SASL fine from iPhone, not from Nokia?

SASL fine from iPhone, not from Nokia?

Simon Wilson-7
I have a postfix 2.3.3 server, and I *think* I have SASL set up right.
The reason I think it is right is that I have an iPhone that connects
fine to Postfix, and sends emails fine through port 587 with the
following logs:

Oct 13 23:33:21 server04 postfix/smtpd[988]: connect from unknown[120.155.207.95]
Oct 13 23:33:21 server04 postfix/smtpd[988]: setting up TLS connection from unknown[120.155.207.95]
Oct 13 23:33:22 server04 postfix/smtpd[988]: TLS connection established from unknown[120.155.207.95]: TLSv1 with cipher AES128-SHA (128/128 bits)
Oct 13 23:33:22 server04 postfix/smtpd[988]: DDB8C57522: client=unknown[120.155.207.95], sasl_method=PLAIN, sasl_username=simon

It seems to be authing against SASL fine, uses PLAIN as its mech, but  
as it is TLS encrypted that's fine, and verifies me against LDAP.

My /usr/lib64/sasl2/smtpd.conf reads:

pwcheck_method: saslauthd
saslauthd_version: 2
mech_list: plain login cram-md5

saslauthd is configured to use LDAP.

I can testsaslauthd -u simon -p password with no problems, and it hits  
my LDAP server.

Now my wife has just got a Nokia E51. When it tries to send using SMTP  
to the same port 587, it tries to use CRAM-MD5, and the send fails:

Oct 13 23:35:37 server04 postfix/smtpd[988]: setting up TLS connection from unknown[58.171.251.169]
Oct 13 23:35:38 server04 postfix/smtpd[988]: TLS connection established from unknown[58.171.251.169]: TLSv1 with cipher AES256-SHA (256/256 bits)
Oct 13 23:35:39 server04 postfix/smtpd[988]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: Permission denied
Oct 13 23:35:39 server04 postfix/smtpd[988]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: Permission denied
Oct 13 23:35:39 server04 postfix/smtpd[988]: warning: SASL authentication failure: no secret in database
Oct 13 23:35:39 server04 postfix/smtpd[988]: warning: unknown[58.171.251.169]: SASL CRAM-MD5 authentication failed: authentication failure

It establishes the TLS fine, but then tries to use sasldb2 instead of  
saslauthd which is configured to go to LDAP. There is nothing IN  
sasldb2, no secrets etc as it says - it's not supposed to be using it.

One thing I note is that "telnet mail.simonandkate.net 587" does not  
return AUTH in the list offered:

220 mail.simonandkate.net ESMTP Postfix
EHLO simon.whatever
250-mail.simonandkate.net
250-PIPELINING
250-SIZE 26214400
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

So it would appear that SASL is *not* set up right... but why do I get
log entries saying the iPhone is sending email as sasl_method=PLAIN,
sasl_username=simon?

So can anyone tell me what I have done wrong? Why does SASL appear to  
be (possibly) working for PLAIN (iPhone) but not for the Nokia  
(CRAM-MD5), and why is the server not advertising the AUTH methods?

Postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
bounce_template_file = /etc/postfix/bounce.cf
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavisfeed:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
delay_warning_time = 2h
disable_vrfy_command = yes
html_directory = no
mailbox_transport = cyrus
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
masquerade_domains = !system.simonandkate.net, simonandkate.net, simonandkate.lan
message_size_limit = 26214400
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, localhost.localdomain, simonandkate.net, system.simonandkate.net, howiesue.net
myhostname = mail.simonandkate.net
mynetworks = 127.0.0.0/8, 192.168.1.0/24
myorigin = simonandkate.net
newaliases_path = /usr/bin/newaliases.postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_client_restrictions =
smtpd_data_restrictions = reject_unauth_pipelining      permit
smtpd_helo_required = yes
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unauth_pipelining,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    check_sender_access hash:/etc/postfix/sender_access,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    check_policy_service unix:postgrey/socket,
    check_policy_service unix:private/policy
    permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sender_restrictions =
smtpd_tls_CAfile = /etc/pki/tls/certs/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/simonandkate.net-cert.pem
smtpd_tls_key_file = /etc/pki/tls/private/simonandkate.net-key.pem
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550

Any help would be appreciated... :)
--
Simon Wilson
www.simonandkate.net

Re: SASL fine from iPhone, not from Nokia?

Eero Volotinen-2

> One thing I note is that "telnet mail.simonandkate.net 587" does not
> return AUTH in the list offered:
>
> 220 mail.simonandkate.net ESMTP Postfix
> EHLO simon.whatever
> 250-mail.simonandkate.net
> 250-PIPELINING
> 250-SIZE 26214400
> 250-ETRN
> 250-STARTTLS
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
>
> So it would appear that SASL is *not* setup right... but why do I get
> log entries saying the iPhone is sending email as sasl_method=PLAIN,
> sasl_username=simon?
>
> So can anyone tell me what I have done wrong? Why does SASL appear to be
> (possibly) working for PLAIN (iPhone) but not for the Nokia (CRAM-MD5),
> and why is the server not advertising the AUTH methods?
> smtpd_tls_auth_only = yes

Because of:

smtpd_tls_auth_only (default: no)
When TLS encryption is optional in the Postfix SMTP server, do not
announce or accept SASL authentication over unencrypted connections.

This feature is available in Postfix 2.2 and later.

You need to use openssl s_client -connect mailserver:port to get the
auth advertising, so pure telnet is not an encrypted connection.

Make sure that the Nokia is really using encryption (TLS).

--
Eero

Re: SASL fine from iPhone, not from Nokia?

Patrick Ben Koetter
In reply to this post by Simon Wilson-7
* Simon Wilson <[hidden email]>:

> I have a postfix 2.3.3 server, and I *think* I have SASL set up
> right. The reason I think it is right is that I have an iphone that
> connects fine to Postfix, and sends emails fine through port 587
> with the following logs:
>
> Oct 13 23:33:21 server04 postfix/smtpd[988]: connect from
> unknown[120.155.207.95]
> Oct 13 23:33:21 server04 postfix/smtpd[988]: setting up TLS
> connection from unknown[120.155.207.95]
> Oct 13 23:33:22 server04 postfix/smtpd[988]: TLS connection
> established from unknown[120.155.207.95]: TLSv1 with cipher
> AES128-SHA (128/128 bits)
> Oct 13 23:33:22 server04 postfix/smtpd[988]: DDB8C57522:
> client=unknown[120.155.207.95], sasl_method=PLAIN,
> sasl_username=simon
>
> It seems to be authing against SASL fine, uses PLAIN as its mech,
> but as it is TLS encrypted that's fine, and verifies me against
> LDAP.
>
> My /usr/lib64/sasl2/smtpd.conf reads:
>
> pwcheck_method: saslauthd
> saslauthd_version: 2
> mech_list: plain login cram-md5
>
> saslauthd is configured to use LDAP.
>
> I can testsaslauthd -u simon -p password with no problems, and it
> hits my LDAP server.
>
> Now my wife has just got a Nokia E51. When it tries to send using
> SMTP to the same port 587, it tries to use CRAM-MD5, and the send
> fails:

The saslauthd password verification service can't deal with shared-secret
mechanisms such as cram-md5.

Remove "cram-md5" from $mech_list in /usr/lib64/sasl2/smtpd.conf and the Nokia
E51 should be able to auth.

p@rick




>
> Oct 13 23:35:37 server04 postfix/smtpd[988]: setting up TLS
> connection from unknown[58.171.251.169]
> Oct 13 23:35:38 server04 postfix/smtpd[988]: TLS connection
> established from unknown[58.171.251.169]: TLSv1 with cipher
> AES256-SHA (256/256 bits)
> Oct 13 23:35:39 server04 postfix/smtpd[988]: warning: SASL
> authentication problem: unable to open Berkeley db /etc/sasldb2:
> Permission denied
> Oct 13 23:35:39 server04 postfix/smtpd[988]: warning: SASL
> authentication problem: unable to open Berkeley db /etc/sasldb2:
> Permission denied
> Oct 13 23:35:39 server04 postfix/smtpd[988]: warning: SASL
> authentication failure: no secret in database
> Oct 13 23:35:39 server04 postfix/smtpd[988]: warning:
> unknown[58.171.251.169]: SASL CRAM-MD5 authentication failed:
> authentication failure
>
> It establishes the TLS fine, but then tries to use sasldb2 instead
> of saslauthd which is configured to go to LDAP. There is nothing IN
> sasldb2, no secrets etc as it says - it's not supposed to be using
> it.
>
> One thing I note is that "telnet mail.simonandkate.net 587" does not
> return AUTH in the list offered:
>
> 220 mail.simonandkate.net ESMTP Postfix
> EHLO simon.whatever
> 250-mail.simonandkate.net
> 250-PIPELINING
> 250-SIZE 26214400
> 250-ETRN
> 250-STARTTLS
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
>
> So it would appear that SASL is *not* setup right... but why do I
> get log entries saying the iPhone is sending email as
> sasl_method=PLAIN, sasl_username=simon?
>
> So can anyone tell me what I have done wrong? Why does SASL appear
> to be (possibly) working for PLAIN (iPhone) but not for the Nokia
> (CRAM-MD5), and why is the server not advertising the AUTH methods?
>
> Postconf -n:
>
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> bounce_template_file = /etc/postfix/bounce.cf
> broken_sasl_auth_clients = yes
> canonical_maps = hash:/etc/postfix/canonical
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> content_filter = amavisfeed:[127.0.0.1]:10024
> daemon_directory = /usr/libexec/postfix
> debug_peer_level = 2
> delay_warning_time = 2h
> disable_vrfy_command = yes
> html_directory = no
> mailbox_transport = cyrus
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> masquerade_domains = !system.simonandkate.net, simonandkate.net,
> simonandkate.lan
> message_size_limit = 26214400
> mydestination = $myhostname, localhost.$mydomain, localhost,
> $mydomain, localhost.localdomain, simonandkate.net,
> system.simonandkate.net, howiesue.net
> myhostname = mail.simonandkate.net
> mynetworks = 127.0.0.0/8, 192.168.1.0/24
> myorigin = simonandkate.net
> newaliases_path = /usr/bin/newaliases.postfix
> readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
> sample_directory = /usr/share/doc/postfix-2.3.3/samples
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> smtpd_client_restrictions =
> smtpd_data_restrictions = reject_unauth_pipelining      permit
> smtpd_helo_required = yes
> smtpd_helo_restrictions =
> smtpd_recipient_restrictions = permit_mynetworks,
> permit_sasl_authenticated,      reject_unauth_destination,
> reject_unauth_pipelining,      reject_invalid_helo_hostname,
> reject_non_fqdn_helo_hostname,
> reject_non_fqdn_sender,reject_unknown_sender_domain,
> reject_non_fqdn_recipient,      reject_unknown_recipient_domain,
> check_sender_access hash:/etc/postfix/sender_access,
> reject_rbl_client zen.spamhaus.org,       reject_rbl_client
> bl.spamcop.net,       check_policy_service unix:postgrey/socket,
> check_policy_service unix:private/policy        permit
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain =
> smtpd_sender_restrictions =
> smtpd_tls_CAfile = /etc/pki/tls/certs/cacert.pem
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /etc/pki/tls/certs/simonandkate.net-cert.pem
> smtpd_tls_key_file = /etc/pki/tls/private/simonandkate.net-key.pem
> smtpd_tls_loglevel = 1
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_timeout = 3600s
> transport_maps = hash:/etc/postfix/transport
> unknown_local_recipient_reject_code = 550
>
> Any help would be appreciated... :)
> --
> Simon Wilson
> www.simonandkate.net

--
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>

Re: SASL fine from iPhone, not from Nokia?

Patrick Ben Koetter
In reply to this post by Eero Volotinen-2
* Eero Volotinen <[hidden email]>:

>
> >One thing I note is that "telnet mail.simonandkate.net 587" does
> >not return AUTH in the list offered:
> >
> >220 mail.simonandkate.net ESMTP Postfix
> >EHLO simon.whatever
> >250-mail.simonandkate.net
> >250-PIPELINING
> >250-SIZE 26214400
> >250-ETRN
> >250-STARTTLS
> >250-ENHANCEDSTATUSCODES
> >250-8BITMIME
> >250 DSN
> >
> >So it would appear that SASL is *not* setup right... but why do I
> >get log entries saying the iPhone is sending email as
> >sasl_method=PLAIN, sasl_username=simon?
> >
> >So can anyone tell me what I have done wrong? Why does SASL appear
> >to be (possibly) working for PLAIN (iPhone) but not for the Nokia
> >(CRAM-MD5), and why is the server not advertising the AUTH
> >methods?
> >smtpd_tls_auth_only = yes
>
> Because of:
>
> smtpd_tls_auth_only (default: no)
> When TLS encryption is optional in the Postfix SMTP server, do not
> announce or accept SASL authentication over unencrypted connections.
>
> This feature is available in Postfix 2.2 and later.
>
> you need to use openssl s_client -connect mailserver:port to get the
> auth advertising, so pure telnet is not encrypted connection.
>
> Make sure that nokia is really using encryption (tls)

This is wrong. The log shows the mobile is using TLS. The SASL part fails. See
my other post for why it fails.

p@rick



>
> --
> Eero


Re: SASL fine from iPhone, not from Nokia?

Eero Volotinen-2
In reply to this post by Eero Volotinen-2
> you need to use openssl s_client -connect mailserver:port to get the
> auth advertising, so pure telnet is not encrypted connection.

Sorry, the correct commandline is:

openssl s_client -starttls smtp -connect mailhost:port

--
Eero

Re: SASL fine from iPhone, not from Nokia?

Jan Kohnert
In reply to this post by Simon Wilson-7
On Tuesday 13 October 2009 15:52:32, Simon Wilson wrote:

> Now my wife has just got a Nokia E51. When it tries to send using SMTP
> to the same port 587, it tries to use CRAM-MD5, and the send fails:
>
> Oct 13 23:35:37 server04 postfix/smtpd[988]: setting up TLS connection
> from unknown[58.171.251.169]
> Oct 13 23:35:38 server04 postfix/smtpd[988]: TLS connection
> established from unknown[58.171.251.169]: TLSv1 with cipher AES256-SHA
> (256/256 bits)
> Oct 13 23:35:39 server04 postfix/smtpd[988]: warning: SASL
> authentication problem: unable to open Berkeley db /etc/sasldb2:
> Permission denied
> Oct 13 23:35:39 server04 postfix/smtpd[988]: warning: SASL
> authentication problem: unable to open Berkeley db /etc/sasldb2:
> Permission denied
> Oct 13 23:35:39 server04 postfix/smtpd[988]: warning: SASL
> authentication failure: no secret in database
> Oct 13 23:35:39 server04 postfix/smtpd[988]: warning:
> unknown[58.171.251.169]: SASL CRAM-MD5 authentication failed:
> authentication failure
>
> It establishes the TLS fine, but then tries to use sasldb2 instead of
> saslauthd which is configured to go to LDAP. There is nothing IN
> sasldb2, no secrets etc as it says - it's not supposed to be using it.
Well, if you did not set up LDAP to store passwords in plaintext format (which
you probably don't want to), it will not work with CRAM-MD5, that's just the
way it is. But anyway, if you use TLS/SSL, passwords are submitted over an
encrypted connection, so submitting plaintext passwords should not be a big
security issue here.

> One thing I note is that "telnet mail.simonandkate.net 587" does not
> return AUTH in the list offered:
>
> 220 mail.simonandkate.net ESMTP Postfix
> EHLO simon.whatever
> 250-mail.simonandkate.net
> 250-PIPELINING
> 250-SIZE 26214400
> 250-ETRN
> 250-STARTTLS
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN

> Postconf -n:
[...]
> smtpd_sasl_auth_enable = yes
> smtpd_tls_auth_only = yes
[...]

That's the way you configured postfix. It shall only give AUTH *after*
STARTTLS (or over an SSL connection). That's just fine. I would propose (am I
allowed to?) to configure your wife's phone to use TLS, and AUTH PLAIN.

--
Best regards, Jan
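
Why a saslauthd-backed server can verify PLAIN and LOGIN but not CRAM-MD5, as an added example that is not part of the original thread. The account, password, challenge string and PBKDF2 directory entry are constructed stand-ins, and `saslauthd_check` only models saslauthd's yes/no interface.

```python
import base64
import hashlib
import hmac
import os

def directory_entry(password):
    # What the LDAP side keeps: a salted one-way hash, never the password itself.
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def saslauthd_check(entry, password):
    # Stand-in for saslauthd: it is handed a cleartext password and answers yes/no.
    salt, stored = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
    return hmac.compare_digest(candidate, stored)

def plain_client(user, password):
    # RFC 4616: authzid NUL authcid NUL passwd, base64-encoded for SMTP AUTH.
    return base64.b64encode(b"\0" + user.encode() + b"\0" + password.encode())

def plain_server(token, directory):
    # The server receives the password itself, so it can hand it to the checker.
    _authzid, user, password = base64.b64decode(token).split(b"\0")
    entry = directory.get(user.decode())
    return entry is not None and saslauthd_check(entry, password.decode())

def cram_client(user, password, challenge):
    # RFC 2195: the password never crosses the wire, only HMAC-MD5(password, challenge).
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())

def cram_server(token, challenge, secrets):
    # To check the digest the server must recompute it, which needs the shared
    # secret itself. A yes/no password checker cannot supply that.
    user, digest = base64.b64decode(token).decode().rsplit(" ", 1)
    secret = secrets.get(user)
    if secret is None:
        return False, "no secret in database"
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    ok = hmac.compare_digest(expected, digest)
    return ok, "ok" if ok else "digest mismatch"

def demo():
    user, password = "katie", "constructed-password"   # constructed sample account
    directory = {user: directory_entry(password)}      # hashed store behind saslauthd
    challenge = b"<1896.697170952@mail.example.net>"   # constructed server challenge
    response = cram_client(user, password, challenge)
    return {
        "plain_via_saslauthd": plain_server(plain_client(user, password), directory),
        "plain_wrong_password": plain_server(plain_client(user, "nope"), directory),
        # Empty secret store, as with the empty /etc/sasldb2 in the thread.
        "cram_empty_sasldb": cram_server(response, challenge, {}),
        # Works only when the server holds the plaintext secret.
        "cram_with_plaintext_secret": cram_server(response, challenge, {user: password}),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```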


Re: SASL fine from iPhone, not from Nokia?

Barney Desmond
In reply to this post by Eero Volotinen-2
2009/10/14 Eero Volotinen <[hidden email]>:

> Because of:
>
> smtpd_tls_auth_only (default: no)
> When TLS encryption is optional in the Postfix SMTP server, do not announce
> or accept SASL authentication over unencrypted connections.
>
> This feature is available in Postfix 2.2 and later.
>
> you need to use openssl s_client -connect mailserver:port to get the auth
> advertising, so pure telnet is not encrypted connection.
>
> Make sure that nokia is really using encryption (tls)

To expand on what Eero said, Postfix won't advertise AUTH unless the
connection is tunneled through TLS - it's because you have
"smtpd_tls_auth_only = yes".

Here's how I've tested your server; it looks as you'd expect once you
make a TLS connection. As for the use of CRAM-MD5, see Patrick's
notes.


furinkan@shirayuki:~$ openssl s_client -connect mail.simonandkate.net:587 -starttls smtp
CONNECTED(00000003)
depth=1 /C=AU/ST=Queensland/L=Brisbane/O=Simonandkate.net/OU=Home/CN=ca.simonandkate.net/emailAddress=[hidden email]
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=AU/ST=Queensland/L=Brisbane/O=Simonandkate.net/OU=Home/CN=*.simonandkate.net/emailAddress=[hidden email]
   i:/C=AU/ST=Queensland/L=Brisbane/O=Simonandkate.net/OU=Home/CN=ca.simonandkate.net/emailAddress=[hidden email]
 1 s:/C=AU/ST=Queensland/L=Brisbane/O=Simonandkate.net/OU=Home/CN=ca.simonandkate.net/emailAddress=[hidden email]
   i:/C=AU/ST=Queensland/L=Brisbane/O=Simonandkate.net/OU=Home/CN=ca.simonandkate.net/emailAddress=[hidden email]
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDPDCCAqWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBpTELMAkGA1UEBhMCQVUx
<trimmed>
-----END CERTIFICATE-----
subject=/C=AU/ST=Queensland/L=Brisbane/O=Simonandkate.net/OU=Home/CN=*.simonandkate.net/emailAddress=[hidden email]
issuer=/C=AU/ST=Queensland/L=Brisbane/O=Simonandkate.net/OU=Home/CN=ca.simonandkate.net/emailAddress=[hidden email]
---
No client certificate CA names sent
---
SSL handshake has read 2594 bytes and written 351 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 565F11F92AC11E91E1F356668B37675E03B3D2F929C5A83BA33183E8DA915308
    Session-ID-ctx:
    Master-Key: F0BF9E73B3880277076D5005E34B81CC9420B05A1A9B4CB5C0EECB0C8794F60E927053F77D20F0F680C72243F0FD778C
    Key-Arg   : None
    Start Time: 1255442651
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
250 DSN
EHLO shirayuki
250-mail.simonandkate.net
250-PIPELINING
250-SIZE 26214400
250-ETRN
250-AUTH CRAM-MD5 LOGIN PLAIN
250-AUTH=CRAM-MD5 LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
QUIT
DONE
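
A check that ties together the two findings in this thread (AUTH is announced only inside TLS, and CRAM-MD5 is offered although saslauthd cannot verify it), as an added example that is not part of the original posts. The smtpd.conf and EHLO replies are taken from the thread and abridged; the function names are assumptions of this example.

```python
SHARED_SECRET_MECHS = {"cram-md5", "digest-md5"}  # server must hold the secret itself

# smtpd.conf as posted in the thread.
SASL_CONF = """\
pwcheck_method: saslauthd
saslauthd_version: 2
mech_list: plain login cram-md5
"""
# EHLO replies from the thread (abridged): before STARTTLS and inside the TLS session.
EHLO_CLEAR = """\
250-mail.simonandkate.net
250-PIPELINING
250-STARTTLS
250 DSN
"""
EHLO_TLS = """\
250-mail.simonandkate.net
250-PIPELINING
250-AUTH CRAM-MD5 LOGIN PLAIN
250-AUTH=CRAM-MD5 LOGIN PLAIN
250 DSN
"""

def parse_sasl_conf(text):
    """Parse Cyrus SASL 'key: value' lines into a dict."""
    conf = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and not key.lstrip().startswith("#"):
            conf[key.strip().lower()] = value.strip()
    return conf

def ehlo_auth_mechs(transcript):
    """Return the set of AUTH mechanisms in an EHLO reply, or None if AUTH is absent."""
    mechs = None
    for line in transcript.splitlines():
        body = line.strip()[4:]  # drop '250-' or '250 '
        # 'AUTH=...' is the legacy form emitted with broken_sasl_auth_clients = yes
        if body.upper().startswith(("AUTH ", "AUTH=")):
            mechs = (mechs or set()) | {m.lower() for m in body[5:].split()}
    return mechs

def audit(conf_text, ehlo_clear, ehlo_tls):
    """Return a list of findings; an empty list means the setup is consistent."""
    findings = []
    conf = parse_sasl_conf(conf_text)
    if ehlo_auth_mechs(ehlo_clear) is not None:
        findings.append("AUTH is offered before STARTTLS (smtpd_tls_auth_only not in effect)")
    tls_mechs = ehlo_auth_mechs(ehlo_tls)
    if tls_mechs is None:
        findings.append("AUTH is not offered inside TLS either (check smtpd_sasl_auth_enable)")
    if conf.get("pwcheck_method") == "saslauthd":
        # Check both the configured list and what the server actually announces.
        offered = set(conf.get("mech_list", "").lower().split()) | (tls_mechs or set())
        for mech in sorted(offered & SHARED_SECRET_MECHS):
            findings.append(f"{mech} is offered but saslauthd cannot verify it; remove it from mech_list")
    return findings

if __name__ == "__main__":
    for finding in audit(SASL_CONF, EHLO_CLEAR, EHLO_TLS):
        print(finding)
```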

Re: SASL fine from iPhone, not from Nokia?

Simon Wilson-7
In reply to this post by Patrick Ben Koetter
Quoting Patrick Ben Koetter <[hidden email]>:

>
> The saslauthd password verification service can't deal with
> shared-secret
> mechanisms such as cram-md5.
>
> Remove "cram-md5" from $mech_list in /usr/lib64/sasl2/smtpd.conf
> and the Nokia
> E51 should be able to auth.
>
> p@rick
>

You guys rock... I am so impressed by not only the detail and effort  
but also the speed of responses. Thanks all so much.

P@rick was correct, it was because I was offering CRAM-MD5 that the  
Nokia was trying to use it. Remove that offering and Bingo! the Nokia  
has fallen back to LOGIN.

Oct 14 00:12:23 server04 postfix/smtpd[2783]: setting up TLS connection from unknown[58.171.186.70]
Oct 14 00:12:24 server04 postfix/smtpd[2783]: TLS connection established from unknown[58.171.186.70]: TLSv1 with cipher AES256-SHA (256/256 bits)
Oct 14 00:12:25 server04 postfix/smtpd[2783]: B7A425751F: client=unknown[58.171.186.70], sasl_method=LOGIN, sasl_username=katie

And thanks also to Eero for explaining why the server wasn't appearing  
to offer SASL but it is really - and to Barney for testing my setup  
remotely! :)

As to Jan being allowed to propose configuring the Nokia to use TLS  
and PLAIN - thanks Jan - yes you are allowed... :) It's now working  
using TLS and LOGIN mech.

Thanks again guys - kudos to you all for helping me out.
--
Simon Wilson
www.simonandkate.net