Martin DENIZET

Update 2014-08-15:
This article also solves the symptom 503 sender is null. Seen with net.cn mail service.

I stumbled on this problem while re-configuring an Exim4 SMTP relay on Debian to work with a new service provider chosen by the customer (net263.com).

It should have been as simple as:

1. Editing /etc/exim4/passwd.client such as:

   target.mail.server.example:login:password

2. Running dpkg-reconfigure exim4-config to change the remote smarthost address to smtpcom.263xmail.com on port 25

The bad

Unfortunately, it didn’t go as easy as revealed by a sendmail command (Edited to remove sensitive data):

# sendmail -v [email protected]
Hello from Server
LOG: MAIN
  <= [email protected] U=root P=local S=284
root@debian:~# delivering 1WRHep-0001u3-AP
R: smarthost for [email protected]
T: remote_smtp_smarthost for [email protected]
Connecting to smtpcom.263xmail.com [221.179.222.132]:25 ... connected
  SMTP<< 220 Welcome to TAP gateway for 263
  SMTP>> EHLO debian
  SMTP<< 250-263xmail at your service
         250-263.net
         250-SIZE 209715200
         250-ETRN
         250-AUTH LOGIN
         250 8BITMIME
  SMTP>> MAIL FROM: SIZE=1316
  SMTP<< 250 Ok
  SMTP>> RCPT TO:
  SMTP<< 554 Relay access denied
  SMTP>> QUIT

# sendmail -v [email protected]
Hello from Server
LOG: MAIN
  <= [email protected] U=root P=local S=284
root@debian:~# delivering 1WRHep-0001u3-AP
R: smarthost for [email protected]
T: remote_smtp_smarthost for [email protected]
Connecting to smtpcom.263xmail.com [221.179.222.132]:25 ... connected
  SMTP<< 220 Welcome to TAP gateway for 263
  SMTP>> EHLO debian
  SMTP<< 250-263xmail at your service
         250-263.net
         250-SIZE 209715200
         250-ETRN
         250-AUTH LOGIN
         250 8BITMIME
  SMTP>> MAIL FROM: SIZE=1316
  SMTP<< 250 Ok
  SMTP>> RCPT TO:
  SMTP<< 554 Relay access denied
  SMTP>> QUIT
LOG: MAIN
  ** [email protected] R=smarthost T=remote_smtp_smarthost: SMTP error from remote mail server after RCPT TO:: host smtpcom.263xmail.com [221.179.222.132]: 554 Relay access denied
LOG: MAIN
  <= <> R=1WRHep-0001u3-AP U=Debian-exim P=local S=1168
LOG: MAIN
  Completed
delivering 1WRHff-0001uh-C2
R: smarthost for [email protected]
T: remote_smtp_smarthost for [email protected]
Connecting to smtpcom.263xmail.com [221.179.222.132]:25 ... connected
  SMTP<< 220 Welcome to TAP gateway for 263
  SMTP>> EHLO debian
  SMTP<< 250-263xmail at your service
         250-263.net
         250-SIZE 209715200
         250-ETRN
         250-AUTH LOGIN
         250 8BITMIME
  SMTP>> MAIL FROM:<> SIZE=2223
  SMTP<< 250 Ok
  SMTP>> RCPT TO:
  SMTP<< 554 <>: Sender address rejected: Access denied
  SMTP>> QUIT
LOG: MAIN
  ** [email protected] R=smarthost T=remote_smtp_smarthost: SMTP error from remote mail server after RCPT TO:: host smtpcom.263xmail.com [221.179.222.132]: 554 <>: Sender address rejected: Access denied
LOG: MAIN
  Frozen (delivery error message)

To understand better the problem, I setup the same email account on Mozilla Thunderbird and capture the traffic with Wireshark. It went like this (Edited for privacy and readability):

<< 220 Welcome to TAP gateway for 263 
>> EHLO [127.0.0.1] 
<< 250-263xmail at your service 
   250-263.net 
   250-SIZE 209715200 
   250-ETRN 
   250-AUTH LOGIN 
   250 8BITMIME 
>> AUTH LOGIN 
<< 334 XXXXXXXXXXX 
>> XXXXXXXXXXXXXXXXXXXXX 
<< 334 XXXXXXXXXXX
>> XXXXXX
<< 235 Authentication successful
>> MAIL FROM: SIZE=372

220 Welcome to TAP gateway for 263 
EHLO [127.0.0.1] 
250-263xmail at your service 
250-263.net 
250-SIZE 209715200 
250-ETRN 
250-AUTH LOGIN 
250 8BITMIME 
AUTH LOGIN 
334 XXXXXXXXXXX 
XXXXXXXXXXXXXXXXXXXXX 
334 XXXXXXXXXXX
XXXXXX
235 Authentication successful
MAIL FROM: SIZE=372 
250 Ok 
RCPT TO: 
250 Ok 
DATA 
354 Start mail input; end with . 
Message-ID: <[email protected]> 
Date: Sat, 22 Mar 2014 17:21:00 +0800 
From: XXX <
[email protected]
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: [email protected] Subject: Hello from server Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Antivirus: avast! (VPS 140321-1, 03/22/2014), Outbound message X-Antivirus-Status: Clean . 250 Ok: queued as 80D9F534B QUIT 221 bye

The problem seems obvious, Exim4 doesn’t authenticate but try to send the message directly!

The Ugly

After checking my password in /etc/exim4/passwd.client and running sendmail in debug mode(-d), I get the following output (truncated because too long!)

Connecting to smtpcom.263xmail.com [221.179.222.132]:25 ... connected
waiting for data on socket
read response data: size=36
SMTP<< 220 Welcome to TAP gateway for 263
221.179.222.132 in hosts_avoid_esmtp? no (option unset)
SMTP>> EHLO debian
waiting for data on socket
read response data: size=103
SMTP<< 250-263xmail at your service
250-263.net
250-SIZE 209715200
250-ETRN
250-AUTH LOGIN
250 8BITMIME
221.179.222.132 in hosts_require_tls? no (option unset)
221.179.222.132 in hosts_avoid_pipelining? no (option unset)
not using PIPELINING
221.179.222.132 in hosts_require_auth? no (option unset)
search_open: nwildlsearch "/etc/exim4/passwd.client"
search_find: file="/etc/exim4/passwd.client"
key="smtpcom.263xmail.com" partial=-1 affix=NULL starflags=0
LRU list:
>/etc/exim4/passwd.client
End
internal_search_find: file="/etc/exim4/passwd.client"
type=nwildlsearch key="smtpcom.263xmail.com"
file lookup required for smtpcom.263xmail.com
in /etc/exim4/passwd.client
smtpcom.263xmail.com in "*"? yes (matched "*")

What I learn is that the server is not in the hosts_require_auth to force authentication and that my credentials are correctly found. After a little Googling, I tried to add my host to the . I modified /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost to add the SMTP server to hosts_require_auth such as:

[...]

remote_smtp_smarthost:
debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
driver = smtp
hosts_require_auth = smtpcom.263xmail.com
hosts_try_auth = <; ${if exists{CONFDIR/passwd.client} \
{\
${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$host_address}}\
}\
{} \
}

[...]

Then regenerate the config and restart Exim4:

 update-exim4.conf
 service exim4 restart

Still the same, nothing seemed to get Exim to authenticate against the SMTP server.

Hope

Going back to the documentation, I found the section titled Using Exim as SMTP-AUTH client dealing with Exim as a SMTP client:

If you need to enable AUTH PLAIN or AUTH LOGIN for unencrypted connections because your service provider does support neither TLS encryption nor the CRAM MD5 authentication method, you can do so by setting the AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS macro. Please refer to Section 2.1.3, “Using Exim Macros to control the configuration” for an explanation of how best to do this.

Light

That's more or less what's going on here.

After some more Googling, I finally found the fix to my problem:

Edit the file /etc/exim4/exim4.conf.localmacros (create it if it's not there)

set the content of /etc/exim4/exim4.conf.localmacros such as:

AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS = true

Then regenerate/reload the configuration either with:

dpkg-reconfigure exim4-config

Or

update-exim4.conf
/etc/init.d/exim4 restart

Conclusion

Exim is actually protecting us against sending our emails out there in the clear (as nobody should ever do in the 21st century). I just wanted to make this article as it took me several hours to figure out that this protection was there and how to disable it.