards,
Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at .

Re: Outlook 2003 Client SASL Login Problem?

[Noel Jones]

On 1/30/2012 8:16 AM, James Seymour wrote:
> On Mon, 30 Jan 2012 14:51:51 +0100
> Reindl Harald  wrote:
> 
>>
> [snip]
>>
>> at least show some parts of the logfile
> 
> Very well.  Not much to see...
> 
> Jan 29 20:42:26 mail postfix/smtps/smtpd[7781]: connect from
> c-68-43-238-106.hsd1.mi.comcast.net[68.43.238.106] Jan 29 20:42:27 mail
> postfix/smtps/smtpd[7781]: NOQUEUE: reject: RCPT from
> c-68-43-238-106.hsd1.mi.comcast.net[68.43.238.106]: 554 5.7.1
> : Client host
> rejected: Access denied; from=
> to= proto=ESMTP helo= Jan 29
> 20:42:32 mail postfix/smtps/smtpd[7781]: disconnect from
> c-68-43-238-106.hsd1.mi.comcast.net[68.43.238.106]
> 

If the client attempts SASL, postfix will log either success or
failure.  Looks as if the client didn't even try.

Maybe client didn't like any of the AUTH methods offered.  Now would
be a good time to connect to postfix/smtps with openssl s_client and
see what AUTH mechanisms are being offered.  I'm pretty sure Outlook
2003 needs either PLAIN or LOGIN (and no reason to not offer both).


>> Please show "postconf -n" output.
> 

Thanks, no glaring errors here.




  -- Noel Jones

Re: Outlook 2003 Client SASL Login Problem?

[Reindl Harald]

Am 30.01.2012 15:16, schrieb James Seymour:
> On Mon, 30 Jan 2012 14:51:51 +0100
> Reindl Harald  wrote:
> 
>>
> [snip]
>>
>> at least show some parts of the logfile
> 
> Very well.  Not much to see...
> 
> Jan 29 20:42:26 mail postfix/smtps/smtpd[7781]: connect from
> c-68-43-238-106.hsd1.mi.comcast.net[68.43.238.106] Jan 29 20:42:27 mail
> postfix/smtps/smtpd[7781]: NOQUEUE: reject: RCPT from
> c-68-43-238-106.hsd1.mi.comcast.net[68.43.238.106]: 554 5.7.1
> : Client host
> rejected: Access denied; from=
> to= proto=ESMTP helo= Jan 29
> 20:42:32 mail postfix/smtps/smtpd[7781]: disconnect from
> c-68-43-238-106.hsd1.mi.comcast.net[68.43.238.106]

enough to see what happens or not!
if there is no SASL attempt
if you get connect followed directly by NOQUEUE the was no attempt

verify this with " | grep -i sasl | grep 68.43.238.106" to your logfile

postfix will log a sasl login (also if it has failed):
Jan 30 15:14:13 mail postfix/smtpd[21979]: 941D791: 
client=chello084112016179.9.11.vie.surfer.at[84.112.16.179],
sasl_method=CRAM-MD5, sasl_username=*






signature.asc
Description: OpenPGP digital signature

Re: Outlook 2003 Client SASL Login Problem?

[James Seymour]

On Mon, 30 Jan 2012 09:08:55 -0500 (EST)
Wietse Venema  wrote:

[snip]
> 
> Have you compared the SMTP server EHLO replies (with openssl
> s_client)?

No.  That'd be difficult, tho not impossible, to do at this point, as
the old server is up in storage.

But this is certainly an Outlook 2003 -specific problem.  Claws-Mail
works fine, Thunderbird works fine, and Outlook 2007 works fine.  All
were tested against both submission and smtps.

Thanks,
Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at .

Re: Outlook 2003 Client SASL Login Problem?

[James Seymour]

On Mon, 30 Jan 2012 14:51:51 +0100
Reindl Harald  wrote:

> 
[snip]
> 
> at least show some parts of the logfile

Very well.  Not much to see...

Jan 29 20:42:26 mail postfix/smtps/smtpd[7781]: connect from
c-68-43-238-106.hsd1.mi.comcast.net[68.43.238.106] Jan 29 20:42:27 mail
postfix/smtps/smtpd[7781]: NOQUEUE: reject: RCPT from
c-68-43-238-106.hsd1.mi.comcast.net[68.43.238.106]: 554 5.7.1
: Client host
rejected: Access denied; from=
to= proto=ESMTP helo= Jan 29
20:42:32 mail postfix/smtps/smtpd[7781]: disconnect from
c-68-43-238-106.hsd1.mi.comcast.net[68.43.238.106]

> 
> but i guess it is a dovecot/outlook-problem
> if you enable SPA in outlook 2003 ...
[snip]

It is not enabled.

On Mon, 30 Jan 2012 07:57:27 -0600
Noel Jones  wrote:

[snip]
> 
> Are others able to use SASL?  Are they using the smtps service?

Yes and yes.

> 
> Please show all logging when the client tries to send mail, from
> connect to disconnect and everything in between.

Above.

> 
> Please show "postconf -n" output.

As you wish...

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
body_checks = pcre:/etc/postfix/body_checks
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
header_checks = pcre:/etc/postfix/header_checks
home_mailbox = mail/inbox
inet_interfaces = all
mailbox_size_limit = 25600
masquerade_domains = 
message_size_limit = 2048
mydestination = 
myhostname = mail
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_canonical_maps = hash:/etc/postfix/recipient_canonical
recipient_delimiter = +
relayhost = 
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_invalid_hostname,
reject_non_fqdn_sender,reject_unknown_sender_domain,check_client_access 
hash:/etc/postfix/client_checks,permit_sasl_authenticated,
reject_unauth_destination,reject
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_cert_file = /etc/ssl/certs/server.crt
smtpd_tls_key_file = /etc/ssl/private/myserver.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
soft_bounce = no

Thanks,
Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at .

Re: Outlook 2003 Client SASL Login Problem?

[Wietse Venema]

James Seymour:
> Hi All,
> 
> Just upgraded our mailserver.  Thought I had everything set the same as
> I did with the old one.  Nonetheless, of all the people who *can't*
> send email, it would have to be the President of the company.

Have you compared the SMTP server EHLO replies (with openssl s_client)?

Wietse

Re: Outlook 2003 Client SASL Login Problem?

[Noel Jones]

On 1/30/2012 7:47 AM, James Seymour wrote:
> Hi All,
> 
> Just upgraded our mailserver.  Thought I had everything set the same as
> I did with the old one.  Nonetheless, of all the people who *can't*
> send email, it would have to be the President of the company.
> 
> I do have "broken_sasl_auth_clients = yes".  Postfix version is 2.7.0,
> running on an Ubuntu 10.04.3 LTS.  Dovecot is version 1.2.9.
> 
> Other SASL parameters from "postconf -n" ...
> 
> smtpd_sasl_path = private/auth
> smtpd_sasl_type = dovecot
> 
> Relevant master.cf config
> 
> smtps inet  n   -   -   -   -   smtpd
>   -o smtpd_tls_wrappermode=yes
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>   -o syslog_name=postfix/smtps
> 
> The only difference between the old master.cf and the new is the
> addition of the smtpd_client_restrictions line and the syslog_name
> line.
> 
> The Outlook 2007 client I used to test Outlook functionality with the
> new server works fine.  The Outlook 2003 client acts like it's not
> logging in.  I verified it *is* set to login to SMTPS using the same
> login information as the POP3S login (which works fine).  I even
> manually configured-in the user's logname and password separately, to
> no avail.
> 
> Google searches thus far have not been helpful.
> 
> Thanks,
> Jim

Are others able to use SASL?  Are they using the smtps service?

Please show all logging when the client tries to send mail, from
connect to disconnect and everything in between.

Please show "postconf -n" output.


  -- Noel Jones

Re: Outlook 2003 Client SASL Login Problem?

[Reindl Harald]

Am 30.01.2012 14:47, schrieb James Seymour:
> Hi All,
> 
> Just upgraded our mailserver.  Thought I had everything set the same as
> I did with the old one.  Nonetheless, of all the people who *can't*
> send email, it would have to be the President of the company.
> 
> I do have "broken_sasl_auth_clients = yes".  Postfix version is 2.7.0,
> running on an Ubuntu 10.04.3 LTS.  Dovecot is version 1.2.9.
> 
> Other SASL parameters from "postconf -n" ...
> 
> smtpd_sasl_path = private/auth
> smtpd_sasl_type = dovecot
> 
> Relevant master.cf config
> 
> smtps inet  n   -   -   -   -   smtpd
>   -o smtpd_tls_wrappermode=yes
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>   -o syslog_name=postfix/smtps
> 
> The only difference between the old master.cf and the new is the
> addition of the smtpd_client_restrictions line and the syslog_name
> line.
> 
> The Outlook 2007 client I used to test Outlook functionality with the
> new server works fine.  The Outlook 2003 client acts like it's not
> logging in.  I verified it *is* set to login to SMTPS using the same
> login information as the POP3S login (which works fine).  I even
> manually configured-in the user's logname and password separately, to

at least show some parts of the logfile

but i guess it is a dovecot/outlook-problem
if you enable SPA in outlook 2003 you MUST support NTLM auth
outlook >= 2007 can also use CRAM-MD5

so consider TLS/SSL and do NOT activate SPA in Outlook



signature.asc
Description: OpenPGP digital signature

Outlook 2003 Client SASL Login Problem?

[James Seymour]

Hi All,

Just upgraded our mailserver.  Thought I had everything set the same as
I did with the old one.  Nonetheless, of all the people who *can't*
send email, it would have to be the President of the company.

I do have "broken_sasl_auth_clients = yes".  Postfix version is 2.7.0,
running on an Ubuntu 10.04.3 LTS.  Dovecot is version 1.2.9.

Other SASL parameters from "postconf -n" ...

smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot

Relevant master.cf config

smtps inet  n   -   -   -   -   smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o syslog_name=postfix/smtps

The only difference between the old master.cf and the new is the
addition of the smtpd_client_restrictions line and the syslog_name
line.

The Outlook 2007 client I used to test Outlook functionality with the
new server works fine.  The Outlook 2003 client acts like it's not
logging in.  I verified it *is* set to login to SMTPS using the same
login information as the POP3S login (which works fine).  I even
manually configured-in the user's logname and password separately, to
no avail.

Google searches thus far have not been helpful.

Thanks,
Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at .