# SMTP cannot Auth



## fullauto2012 (Jul 12, 2018)

Setting up an email server for my work. mail.domain.com for the sake of this thread... I can send email out from the non-root accounts from within alpine while logged into the machine. I can send emails from my other domain to accounts on the server (mail.domain.com), and can even reply.  But, whenever I try and relay mail through the server from outside the domain it will not accept my login and password the way I was told it would to allow relaying after authenticating username and password.  It does ask me for my password (thunderbird), but it never accepts my password which I KNOW is right.  I'm really stumped here!  Any help would be appreciated.

This is what I see in /var/log/maillog after I attempt to send mail.

```
Jul 12 18:05:58 rocky sm-mta[14964]: STARTTLS=server, relay=x-x-x-x-static.hfc.comcastbusiness.net [x.x.x.x], version=TLSv1.2, verify=NOT, cipher=DHE-RSA-AES128-SHA, bits=128/128
Jul 12 18:06:10 rocky sm-mta[14964]: w6CM5w6j014964: x-x-x-x-static.hfc.comcastbusiness.net [s.s.s.s] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4
```

```
root@rocky:/etc/mail # cat rocky.mc
divert(-1)
divert(0)
VERSIONID(`$FreeBSD: releng/11.1/etc/sendmail/freebsd.mc 285230 2015-07-07 03:00:57Z gshapiro $')
OSTYPE(freebsd6)
DOMAIN(generic)

FEATURE(access_db, `hash -o -T<TMPF> /etc/mail/access')
FEATURE(blacklist_recipients)
FEATURE(local_lmtp)
FEATURE(mailertable, `hash -o /etc/mail/mailertable')
FEATURE(virtusertable, `hash -o /etc/mail/virtusertable')

MASQUERADE_AS(domain.com)dnl
MASQUERADE_DOMAIN(domain.comm)dnl
FEATURE(masquerade_envelope)dnl
FEATURE(masquerade_entire_domain)dnl

dnl Enable STARTTLS for receiving email.
define(`CERT_DIR', `/etc/mail/certs')
define(`confCACERT_PATH', `CERT_DIR')
define(`confCACERT', `CERT_DIR/cacert.pem')
define(`confSERVER_CERT', `CERT_DIR/mail.domain.com-cert.pem')
define(`confSERVER_KEY', `CERT_DIR/mail.domain.com.pem')
define(`confCLIENT_CERT', `CERT_DIR/mail.domain.com-cert.pem')
define(`confCLIENT_KEY', `CERT_DIR/mail.domain.com.pem')

dnl set SASL options
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN ')dnl
define(`confAUTH_OPTIONS',`A,p,y')
define(`confTLS_SRV_OPTIONS', `V')

dnl Uncomment the first line to change the location of the default
dnl /etc/mail/local-host-names and comment out the second line.
dnl define(`confCW_FILE', `-o /etc/mail/sendmail.cw')
define(`confCW_FILE', `-o /etc/mail/local-host-names')

dnl Enable for both IPv4 and IPv6 (optional)
dnl DAEMON_OPTIONS(`Name=IPv4, Family=inet')
DAEMON_OPTIONS(`Name=IPv4, Family=inet', Name=MTA-v4, Port=25, Modifiers=a)
dnl DAEMON_OPTIONS(`Name=IPv6, Family=inet6, Modifiers=O')

define(`confBIND_OPTS', `WorkAroundBrokenAAAA')
define(`confNO_RCPT_ACTION', `add-to-undisclosed')
define(`confPRIVACY_FLAGS', `authwarnings,noexpn,novrfy')
MAILER(local)
MAILER(smtp)
root@rocky:/etc/mail #
```

```
root@rocky:/etc/mail # cat access
# $FreeBSD: releng/11.1/etc/mail/access.sample 176353 2008-02-17 05:22:08Z gshapiro $
#
# Mail relay access control list.  Default is to reject mail unless the
# destination is local, or listed in /etc/mail/local-host-names
#

## Examples (commented out for safety)
#From:cyberspammer.com          ERROR:"550 We don't accept mail from spammers"
#From:okay.cyberspammer.com     OK
#Connect:sendmail.org           RELAY
#To:sendmail.org                RELAY
#Connect:128.32                 RELAY
#Connect:128.32.2               SKIP
#Connect:IPv6:1:2:3:4:5:6:7     RELAY
#Connect:suspicious.example.com QUARANTINE:Mail from suspicious host
#Connect:[127.0.0.3]            OK
#Connect:[IPv6:1:2:3:4:5:6:7:8] OK

Connect:127.0.0.1               RELAY
Connect: 192.168                RELAY
To:domain.com      OK
domain.com         RELAY
```

Certs are installed:

```
root@rocky:/etc/mail/certs # ls -la
total 39
drwxr-xr-x  3 root  wheel     6 Jul  8 06:56 .
drwxr-xr-x  3 root  wheel    25 Jul 12 17:43 ..
-r--------  1 root  wheel  1541 Jul  8 06:56 cacert.pem
-r--------  1 root  wheel  4873 Jul  8 06:56 mail.domain.com-cert.pem
-r--------  1 root  wheel  3253 Jul  8 06:56 mail.domain.com.pem
dr--------  2 root  wheel     6 Jul  8 06:55 old.d
```

TLS working (I think):

```
root@rocky:/etc/mail # openssl s_client -starttls smtp -connect localhost:25
CONNECTED(00000003)
depth=1 C = US, ST = Tennessee, L = Greeneville, O = OrganizationName, OU = IT, CN = mail.domain.com, emailAddress = admin.domain.com
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/C=US/ST=Tennessee/L=Greeneville/O=OrganizationName.com/OU=IT/CN=mail.domain.com/emailAddress=admin.domain.com
   i:/C=US/ST=Tennessee/L=Greeneville/O=OrganizationName/OU=IT/CN=mail.domain.com/emailAddress=admin.domain.com
 1 s:/C=US/ST=Tennessee/L=Greeneville/O=OrganizationName/OU=IT/CN=mail.domain.com/emailAddress=admin.domain.com
   i:/C=US/ST=Tennessee/L=Greeneville/O=OrganizationName/OU=IT/CN=mail.domain.com/emailAddress=admin.domain.com

Server certificate
-----BEGIN CERTIFICATE-----
|
|
<Cert here>
|
|
-----END CERTIFICATE-----
subject=/C=US/ST=Tennessee/L=Greeneville/O=domain.com/OU=IT/CN=mail.domain.com/emailAddress=admin.domain.com
issuer=/C=US/ST=Tennessee/L=Greeneville/O=ORganization/OU=IT/CN=mail.domain.com/emailAddress=admin.domain.com
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: DH, 2048 bits
---
SSL handshake has read 3706 bytes and written 660 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Session-ID: A3D704FA4DD62D68DDA5DA885CC47D45A9905543300BADB7E92106AD2D79788C
    Session-ID-ctx:
    Master-Key: <Key here>
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 1 (seconds)
    TLS session ticket:
    0000 - 54 15 92 f3 bc 0c 87 68-ea b1 c0 92 a2 9b 18 e4   T......h........
    0010 - 44 e8 08 a4 29 48 24 4d-e1 a0 5c a9 64 66 fe fd   D...)H$M..\.df..
    0020 - 92 88 cf 17 45 c1 d8 61-e9 47 d5 c9 9b 17 b2 ac   ....E..a.G......
    0030 - a1 ec a1 a2 da 04 14 08-2e 84 c9 b6 3f ac cd 9a   ............?...
    0040 - b5 0c ac 67 54 f4 f2 a6-7a ff ec c7 56 cf 57 b0   ...gT...z...V.W.
    0050 - a1 b0 ae 7b 0f 03 7c 3e-e1 9f 3d 0d ae 0f 55 00   ...{..|>..=...U.
    0060 - 01 de a7 df 90 b3 d7 c7-5c aa 3f db f2 f9 91 3f   ........\.?....?
    0070 - 96 88 1a 3e 24 db 16 5a-4e 5b 34 65 e7 31 79 1e   ...>$..ZN[4e.1y.
    0080 - e0 4a 11 3e 57 53 2e 1e-0c 12 c7 98 db 8b ef bf   .J.>WS..........
    0090 - 45 c8 99 1f e8 d1 82 cb-a9 94 93 d7 91 06 a2 de   E...............

    Start Time: 1531432216
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
250 HELP
```


----------



## fullauto2012 (Jul 12, 2018)

UPDATE!
It works so long as I send the password unencrypted!
However, I would like to use encrypted passwords...
Can anyone tell me what I am doing wrong here?


----------



## ShelLuser (Jul 13, 2018)

What do you see if you try to connect manually (using `telnet localhost 25`) and then issuing an EHLO command?  Does it mention STARTTLS? On that same subject: does it mention AUTH, and if so: what methods does it mention?

My guess right now (from mind) is that confAUTH_MECHANISMS (edit): skip that, this should be: TrustAuthMech could be set too leniently, thus allowing plain-text logins.

This might be a good read, I just discovered it:
http://www.sendmail.org/~ca/email/auth.html


----------



## fullauto2012 (Jul 13, 2018)

```
root@kif:/usr/home/tim.falardeau # telnet mail.domain.com 25
Trying 96.82.237.89...
Connected to mail.domain.com.
Escape character is '^]'.
220 rocky.domain.com ESMTP Sendmail 8.15.2/8.15.2; Thu, 12 Jul 2018 19:38:52 -0400 (EDT)
ehlo good_domain.com
250-rocky.domain.com Hello x-x-x-x-static.hfc.comcastbusiness.net [x.x.x.x], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5
250-STARTTLS
250-DELIVERBY
250 HELP
quit
221 2.0.0 rocky.domain.com closing connection
Connection closed by foreign host.
root@kif:/usr/home/tim.falardeau #
```

```
dnl set SASL options
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN ')dnl
define(`confAUTH_OPTIONS',`A,p,y')
define(`confTLS_SRV_OPTIONS', `V')
```
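A scripted version of the manual EHLO check ShelLuser suggested, added here as an example and not written by anyone in this thread: `parse_ehlo()` reads a raw 250 reply like the one pasted above and `plaintext_auth_without_tls()` reports whether a password-in-the-clear mechanism (LOGIN or PLAIN) is being offered on an unencrypted connection; `probe()` runs the same comparison live before and after STARTTLS using smtplib. The sample reply is constructed from the transcript above, and the hostname passed to `probe()` is whatever you want to test.

```python
import smtplib
import ssl

# Constructed sample: the pre-STARTTLS EHLO reply pasted earlier in this thread.
SAMPLE_EHLO = """250-rocky.domain.com Hello x-x-x-x-static.hfc.comcastbusiness.net [x.x.x.x], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5
250-STARTTLS
250-DELIVERBY
250 HELP"""

# Mechanisms that transmit the password itself; only safe once TLS is negotiated.
PLAINTEXT_MECHS = {"LOGIN", "PLAIN"}

def parse_ehlo(text):
    """Return {KEYWORD: [params]} from a multi-line 250 EHLO reply."""
    features = {}
    for line in text.splitlines()[1:]:      # first line is the greeting, not a feature
        body = line[4:].strip()             # drop the "250-" / "250 " prefix
        if body:
            keyword, *params = body.split()
            features[keyword.upper()] = [p.upper() for p in params]
    return features

def auth_mechs(features):
    return set(features.get("AUTH", []))

def plaintext_auth_without_tls(features):
    """Plaintext mechanisms advertised on the (unencrypted) connection this reply came from."""
    return auth_mechs(features) & PLAINTEXT_MECHS

def probe(host, port=25, timeout=10):
    """Live check: (AUTH mechs before STARTTLS, AUTH mechs after STARTTLS)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False              # the thread's chain is self-signed; we only
    ctx.verify_mode = ssl.CERT_NONE         # want the AUTH list, not a trust decision
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        before = set(s.esmtp_features.get("auth", "").upper().split())
        after = set()
        if s.has_extn("starttls"):
            s.starttls(context=ctx)
            s.ehlo()                        # features are re-advertised after TLS
            after = set(s.esmtp_features.get("auth", "").upper().split())
    return before, after
```

With the `A,p` flags in confAUTH_OPTIONS, the expected result is that LOGIN only shows up in the second set of `probe()`, which matches the transcript above offering just DIGEST-MD5 and CRAM-MD5 before STARTTLS.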


----------

