Re: Authentication problem
François RONVAUX wrote:

> I successfully got the client "test" authenticate on the server "mx1" with this :
> ---
> foo@test : # cat /etc/mail/secrets
> foofoo:password_clear
> ---
>
> But another issue that appeared...
> Authentication does now work with this line in the file "smtpd.conf" :
> ---
> table secrets file:/etc/mail/secrets
> ---
>
> But if instead of a text file I use a db file, it does not work and I see again the message "AUTH rejected: 535 Authentication failed" in the logs :
> ---
> table secrets db:/etc/mail/secrets.db
> ---
>
> I generated the db file with "makemap secrets" and there was no error reported by the command.

if you are on openbsd you might need the `opensmtpd-extras` package

Re: Authentication problem
> Authentication does now work with this line in the file "smtpd.conf" :
> ---
> table secrets file:/etc/mail/secrets
> ---
>
> But if instead of a text file I use a db file, it does not work

Then don't use it. :-)
file is recommended over db anyway:
https://www.mail-archive.com/misc@opensmtpd.org/msg03302.html

Re: Authentication problem
I successfully got the client "test" authenticate on the server "mx1" with this :
---
foo@test : # cat /etc/mail/secrets
foofoo:password_clear
---

But another issue that appeared...
Authentication does now work with this line in the file "smtpd.conf" :
---
table secrets file:/etc/mail/secrets
---

But if instead of a text file I use a db file, it does not work and I see again the message "AUTH rejected: 535 Authentication failed" in the logs :
---
table secrets db:/etc/mail/secrets.db
---

I generated the db file with "makemap secrets" and there was no error reported by the command.

On Mon, 14 Jun 2021 at 20:55, Gilles CHEHADE wrote:

> > On 14 Jun 2021, at 19:20, François RONVAUX wrote:
> >
> > Thanks for the reply.
> > I will have a look at smtpctl encrypt...
> >
> > According to this resource (section "Credentials tables"):
> > https://man.openbsd.org/OpenBSD-6.9/table.5
> > --
> > In a relay context, the credentials are a mapping of labels and username:password pairs:
> >
> > label1 user:password
> >
> > The label must be unique and is used as a selector for the proper credentials when multiple credentials are valid for a single destination.
> > The password is not encrypted as it must be provided to the remote host.
> > --
> >
> > It clearly states that the password must be not encrypted.
> > Maybe this man page is not up to date ?
>
> For mta authentication, when your server authenticates elsewhere, the password is not encrypted because it can’t, it must be supplied to the remote server.
> For listener authentication, when a client authenticates to your machine, the password is encrypted because we use crypt(3) to validate.
>
> In your mail, you showed the listen configuration:
>
> listen on egress inet4 \
>     tls-require \
>     auth
>
> So I assumed you were talking about incoming authentication.
>
> > And I run an old OpenSMTPD v6.4.0 with relaying e-mails to a gmail account and it does work with not-encrypted password in the secret file.
> > When did this requirement of encrypted password change ?
> >
> > Regards.
> >
> > On Mon, 14 Jun 2021 at 14:08, wrote:
> > June 14, 2021 9:19 AM, "François RONVAUX" wrote:
> >
> >> Hello,
> >>
> >> I have a mail server "mx1" with this listening section :
> >> ---
> >> listen on egress inet4 \
> >>     tls-require \
> >>     auth
> >> ---
> >>
> >> I have also a server "test" and I would want to authenticate the user when sending an e-mail to the server "mx1" but I get an error :
> >> ---
> >> test smtpd[9309]: f3880cf18b73253d mta error reason=AUTH rejected: 535 Authentication failed
> >> ---
> >>
> >> "test" seems to connect properly on "mx1" but the error does occur on the user authentication.
> >>
> >> Because I can perfectly connect to "mx1" with a MUA like Thunderbird, it makes me think the error should be located on the opensmtpd "test" secrets file :
> >> ---
> >> foo f...@mx1.example.org:password
> >> ---
> >>
> >> The password is 40 digits long and looks like this :
> >> C>(3")GID~7B7%{~LIq_G*JdP6fTW*"[`G)
> >>
> >> Can a special character be a problem in the password field ?
> >> If yes, how to deal with it ?
> >>
> >> Thanks for your suggestions.
> >
> > The problem is not that there's a special character but that the password should be crypt(3)-ed,
> > look at smtpctl encrypt

Re: Authentication problem
> On 14 Jun 2021, at 19:20, François RONVAUX wrote:
>
> Thanks for the reply.
> I will have a look at smtpctl encrypt...
>
> According to this resource (section "Credentials tables"):
> https://man.openbsd.org/OpenBSD-6.9/table.5
> --
> In a relay context, the credentials are a mapping of labels and username:password pairs:
>
> label1 user:password
>
> The label must be unique and is used as a selector for the proper credentials when multiple credentials are valid for a single destination.
> The password is not encrypted as it must be provided to the remote host.
> --
>
> It clearly states that the password must be not encrypted.
> Maybe this man page is not up to date ?

For mta authentication, when your server authenticates elsewhere, the password is not encrypted because it can’t, it must be supplied to the remote server.
For listener authentication, when a client authenticates to your machine, the password is encrypted because we use crypt(3) to validate.

In your mail, you showed the listen configuration:

listen on egress inet4 \
    tls-require \
    auth

So I assumed you were talking about incoming authentication.

> And I run an old OpenSMTPD v6.4.0 with relaying e-mails to a gmail account and it does work with not-encrypted password in the secret file.
> When did this requirement of encrypted password change ?
>
> Regards.
>
> On Mon, 14 Jun 2021 at 14:08, wrote:
> June 14, 2021 9:19 AM, "François RONVAUX" wrote:
>
>> Hello,
>>
>> I have a mail server "mx1" with this listening section :
>> ---
>> listen on egress inet4 \
>>     tls-require \
>>     auth
>> ---
>>
>> I have also a server "test" and I would want to authenticate the user when sending an e-mail to the server "mx1" but I get an error :
>> ---
>> test smtpd[9309]: f3880cf18b73253d mta error reason=AUTH rejected: 535 Authentication failed
>> ---
>>
>> "test" seems to connect properly on "mx1" but the error does occur on the user authentication.
>>
>> Because I can perfectly connect to "mx1" with a MUA like Thunderbird, it makes me think the error should be located on the opensmtpd "test" secrets file :
>> ---
>> foo f...@mx1.example.org:password
>> ---
>>
>> The password is 40 digits long and looks like this :
>> C>(3")GID~7B7%{~LIq_G*JdP6fTW*"[`G)
>>
>> Can a special character be a problem in the password field ?
>> If yes, how to deal with it ?
>>
>> Thanks for your suggestions.
>
> The problem is not that there's a special character but that the password should be crypt(3)-ed,
> look at smtpctl encrypt

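Added example, not part of the thread and not OpenSMTPD code: a small Python check for the distinction drawn in the reply above, flagging listener-table entries that are not crypt(3) hashes and relay-table entries whose password has been hashed. The function names, the sample entries and the modular-crypt-format regex are assumptions made for this illustration.

```python
import re

# Modular crypt format, e.g. $2b$10$... (bcrypt) or $6$salt$... (SHA-512 crypt).
# Assumption: legacy 13-character DES hashes are not in use and get flagged.
MCF = re.compile(r"^\$[A-Za-z0-9-]+\$[A-Za-z0-9./$=,]+$")

def parse_table(text):
    """Return (key, value) pairs from 'key<whitespace>value' lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' starts a comment
            continue
        key, *rest = line.split(None, 1)
        pairs.append((key, rest[0] if rest else ""))
    return pairs

def lint_listener(text):
    """Listener auth: the value must be a crypt(3) hash of the password."""
    return [(user, "not a crypt(3) hash")
            for user, value in parse_table(text) if not MCF.match(value)]

def lint_relay(text):
    """Relay auth: the value must be user:password, password in clear."""
    findings = []
    for label, value in parse_table(text):
        user, sep, password = value.partition(":")
        if not (user and sep and password):
            findings.append((label, "expected user:password"))
        elif MCF.match(password):
            findings.append((label, "password looks hashed; it is sent as-is"))
    return findings

FAKE_HASH = "$2b$10$" + "A" * 53  # constructed placeholder, not a real hash
# Constructed sample tables (not taken from the thread's servers).
LISTENER_SAMPLE = f"alice {FAKE_HASH}\nfoo password_clear\nbob\n"
RELAY_SAMPLE = f"mx1 foo:password_clear\nmx2 bar\nmx3 baz:{FAKE_HASH}\n"

if __name__ == "__main__":
    for name, fn, data in (("listener", lint_listener, LISTENER_SAMPLE),
                           ("relay", lint_relay, RELAY_SAMPLE)):
        for key, problem in fn(data):
            print(f"{name}: {key}: {problem}")
```

A cleartext password that happens to match the `$id$...` pattern would pass the listener check, so this is a format lint, not a verification of the hash.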
Re: Authentication problem
Thanks for the reply.
I will have a look at smtpctl encrypt...

According to this resource (section "Credentials tables"):
https://man.openbsd.org/OpenBSD-6.9/table.5
--
In a relay context, the credentials are a mapping of labels and username:password pairs:

label1 user:password

The label must be unique and is used as a selector for the proper credentials when multiple credentials are valid for a single destination.
The password is not encrypted as it must be provided to the remote host.
--

It clearly states that the password must be not encrypted.
Maybe this man page is not up to date ?

And I run an old OpenSMTPD v6.4.0 with relaying e-mails to a gmail account and it does work with not-encrypted password in the secret file.
When did this requirement of encrypted password change ?

Regards.

On Mon, 14 Jun 2021 at 14:08, wrote:

> June 14, 2021 9:19 AM, "François RONVAUX" wrote:
>
> > Hello,
> >
> > I have a mail server "mx1" with this listening section :
> > ---
> > listen on egress inet4 \
> >     tls-require \
> >     auth
> > ---
> >
> > I have also a server "test" and I would want to authenticate the user when sending an e-mail to the server "mx1" but I get an error :
> > ---
> > test smtpd[9309]: f3880cf18b73253d mta error reason=AUTH rejected: 535 Authentication failed
> > ---
> >
> > "test" seems to connect properly on "mx1" but the error does occur on the user authentication.
> >
> > Because I can perfectly connect to "mx1" with a MUA like Thunderbird, it makes me think the error should be located on the opensmtpd "test" secrets file :
> > ---
> > foo f...@mx1.example.org:password
> > ---
> >
> > The password is 40 digits long and looks like this :
> > C>(3")GID~7B7%{~LIq_G*JdP6fTW*"[`G)
> >
> > Can a special character be a problem in the password field ?
> > If yes, how to deal with it ?
> >
> > Thanks for your suggestions.
>
> The problem is not that there's a special character but that the password should be crypt(3)-ed,
> look at smtpctl encrypt

Re: Authentication problem
June 14, 2021 9:19 AM, "François RONVAUX" wrote:

> Hello,
>
> I have a mail server "mx1" with this listening section :
> ---
> listen on egress inet4 \
>     tls-require \
>     auth
> ---
>
> I have also a server "test" and I would want to authenticate the user when sending an e-mail to the server "mx1" but I get an error :
> ---
> test smtpd[9309]: f3880cf18b73253d mta error reason=AUTH rejected: 535 Authentication failed
> ---
>
> "test" seems to connect properly on "mx1" but the error does occur on the user authentication.
>
> Because I can perfectly connect to "mx1" with a MUA like Thunderbird, it makes me think the error should be located on the opensmtpd "test" secrets file :
> ---
> foo f...@mx1.example.org:password
> ---
>
> The password is 40 digits long and looks like this :
> C>(3")GID~7B7%{~LIq_G*JdP6fTW*"[`G)
>
> Can a special character be a problem in the password field ?
> If yes, how to deal with it ?
>
> Thanks for your suggestions.

The problem is not that there's a special character but that the password should be crypt(3)-ed,
look at smtpctl encrypt

Authentication problem
Hello,

I have a mail server "mx1" with this listening section :
---
listen on egress inet4 \
    tls-require \
    auth
---

I have also a server "test" and I would want to authenticate the user when sending an e-mail to the server "mx1" but I get an error :
---
test smtpd[9309]: f3880cf18b73253d mta error reason=AUTH rejected: 535 Authentication failed
---

"test" seems to connect properly on "mx1" but the error does occur on the user authentication.

Because I can perfectly connect to "mx1" with a MUA like Thunderbird, it makes me think the error should be located on the opensmtpd "test" secrets file :
---
foo f...@mx1.example.org:password
---

The password is 40 digits long and looks like this :
C>(3")GID~7B7%{~LIq_G*JdP6fTW*"[`G)