Outlook 2003 Client SASL Login Problem?

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
9 messages Options
Reply | Threaded
Open this post in threaded view
|

Outlook 2003 Client SASL Login Problem?

Jim Seymour-2
Hi All,

Just upgraded our mailserver.  Thought I had everything set the same as
I did with the old one.  Nonetheless, of all the people who *can't*
send email, it would have to be the President of the company.

I do have "broken_sasl_auth_clients = yes".  Postfix version is 2.7.0,
running on an Ubuntu 10.04.3 LTS.  Dovecot is version 1.2.9.

Other SASL parameters from "postconf -n" ...

smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot

Relevant master.cf config

smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o syslog_name=postfix/smtps

The only difference between the old master.cf and the new is the
addition of the smtpd_client_restrictions line and the syslog_name
line.

The Outlook 2007 client I used to test Outlook functionality with the
new server works fine.  The Outlook 2003 client acts like it's not
logging in.  I verified it *is* set to login to SMTPS using the same
login information as the POP3S login (which works fine).  I even
manually configured-in the user's logname and password separately, to
no avail.

Google searches thus far have not been helpful.

Thanks,
Jim
--
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.LinxNet.com/contact/scform.php>.
Reply | Threaded
Open this post in threaded view
|

Re: Outlook 2003 Client SASL Login Problem?

Reindl Harald-2


Am 30.01.2012 14:47, schrieb James Seymour:

> Hi All,
>
> Just upgraded our mailserver.  Thought I had everything set the same as
> I did with the old one.  Nonetheless, of all the people who *can't*
> send email, it would have to be the President of the company.
>
> I do have "broken_sasl_auth_clients = yes".  Postfix version is 2.7.0,
> running on an Ubuntu 10.04.3 LTS.  Dovecot is version 1.2.9.
>
> Other SASL parameters from "postconf -n" ...
>
> smtpd_sasl_path = private/auth
> smtpd_sasl_type = dovecot
>
> Relevant master.cf config
>
> smtps     inet  n       -       -       -       -       smtpd
>   -o smtpd_tls_wrappermode=yes
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>   -o syslog_name=postfix/smtps
>
> The only difference between the old master.cf and the new is the
> addition of the smtpd_client_restrictions line and the syslog_name
> line.
>
> The Outlook 2007 client I used to test Outlook functionality with the
> new server works fine.  The Outlook 2003 client acts like it's not
> logging in.  I verified it *is* set to login to SMTPS using the same
> login information as the POP3S login (which works fine).  I even
> manually configured-in the user's logname and password separately, to
at least show some parts of the logfile

but i guess it is a dovecot/outlook-problem
if you enable SPA in outlook 2003 you MUST support NTLM auth
outlook >= 2007 can also use CRAM-MD5

so consider TLS/SSL and do NOT activate SPA in Outlook


signature.asc (270 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Outlook 2003 Client SASL Login Problem?

Noel Jones-2
In reply to this post by Jim Seymour-2
On 1/30/2012 7:47 AM, James Seymour wrote:

> Hi All,
>
> Just upgraded our mailserver.  Thought I had everything set the same as
> I did with the old one.  Nonetheless, of all the people who *can't*
> send email, it would have to be the President of the company.
>
> I do have "broken_sasl_auth_clients = yes".  Postfix version is 2.7.0,
> running on an Ubuntu 10.04.3 LTS.  Dovecot is version 1.2.9.
>
> Other SASL parameters from "postconf -n" ...
>
> smtpd_sasl_path = private/auth
> smtpd_sasl_type = dovecot
>
> Relevant master.cf config
>
> smtps     inet  n       -       -       -       -       smtpd
>   -o smtpd_tls_wrappermode=yes
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>   -o syslog_name=postfix/smtps
>
> The only difference between the old master.cf and the new is the
> addition of the smtpd_client_restrictions line and the syslog_name
> line.
>
> The Outlook 2007 client I used to test Outlook functionality with the
> new server works fine.  The Outlook 2003 client acts like it's not
> logging in.  I verified it *is* set to login to SMTPS using the same
> login information as the POP3S login (which works fine).  I even
> manually configured-in the user's logname and password separately, to
> no avail.
>
> Google searches thus far have not been helpful.
>
> Thanks,
> Jim

Are others able to use SASL?  Are they using the smtps service?

Please show all logging when the client tries to send mail, from
connect to disconnect and everything in between.

Please show "postconf -n" output.


  -- Noel Jones
Reply | Threaded
Open this post in threaded view
|

Re: Outlook 2003 Client SASL Login Problem?

Wietse Venema
In reply to this post by Jim Seymour-2
James Seymour:
> Hi All,
>
> Just upgraded our mailserver.  Thought I had everything set the same as
> I did with the old one.  Nonetheless, of all the people who *can't*
> send email, it would have to be the President of the company.

Have you compared the SMTP server EHLO replies (with openssl s_client)?

        Wietse
Reply | Threaded
Open this post in threaded view
|

Re: Outlook 2003 Client SASL Login Problem?

Jim Seymour-2
In reply to this post by Reindl Harald-2
On Mon, 30 Jan 2012 14:51:51 +0100
Reindl Harald <[hidden email]> wrote:

>
[snip]
>
> at least show some parts of the logfile

Very well.  Not much to see...

Jan 29 20:42:26 mail postfix/smtps/smtpd[7781]: connect from
c-68-43-238-106.hsd1.mi.comcast.net[68.43.238.106] Jan 29 20:42:27 mail
postfix/smtps/smtpd[7781]: NOQUEUE: reject: RCPT from
c-68-43-238-106.hsd1.mi.comcast.net[68.43.238.106]: 554 5.7.1
<c-68-43-238-106.hsd1.mi.comcast.net[68.43.238.106]>: Client host
rejected: Access denied; from=<elided>
to=<elided> proto=ESMTP helo=<cswin0035> Jan 29
20:42:32 mail postfix/smtps/smtpd[7781]: disconnect from
c-68-43-238-106.hsd1.mi.comcast.net[68.43.238.106]

>
> but i guess it is a dovecot/outlook-problem
> if you enable SPA in outlook 2003 ...
[snip]

It is not enabled.

On Mon, 30 Jan 2012 07:57:27 -0600
Noel Jones <[hidden email]> wrote:

[snip]
>
> Are others able to use SASL?  Are they using the smtps service?

Yes and yes.

>
> Please show all logging when the client tries to send mail, from
> connect to disconnect and everything in between.

Above.

>
> Please show "postconf -n" output.

As you wish...

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
body_checks = pcre:/etc/postfix/body_checks
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
header_checks = pcre:/etc/postfix/header_checks
home_mailbox = mail/inbox
inet_interfaces = all
mailbox_size_limit = 256000000
masquerade_domains = <elided>
message_size_limit = 20480000
mydestination = <elided>
myhostname = mail
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_canonical_maps = hash:/etc/postfix/recipient_canonical
recipient_delimiter = +
relayhost = <elided>
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_invalid_hostname,    reject_non_fqdn_sender,    reject_unknown_sender_domain,    check_client_access hash:/etc/postfix/client_checks,    permit_sasl_authenticated,    reject_unauth_destination,    reject
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_cert_file = /etc/ssl/certs/server.crt
smtpd_tls_key_file = /etc/ssl/private/myserver.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
soft_bounce = no

Thanks,
Jim
--
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.LinxNet.com/contact/scform.php>.
Reply | Threaded
Open this post in threaded view
|

Re: Outlook 2003 Client SASL Login Problem?

Jim Seymour-2
In reply to this post by Wietse Venema
On Mon, 30 Jan 2012 09:08:55 -0500 (EST)
Wietse Venema <[hidden email]> wrote:

[snip]
>
> Have you compared the SMTP server EHLO replies (with openssl
> s_client)?

No.  That'd be difficult, tho not impossible, to do at this point, as
the old server is up in storage.

But this is certainly an Outlook 2003 -specific problem.  Claws-Mail
works fine, Thunderbird works fine, and Outlook 2007 works fine.  All
were tested against both submission and smtps.

Thanks,
Jim
--
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.LinxNet.com/contact/scform.php>.
Reply | Threaded
Open this post in threaded view
|

Re: Outlook 2003 Client SASL Login Problem?

Reindl Harald-2
In reply to this post by Jim Seymour-2


Am 30.01.2012 15:16, schrieb James Seymour:

> On Mon, 30 Jan 2012 14:51:51 +0100
> Reindl Harald <[hidden email]> wrote:
>
>>
> [snip]
>>
>> at least show some parts of the logfile
>
> Very well.  Not much to see...
>
> Jan 29 20:42:26 mail postfix/smtps/smtpd[7781]: connect from
> c-68-43-238-106.hsd1.mi.comcast.net[68.43.238.106] Jan 29 20:42:27 mail
> postfix/smtps/smtpd[7781]: NOQUEUE: reject: RCPT from
> c-68-43-238-106.hsd1.mi.comcast.net[68.43.238.106]: 554 5.7.1
> <c-68-43-238-106.hsd1.mi.comcast.net[68.43.238.106]>: Client host
> rejected: Access denied; from=<elided>
> to=<elided> proto=ESMTP helo=<cswin0035> Jan 29
> 20:42:32 mail postfix/smtps/smtpd[7781]: disconnect from
> c-68-43-238-106.hsd1.mi.comcast.net[68.43.238.106]
enough to see what happens or not!
if there is no SASL attempt
if you get connect followed directly by NOQUEUE the was no attempt

verify this with " | grep -i sasl | grep 68.43.238.106" to your logfile

postfix will log a sasl login (also if it has failed):
Jan 30 15:14:13 mail postfix/smtpd[21979]: 941D791: client=chello084112016179.9.11.vie.surfer.at[84.112.16.179],
sasl_method=CRAM-MD5, sasl_username=*************





signature.asc (270 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Outlook 2003 Client SASL Login Problem?

Noel Jones-2
In reply to this post by Jim Seymour-2
On 1/30/2012 8:16 AM, James Seymour wrote:

> On Mon, 30 Jan 2012 14:51:51 +0100
> Reindl Harald <[hidden email]> wrote:
>
>>
> [snip]
>>
>> at least show some parts of the logfile
>
> Very well.  Not much to see...
>
> Jan 29 20:42:26 mail postfix/smtps/smtpd[7781]: connect from
> c-68-43-238-106.hsd1.mi.comcast.net[68.43.238.106] Jan 29 20:42:27 mail
> postfix/smtps/smtpd[7781]: NOQUEUE: reject: RCPT from
> c-68-43-238-106.hsd1.mi.comcast.net[68.43.238.106]: 554 5.7.1
> <c-68-43-238-106.hsd1.mi.comcast.net[68.43.238.106]>: Client host
> rejected: Access denied; from=<elided>
> to=<elided> proto=ESMTP helo=<cswin0035> Jan 29
> 20:42:32 mail postfix/smtps/smtpd[7781]: disconnect from
> c-68-43-238-106.hsd1.mi.comcast.net[68.43.238.106]
>

If the client attempts SASL, postfix will log either success or
failure.  Looks as if the client didn't even try.

Maybe client didn't like any of the AUTH methods offered.  Now would
be a good time to connect to postfix/smtps with openssl s_client and
see what AUTH mechanisms are being offered.  I'm pretty sure Outlook
2003 needs either PLAIN or LOGIN (and no reason to not offer both).


>> Please show "postconf -n" output.
>

Thanks, no glaring errors here.




  -- Noel Jones
Reply | Threaded
Open this post in threaded view
|

Re: Outlook 2003 Client SASL Login Problem?

Jim Seymour-2
On Mon, 30 Jan 2012 09:21:36 -0600
Noel Jones <[hidden email]> wrote:

[snip]
>
> If the client attempts SASL, postfix will log either success or
> failure.  Looks as if the client didn't even try.

Exactly.  And that should've been my clue that the mechanism(s) offered
weren't to the client's liking.

Wietse picked up on it, right off, tho.  But I kept screwing-around,
looking elsewhere, until you also suggested...

>
> Maybe client didn't like any of the AUTH methods offered.  Now would
> be a good time to connect to postfix/smtps with openssl s_client and
> see what AUTH mechanisms are being offered.  I'm pretty sure Outlook
> 2003 needs either PLAIN or LOGIN (and no reason to not offer both).
[snip]

LOGIN was what it wanted.  PLAIN was all that was being offered.

Changed dovecot.com, restarted dovecot and postfix, and all's well.

Thanks for your help, everybody!

Regards,
Jim
--
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.LinxNet.com/contact/scform.php>.