I'm trying to allow our SMTP server to let Google deliver mails through it. Google demands both TLS and AUTH to be set up before it can use the server.
I commented out the "auth/auth_flat_file" line in config/plugins and placed the following line just below it:
tls /var/service/qpsmtpd/config/ssl/qpsmtpd-server.crt /var/service/qpsmtpd/config/ssl/qpsmtpd-server.key /var/service/qpsmtpd/config/ssl/qpsmtpd-ca.crt
Then I ran plugins/tls_cert with a few options (so the certificate carries our company name).
But I keep getting a "wrong password" error.
Here is a snippet from my logfile:
@400000004b7ac0e600a2ecfc 44729 250-denene.dvconsulting.dk Hi mail-wy0-f177.google.com [74.125.82.177]
@400000004b7ac0e600a42964 44729 250-PIPELINING
@400000004b7ac0e600a5fa3c 44729 250-8BITMIME
@400000004b7ac0e600a7a7ec 44729 250 AUTH CRAM-MD5
@400000004b7ac0e603bc2764 44729 dispatching AUTH CRAM-MD5
@400000004b7ac0e603c20f1c 44729 334 PDg3ZTc4LjRiN2FjMGRjQGRlbmVuZS5kdmNvbnN1bHRpbmcuZGs+
@400000004b7ac0e606cba59c 44729 running plugin (auth-cram-md5): auth::auth_flat_file
@400000004b7ac0e606cd9d84 44729 auth::auth_flat_file plugin: Authentication for: <secre...@secretdomain.invalid>
@400000004b7ac0e606cfeb5c 44729 trying to get config for flat_auth_pw
@400000004b7ac0e606d51b7c 44729 auth::auth_flat_file plugin: passClear NOT defined
@400000004b7ac0e606d80594 44729 auth::auth_flat_file plugin: passHash defined: 5a8cf0b98d4e09d155f6cd64f5b708fb - <87e78.4...@denene.dvconsulting.dk> - 7a66033f5c7208945ad2c36b9e92100c
@400000004b7ac0e606db265c 44729 Plugin auth::auth_flat_file, hook auth-cram-md5 returned DENY, authflat/cram-md5 - wrong password
@400000004b7ac0e606de04bc 44729 535 Authentication failed for ma...@dvconsulting.dk - authflat/cram-md5 - wrong password
@400000004b7ac0e606e196cc 44729 Authentication failed for ma...@dvconsulting.dk - authflat/cram-md5 - wrong password
@400000004b7ac0e60afddd9c 44729 dispatching QUIT
@400000004b7ac0e60b00854c 44729 running plugin (quit): quit_fortune
@400000004b7ac0e60b03d10c 44729 Plugin quit_fortune, hook quit returned DECLINED,
@400000004b7ac0e60b0678bc 44729 221 denene.dvconsulting.dk closing connection. Have a wonderful day.
@400000004b7ac0e60b09f35c 44729 click, disconnecting
@400000004b7ac0e60b0bfecc 44729 running plugin (disconnect): rhsbl
@400000004b7ac0e60b0e0e24 44729 Plugin rhsbl, hook disconnect returned DECLINED,
@400000004b7ac0e60b0f61fc 44729 running plugin (disconnect): dnsbl
@400000004b7ac0e60b130f64 44729 Plugin dnsbl, hook disconnect returned DECLINED,
@400000004b7ac0e60b16091c 44729 running plugin (post-connection): tls
@400000004b7ac0e60b1d0a14 44729 Plugin tls, hook post-connection returned DECLINED,
@400000004b7ac0e60b563ab4 tcpserver: end 44729 status 0
@400000004b7ac0e60b5705d4 tcpserver: status: 0/10
(I replaced my username with <secre...@secretdomain.invalid>)
I've made some small changes to auth_file_flat to make it display the additional info in the middle, here's the code:
if ( defined $passClear ) {
    $self->log(LOGINFO, "passClear defined: $passClear");
} else {
    $self->log(LOGINFO, "passClear NOT defined");
}
if ( defined $passHash ) {
    $self->log(LOGINFO, "passHash defined: $passHash - $ticket - " . hmac_md5_hex($ticket, $auth_pass));
} else {
    $self->log(LOGINFO, "passHash NOT defined");
}
I guarantee that the password I enter in config/flat_auth_pw and on Google's webpage are identical, but as you can see $passHash and hmac_md5_hex($ticket, $auth_pass) are not the same.
Has it something to do with using both TLS and auth_flat_file?
Best regards,
Rasmus Skaarup
> ...
> @400000004b7ac0e606cba59c 44729 running plugin (auth-cram-md5):
> auth::auth_flat_file
> @400000004b7ac0e606cd9d84 44729 auth::auth_flat_file plugin:
> Authentication for: <secre...@secretdomain.invalid>
> @400000004b7ac0e606cfeb5c 44729 trying to get config for flat_auth_pw
> @400000004b7ac0e606d51b7c 44729 auth::auth_flat_file plugin:
> passClear NOT defined
> @400000004b7ac0e606d80594 44729 auth::auth_flat_file plugin:
> passHash defined: 5a8cf0b98d4e09d155f6cd64f5b708fb - <87e78.4...@denene.dvconsulting.dk
> > - 7a66033f5c7208945ad2c36b9e92100c
> @400000004b7ac0e606db265c 44729 Plugin auth::auth_flat_file, hook
> auth-cram-md5 returned DENY, authflat/cram-md5 - wrong password
> @400000004b7ac0e606de04bc 44729 535 Authentication failed for ma...@dvconsulting.dk
> - authflat/cram-md5 - wrong password
> @400000004b7ac0e606e196cc 44729 Authentication failed for ma...@dvconsulting.dk
> - authflat/cram-md5 - wrong password
...
I don't use the auth plugins myself, but maybe this general
information will help you as I've noticed the corresponding error in
your trace:
If you want to use the MD5-mechanisms, you need a clear-text password.
Only plain and login will function with a password hash. Be sure that
your server only announces mechanisms that are supported for all users
- the announcement takes place before the user is known, thus if you
have one single user without a plaintext password, it would be unable
to login otherwise (the client would probably try CRAM-MD5 and then -
by definition - fail to authenticate).
Cheers,
Baltasar
Baltasar Cevc
Regards,
Rasmus
But why their mail servers respond with "AUTH CRAM-MD5" and proceed with a plain mechanism is not really playing nice.
I added support for the plain mechanism in the auth_flat_file plugin (which was rather easy - why isn't this a selectable feature? Should I post a patch?) so my mail server now tells "AUTH CRAM-MD5 PLAIN" and Gmail now chooses "AUTH PLAIN" and authentication succeeds.
Br
Rasmus
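Added example, not part of the original thread and not qpsmtpd code: a Python sketch of the CRAM-MD5 check discussed above, showing why the server needs the clear-text secret and how that decides which mechanisms to announce. The challenge and password are the sample exchange from RFC 2195; the USERS table, the SHA-256 storage format and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

# Challenge and password: RFC 2195 sample exchange. USERS is constructed.
CHALLENGE_B64 = "PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+"
PASSWORD = "tanstaaftanstaaf"
USERS = {
    "tim": ("clear", PASSWORD),  # clear-text secret on file
    "ann": ("sha256", hashlib.sha256(PASSWORD.encode()).hexdigest()),  # hash only
}


def cram_md5_digest(ticket: bytes, secret: str) -> str:
    """HMAC-MD5 over the server's challenge, keyed with the shared secret."""
    return hmac.new(secret.encode(), ticket, hashlib.md5).hexdigest()


def client_response(challenge_b64: str, user: str, password: str) -> str:
    """What the client sends back after the 334 challenge line."""
    ticket = base64.b64decode(challenge_b64)
    reply = f"{user} {cram_md5_digest(ticket, password)}"
    return base64.b64encode(reply.encode()).decode()


def verify_cram_md5(challenge_b64: str, response_b64: str) -> bool:
    ticket = base64.b64decode(challenge_b64)
    reply = base64.b64decode(response_b64).decode(errors="replace")
    user, _, digest = reply.rpartition(" ")
    kind, secret = USERS.get(user, ("missing", ""))
    # The server can only key the HMAC with what it has stored; if that is
    # a hash of the password, the result never matches the client's digest.
    expected = cram_md5_digest(ticket, secret)
    return kind != "missing" and hmac.compare_digest(expected.encode(), digest.encode())


def verify_plain(user: str, password: str) -> bool:
    """PLAIN/LOGIN deliver the password itself, so it can be hashed and compared."""
    kind, secret = USERS.get(user, ("missing", ""))
    if kind == "sha256":
        password = hashlib.sha256(password.encode()).hexdigest()
    return kind != "missing" and hmac.compare_digest(secret.encode(), password.encode())


def mechanisms_to_announce() -> list:
    """The EHLO reply is sent before the user is known: offer CRAM-MD5
    only when every account has a clear-text secret."""
    mechs = ["PLAIN", "LOGIN"]
    if all(kind == "clear" for kind, _ in USERS.values()):
        mechs.insert(0, "CRAM-MD5")
    return mechs
```

PLAIN and LOGIN put the password itself on the wire, so they belong behind the TLS session the server is already configured for.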
Could you make the diff with "diff -u"?
- ask
> <auth_flat_file.patch>