Diary of a geek

Andrew Pollock

Sunday, 11 June 2006

Adventures in supporting Outlook

One of my users was having some issues using Outlook to connect to my SMTP server to send mail, so I had a bit of a poke around during the week to try and improve the situation.

I used to work in IT security, so I've got a healthy level of paranoia when it comes to network security. One of the things I don't allow is any clear-text authentication. I make users use an SSH/SCP client rather than an FTP client to upload files, web-mail is SSLed, IMAPS and POP3S only, etc.

For various reasons, the occasional user wants to relay mail through my SMTP server, rather than using their local ISP. Furthermore, a lot of the time, these users are on dynamic address space, so whitelisting IPs for relaying isn't feasible. So I use SMTP-AUTH. I also support STARTTLS.

During this debugging session, I discovered that one can actually authenticate without using TLS, so I fixed up Sendmail's configuration to only offer AUTH after a STARTTLS (define(`confAUTH_OPTIONS', `p') in sendmail.mc).

The problem that my user was having (and I reproduced myself) was that even with Outlook configured to "Require an encrypted connection" for SMTP, and authentication also specified, relaying was failing.

Turns out that Outlook (and Outlook Express) only support the AUTH LOGIN SASL mechanism, which is obsolete, not the AUTH PLAIN mechanism, which was all I had Sendmail configured for (and works fine for Sarah and her Mail.app on the PowerBook).

So the first thing was to enable LOGIN so that the applicable lines read as TRUST_AUTH_MECH(`PLAIN LOGIN') and define(`confAUTH_MECHANISMS', `PLAIN LOGIN') in sendmail.mc.

Then it turns out that Outlook doesn't really handle TLS all that well anyway, it'd rather just talk raw SMTP over SSL (i.e. port 465/tcp), and what was happening was on the first couple of delivery attempts, it would connect to port 25, start spewing SSL negotiation crap, upset the greetpause feature I had enabled, and never succeed in getting anywhere. Then it fell back to using STARTTLS instead.

So rather than having this hit and miss approach, I finally enabled SSMTP, by adding DAEMON_OPTIONS(`Port=smtps, NAME=TLSMTA, M=s') to sendmail.mc.
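A way to verify the server side of the three sendmail.mc changes above (AUTH only after STARTTLS, and both PLAIN and LOGIN offered once the session is encrypted) from a client, as an added example that is not the blog's own code; the hostname passed to probe() and the sample EHLO replies are constructed placeholders:

```python
"""Check an SMTP host's EHLO replies before and after STARTTLS against the
policy described in the post: no AUTH advertised on the clear-text channel,
and every wanted SASL mechanism advertised once TLS is up."""
import smtplib
import ssl


def parse_ehlo(ehlo_text: str) -> dict:
    """Turn a multi-line EHLO reply (as smtplib's ehlo_resp, decoded) into
    {KEYWORD: [params]}; the first line is the server greeting and is skipped."""
    features = {}
    for line in ehlo_text.splitlines()[1:]:
        parts = line.split()
        if parts:
            features[parts[0].upper()] = [p.upper() for p in parts[1:]]
    return features


def assess(pre_tls: dict, post_tls: dict, wanted=("PLAIN", "LOGIN")) -> dict:
    """Apply the policy: AUTH must be absent before TLS (confAUTH_OPTIONS `p'),
    STARTTLS must be offered, and the wanted mechanisms (confAUTH_MECHANISMS)
    must all appear in the post-STARTTLS AUTH line."""
    offered_after = set(post_tls.get("AUTH", []))
    return {
        "auth_before_tls": "AUTH" in pre_tls,                 # want False
        "starttls_offered": "STARTTLS" in pre_tls,            # want True
        "missing_mechs": sorted(set(wanted) - offered_after),  # want []
    }


def probe(host: str, port: int = 25, wanted=("PLAIN", "LOGIN")) -> dict:
    """Live check against a real server (needs network access): EHLO, STARTTLS
    with certificate verification, EHLO again, then assess both replies."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        pre = parse_ehlo(s.ehlo_resp.decode("latin-1"))
        s.starttls(context=ssl.create_default_context())
        s.ehlo()  # features must be re-read after STARTTLS
        post = parse_ehlo(s.ehlo_resp.decode("latin-1"))
    return assess(pre, post, wanted)


# Constructed sample replies for an offline run, shaped like smtplib.ehlo_resp.
SAMPLE_PRE_TLS = "mail.example.org Hello client\nSTARTTLS\nPIPELINING\n8BITMIME\n"
SAMPLE_POST_TLS = "mail.example.org Hello client\nAUTH PLAIN LOGIN\nPIPELINING\n8BITMIME\n"

if __name__ == "__main__":
    print(assess(parse_ehlo(SAMPLE_PRE_TLS), parse_ehlo(SAMPLE_POST_TLS)))
```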

So the following deficiencies in Outlook were highlighted from this exercise:

  1. Outlook does not notify the user if authentication is required, but not able to be performed
  2. Outlook only supports the obsolete AUTH LOGIN SASL mechanism
  3. Outlook doesn't do TLS on port 25 properly

After all this, the user is going to probably switch to Thunderbird, but at least Outlook is now supported as properly as possible.

[10:13] [tech]