Re: Authentication problem

2021-06-17 Thread nathanael

François RONVAUX  wrote:

I successfully got the client "test" authenticate on the server "mx1" with
this :
---
foo@test : # cat /etc/mail/secrets
foofoo:password_clear
---

But another issue that appeared...

Authentication does now work with this line in the file "smtpd.conf" :
---
table secrets file:/etc/mail/secrets
---

But if instead of a text file I use a db file, it does not work and I see
again the message "AUTH rejected: 535
Authentication failed" in the logs :
---
table secrets db:/etc/mail/secrets.db
---

I generated the db file with "makemap secrets" and there was no error
reported  by the command.


if you are on openbsd you might need the `opensmtpd-extras` package



Re: Authentication problem

2021-06-15 Thread Thomas Bohl

Authentication does now work with this line in the file "smtpd.conf" :
---
table secrets file:/etc/mail/secrets
---

But if instead of a text file I use a db file, it does not work


Then don't use it. :-)

file is recommended over db anyway:
https://www.mail-archive.com/misc@opensmtpd.org/msg03302.html



Re: Authentication problem

2021-06-15 Thread François RONVAUX
I successfully got the client "test" authenticate on the server "mx1" with
this :
---
foo@test : # cat /etc/mail/secrets
foofoo:password_clear
---

But another issue that appeared...

Authentication does now work with this line in the file "smtpd.conf" :
---
table secrets file:/etc/mail/secrets
---

But if instead of a text file I use a db file, it does not work and I see
again the message "AUTH rejected: 535
Authentication failed" in the logs :
---
table secrets db:/etc/mail/secrets.db
---

I generated the db file with "makemap secrets" and there was no error
reported by the command.

On Mon, 14 Jun 2021 at 20:55, Gilles CHEHADE wrote:

>
> > On 14 Jun 2021, at 19:20, François RONVAUX 
> wrote:
> >
> > Thanks for the reply.
> > I will have a look at smtpctl encrypt...
> >
> >
> > According to this resource (section "Credentials tables"):
> > https://man.openbsd.org/OpenBSD-6.9/table.5
> > --
> > In a relay context, the credentials are a mapping of labels and
> username:password pairs:
> >
> > label1 user:password
> >
> > The label must be unique and is used as a selector for the proper
> credentials when multiple credentials are valid for a single destination.
> > The password is not encrypted as it must be provided to the remote host.
> > --
> >
> > It clearly states that the password must be not encrypted.
> > Maybe this man page is not up to date ?
>
> For mta authentication, when your server authenticates elsewhere, the
> password is not encrypted because it can’t, it must be supplied to the
> remote server.
> For listener authentication, when a client authenticates to your machine,
> the password is encrypted because we use crypt(3) to validate.
>
> In your mail, you showed the listen configuration:
>
> listen on egress inet4  \
>   tls-require \
>   auth
>
> So I assumed you were talking about incoming authentication.
>
>
>
> > And I run an old OpenSMTPD v6.4.0 with relaying e-mails to a gmail account
> > and it does work with not-encrypted password in the secret file.
> > When did this requirement of encrypted password change ?
> >
> > Regards.
> >
> > On Mon, 14 Jun 2021 at 14:08,  wrote:
> > June 14, 2021 9:19 AM, "François RONVAUX" 
> wrote:
> >
> >> Hello,
> >>
> >> I have a mail server "mx1" with this listening section :
> >> ---
> >> listen on egress inet4 \
> >> tls-require \
> >> auth
> >> ---
> >>
> >> I have also a server "test" and I would want to authenticate the user
> when sending an e-mail to the
> >> server "mx1" but I get an error :
> >> ---
> >> test smtpd[9309]: f3880cf18b73253d mta error reason=AUTH rejected: 535
> Authentication failed
> >> ---
> >>
> >> "test" seems to connect properly on "mx1" but the error does occur on
> the user authentication.
> >>
> >> Because I can perfectly connect to "mx1" with a MUA like Thunderbird,
> it makes me think the error
> >> should be located on the opensmtpd "test" secrets file :
> >> ---
> >> foo f...@mx1.example.org:password
> >> ---
> >>
> >> The password is 40 digits long and looks like this :
> >> C>(3")GID~7B7%{~LIq_G*JdP6fTW*"[`G) >>
> >> Can a special character be a problem in the password field ?
> >> If yes, how to deal with it ?
> >>
> >> Thanks for your suggestions.
> >
> > The problem is not that there's a special character but that the
> password should be crypt(3)-ed,
> > look at smtpctl encrypt
>
>


Re: Authentication problem

2021-06-14 Thread Gilles CHEHADE


> On 14 Jun 2021, at 19:20, François RONVAUX  wrote:
> 
> Thanks for the reply.
> I will have a look at smtpctl encrypt...
> 
> 
> According to this resource (section "Credentials tables"):
> https://man.openbsd.org/OpenBSD-6.9/table.5
> --
> In a relay context, the credentials are a mapping of labels and 
> username:password pairs:
> 
> label1 user:password
> 
> The label must be unique and is used as a selector for the proper credentials 
> when multiple credentials are valid for a single destination.
> The password is not encrypted as it must be provided to the remote host.
> --
> 
> It clearly states that the password must be not encrypted.
> Maybe this man page is not up to date ?

For mta authentication, when your server authenticates elsewhere, the password 
is not encrypted because it can’t, it must be supplied to the remote server.
For listener authentication, when a client authenticates to your machine, the 
password is encrypted because we use crypt(3) to validate.

In your mail, you showed the listen configuration:

listen on egress inet4  \
  tls-require \
  auth

So I assumed you were talking about incoming authentication.



> And I run an old OpenSMTPD v6.4.0 with relaying e-mails to a gmail account
> and it does work with not-encrypted password in the secret file.
> When did this requirement of encrypted password change ?
>
> Regards.
>
> On Mon, 14 Jun 2021 at 14:08,  wrote:
> June 14, 2021 9:19 AM, "François RONVAUX"  wrote:
> 
>> Hello,
>> 
>> I have a mail server "mx1" with this listening section :
>> ---
>> listen on egress inet4 \
>> tls-require \
>> auth
>> ---
>> 
>> I have also a server "test" and I would want to authenticate the user when 
>> sending an e-mail to the
>> server "mx1" but I get an error :
>> ---
>> test smtpd[9309]: f3880cf18b73253d mta error reason=AUTH rejected: 535 
>> Authentication failed
>> ---
>> 
>> "test" seems to connect properly on "mx1" but the error does occur on the 
>> user authentication.
>> 
>> Because I can perfectly connect to "mx1" with a MUA like Thunderbird, it 
>> makes me think the error
>> should be located on the opensmtpd "test" secrets file :
>> ---
>> foo f...@mx1.example.org:password
>> ---
>> 
>> The password is 40 digits long and looks like this :
>> C>(3")GID~7B7%{~LIq_G*JdP6fTW*"[`G)> 
>> Can a special character be a problem in the password field ?
>> If yes, how to deal with it ?
>> 
>> Thanks for your suggestions.
> 
> The problem is not that there's a special character but that the password 
> should be crypt(3)-ed,
> look at smtpctl encrypt
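
The distinction drawn in the message above (crypt(3) hashes for listener authentication, cleartext for relay authentication), as an added example that is not part of the original post or OpenSMTPD's own code: a small linter for the two credentials-table layouts. It assumes whitespace-separated `key value` lines as shown in table(5) and treats any `$id$...` value as a crypt(3) hash; the sample tables and the function name `lint_table` are constructed for illustration.

```python
import re

# Heuristic (assumption): a value shaped like $id$... is a crypt(3) hash,
# e.g. $2b$ for bcrypt or $6$ for SHA-512.
CRYPT_RE = re.compile(r"^\$[0-9a-z]+\$.+")

# Constructed sample tables; the hash is a placeholder, not a real digest.
LISTENER_TABLE = """\
alice $2b$10$CONSTRUCTEDplaceholderHASHvalue
bob password_clear
"""
RELAY_TABLE = """\
foo alice@mx1.example.org:password_clear
bar bob:$2b$10$CONSTRUCTEDplaceholderHASHvalue
"""

def lint_table(text, context):
    """Return (line_number, message) findings for a credentials table.

    context="listener": lines are `user hash`, checked by smtpd with crypt(3).
    context="relay":    lines are `label user:password`, sent as-is to the
                        remote host, so the password must be cleartext.
    """
    if context not in ("listener", "relay"):
        raise ValueError("context must be 'listener' or 'relay'")
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank and comment lines carry no credentials
        parts = line.split(None, 1)
        if len(parts) != 2:
            findings.append((n, "expected two whitespace-separated fields"))
            continue
        key, value = parts
        if context == "listener":
            if not CRYPT_RE.match(value):
                findings.append((n, f"{key}: not a crypt(3) hash, AUTH will be rejected"))
            continue
        user, sep, password = value.partition(":")
        if not (sep and user and password):
            findings.append((n, f"{key}: expected 'label user:password'"))
        elif CRYPT_RE.match(password):
            findings.append((n, f"{key}: password looks hashed, remote host needs cleartext"))
    return findings
```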




Re: Authentication problem

2021-06-14 Thread François RONVAUX
Thanks for the reply.
I will have a look at smtpctl encrypt...


According to this resource (section "Credentials tables"):
https://man.openbsd.org/OpenBSD-6.9/table.5
--
In a relay context, the credentials are a mapping of labels and
username:password pairs:

label1 user:password

The label must be unique and is used as a selector for the proper
credentials when multiple credentials are valid for a single destination.
The password is not encrypted as it must be provided to the remote host.
--

It clearly states that the password must be not encrypted.
Maybe this man page is not up to date ?

And I run an old OpenSMTPD v6.4.0 with relaying e-mails to a gmail account
and it does work with not-encrypted password in the secret file.
When did this requirement of encrypted password change ?

Regards.

On Mon, 14 Jun 2021 at 14:08,  wrote:

> June 14, 2021 9:19 AM, "François RONVAUX" 
> wrote:
>
> > Hello,
> >
> > I have a mail server "mx1" with this listening section :
> > ---
> > listen on egress inet4 \
> > tls-require \
> > auth
> > ---
> >
> > I have also a server "test" and I would want to authenticate the user
> when sending an e-mail to the
> > server "mx1" but I get an error :
> > ---
> > test smtpd[9309]: f3880cf18b73253d mta error reason=AUTH rejected: 535
> Authentication failed
> > ---
> >
> > "test" seems to connect properly on "mx1" but the error does occur on
> the user authentication.
> >
> > Because I can perfectly connect to "mx1" with a MUA like Thunderbird, it
> makes me think the error
> > should be located on the opensmtpd "test" secrets file :
> > ---
> > foo f...@mx1.example.org:password
> > ---
> >
> > The password is 40 digits long and looks like this :
> > C>(3")GID~7B7%{~LIq_G*JdP6fTW*"[`G) >
> > Can a special character be a problem in the password field ?
> > If yes, how to deal with it ?
> >
> > Thanks for your suggestions.
>
> The problem is not that there's a special character but that the password
> should be crypt(3)-ed,
> look at smtpctl encrypt
>


Re: Authentication problem

2021-06-14 Thread gilles
June 14, 2021 9:19 AM, "François RONVAUX"  wrote:

> Hello,
> 
> I have a mail server "mx1" with this listening section :
> ---
> listen on egress inet4 \
> tls-require \
> auth
> ---
> 
> I have also a server "test" and I would want to authenticate the user when 
> sending an e-mail to the
> server "mx1" but I get an error :
> ---
> test smtpd[9309]: f3880cf18b73253d mta error reason=AUTH rejected: 535 
> Authentication failed
> ---
> 
> "test" seems to connect properly on "mx1" but the error does occur on the 
> user authentication.
> 
> Because I can perfectly connect to "mx1" with a MUA like Thunderbird, it 
> makes me think the error
> should be located on the opensmtpd "test" secrets file :
> ---
> foo f...@mx1.example.org:password
> ---
> 
> The password is 40 digits long and looks like this :
> C>(3")GID~7B7%{~LIq_G*JdP6fTW*"[`G) 
> Can a special character be a problem in the password field ?
> If yes, how to deal with it ?
> 
> Thanks for your suggestions.

The problem is not that there's a special character but that the password 
should be crypt(3)-ed,
look at smtpctl encrypt



Authentication problem

2021-06-14 Thread François RONVAUX
Hello,


I have a mail server "mx1" with this listening section :
---
listen on egress inet4  \
tls-require \
auth
---

I have also a server "test" and I would want to authenticate the user when
sending an e-mail to the server "mx1" but I get an error :
---
test smtpd[9309]: f3880cf18b73253d mta error reason=AUTH rejected: 535
Authentication failed
---

"test" seems to connect properly on "mx1" but the error does occur on the
user authentication.

Because I can perfectly connect to "mx1" with a MUA like Thunderbird, it
makes me think the error should be located on the opensmtpd "test" secrets
file :
---
foo f...@mx1.example.org:password
---

The password is 40 digits long and looks like this :
C>(3")GID~7B7%{~LIq_G*JdP6fTW*"[`G)