Exim4 not sending authentication to a remote smarthost SMTP

Update 2014-08-15:
This article also solves the symptom 503 sender is null. Seen with net.cn mail service.

I stumbled on this problem while re-configuring an Exim4 SMTP relay on Debian to work with a new service provider chosen by the customer (net263.com).

I was told to use port 25 with net263.com because they would NOT support any kind of SSL/TLS security on their SMTP server. It turned out that there was SMTPS running on port 465, making this article less relevant to net263.com but I thought I’d still share this information as it was not easy to find! Trust Nmap more than your workmates!

It should have been as simple as:

  1. Editing /etc/exim4/passwd.client such as:
    target.mail.server.example:login:password
  2. Running dpkg-reconfigure exim4-config to change the remote smarthost address to smtpcom.263xmail.com on port 25
See my article on configuring a SMTP a relay if you need more details.

The bad

Unfortunately, it didn’t go as easy as revealed by a sendmail command (Edited to remove sensitive data):

# sendmail -v [email protected]
Hello from Server
LOG: MAIN
  <= [email protected] U=root P=local S=284
[email protected]:~# delivering 1WRHep-0001u3-AP
R: smarthost for [email protected]
T: remote_smtp_smarthost for [email protected]
Connecting to smtpcom.263xmail.com [221.179.222.132]:25 ... connected
  SMTP<< 220 Welcome to TAP gateway for 263
  SMTP>> EHLO debian
  SMTP<< 250-263xmail at your service
         250-263.net
         250-SIZE 209715200
         250-ETRN
         250-AUTH LOGIN
         250 8BITMIME
  SMTP>> MAIL FROM: SIZE=1316
  SMTP<< 250 Ok
  SMTP>> RCPT TO:
  SMTP<< 554 Relay access denied
  SMTP>> QUIT

Complete log

# sendmail -v [email protected]
Hello from Server
LOG: MAIN
  <= [email protected] U=root P=local S=284
[email protected]:~# delivering 1WRHep-0001u3-AP
R: smarthost for [email protected]
T: remote_smtp_smarthost for [email protected]
Connecting to smtpcom.263xmail.com [221.179.222.132]:25 ... connected
  SMTP<< 220 Welcome to TAP gateway for 263
  SMTP>> EHLO debian
  SMTP<< 250-263xmail at your service
         250-263.net
         250-SIZE 209715200
         250-ETRN
         250-AUTH LOGIN
         250 8BITMIME
  SMTP>> MAIL FROM: SIZE=1316
  SMTP<< 250 Ok
  SMTP>> RCPT TO:
  SMTP<< 554 Relay access denied
  SMTP>> QUIT
LOG: MAIN
  ** [email protected] R=smarthost T=remote_smtp_smarthost: SMTP error from remote mail server after RCPT TO:: host smtpcom.263xmail.com [221.179.222.132]: 554 Relay access denied
LOG: MAIN
  <= <> R=1WRHep-0001u3-AP U=Debian-exim P=local S=1168
LOG: MAIN
  Completed
delivering 1WRHff-0001uh-C2
R: smarthost for [email protected]
T: remote_smtp_smarthost for [email protected]
Connecting to smtpcom.263xmail.com [221.179.222.132]:25 ... connected
  SMTP<< 220 Welcome to TAP gateway for 263
  SMTP>> EHLO debian
  SMTP<< 250-263xmail at your service
         250-263.net
         250-SIZE 209715200
         250-ETRN
         250-AUTH LOGIN
         250 8BITMIME
  SMTP>> MAIL FROM:<> SIZE=2223
  SMTP<< 250 Ok
  SMTP>> RCPT TO:
  SMTP<< 554 <>: Sender address rejected: Access denied
  SMTP>> QUIT
LOG: MAIN
  ** [email protected] R=smarthost T=remote_smtp_smarthost: SMTP error from remote mail server after RCPT TO:: host smtpcom.263xmail.com [221.179.222.132]: 554 <>: Sender address rejected: Access denied
LOG: MAIN
  Frozen (delivery error message)

To understand better the problem, I setup the same email account on Mozilla Thunderbird and capture the traffic with Wireshark. It went like this (Edited for privacy and readability):

<< 220 Welcome to TAP gateway for 263 
>> EHLO [127.0.0.1] 
<< 250-263xmail at your service 
   250-263.net 
   250-SIZE 209715200 
   250-ETRN 
   250-AUTH LOGIN 
   250 8BITMIME 
>> AUTH LOGIN 
<< 334 XXXXXXXXXXX 
>> XXXXXXXXXXXXXXXXXXXXX 
<< 334 XXXXXXXXXXX
>> XXXXXX
<< 235 Authentication successful
>> MAIL FROM: SIZE=372

220 Welcome to TAP gateway for 263 
EHLO [127.0.0.1] 
250-263xmail at your service 
250-263.net 
250-SIZE 209715200 
250-ETRN 
250-AUTH LOGIN 
250 8BITMIME 
AUTH LOGIN 
334 XXXXXXXXXXX 
XXXXXXXXXXXXXXXXXXXXX 
334 XXXXXXXXXXX
XXXXXX
235 Authentication successful
MAIL FROM: SIZE=372 
250 Ok 
RCPT TO: 
250 Ok 
DATA 
354 Start mail input; end with . 
Message-ID: <[email protected]> 
Date: Sat, 22 Mar 2014 17:21:00 +0800 
From: XXX <
[email protected]
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: [email protected] Subject: Hello from server Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Antivirus: avast! (VPS 140321-1, 03/22/2014), Outbound message X-Antivirus-Status: Clean . 250 Ok: queued as 80D9F534B QUIT 221 bye

The problem seems obvious, Exim4 doesn’t authenticate but try to send the message directly!

The Ugly

After checking my password in /etc/exim4/passwd.client and running sendmail in debug mode(-d), I get the following output (truncated because too long!)

Connecting to smtpcom.263xmail.com [221.179.222.132]:25 ... connected
waiting for data on socket
read response data: size=36
SMTP<< 220 Welcome to TAP gateway for 263
221.179.222.132 in hosts_avoid_esmtp? no (option unset)
SMTP>> EHLO debian
waiting for data on socket
read response data: size=103
SMTP<< 250-263xmail at your service
250-263.net
250-SIZE 209715200
250-ETRN
250-AUTH LOGIN
250 8BITMIME
221.179.222.132 in hosts_require_tls? no (option unset)
221.179.222.132 in hosts_avoid_pipelining? no (option unset)
not using PIPELINING
221.179.222.132 in hosts_require_auth? no (option unset)
search_open: nwildlsearch "/etc/exim4/passwd.client"
search_find: file="/etc/exim4/passwd.client"
key="smtpcom.263xmail.com" partial=-1 affix=NULL starflags=0
LRU list:
>/etc/exim4/passwd.client
End
internal_search_find: file="/etc/exim4/passwd.client"
type=nwildlsearch key="smtpcom.263xmail.com"
file lookup required for smtpcom.263xmail.com
in /etc/exim4/passwd.client
smtpcom.263xmail.com in "*"? yes (matched "*")

What I learn is that the server is not in the hosts_require_auth to force authentication and that my credentials are correctly found. After a little Googling, I tried to add my host to the . I modified /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost to add the SMTP server to hosts_require_auth such as:

[...]

remote_smtp_smarthost:
debug_print = "T: remote_smtp_smarthost for [email protected]$domain"
driver = smtp
hosts_require_auth = smtpcom.263xmail.com
hosts_try_auth = <; ${if exists{CONFDIR/passwd.client} \
{\
${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$host_address}}\
}\
{} \
}

[...]

Then regenerate the config and restart Exim4:

 update-exim4.conf
 service exim4 restart

Still the same, nothing seemed to get Exim to authenticate against the SMTP server.

Hope

Going back to the documentation, I found the section titled Using Exim as SMTP-AUTH client dealing with Exim as a SMTP client:

If you need to enable AUTH PLAIN or AUTH LOGIN for unencrypted connections because your service provider does support neither TLS encryption nor the CRAM MD5 authentication method, you can do so by setting the AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS macro. Please refer to Section 2.1.3, “Using Exim Macros to control the configuration” for an explanation of how best to do this.

Light

That's more or less what's going on here.

That's more or less what's going on here.

After some more Googling, I finally found the fix to my problem:

Edit the file /etc/exim4/exim4.conf.localmacros (create it if it's not there)

set the content of /etc/exim4/exim4.conf.localmacros such as:

AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS = true

Then regenerate/reload the configuration either with:

dpkg-reconfigure exim4-config

Or

update-exim4.conf
/etc/init.d/exim4 restart

Conclusion

Exim is actually protecting us against sending our emails out there in the clear (as nobody should ever do in the 21st century). I just wanted to make this article as it took me several hours to figure out that this protection was there and how to disable it.

1 Comment

  1. Chuck July 13, 2015 10:26 am  Reply

    What a mess Debian is. Incredible.

    Back to Slack!

Leave a Reply