Bug#568455: fetchmail TLS/SSL with Exchange 2007 results in Autorization failures

2010-09-26 Thread Matthias Andree
It appears after another couple of hours of debugging and trying that
depending on the exact circumstances, the GSS library in use may return
when the actual AUTH SASL process has not completed, for instance,
because credentials are missing.

However, fetchmail has never cancelled the authentication phase
properly in that situation. Ever since the gssapi.c code had been added
to fetchmail in February 2001, fetchmail sent a blank line to wake up
the server, which worked in some circumstances. However, according to
various RFCs (1734/5034, 3501), fetchmail was supposed to send an
asterisk, *, on a line by its own, to really cancel the AUTHentication
phase.

Also, the authentication framework in fetchmail sent the star to cancel
things a bit later, but did not wait for and did not pick up the
authentication error message that the server is required to send. This
caused fetchmail to go out of synch and mistake the GSSAPI AUTH error
for an error response to the later USER command.

Relevant changes that should fix the bug but require testing are in the
upstream test release 6.3.18-pre2; it is spread out across various
commits in Git unfortunately.

I'd propose that 6.3.18-pre2 be packaged for experimental, or for
unstable with a marker to NOT migrate to testing until we have evidence
that the bug is really fixed in -pre2.

-- 
Matthias Andree
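
The cancel-and-resynchronise behaviour described in the message above, as an added example that is not fetchmail's code and not part of the original thread: a small in-process model of a POP3 server whose replies queue up like unread bytes on a socket, and a client that falls back to USER/PASS after a failed GSSAPI step. The server replies, the account name alice and the password are constructed; the legacy path follows the sequence the message describes (blank line, then a "*" whose reply is never read), the other path sends "*" and reads the server's error before continuing.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model, not fetchmail source: server replies are queued the
 * way unread bytes sit in a socket buffer until the client reads them. */
#define QMAX 8
#define LINE 64
static char queue[QMAX][LINE];
static int q_head, q_tail;
static int in_auth;              /* server is inside an AUTH exchange */
static char user_reply[LINE];    /* what the client took as the answer to USER */

static void server_reply(const char *s)
{
    snprintf(queue[q_tail++ % QMAX], LINE, "%s", s);
}

/* Client -> server: the model server answers every line it receives. */
static void send_line(const char *line)
{
    if (in_auth) {
        if (strcmp(line, "*") == 0) {       /* cancel per RFC 5034 */
            in_auth = 0;
            server_reply("-ERR authentication cancelled");
        } else {                            /* anything else is SASL data */
            server_reply("+ <constructed-token>");
        }
    } else if (strcmp(line, "AUTH GSSAPI") == 0) {
        in_auth = 1;
        server_reply("+ ");
    } else if (strncmp(line, "USER ", 5) == 0 || strncmp(line, "PASS ", 5) == 0) {
        server_reply("+OK");
    } else {
        server_reply("-ERR unknown command");
    }
}

/* Server -> client: oldest unread reply, or "" if nothing is pending. */
static const char *read_reply(void)
{
    return q_head < q_tail ? queue[q_head++ % QMAX] : "";
}

enum cancel_mode { LEGACY_UNREAD_CANCEL, CANCEL_AND_READ };

/* Returns 1 if the USER/PASS fallback logs in, 0 if the client sees a failure. */
int login_with_fallback(enum cancel_mode mode)
{
    q_head = q_tail = in_auth = 0;
    user_reply[0] = '\0';

    send_line("AUTH GSSAPI");
    if (read_reply()[0] != '+')
        return 0;
    /* Assumption: the GSS library fails at this point (e.g. no credentials). */
    if (mode == LEGACY_UNREAD_CANCEL) {
        send_line("");       /* blank line sent to "wake up" the server */
        read_reply();        /* server answers with another continuation */
        send_line("*");      /* cancel sent later, its -ERR is never read */
    } else {
        send_line("*");      /* cancel the AUTH exchange ... */
        if (strncmp(read_reply(), "-ERR", 4) != 0)
            return 0;        /* ... and consume the error the server must send */
    }

    send_line("USER alice");
    snprintf(user_reply, LINE, "%s", read_reply());
    if (strncmp(user_reply, "+OK", 3) != 0)
        return 0;            /* legacy path lands here on the stale AUTH error */
    send_line("PASS constructed-secret");
    return strncmp(read_reply(), "+OK", 3) == 0;
}

int main(void)
{
    int ok = login_with_fallback(LEGACY_UNREAD_CANCEL);
    printf("legacy: login=%d, reply taken for USER: %s\n", ok, user_reply);
    ok = login_with_fallback(CANCEL_AND_READ);
    printf("fixed:  login=%d, reply taken for USER: %s\n", ok, user_reply);
    return 0;
}
```

In the legacy path the reply attributed to USER is the queued AUTH cancellation error, which is the same shape as the "-ERR Logon failure" following "USER prynhart" in the transcripts further down the thread.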



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#568455: fetchmail TLS/SSL with Exchange 2007 results in Autorization failures

2010-08-21 Thread Matthias Andree
Nico, Héctor,

this was repeated again and again on the fetchmail list, and it is a
massive regression from Debian 4.0 - and we can solve it with a patch.

I have asked Patrick Rynhart and Alan Murrell to test [1] (it may need a
few more of the previous commits, too, see [2], and disregard failures
to patch NEWS).

If that works out well, I will then ask you to merge the patch to all
fetchmail versions that are configured and built with ./configure
--with-gssapi, and upload new versions.

[1]
http://gitorious.org/fetchmail/fetchmail/commit/82e1d66f6bee1a8837d8d6c89c7ed6b11f2c0a48
[2] http://gitorious.org/fetchmail/fetchmail/blobs/history/master/gssapi.c

Best
Matthias






Bug#568455: fetchmail, TLS/SSL with Exchange 2007 results in Autorization failures

2010-04-08 Thread Matthias Andree
This pretty much looks like a pilot error on either end of your link. I  
can successfully authenticate via GSSAPI (w/ Kerberos V under the hood) to  
a Cyrus server. It's also documented that fetchmail will try passwordless  
authentication schemes before exposing the password.


Try configuring kerberos properly (krb5.conf or krb5.ini according to site  
instructions) and running kinit before running fetchmail. If that  
works, it's a problem on your end. If you can successfully obtain a  
ticket-granting ticket with kinit, but it's not good for authentication,  
contact the staff that sees to your Exchange server.


I propose to close this bug as it's not a fetchmail bug.  (If it can  
later be proven to be, you can reopen it.)


--
Matthias Andree






Bug#568455: fetchmail TLS/SSL with Exchange 2007 results in Autorization failures

2010-02-23 Thread Patrick Rynhart

Hi all,

Regarding:


> Apparently the POP3/IMAP server or the client is misconfigured.
> The server might offer Kerberos without proper setup (that's in case the
> user isn't recognized), or the client may not have the required
> credentials (use kinit LOGIN before running fetchmail).
> I can authenticate with GSSAPI to a Kerberized Cyrus IMAP/POP3 server, so
> I need further evidence before I believe this to be a fetchmail bug.


Is there anyone else who has access to an Exchange 2007 environment so 
that we could possibly narrow this issue down ?  The only Exchange box 
that I have access to is our production environment.


Thanks Matthias for your suggested workaround.

Regards,

Patrick







Bug#568455: fetchmail, TLS/SSL with Exchange 2007 results in Autorization failures

2010-02-08 Thread Matthias Andree


(sorry for breaking threading, replying through web interface to BTS)

Apparently the POP3/IMAP server or the client is misconfigured.

The server might offer Kerberos without proper setup (that's in case the  
user isn't recognized), or the client may not have the required  
credentials (use kinit LOGIN before running fetchmail).


I can authenticate with GSSAPI to a Kerberized Cyrus IMAP/POP3 server, so  
I need further evidence before I believe this to be a fetchmail bug.


The fetchmail client option to work around would be auth, quoting the  
manpage.


   --auth type
  (Keyword: auth[enticate])
  This option permits you  to  specify  an  authentication
  type  (see  USER AUTHENTICATION below for details).  The
  possible values are any, password, kerberos_v5, kerberos
  (or,  for  excruciating exactness, kerberos_v4), gssapi,
  cram-md5, otp, ntlm, msn (only for POP3), external (only
  IMAP)  and  ssh.   When  any (the default) is specified,
  fetchmail tries first methods that don't require a pass-
  word  (EXTERNAL,  GSSAPI, KERBEROS IV, KERBEROS 5); then
  it looks for methods that mask your password  (CRAM-MD5,
  X-OTP  -  note  that NTLM and MSN are not autoprobed for
  POP3 and MSN is only supported for POP3);  and  only  if
  the  server  doesn't  support  any of those will it ship
  your password en clair.  Other values  may  be  used  to
  force  various  authentication  methods  (ssh suppresses
  authentication and is thus  useful  for  IMAP  PREAUTH).
  (external  suppresses  authentication and is thus useful
  for IMAP EXTERNAL).   Any  value  other  than  password,
  cram-md5, ntlm, msn or otp suppresses fetchmail's normal
  inquiry for a password.  Specify ssh when you are  using
  an  end-to-end  secure connection such as an ssh tunnel;
  specify external when you use TLS with client  authenti-
  cation  and  specify  gssapi  or  kerberos_v4 if you are
  using a protocol variant  that  employs  GSSAPI  or  K4.
  Choosing  KPOP  protocol  automatically selects Kerberos
  authentication.  This option does not work with ETRN.

NTLM or password should work for you.

I believe this was somewhat obvious enough, but let me know your  
suggestions for improvement.


HTH

--
Matthias Andree






Bug#568455: [pkg-fetchmail-maint] Bug#568455: Bug#568455: fetchmail TLS/SSL with Exchange 2007 results in Autorization failures

2010-02-07 Thread Nico Golde
Hey,
* Patrick Rynhart p.rynh...@massey.ac.nz [2010-02-06 19:54]:
> Thanks for your mail. However, I'm not trying to match the version of
> fetchmail shipped with Lenny - just attempting to get a version of
> fetchmail with SSL support that works within our environment. (In
> particular, I'm not using Debian src, rather the tgz downloaded direct
> from the fetchmail site.)

Ok

> What I have noticed is that if I "aptitude install fetchmail" then we end up
> with a version of fetchmail which is unable to retrieve messages via POP3 in
> our Exchange 2007 environment; this has been confirmed by other users of this
> shared server.  However, if I build fetchmail with SSL support from source
> (obtained direct from the fetchmail website) then mail can be retrieved.

Can you please provide a relevant snippet of your config file?

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.




Bug#568455: [pkg-fetchmail-maint] Bug#568455: Bug#568455: fetchmail TLS/SSL with Exchange 2007 results in Autorization failures

2010-02-07 Thread Patrick Rynhart




Hi Nico,

The relevant snip from my user config file is:

poll owa.massey.ac.nz with
 proto pop3
 user prynhart there with password "**" is prynhart here
 ssl
mda "/usr/bin/procmail -d %s"

The host "owa.massey.ac.nz" is a Microsoft Exchange 2007 Outlook Web
Access node.

If I try invoking the debian packaged version of fetchmail I get:

$ /usr/bin/fetchmail -v
fetchmail: 6.3.9-rc2 querying owa.massey.ac.nz (protocol POP3) at Mon
08 Feb 2010 08:38:25 NZDT: poll started
Trying to connect to 130.123.129.207/995...connected.
fetchmail: Issuer Organization: DigiCert Inc
fetchmail: Issuer CommonName: DigiCert High Assurance CA-3
fetchmail: Server CommonName: owa.massey.ac.nz
fetchmail: Subject Alternative Name: owa.massey.ac.nz
fetchmail: Subject Alternative Name: exchange.massey.ac.nz
fetchmail: Subject Alternative Name: autodiscover.massey.ac.nz
fetchmail: Subject Alternative Name: tur-exchcas1
fetchmail: Subject Alternative Name: tur-exchcas2
fetchmail: owa.massey.ac.nz key fingerprint:
D1:05:DB:94:20:7A:B9:E7:0D:71:EB:D9:93:65:0E:18
fetchmail: POP3 +OK Microsoft Exchange Server 2007 POP3 service
ready
fetchmail: POP3 CAPA
fetchmail: POP3 +OK
fetchmail: POP3 TOP
fetchmail: POP3 UIDL
fetchmail: POP3 SASL NTLM GSSAPI PLAIN
fetchmail: POP3 USER
fetchmail: POP3 .
fetchmail: POP3 AUTH GSSAPI
fetchmail: POP3 + 
fetchmail: Sending credentials
fetchmail: Error exchanging credentials
fetchmail: POP3 +
YGAGBisGAQUFAqBWMFSgMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKoZIhvcSAQICAwYKKwYBBAGCNwICCqMgMB6gHBsadHVyLWV4Y2hjYXMxJEBNQVNTRVkuQUMuTlo=
fetchmail: POP3 USER prynhart
fetchmail: POP3 -ERR Logon failure: unknown user name or bad
password.
fetchmail: Logon failure: unknown user name or bad password.
fetchmail: Authorization failure on prynh...@tur-exchcas.massey.ac.nz
fetchmail: POP3 QUIT
fetchmail: POP3 +OK Microsoft Exchange Server 2007 POP3 server
signing off.
fetchmail: 6.3.9-rc2 querying owa.massey.ac.nz (protocol POP3) at Mon
08 Feb 2010 08:38:25 NZDT: poll completed
fetchmail: Query status=3 (AUTHFAIL)
fetchmail: normal termination, status 3

Please note the "Error Exchanging Credentials" which occurs prior to
the attempt to send username/password combination.

If I aptitude remove fetchmail, build fetchmail from source with SSL
support enabled, I get:

~$ fetchmail -v
fetchmail: 6.3.13 querying owa.massey.ac.nz (protocol POP3) at Mon 08
Feb 2010 08:40:24 NZDT: poll started
Trying to connect to 130.123.129.207/995...connected.
fetchmail: Issuer Organization: DigiCert Inc
fetchmail: Issuer CommonName: DigiCert High Assurance CA-3
fetchmail: Server CommonName: owa.massey.ac.nz
fetchmail: Subject Alternative Name: owa.massey.ac.nz
fetchmail: Subject Alternative Name: exchange.massey.ac.nz
fetchmail: Subject Alternative Name: autodiscover.massey.ac.nz
fetchmail: Subject Alternative Name: tur-exchcas1
fetchmail: Subject Alternative Name: tur-exchcas2
fetchmail: owa.massey.ac.nz key fingerprint:
D1:05:DB:94:20:7A:B9:E7:0D:71:EB:D9:93:65:0E:18
fetchmail: POP3 +OK Microsoft Exchange Server 2007 POP3 service
ready
fetchmail: POP3 CAPA
fetchmail: POP3 +OK
fetchmail: POP3 TOP
fetchmail: POP3 UIDL
fetchmail: POP3 SASL NTLM GSSAPI PLAIN
fetchmail: POP3 USER
fetchmail: POP3 .
fetchmail: POP3 USER prynhart
fetchmail: POP3 +OK
fetchmail: POP3 PASS *
fetchmail: POP3 +OK User successfully logged on.
fetchmail: POP3 STAT
fetchmail: POP3 +OK 0 0
fetchmail: No mail for prynhart at owa.massey.ac.nz
fetchmail: POP3 QUIT
fetchmail: POP3 +OK Microsoft Exchange Server 2007 POP3 server
signing off.
fetchmail: 6.3.13 querying owa.massey.ac.nz (protocol POP3) at Mon 08
Feb 2010 08:40:25 NZDT: poll completed
fetchmail: normal termination, status 1

I note that the Debian packaged version attempts an "AUTH GSSAPI" which
appears to fail whereas the version of fetchmail built from source does
not attempt this.

Regards,

Patrick


Dr Patrick Rynhart
Linux Systems Administrator / Team Leader
IT Support Group
School of Engineering and Advanced Technology
AgHort A Room 3.61
Massey University (Turitea Campus)
NEW ZEALAND
Phone +64 6 356 9099 extn 2444











Bug#568455: [pkg-fetchmail-maint] Bug#568455: Bug#568455: Bug#568455: fetchmail TLS/SSL with Exchange 2007 results in Autorization failures

2010-02-07 Thread Nico Golde
Hey,
* Patrick Rynhart p.rynh...@massey.ac.nz [2010-02-07 20:54]:
> The relevant snip from my user config file is:
>
> poll owa.massey.ac.nz with
>   proto pop3
>   user prynhart there with password "**" is prynhart here
>   ssl
> mda "/usr/bin/procmail -d %s"

Ok that looks normal

> The host "owa.massey.ac.nz" is a Microsoft Exchange 2007 Outlook Web
> Access node.
>
> If I try invoking the debian packaged version of fetchmail I get:
>
> $ /usr/bin/fetchmail -v
> fetchmail: 6.3.9-rc2 querying owa.massey.ac.nz (protocol POP3) at Mon 08
> Feb 2010 08:38:25 NZDT: poll started
> Trying to connect to 130.123.129.207/995...connected.
> fetchmail: Issuer Organization: DigiCert Inc
> fetchmail: Issuer CommonName: DigiCert High Assurance CA-3
> fetchmail: Server CommonName: owa.massey.ac.nz
> fetchmail: Subject Alternative Name: owa.massey.ac.nz
> fetchmail: Subject Alternative Name: exchange.massey.ac.nz
> fetchmail: Subject Alternative Name: autodiscover.massey.ac.nz
> fetchmail: Subject Alternative Name: tur-exchcas1
> fetchmail: Subject Alternative Name: tur-exchcas2
> fetchmail: owa.massey.ac.nz key fingerprint:
> D1:05:DB:94:20:7A:B9:E7:0D:71:EB:D9:93:65:0E:18
> fetchmail: POP3 +OK Microsoft Exchange Server 2007 POP3 service ready
> fetchmail: POP3 CAPA
> fetchmail: POP3 +OK
> fetchmail: POP3 TOP
> fetchmail: POP3 UIDL
> fetchmail: POP3 SASL NTLM GSSAPI PLAIN
> fetchmail: POP3 USER
> fetchmail: POP3 .
> fetchmail: POP3 AUTH GSSAPI
> fetchmail: POP3 +
> fetchmail: Sending credentials
> fetchmail: Error exchanging credentials
> fetchmail: POP3 +
> YGAGBisGAQUFAqBWMFSgMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKoZIhvcSAQICAwYKKwYBBAGCNwICCqMgMB6gHBsadHVyLWV4Y2hjYXMxJEBNQVNTRVkuQUMuTlo=
> fetchmail: POP3 USER prynhart
> fetchmail: POP3 -ERR Logon failure: unknown user name or bad password.
> fetchmail: Logon failure: unknown user name or bad password.
> fetchmail: Authorization failure on prynh...@tur-exchcas.massey.ac.nz
> fetchmail: POP3 QUIT
> fetchmail: POP3 +OK Microsoft Exchange Server 2007 POP3 server signing off.
> fetchmail: 6.3.9-rc2 querying owa.massey.ac.nz (protocol POP3) at Mon 08
> Feb 2010 08:38:25 NZDT: poll completed
> fetchmail: Query status=3 (AUTHFAIL)
> fetchmail: normal termination, status 3
>
> Please note the "Error Exchanging Credentials" which occurs prior to the
> attempt to send username/password combination.

Hmm this is strange, Error exchanging credentials happens if, after
initiating the security context (gssapi), it doesn't return with either
successful completion or continuation needed (call to
gss_init_sec_context()). This doesn't really look like a fetchmail problem to
me though but rather like a bug in the gssapi sources or your Microsoft
Exchange server.

> If I aptitude remove fetchmail, build fetchmail from source with SSL
> support enabled, I get:
>
> ~$ fetchmail -v
> fetchmail: 6.3.13 querying owa.massey.ac.nz (protocol POP3) at Mon 08
> Feb 2010 08:40:24 NZDT: poll started
> Trying to connect to 130.123.129.207/995...connected.
> fetchmail: Issuer Organization: DigiCert Inc
> fetchmail: Issuer CommonName: DigiCert High Assurance CA-3
> fetchmail: Server CommonName: owa.massey.ac.nz
> fetchmail: Subject Alternative Name: owa.massey.ac.nz
> fetchmail: Subject Alternative Name: exchange.massey.ac.nz
> fetchmail: Subject Alternative Name: autodiscover.massey.ac.nz
> fetchmail: Subject Alternative Name: tur-exchcas1
> fetchmail: Subject Alternative Name: tur-exchcas2
> fetchmail: owa.massey.ac.nz key fingerprint:
> D1:05:DB:94:20:7A:B9:E7:0D:71:EB:D9:93:65:0E:18
> fetchmail: POP3 +OK Microsoft Exchange Server 2007 POP3 service ready
> fetchmail: POP3 CAPA
> fetchmail: POP3 +OK
> fetchmail: POP3 TOP
> fetchmail: POP3 UIDL
> fetchmail: POP3 SASL NTLM GSSAPI PLAIN
> fetchmail: POP3 USER
> fetchmail: POP3 .
> fetchmail: POP3 USER prynhart
> fetchmail: POP3 +OK
> fetchmail: POP3 PASS *
> fetchmail: POP3 +OK User successfully logged on.
> fetchmail: POP3 STAT
> fetchmail: POP3 +OK 0 0
> fetchmail: No mail for prynhart at owa.massey.ac.nz
> fetchmail: POP3 QUIT
> fetchmail: POP3 +OK Microsoft Exchange Server 2007 POP3 server signing off.
> fetchmail: 6.3.13 querying owa.massey.ac.nz (protocol POP3) at Mon 08
> Feb 2010 08:40:25 NZDT: poll completed
> fetchmail: normal termination, status 1

The difference to the Debian package is that you are not authenticating with 
gssapi in this case, not the lack of fetchmail: Sending credentials.
What does the ldd command tell you for the Debian binary and the self compiled 
version?

> I note that the Debian packaged version attempts an "AUTH GSSAPI" which
> appears to fail whereas the version of fetchmail built from source does
> not attempt this.

Yes exactly, additionally to the above, how are you building your version?

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.




Bug#568455: [pkg-fetchmail-maint] Bug#568455: Bug#568455: Bug#568455: fetchmail TLS/SSL with Exchange 2007 results in Autorization failures

2010-02-07 Thread Patrick Rynhart




Hi Nico,

I have compared the versions of fetchmail packaged with Debian 4.0 and
5.0. For Debian 4.0, GSS support is not included in the binary, i.e.

$ fetchmail -V
This is fetchmail release 6.3.6+NTLM+SDPS+SSL+NLS.

However, in Debian 5.0 it is

$ fetchmail -V
This is fetchmail release 6.3.9-rc2+GSS+NTLM+SDPS+SSL+NLS+KRB5.

I had a Google around and couldn't find any way for a user to disable
GSS support via a fetchmailrc file (for example). It seems that the
only fix is to recompile the binary.

Where to from here ? At this stage we don't know whether it's a gssapi
issue or Exchange just not liking GSS ?

Also, why doesn't fetchmail try one of the other auth mechanisms once
GSS fails ? Interesting...

Regards,

Patrick


Dr Patrick Rynhart
Linux Systems Administrator / Team Leader
IT Support Group
School of Engineering and Advanced Technology
AgHort A Room 3.61
Massey University (Turitea Campus)
NEW ZEALAND
Phone +64 6 356 9099 extn 2444







Bug#568455: [pkg-fetchmail-maint] Bug#568455: fetchmail TLS/SSL with Exchange 2007 results in Autorization failures

2010-02-06 Thread Nico Golde
Hey,
* Patrick Rynhart p.rynh...@massey.ac.nz [2010-02-05 02:49]:
> Package: fetchmail
> Version: Lenny
> Severity: important
>
>
> After upgrading from Debian Etch to Lenny using SSL/TLS to retrieve email via
> POP from our Exchange 2007 environment is broken.
> All attempts to retrieve mail (with credentials provided in users
> .fetchmailrc files) result in Authorization failure
>
> The certificates used to secure our Exchange environment are issued by
> DigiCert Inc (I'm not sure if this is related but thought that the
> CA for this certificate could have been dropped between Etch and Lenny -
> however, if I build from source and compile against the
> Debian Lenny provided SSL libraries then the problem is resolved).
>
> The issue was resolved by building fetchmail 6.3.13 from source with SSL
> support enabled.

6.3.13 is not in lenny?!

downgrading and tagged with moreinfo, using 6.3.13 SSL works fine.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.




Bug#568455: [pkg-fetchmail-maint] Bug#568455: fetchmail TLS/SSL with Exchange 2007 results in Autorization failures

2010-02-06 Thread Patrick Rynhart

Hi Nico,

Thanks for your mail. However, I'm not trying to match the version of 
fetchmail shipped with Lenny - just attempting to get a version of 
fetchmail with SSL support that works within our environment. (In 
particular, I'm not using Debian src, rather the tgz downloaded direct 
from the fetchmail site.)


What I have noticed is that if I aptitude install fetchmail then we 
end up with a version of fetchmail which is unable to retrieve messages 
via POP3 in our Exchange 2007 environment; this has been confirmed by 
other users of this shared server.  However, if I build fetchmail with 
SSL support from source (obtained direct from the fetchmail website) 
then mail can be retrieved.


Thanks & Regards,

Patrick








Bug#568455: fetchmail TLS/SSL with Exchange 2007 results in Autorization failures

2010-02-04 Thread Patrick Rynhart
Package: fetchmail
Version: Lenny
Severity: important


After upgrading from Debian Etch to Lenny using SSL/TLS to retrieve email via 
POP from our Exchange 2007 environment is broken.  
All attempts to retrieve mail (with credentials provided in users .fetchmailrc 
files) result in Authorization failure

The certificates used to secure our Exchange environment are issued by DigiCert 
Inc (I'm not sure if this is related but thought that the 
CA for this certificate could have been dropped between Etch and Lenny - 
however, if I build from source and compile against the 
Debian Lenny provided SSL libraries then the problem is resolved).

The issue was resolved by building fetchmail 6.3.13 from source with SSL 
support enabled.

-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages fetchmail depends on:
ii  adduser       3.110                     add and remove users and groups
ii  debianutils   2.30                      Miscellaneous utilities specific t
ii  libc6         2.7-18lenny2              GNU C Library: Shared libraries
ii  libcomerr2    1.41.3-1                  common error description library
ii  libkrb53      1.6.dfsg.4~beta1-5lenny2  MIT Kerberos runtime libraries
ii  libssl0.9.8   0.9.8g-15+lenny6          SSL shared libraries
ii  lsb-base      3.2-20                    Linux Standard Base 3.2 init scrip

Versions of packages fetchmail recommends:
ii  ca-certificates               20080809  Common CA certificates

Versions of packages fetchmail suggests:
pn  fetchmailconf                 none      (no description available)
pn  resolvconf                    none      (no description available)
ii  ssmtp [mail-transport-agent]  2.62-3    extremely simple MTA to get mail o


