Unable to relay email
Hello,

I'm just starting out with OpenBSD and I wanted to relay email with OpenSMTPD. I was able to follow the example on the smtpd.conf man page: https://man.openbsd.org/smtpd.conf

I got the relay working by following the first example and adding "user username" to the following line:

  action "relay" relay user username host smtp+tls://b...@smtp.example.com auth

where username is the name of a local user who had membership in the wheel group.

It worked fine until late March. After that the smtpd.conf file started throwing a syntax error complaining about the addition I made above. smtpd -n was OK after "user username" was removed, but the relay no longer functioned. The main cause seems to be a lack of authentication, as I get

  mta error reason=AUTH rejected: 535 Authentication failed

when I try to send an email while running smtpd -dv. And the email lands in mailq and stays there:

  local# mailq
  678f2f628b32567d|local|mta|auth|sen...@local.home.org|destinat...@example1.com|destinat...@example1.com|1554405322|1554405322|0|1|offline||Network error on destination MXs

Here is an example of the output.
There are three accounts involved:

  1) the local user from above, usern...@local.home.org
  2) username from the email provider, sen...@example0.co.jp
  3) destination account: destinat...@example1.com

Thank you

  local# smtpd -dv
  debug: init ssl-tree
  debug: init ca-tree
  debug: init ssl-tree
  debug: using "fs" queue backend
  debug: using "ramqueue" scheduler backend
  debug: using "ram" stat backend
  info: OpenSMTPD 6.4.0 starting
  debug: init ssl-tree
  debug: init ca-tree
  debug: init ssl-tree
  debug: using "fs" queue backend
  debug: using "ramqueue" scheduler backend
  debug: using "ram" stat backend
  debug: init ssl-tree
  debug: init ca-tree
  debug: init ssl-tree
  setup_peer: control -> klondike[11371] fd=4
  debug: using "fs" queue backend
  debug: using "ramqueue" scheduler backend
  debug: using "ram" stat backend
  setup_peer: control -> lookup[8371] fd=5
  setup_peer: lookup -> control[96994] fd=4
  setup_peer: control -> pony express[25508] fd=6
  setup_peer: control -> queue[54682] fd=7
  setup_peer: control -> scheduler[41566] fd=8
  setup_peer: lookup -> pony express[25508] fd=5
  debug: init ssl-tree
  debug: init ca-tree
  debug: init ssl-tree
  debug: using "fs" queue backend
  debug: using "ramqueue" scheduler backend
  debug: using "ram" stat backend
  setup_peer: lookup -> queue[54682] fd=6
  setup_peer: pony express -> control[96994] fd=4
  setup_peer: pony express -> klondike[11371] fd=5
  setup_peer: pony express -> lookup[8371] fd=6
  setup_peer: pony express -> queue[54682] fd=7
  debug: init ssl-tree
  debug: init ca-tree
  debug: init ssl-tree
  debug: using "fs" queue backend
  debug: using "ramqueue" scheduler backend
  debug: using "ram" stat backend
  setup_peer: queue -> control[96994] fd=4
  setup_peer: queue -> pony express[25508] fd=5
  setup_peer: queue -> lookup[8371] fd=6
  debug: init ssl-tree
  debug: init ca-tree
  debug: init ssl-tree
  debug: using "fs" queue backend
  debug: using "ramqueue" scheduler backend
  debug: using "ram" stat backend
  setup_peer: queue -> scheduler[41566] fd=7
  setup_peer: klondike -> control[96994] fd=4
  setup_peer: klondike -> pony express[25508] fd=5
  setup_proc: klondike done
  setup_done: ca[11371] done
  setup_proc: control done
  setup_done: control[96994] done
  setup_proc: lookup done
  setup_done: lka[8371] done
  setup_proc: pony express done
  setup_done: pony[25508] done
  setup_proc: queue done
  setup_done: queue[54682] done
  debug: ca_engine_init: using RSA privsep engine
  debug: init ssl-tree
  debug: init ca-tree
  debug: init ssl-tree
  debug: using "fs" queue backend
  debug: using "ramqueue" scheduler backend
  debug: using "ram" stat backend
  setup_peer: scheduler -> control[96994] fd=4
  setup_peer: scheduler -> queue[54682] fd=5
  setup_proc: scheduler done
  setup_done: scheduler[41566] done
  debug: bounce warning after 4h
  smtpd: setup done
  debug: parent_send_config_ruleset: reloading
  debug: parent_send_config: configuring pony process
  debug: parent_send_config: configuring ca process
  debug: smtp: listen on IPv6:::1 port 25 flags 0x400 pki "" ca ""
  debug: init private ssl-tree
  debug: smtp: listen on IPv6:fe80::1%lo0 port 25 flags 0x400 pki "" ca ""
  debug: smtp: listen on 127.0.0.1 port 25 flags 0x400 pki "" ca ""
  debug: smtp: will accept at most 501 clients
  debug: queue: done loading queue into scheduler
  debug: smtpd: scanning offline queue...
  debug: smtpd: offline scanning done

Then I run:

  local$ echo "Hello test" | sendmail -v -f sender destinat...@example1.com
  <<< 220 local.home.org ESMTP OpenSMTPD
  >>> EHLO localhost
  <<< 250-local.home.org Hello localhost [local], pleased to meet you
  <<< 250-8BITMIME
  <<< 250-ENHANCEDSTATUSCODES
  <<< 250-SIZE 36700160
  <<< 250 HELP
  >>> MAIL FROM:
  <<< 250 2.0.0: Ok
  >>> RCPT TO:
  <<< 250 2.1.5 Destination address valid: Recipient ok
  >>> DATA
  <<< 354 Enter mail, end with "." on a line by itself
  >>> .
  <<< 250 2.0.0: 678f2f62 Message accepted for delivery
  >>> QUIT
  <<< 221 2.0.0: Bye

Which causes the following response in "smtpd -dv":

  c41771e881808b4f smtp connected
Re: Unable to relay email
> What's the alternative? Did you make an update?

I don't know, it was about a month ago. I was trying to get the relay working so I was making changes to the smtpd.conf file. AFAIK I was restarting smtpd after each edit and stopped when it worked. Here are the diffs for my smtpd.conf from before it stopped working, if it helps:

== /etc/mail/smtpd.conf diffs (-OLD +NEW) == --- /var/backups/etc_mail_smtpd.conf.currentFri Feb 22 01:30:23 2019 +++ /etc/mail/smtpd.confFri Mar 15 20:49:37 2019 @@ -17,3 +17,5 @@ # match from any for domain "example.org" action "local" match for local action "local" match for any action "relay" + +#action "relay" relay host smtp+tls://sen...@example0.co.jp:25

== /etc/mail/smtpd.conf diffs (-OLD +NEW) == --- /var/backups/etc_mail_smtpd.conf.currentSat Mar 16 01:30:06 2019 +++ /etc/mail/smtpd.confSat Mar 16 19:02:30 2019 @@ -4,13 +4,15 @@ # See smtpd.conf(5) for more information. table aliases file:/etc/mail/aliases +table secrets file:/etc/mail/secrets # To accept external mail, replace with: listen on all # listen on lo0 action "local" mbox alias -action "relay" relay +action "relay" user username relay host smtp+tls://my_re...@example0.co.jp:25 \ + auth # Uncomment the following to accept external mail for domain "example.org" #

> (Assuming Port 587 with STARTTLS.)
> Is your server IP on a blacklist? https://www.dnsbl.info/
> Can you change the password of bob?

Yes, the test with Thunderbird was using STARTTLS and on port 587. The only site that has the server blacklisted is dnsbl.spfbl.net. I changed the password once and no luck, it made no difference.

--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
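Review bot: the only added line in the first diff, `+#action "relay" relay host smtp+tls://sen...@example0.co.jp:25`, is commented out, so that change never altered what smtpd did; it also names a different account (sen...) from the second diff (my_re...), so the two diffs together do not show which credential was in use when relaying still worked.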
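Review bot: in the second diff the replacement line `+action "relay" user username relay host smtp+tls://my_re...@example0.co.jp:25 \` puts `user username` in front of `relay`, which is not valid relay-action syntax for smtpd.conf(5) and is the syntax error identified later in the thread; drop it and keep `action "relay" relay host smtp+tls://my_re...@example0.co.jp:25 auth <secrets>`. The same line hard-codes port 25 while the later tests use 587 with STARTTLS, so the port should be the one the provider actually accepts, and `smtpd -n` should be run after the edit to confirm the file parses.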
Re: Unable to relay email
Hello Thomas,

Yes, I know it's hard to believe, maybe I forgot to reload smtpd.conf after I made the edit, but I don't think so.

Yes, secrets exists and has valid login info. I tested the info with Thunderbird on a client and was able to send an email.

Thanks

> -- Original Message --
> From: Thomas Bohl
> Date: April 4, 2019 at 6:55 PM
>
> Hello,
>
> > action "relay" relay user username host smtp+tls://b...@smtp.example.com
> > auth
>
> > It worked fine until late March.
>
> Hard to believe, since it is a syntax error.
>
> > smtpd -n was ok after user [username] was removed but the relay no
> > longer functioned. The main cause seems to be a lack of authentication
> > as I get a "mta error reason=AUTH rejected: 535 Authentication failed"
> > when I try to send an email while running smtpd -dv.
>
> exists or smtpd wouldn't start.
> An entry for bob exists or a warning would appear.
> An authentication is attempted or "530 Authentication required" would
> (most likely) appear.
>
> 1. Is bob still an active account on smtp.example.com?
> 2. Is the password in still valid?
> 3. Is smtp.example.com still the preferred smarthost in the eyes of its
> provider?
> 4. Is your IP on a blacklist? https://www.dnsbl.info/
>
> --
Re: Unable to relay email
> Is it possible to resend without all the html?

Oh boy, sorry about that, hope this is better.

[Body identical to the first message in the thread, resent as plain text.]
Re: Unable to relay email
> What happened "late March"? Did you reboot the system or did smtpd crash?

I think I rebooted after applying these patches:

  015: SECURITY FIX: March 22, 2019   All architectures
  A state in pf could pass ICMP packets to a destination IP address that did not match the state.
  A source code patch exists which remedies this problem.

  016: SECURITY FIX: March 27, 2019   amd64 and i386
  GDT and IDT limits were improperly restored during VMM context switches.
  A source code patch exists which remedies this problem.

> I'm confused. The action line is commented out. Plus the explicit
> mention of port 25 while the logs show port 587.
> Can't you just post the full /etc/mail/smtpd.conf?
>
> Ok, my bad. The second diff is more current. The point about the port
> number still stands, though. And "user username" there is a syntax error.

For the server I am trying to connect to, I was told to use 587 if 25 didn't work, so I've been trying both. And your points about the comment and syntax error are correct. I really have no idea what the config was that was working. Here is the smtpd.conf now:

  local# cat smtpd.conf
  #	$OpenBSD: smtpd.conf,v 1.11 2018/06/04 21:10:58 jmc Exp $

  # This is the smtpd server system-wide configuration file.
  # See smtpd.conf(5) for more information.

  table aliases file:/etc/mail/aliases
  table secrets file:/etc/mail/secrets

  # To accept external mail, replace with: listen on all
  #
  listen on lo0

  action "local" mbox alias
  action "relay" relay host smtp+tls://my_re...@smtphm.example0.co.jp auth

  # match from any for domain "example.org" action "local"
  match for local action "local"
  match for any action "relay"
Re: Unable to relay email
> Looks good.
> I bet money that the username:password pair in is just wrong :-)

How much would you like to wager? :) I copied and pasted the info into a weblogin and it worked (unfortunately?)

The format of my secrets file is:

  my_relay sender:PASSWORD

> Don't forget to run
> # smtpctl update table secrets
> after you edit /etc/mail/secrets

Still no luck.
Re: Unable to relay email
> 10€ for the project :-)

Haha, I'm sure a clever lawyer would have arguments for either of us already winning that bet.

> Hm, maybe you need an "application password".
>
> Try
> # smtpd -dv -Ttransfer
>
> There will be the line "mta: 0x: >>> AUTH PLAIN SomeBase64Code
>
> $ echo YourBase64Code | openssl enc -base64 -d
> to see whether it contains the right login data.
>
> > > The format of my secrets file is:
> > >
> > > my_relay sender:PASSWORD
>
> Any strange glyph to be concerned about?

At one point I was trying to connect to the server with openssl, and when I used

  perl -MMIME::Base64 -e 'print encode_base64("SomeBase64Code");'

for my password it was truncating because of a char, so I changed that password out, but it made no difference.

  $ echo YourBase64Code | openssl enc -base64 -d
  senderPASSWORD$

Which is what's in the secrets file, but without the colon between the account name and password.

Not sure if this helps, but I'm looking at packet captures from Thunderbird and smtpd, and all seems fine until:

  Thunderbird: TLSv1.2 Certificate, Server Hello Done
  smtpd: Ignored Unknown Record

This packet has the following URL as well: http://www.entrust.net/rpa0
Re: Unable to relay email
> Can you authenticate with openssl?

No, I got the user and password prompts but auth failed.

> Ok, let's rethink this. Assuming it stopped working the moment the system
> got rebooted. Then there once was a working configuration that can be
> recreated. But if it stopped working around the time of the reboot there
> is the possibility the provider changed something, making it
> incompatible with OpenSMTPD. (Then it would be nice to have real hostnames.)

It's possible something with the provider changed, but I don't think so. I called them and they told me to use my browser. This is my host and the source of the connection info I use: https://support.bell.ca/internet/email/how-to-use-bell-mail?step=5

> You could try:
>
> action "relay" relay host smtps://my_re...@smtphm.example0.co.jp:465
> auth

No route available

> or:
> action "relay" relay host smtp+tls://smtphm.example0.co.jp

No auth table: When auth is appended I get the same 535 auth failed.

> (I assume you use smtpd only to send system messages to your personal
> inbox on smtphm.example0.co.jp. So maybe sending to someone on the
> system doesn't require authentication.)

Yes, that's what I'm using it for basically. I get local "daily output" emails from "r...@local.home" sent to "r...@local.home". Note: the domain is "local.home" and not "local.home.org", which is what it is when I try to send to external addresses.
Re: Unable to relay email
> (That is what you find when you search for smtphm. The .co.jp-part
> doesn't really anonymise it. You should have used the original from the
> get go.)

Oh ok, thanks, never used a mailing list before, wasn't really sure what the protocol was.

> Do you have
> root: wt...@bell.net
> in /etc/mail/aliases?

Nope, I added it and no change.

> > Note: the domain is "local.home" and not "local.home.org" which is what it
> > is when I try to send to external addresses.
>
> Not sure if I understand you there.

When I get internal mail it's to and from r...@local.home. When I run "echo "hello world" | sendmail destinat...@example1.com" it's from u...@local.home.org.

> My last guess:
>
> action "relay" relay \
>     host smtp+tls://my_re...@smtphm.sympatico.ca:587 \
>     mail-from wt...@bell.net \
>     auth

Still 535 I'm afraid. Appreciate all your help. Even though we haven't solved this, I feel like I've learned something, thanks.
Re: Unable to relay email
Hello Peter,

> 1. When you attempt to relay through Bell's smtp relay are you sending
> mail as y...@bell.ca or any of the domains that fall under bell's domains?
> Perhaps they implemented a block that prevents you@home.local, or better
> even y...@anythingotherthanbell.ca. What I'm trying to guess at is that
> bell refuses to relay for anything other than its domains.

When it was working the sender was y...@local.home.org. After it stopped working I made a /etc/mail/mailname file (which I've since removed) with sympatico.ca and tried sending as different senders, but no luck. I tried different accounts and changing the passwords, still nothing.

> 2. Use port 587, check connection with 'openssl s_client -connect
> host:587 -starttls smtp'

I tried that and previously "openssl s_client -debug -starttls smtp -crlf -connect host:25", and after the certificate I get:

  ---
  250 STARTTLS
  AUTH LOGIN
  334 VXNlcm5hbWU6
  BASE64USERNAME
  334 UGFzc3dvcmQ6
  BASE64PASSWORD
  535 Authentication failed

> 3. Use section D.1 of RFC 5321 to help you write a test mail, use RFC
> 4954 to help you construct a needed authentication, section 4.1 has an
> example. Steps are a) connect b) ehlo c) auth d) mail from e) rcpt to
> f) data g) quit
>
> 4. once you have achieved sending a test mail through the bell relay
> reflect what you did into your config. Try sending as root@home.local
> and see it fail or not fail, try sending as y...@bell.ca and see it fail
> or not fail. Know the capabilities (protocol and behaviour) of the bell
> relay.

Going off this: https://tools.ietf.org/html/rfc4954#section-4.1

  S: 220-smtp.example.com ESMTP Server
  C: EHLO client.example.com
  S: 250-smtp.example.com Hello client.example.com
  S: 250-AUTH GSSAPI DIGEST-MD5
  S: 250-ENHANCEDSTATUSCODES
  S: 250 STARTTLS
  C: STARTTLS

I get:

  250 STARTTLS
  EHLO
  250-mtlspm02.bell.net
  250-HELP
  250-XREMOTEQUEUE
  250-ETRN
  250-CHUNKING
  250-BINARYMIME
  250-AUTH=LOGIN PLAIN
  250-AUTH LOGIN PLAIN
  250-PIPELINING
  250-DSN
  250-8BITMIME
  250 SIZE 36700160
  STARTTLS
  502 You are not authorized to use SSL

> I hope that helps in any way. Also just 535 doesn't tell me anything
> when I checked it up in RFC 5321 other than that it's a permanent
> failure. Was there an error string appended to this code?

This is the line from smtpd -dv that had the error:

  c41771ec2113e5d0 mta error reason=AUTH rejected: 535 Authentication failed

Thanks for the ideas, hopefully this will get sorted soon
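Two checks suggested in this thread are decoding the AUTH PLAIN payload from a `smtpd -dv -Ttransfer` trace and reading the AUTH LOGIN challenges seen in the openssl s_client session. The following is an added Python example, not code from the thread or from OpenSMTPD, that builds both messages from a secrets-table line and compares a captured payload with the table; it assumes the "label user:password" table form shown above and that lines starting with '#' are comments, and the function names (parse_secrets, sasl_plain, credential_warnings, matches_table) are mine.

```python
"""Check what an `auth <secrets>` relay action actually puts on the wire."""
import base64

# Constructed sample table; the thread's real line is "my_relay sender:PASSWORD".
SAMPLE_SECRETS = "# relay credentials (constructed sample)\nmy_relay sender:PASSWORD\n"


def parse_secrets(text):
    """Return {label: (user, password)}. Only the first ':' splits user from
    password, so a password containing ':' survives. Assumes '#' comments."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        label, cred = line.split(None, 1)
        user, sep, password = cred.partition(":")
        if not sep:
            raise ValueError("no ':' between user and password: %r" % line)
        table[label] = (user, password)
    return table


def sasl_plain(user, password, authzid=""):
    """RFC 4616 PLAIN: authzid NUL authcid NUL passwd, base64-encoded. This is
    the payload after "AUTH PLAIN" in the smtpd -Ttransfer trace."""
    raw = authzid.encode() + b"\0" + user.encode() + b"\0" + password.encode()
    return base64.b64encode(raw).decode("ascii")


def decode_plain(b64):
    """Split a captured AUTH PLAIN payload into its three fields. The NUL
    separators are what `openssl enc -base64 -d` printed as nothing."""
    parts = base64.b64decode(b64).split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN payload must have exactly 3 NUL-separated fields")
    return tuple(p.decode() for p in parts)


def auth_login_exchange(user, password):
    """AUTH LOGIN as in the s_client session: the 334 challenges are base64
    "Username:" and "Password:", each answered with one base64 value."""
    challenges = ["VXNlcm5hbWU6", "UGFzc3dvcmQ6"]
    answers = [base64.b64encode(v.encode()).decode("ascii") for v in (user, password)]
    return [(base64.b64decode(c).decode(), a) for c, a in zip(challenges, answers)]


def credential_warnings(password):
    """Things that commonly mangle a password before smtpd ever sends it."""
    warnings = []
    if password != password.strip():
        warnings.append("leading/trailing whitespace is part of the password")
    if any(ord(c) < 33 or ord(c) > 126 for c in password):
        warnings.append("non-ASCII, control or whitespace character present")
    if any(c in '$"`\\!' for c in password):
        warnings.append("character the shell expands inside double quotes")
    return warnings


def matches_table(captured_b64, table, label):
    """True if a captured AUTH PLAIN payload carries exactly the table entry."""
    _, user, password = decode_plain(captured_b64)
    return (user, password) == table[label]
```

Paste the base64 from the `>>> AUTH PLAIN` trace line into decode_plain to see the three fields separately instead of the fused "senderPASSWORD" that the terminal shows.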