SMTP authentication issue with Outlook 2007

From: Henrik Larsson (no email)
Date: Fri May 23 2008 - 15:29:20 EDT


    Hi All

    I'm a little confused here, and I'm not sure if this is a postfix, SASL
    or just a Microsoft compatibility issue.

    I got SMTP authentication working for all my users, even the latest
    Outlook 2007 user. The problem is that every time the Outlook 2007 user
    authenticates, I see this message in the log:
    May 23 00:28:45 web02 postfix/smtpd[31767]: connect from
    79.138.250.228.bredband.3.dk[79.138.250.228]
    May 23 00:28:47 web02 postfix/smtpd[31767]: warning: SASL authentication
    failure: realm changed: authentication aborted
    May 23 00:28:47 web02 postfix/smtpd[31767]: warning:
    79.138.250.228.bredband.3.dk[79.138.250.228]: SASL DIGEST-MD5
    authentication failed: authentication failure
    May 23 00:28:47 web02 postfix/smtpd[31767]: B4E662DA668:
    client=79.138.250.228.bredband.3.dk[79.138.250.228], sasl_method=LOGIN,
    sasl_username=

    It seems like the client tries out DIGEST-MD5 first but this fails
    because of "realm changed", and then the client falls back to LOGIN with
    success. Is there any way to solve this?

    Any solution will actually do here, a configuration change for postfix
    or SASL or even a solution for Outlook 2007 would do ;o)

    Below is output from saslfinger and postfinger for your reference:

    # ./saslfinger -s
    saslfinger - postfix Cyrus sasl configuration fre 23 maj 2008 20:30:59 CEST
    version: 1.0.2
    mode: server-side SMTP AUTH

    -- basics --
    Postfix: 2.5.1
    System: FreeBSD 6.3-STABLE (WEB02) #0: Thu Apr 24 11:10:47 CEST 2008

    -- smtpd is linked to --
            libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x28352000)

    -- active SMTP AUTH and TLS parameters for smtpd --
    broken_sasl_auth_clients = yes
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_sasl_security_options = noanonymous
    smtpd_tls_cert_file = /etc/ssl/mail.larsson.it.crt
    smtpd_tls_key_file = /etc/ssl/mail.larsson.it.key
    smtpd_tls_loglevel = 0
    smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
    smtpd_tls_session_cache_timeout = 3600s
    smtpd_use_tls = yes

    -- listing of /usr/local/lib/sasl2 --
    total 822
    drwxr-xr-x 2 root wheel 1024 14 nov 2007 .
    drwxr-xr-x 14 root wheel 4096 21 apr 10:53 ..
    -rwxr-xr-x 1 root wheel 736 14 nov 2007 libanonymous.la
    -rwxr-xr-x 1 root wheel 44655 14 nov 2007 libanonymous.so
    -rwxr-xr-x 1 root wheel 44655 14 nov 2007 libanonymous.so.2
    -rwxr-xr-x 1 root wheel 724 14 nov 2007 libcrammd5.la
    -rwxr-xr-x 1 root wheel 49216 14 nov 2007 libcrammd5.so
    -rwxr-xr-x 1 root wheel 49216 14 nov 2007 libcrammd5.so.2
    -rwxr-xr-x 1 root wheel 745 14 nov 2007 libdigestmd5.la
    -rwxr-xr-x 1 root wheel 95905 14 nov 2007 libdigestmd5.so
    -rwxr-xr-x 1 root wheel 95905 14 nov 2007 libdigestmd5.so.2
    -rwxr-xr-x 1 root wheel 712 14 nov 2007 liblogin.la
    -rwxr-xr-x 1 root wheel 45946 14 nov 2007 liblogin.so
    -rwxr-xr-x 1 root wheel 45946 14 nov 2007 liblogin.so.2
    -rwxr-xr-x 1 root wheel 712 14 nov 2007 libplain.la
    -rwxr-xr-x 1 root wheel 45240 14 nov 2007 libplain.so
    -rwxr-xr-x 1 root wheel 45240 14 nov 2007 libplain.so.2
    -rwxr-xr-x 1 root wheel 732 14 nov 2007 libsasldb.la
    -rwxr-xr-x 1 root wheel 57521 14 nov 2007 libsasldb.so
    -rwxr-xr-x 1 root wheel 57521 14 nov 2007 libsasldb.so.2
    -rwxr-xr-x 1 root wheel 744 14 nov 2007 libsql.la
    -rwxr-xr-x 1 root wheel 61509 14 nov 2007 libsql.so
    -rwxr-xr-x 1 root wheel 61509 14 nov 2007 libsql.so.2
    -rw-rw---- 1 root wheel 258 14 dec 14:55 smtpd.conf

    -- content of /usr/local/lib/sasl2/smtpd.conf --
    pwcheck_method: auxprop
    auxprop_plugin: sql
    log_level: 0

    sql_user: --- replaced ---
    sql_passwd: --- replaced ---
    sql_hostnames: localhost
    sql_database: mail
    sql_select: select clearpass from mailbox where user = '%u@%r' and login
    = 1 and disablesmtp != 1
    sql_verbose: 0

    -- active services in /etc/postfix/master.cf --
    # service type private unpriv chroot wakeup maxproc command + args
    # (yes) (yes) (yes) (never) (100)
    smtp inet n - n - - smtpd
    submission inet n - n - - smtpd
      -o smtpd_enforce_tls=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    smtps inet n - n - - smtpd
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    pickup fifo n - n 60 1 pickup
    cleanup unix n - n - 0 cleanup
    qmgr fifo n - n 300 1 qmgr
    tlsmgr unix - - n 1000? 1 tlsmgr
    rewrite unix - - n - - trivial-rewrite
    bounce unix - - n - 0 bounce
    defer unix - - n - 0 bounce
    trace unix - - n - 0 bounce
    verify unix - - n - 1 verify
    flush unix n - n 1000? 0 flush
    proxymap unix - - n - - proxymap
    smtp unix - - n - - smtp
    relay unix - - n - - smtp
            -o fallback_relay=
    showq unix n - n - - showq
    error unix - - n - - error
    retry unix - - n - - error
    discard unix - - n - - discard
    local unix - n n - - local
    virtual unix - n n - - virtual
    lmtp unix - - n - - lmtp
    anvil unix - - n - 1 anvil
    scache unix - - n - 1 scache
    127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o smtpd_restriction_classes=
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o
    receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
    -o local_header_rewrite_clients=
    amavis-lmtp unix - - n - 2 lmtp
    -o lmtp_data_done_timeout=1200
    -o lmtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20
    proxywrite unix - - n - 1 proxymap

    -- mechanisms on localhost --
    250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
    250-AUTH=LOGIN PLAIN DIGEST-MD5 CRAM-MD5

    -- end of saslfinger output --

    # postfinger
    postfinger - postfix configuration on Fri May 23 21:06:29 CEST 2008
    version: 1.30

    Warning: postfinger output may show private configuration information,
    such as ip addresses and/or domain names which you do not want to show
    to the public. If this is the case it is your responsibility to modify
    the output to hide this private information. [Remove this warning with
    the --nowarn option.]

    --System Parameters--
    mail_version = 2.5.1
    hostname = web02.larsson.it
    uname = FreeBSD web02.larsson.it 6.3-STABLE FreeBSD 6.3-STABLE #0: Thu
    Apr 24 11:10:47 CEST 2008
    :/usr/obj/usr/src/sys/WEB02 i386

    --Packaging information--
    looks like this postfix comes from BSD package:

    --main.cf non-default parameters--
    biff = no
    broken_sasl_auth_clients = yes
    content_filter = amavis-lmtp:[127.0.0.1]:10024
    disable_vrfy_command = yes
    header_checks = regexp:/etc/postfix/checks_header.regexp
    mailq_path = /usr/libexec/postfix/mailq
    message_size_limit = 25600000
    mydestination = web02.larsson.it
    myhostname = mail.larsson.it
    mynetworks = 127.0.0.0/8
    myorigin = web02.larsson.it
    newaliases_path = /usr/libexec/postfix/newaliases
    notify_classes = bounce, 2bounce, delay, resource, software
    owner_request_special = no
    parent_domain_matches_subdomains =
    proxy_interfaces = 213.185.13.10
    queue_directory = /home/mail/postfix
    readme_directory = /etc/postfix/readme
    recipient_delimiter = +
    sample_directory = /etc/postfix/sample
    sendmail_path = /usr/libexec/postfix/sendmail
    show_user_unknown_table_name = no
    smtpd_client_restrictions = permit_mynetworks,
    permit_sasl_authenticated, check_client_access
    mysql:/etc/postfix/access_client.mysql
    smtpd_hard_error_limit = 5
    smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated,
    check_helo_access mysql:/etc/postfix/access_helo.mysql
    smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_non_fqdn_recipient,
    reject_unauth_pipelining, check_recipient_access
    mysql:/etc/postfix/access_recipient.mysql, check_recipient_access
    mysql:/etc/postfix/access_aliases.mysql, reject
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_sender_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access
    mysql:/etc/postfix/access_sender.mysql, check_sender_access
    regexp:/etc/postfix/access_sender.regexp
    smtpd_soft_error_limit = 2
    smtpd_tls_cert_file = /etc/ssl/mail.larsson.it.crt
    smtpd_tls_key_file = /etc/ssl/mail.larsson.it.key
    smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
    smtpd_use_tls = yes
    strict_rfc821_envelopes = yes
    tls_random_exchange_name = /var/lib/postfix/prng_exch
    transport_maps = mysql:/etc/postfix/maps_transport.mysql
    virtual_alias_maps = mysql:/etc/postfix/maps_aliases.mysql
    virtual_gid_maps = mysql:/etc/postfix/maps_virtualid.mysql
    virtual_mailbox_base = /
    virtual_mailbox_maps = mysql:/etc/postfix/maps_mailbox.mysql
    virtual_uid_maps = mysql:/etc/postfix/maps_virtualid.mysql

    --master.cf--
    smtp inet n - n - - smtpd
    submission inet n - n - - smtpd
      -o smtpd_enforce_tls=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    smtps inet n - n - - smtpd
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    pickup fifo n - n 60 1 pickup
    cleanup unix n - n - 0 cleanup
    qmgr fifo n - n 300 1 qmgr
    tlsmgr unix - - n 1000? 1 tlsmgr
    rewrite unix - - n - - trivial-rewrite
    bounce unix - - n - 0 bounce
    defer unix - - n - 0 bounce
    trace unix - - n - 0 bounce
    verify unix - - n - 1 verify
    flush unix n - n 1000? 0 flush
    proxymap unix - - n - - proxymap
    smtp unix - - n - - smtp
    relay unix - - n - - smtp
            -o fallback_relay=
    showq unix n - n - - showq
    error unix - - n - - error
    retry unix - - n - - error
    discard unix - - n - - discard
    local unix - n n - - local
    virtual unix - n n - - virtual
    lmtp unix - - n - - lmtp
    anvil unix - - n - 1 anvil
    scache unix - - n - 1 scache
    127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o smtpd_restriction_classes=
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o
    receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
    -o local_header_rewrite_clients=
    amavis-lmtp unix - - n - 2 lmtp
    -o lmtp_data_done_timeout=1200
    -o lmtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20
    proxywrite unix - - n - 1 proxymap

    -- end of postfinger output --

    Best regards
    Henrik
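
The pattern described in this message (a SASL mechanism fails, then a different one succeeds on the same smtpd process) can be picked out of a Postfix log with a small correlator. This is an added example, not part of the original post; the log lines are constructed in the format shown above, using documentation addresses and made-up hostnames, queue IDs and usernames.

```python
import re

# Constructed sample (documentation addresses, made-up names) in the post's log format.
SAMPLE_LOG = """\
May 23 00:28:45 web02 postfix/smtpd[31767]: connect from client.example[192.0.2.10]
May 23 00:28:47 web02 postfix/smtpd[31767]: warning: SASL authentication failure: realm changed: authentication aborted
May 23 00:28:47 web02 postfix/smtpd[31767]: warning: client.example[192.0.2.10]: SASL DIGEST-MD5 authentication failed: authentication failure
May 23 00:28:47 web02 postfix/smtpd[31767]: 0A1B2C3D4E5: client=client.example[192.0.2.10], sasl_method=LOGIN, sasl_username=user@example.org
May 23 00:28:49 web02 postfix/smtpd[31767]: disconnect from client.example[192.0.2.10]
May 23 00:30:01 web02 postfix/smtpd[31802]: connect from other.example[198.51.100.7]
May 23 00:30:02 web02 postfix/smtpd[31802]: warning: other.example[198.51.100.7]: SASL CRAM-MD5 authentication failed: authentication failure
May 23 00:30:03 web02 postfix/smtpd[31802]: disconnect from other.example[198.51.100.7]
May 23 00:31:10 web02 postfix/smtpd[31815]: connect from third.example[203.0.113.5]
May 23 00:31:11 web02 postfix/smtpd[31815]: 5F6A7B8C9D0: client=third.example[203.0.113.5], sasl_method=PLAIN, sasl_username=other@example.org
"""

LINE = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")
REASON = re.compile(r"warning: SASL authentication failure: (.*)$")
FAILED = re.compile(r"warning: \S+\[([^\]]+)\]: SASL (\S+) authentication failed")
SUCCESS = re.compile(r"client=\S+\[([^\]]+)\], sasl_method=([^,\s]+)")
# LOGIN and PLAIN send the password merely base64-encoded, so they rely on TLS.
CLEARTEXT = {"LOGIN", "PLAIN"}

def find_fallbacks(log_text):
    """Find sessions where one SASL mechanism failed and another then succeeded."""
    sessions, findings = {}, []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        state = sessions.setdefault(pid, {"failed": [], "reason": None})
        if msg.startswith(("connect from ", "disconnect from ")):
            sessions.pop(pid, None)  # connection boundary: forget earlier attempts
        elif (r := REASON.match(msg)):
            state["reason"] = r.group(1)
        elif (f := FAILED.match(msg)):
            state["failed"].append(f.group(2))
        elif (s := SUCCESS.search(msg)):
            ip, mech = s.groups()
            if state["failed"] and mech not in state["failed"]:
                findings.append({"pid": pid, "client_ip": ip, "failed": state["failed"],
                                 "reason": state["reason"], "succeeded": mech,
                                 "cleartext": mech in CLEARTEXT})
            sessions.pop(pid, None)  # report each session once
    return findings

if __name__ == "__main__":
    print(find_fallbacks(SAMPLE_LOG))
```

A finding with `cleartext` set means the session ended up on a mechanism whose password protection comes only from the TLS layer.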

