# Upgrade of qmail broke smtp auth [SOLVED]

## Red-Drop

Hi all,

I am running several small mail servers around the place and I have a small test server, which is actually my home server, running qmail with vpopmail and smtp auth through vpopmail. On a monthly basis I run an emerge UvD on this box and test out all the new versions of the servers before implementing them on my clients' machines.

It seems that smtp-auth has been broken in qmail-1.03-r15 from 1.03-r13. I am getting the error from entourage:

Authentication failed because Entourage doesn't support any of the available authentication methods.

I have tested it with a few other clients like Mail; all seem to be having trouble authenticating.

Here is a copy of my control/conf-smtp

```
# Configuration file for qmail-smtpd
# $Header: /var/cvsroot/gentoo-x86/mail-mta/qmail/files/1.03-r13/conf-smtpd,v 1.2 2004/07/18 03:29:51 dragonheart Exp $

# Stuff to run before tcpserver
#QMAIL_TCPSERVER_PRE=""

# Stuff to run qmail-smtpd
#QMAIL_SMTP_PRE=""

# Stuff to after qmail-smtpd
#QMAIL_SMTP_POST="mail.reddrop.net /var/vpopmail/bin/vchkpw /bin/true"

# this turns off the IDENT grab attempt on connecting
TCPSERVER_OPTS="${TCPSERVER_OPTS} -R"

# You might want to use rblsmtpd with this, but you need to fill in a RBL server here first
# see http://cr.yp.to/ucspi-tcp/rblsmtpd.html for more details
#QMAIL_SMTP_PRE="${QMAIL_SMTP_PRE} rblsmtpd -r RBL-SERVER"

# If you are interested in providing POP or IMAP before SMTP type relaying,
# emerge relay-ctrl, then uncomment the next 2 lines
#QMAIL_TCPSERVER_PRE="${QMAIL_TCPSERVER_PRE} envdir /etc/relay-ctrl relay-ctrl-chdir"
#QMAIL_SMTP_PRE="${QMAIL_SMTP_PRE} relay-ctrl-check"
# In /etc/courier-imap/authdaemonrc add the next line to the end:
#authmodulelist="${authmodulelist} relay-ctrl-allow"
# Then in /etc/courier-imap/{imapd,imapd-ssl,pop3d,pop3d-ssl}
# Add this at the end
#PRERUN="${PRERUN} envdir /etc/relay-ctrl relay-ctrl-chdir"

# This next block is for SMTP-AUTH
# This provides the LOGIN, PLAIN and CRAM-MD5 types
# the 'cmd5checkpw' used in $QMAIL_SMTP_AUTHCHECKPASSWORD supports CRAM-MD5
# and reads its data from /etc/poppasswd
# see the manpage for cmd5checkpw for details on the passwords
# uncomment the next four lines to enable SMTP-AUTH
QMAIL_SMTP_AUTHHOST=$(<${QMAIL_CONTROLDIR}/me)
[ -z "${QMAIL_SMTP_POST}" ] && QMAIL_SMTP_POST=/bin/true
QMAIL_SMTP_CHECKPASSWORD="/var/vpopmail/bin/vchkpw"
QMAIL_SMTP_POST="${QMAIL_SMTP_AUTHHOST} ${QMAIL_SMTP_CHECKPASSWORD} ${QMAIL_SMTP_POST}"
```

Any help would be much appreciated.

Just to get things back up and running again as quickly as possible, how do I go back to 1.03-r13? Its ebuild is no longer in my portage tree.

Last edited by Red-Drop on Mon May 23, 2005 4:50 am; edited 2 times in total

----------

## SzczechoO

Hi!

I would check vchkpw permissions.

----------

## Red-Drop

Yeah, even with 777 on vchkpw it still does not work. But I figured out what is going on: r15 supports TLS before authentication. Turning on SSL support in the client now allows me to send emails.

Here is a dump with qmail-1.03-r13

```
Escape character is '^]'.
220 <DOMAIN GOES HERE> ESMTP
ehlo
250-<DOMAIN GOES HERE>
250-AUTH LOGIN CRAM-MD5 PLAIN
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-STARTTLS
250-SIZE 0
250-PIPELINING
250 8BITMIME
```

and qmail-1.03-r15

```
power-mac-g5:~ reddrop$ telnet mail.reddrop.net 25
Trying 150.101.205.114...
Connected to mail.reddrop.net.
Escape character is '^]'.
220 <DOMAIN GOES HERE> ESMTP
ehlo
250-<DOMAIN GOES HERE>
250-STARTTLS
250-SIZE 0
250-PIPELINING
250 8BITMIME
```

I am happy to do this; however, it complains about the root certificate not being installed. How can I install a root certificate from my self-signed certificate?

Also, it would be nice to know how to change it back to mimic the old style of authentication.

Last edited by Red-Drop on Sun May 22, 2005 8:26 am; edited 3 times in total

----------

## Red-Drop

Also, logging in for smtp now takes over a minute.

Solved this with

```
chmod u+s /var/vpopmail/bin/vchkpw
```
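Two posts in this thread fix slow or failing SMTP AUTH with `chmod u+s` on the checkpassword program, and one mentions having tried `777` on it. The script below is an added example, not code from the thread or from the Gentoo ebuild. It reads the helper's path out of an uncommented `QMAIL_SMTP_CHECKPASSWORD=` line in conf-smtpd (the sample text is constructed from the conf-smtpd posted above) and inspects the helper's mode bits: qmail-smtpd runs as an unprivileged user and hands the AUTH exchange to that helper, so a helper such as vpopmail's vchkpw needs the setuid bit to read a password store it does not otherwise own, while a setuid helper that is group- or world-writable is a privilege-escalation hole and is flagged as well. The default conf-smtpd path in the `__main__` block is an assumption.

```python
"""Check the checkpassword helper that qmail-smtpd hands SMTP AUTH to.

Added example, not from the thread or the Gentoo ebuild.
"""
import os
import re
import stat

# Constructed from the SMTP-AUTH block of the conf-smtpd posted in the thread.
SAMPLE_CONF = '''# This next block is for SMTP-AUTH
QMAIL_SMTP_AUTHHOST=$(<${QMAIL_CONTROLDIR}/me)
[ -z "${QMAIL_SMTP_POST}" ] && QMAIL_SMTP_POST=/bin/true
QMAIL_SMTP_CHECKPASSWORD="/var/vpopmail/bin/vchkpw"
QMAIL_SMTP_POST="${QMAIL_SMTP_AUTHHOST} ${QMAIL_SMTP_CHECKPASSWORD} ${QMAIL_SMTP_POST}"
'''

# Matches only an uncommented assignment; a leading '#' means SMTP-AUTH is off.
_ASSIGN = re.compile(r'^\s*QMAIL_SMTP_CHECKPASSWORD=["\']?([^"\'\s]+)["\']?', re.M)


def checkpassword_from_conf(conf_text: str):
    """Return the helper path from conf-smtpd, or None if SMTP-AUTH is not enabled there."""
    m = _ASSIGN.search(conf_text)
    return m.group(1) if m else None


def diagnose_mode(st_mode: int) -> list:
    """List the problems with a checkpassword helper's mode bits (empty list means OK)."""
    problems = []
    if not stat.S_ISREG(st_mode):
        problems.append("not a regular file")
        return problems
    if not st_mode & stat.S_IXOTH:
        problems.append("not executable by others: qmail-smtpd runs unprivileged and must exec it")
    if not st_mode & stat.S_ISUID:
        problems.append("setuid bit missing (chmod u+s): helper cannot read its password database")
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("group/world writable: anyone could replace a setuid helper (undo chmod 777)")
    return problems


def check_helper(path: str) -> list:
    """Stat the helper on disk and diagnose it."""
    return diagnose_mode(os.stat(path).st_mode)


if __name__ == "__main__":
    import sys
    # Assumed default location of the Gentoo qmail control file.
    conf = sys.argv[1] if len(sys.argv) > 1 else "/var/qmail/control/conf-smtpd"
    with open(conf) as f:
        helper = checkpassword_from_conf(f.read())
    print(helper, check_helper(helper) if helper else "SMTP-AUTH not enabled in conf-smtpd")
```

Run it as root on the server, with the conf-smtpd path as the only argument; an empty list means the helper is a regular, world-executable, setuid file that is not writable by anyone but its owner, which is the state the `chmod u+s` fix above leaves vchkpw in.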

----------

## SzczechoO

I'm happy to read that, now you can change topic to [ SOLVED ].

----------

## Red-Drop

Well, it's not really solved yet. Just worked around.

----------

## CrackFarmer

I am having this identical problem after upgrading qmail.

```
220 <domain> ESMTP
EHLO .....
250-<domain>
250-STARTTLS
250-SIZE 0
250-PIPELINING
250 8BITMIME
```

and when I try and send AUTH LOGIN I get this:

```
AUTH LOGIN
530 Must issue a STARTTLS command first (#5.7.0)
```

However, turning on SSL in my mail client doesn't seem to be working.

And of course if I send mail as is without AUTH I get a relay error.

----------

## CrackFarmer

OK, found the solution.

I added 'notlsbeforeauth' to my USE flags in my make.conf,

re-emerged qmail and now I get this:

```
220 <domain> ESMTP
EHLO
250-<domain>
250-STARTTLS
250-AUTH LOGIN CRAM-MD5 PLAIN
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-SIZE 0
250-PIPELINING
250 8BITMIME
```

What a pain in the ass..... I am just glad it is working now.

----------

## Red-Drop

Thanks, the update to make.conf worked perfectly. Just to help in my pursuit to further my gentoo knowledge, how did you know about that use flag? I can't seem to find it in /usr/portage/profiles/use.desc.

----------

## petterg

Hey guys, have you thought about what the notlsbeforeauth flag does?

Unless you have a really good reason you'll be better off enabling TLS for smtp-auth in your mail client.

With the notls... flag off your mailserver will require your mail client to encrypt smtp-auth passwords before sending. With the notls... flag on your mailserver will accept both encrypted and unencrypted passwords - which basically means that most clients will send cleartext passwords over an unencrypted channel unless the user is aware of the TLS settings.

Note: there is a bug in outlook (and express) 2002 (xp) that makes tls fail. There is a bugfix in microsoft knowledgebase, http://support.microsoft.com/?kbid=304008 . Outlook 2k works.

There is also a tls bug in older mozilla.
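The r13 and r15 EHLO dumps earlier in the thread, CrackFarmer's `530 Must issue a STARTTLS command first`, and petterg's description of what `notlsbeforeauth` changes all come down to one question: does the server advertise AUTH on the plaintext session, or only after STARTTLS? The script below is an added example, not code from the thread or from the qmail ebuild. `parse_ehlo()` reads a raw EHLO reply, `auth_policy()` classifies the before/after pair, and `probe()` runs the real EHLO, STARTTLS, EHLO exchange against a server of your own with the standard library's smtplib. The sample replies are constructed from the thread's dumps with a placeholder host name; for a self-signed server certificate, pass its PEM as `cafile` rather than turning verification off.

```python
"""Does an SMTP server offer AUTH before STARTTLS, or only after it?

Added example (not from the thread or the qmail ebuild).
"""
import smtplib
import ssl
from typing import Optional

# Constructed: what qmail-1.03-r13 (or r15 built with notlsbeforeauth) sends on a plaintext session.
R13_EHLO = """250-mail.example.test
250-AUTH LOGIN CRAM-MD5 PLAIN
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-STARTTLS
250-SIZE 0
250-PIPELINING
250 8BITMIME"""

# Constructed: the r15 default on a plaintext session, and the same server once TLS is up.
R15_EHLO_PLAIN = """250-mail.example.test
250-STARTTLS
250-SIZE 0
250-PIPELINING
250 8BITMIME"""
R15_EHLO_AFTER_TLS = """250-mail.example.test
250-AUTH LOGIN CRAM-MD5 PLAIN
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-SIZE 0
250-PIPELINING
250 8BITMIME"""


def parse_ehlo(reply: str) -> dict:
    """Map each advertised ESMTP keyword (upper-cased) to its parameter list.

    The first 250 line is the server's domain, not a capability. The obsolete
    'AUTH=LOGIN ...' form, which qmail still sends for old clients, is folded
    into AUTH and the mechanism names are de-duplicated.
    """
    caps = {}
    lines = [l.strip() for l in reply.splitlines() if l.strip().startswith("250")]
    for line in lines[1:]:
        body = line[4:].strip()          # drop "250-" or "250 "
        if not body:
            continue
        first = body.split(" ", 1)[0]
        if "=" in first:                  # "AUTH=LOGIN CRAM-MD5 PLAIN"
            key, rest = body.split("=", 1)
            params = rest.split()
        else:
            key, *params = body.split()
        key = key.upper()
        if key == "AUTH":
            mechs = caps.setdefault("AUTH", [])
            for p in params:
                if p.upper() not in mechs:
                    mechs.append(p.upper())
        else:
            caps[key] = params
    return caps


def auth_policy(pre_tls: dict, post_tls: dict) -> str:
    """Classify the server's AUTH policy from the EHLO replies before and after STARTTLS."""
    if "AUTH" in pre_tls:
        return "auth-before-tls"    # r13 / notlsbeforeauth: AUTH accepted on the plaintext session
    if "STARTTLS" in pre_tls and "AUTH" in post_tls:
        return "tls-before-auth"    # r15 default: AUTH offered only inside TLS
    return "no-auth"


def _raw_reply(code: int, msg: bytes) -> str:
    """Rebuild the wire form of a multi-line reply from smtplib's (code, msg) pair."""
    lines = msg.decode("ascii", "replace").splitlines()
    return "\n".join(f"{code}{'-' if i < len(lines) - 1 else ' '}{l}"
                     for i, l in enumerate(lines))


def probe(host: str, port: int = 25, cafile: Optional[str] = None) -> dict:
    """Live probe of your own server; cafile is the PEM of the CA (or the
    self-signed certificate itself) so that verification stays enabled."""
    ctx = ssl.create_default_context(cafile=cafile)
    with smtplib.SMTP(host, port, timeout=10) as s:
        pre = parse_ehlo(_raw_reply(*s.ehlo()))
        post = {}
        if "STARTTLS" in pre:
            s.starttls(context=ctx)
            post = parse_ehlo(_raw_reply(*s.ehlo()))   # capabilities must be re-read after TLS
    return {"pre_tls": pre, "post_tls": post, "policy": auth_policy(pre, post)}


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None))
```

`tls-before-auth` is the r15 default and the safer one: a client that sends AUTH PLAIN or LOGIN on the plaintext session gets the 530 instead of handing over its password. `auth-before-tls` is what `notlsbeforeauth` restores; a client configured for AUTH without TLS then works again, but its password crosses the wire in the clear unless the client chose STARTTLS on its own.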

----------

## Red-Drop

Yes, but users like flexibility. You can't very well ring around half of your city telling people to reconfigure their mail clients. I think giving the users the choice is the best option.

Users should only be protected from hurting other users, the server and possibly the admin's feelings (that can have negative consequences also). Let them burn themselves if they want. And if someone does gain access to relay because they worked out a user's password, all the more reason to yell at the user.

That's what I do any way. Feel free to disagree.

----------

## kalpol

Would someone explain the different types of authentication and what needs to be configured in the client to get them working? I have been through the whole qmail-r13 to -r15 upgrade hell, and everything seems to be working now except for the SMTP-AUTH. I am a little hampered here because I don't really understand what STARTTLS and all that means.

Here's the output from telnet localhost 25:

*Quote:*

> 220 kalpol.com ESMTP
> EHLO
> 250-kalpol.com
> ...

So that looks ok, and Squirrelmail works all right running on localhost. But when I try to send email from Thunderbird on my laptop, it just asks for the password over and over.

Here's the lines from conf-smtpd:

*Quote:*

> # If you are interested in providing POP or IMAP before SMTP type relaying,
> # emerge relay-ctrl, then uncomment the next 2 lines
> #QMAIL_TCPSERVER_PRE="${QMAIL_TCPSERVER_PRE} envdir /etc/relay-ctrl relay-ctrl-c
> ...

which also seems OK. Thunderbird was configured for SMTP user/pass, TLS if available, and port 25.

So what is wrong here? What is TLS? What is STARTTLS? Should I use SSL now and if so, that means I need to open port 465 on the router, right?

Yes...somewhat confused.

Thanks!

----------

## ttuttle

kalpol:

I'm having the same problem as you, I'm trying to rebuild qmail with "notlsbeforeauth".  I'll report back when my 333 MHz Celeron finishes compiling it. ;-)

*Quote:*

> 12:50 - press return

I just saw that movie... it was *weird*!

----------

## ttuttle

OMGWTFBBQIHTFMTAIDGI

(oh my god what the f*** barbecue i hate this f***ing mail transfer agent i don't get it)

But it works!

I apparently hastily overwrote /var/qmail/control/conf-smtpd during an etc-update, and disabled smtp auth.

/me feels stupid.

Has anyone else noticed that everything except the qmail binaries (and maybe even them) is (or looks like) a shell script?

----------

## kalpol

*ThinkingInBinary wrote:*

> Has anyone else noticed that everything except the qmail binaries (and maybe even them) is (or looks like) a shell script?

Lots of addons have been made. You can find the original qmail package at http://cr.yp.to, which is where I had the software and instructions for the first few servers before I found Life with Qmail and then Gentoo. There were only a few scripts in that one. Now the software is so heavily patched it needs all kinds of stuff to keep it working, I guess.

Anyone up to explaining how the mail client should be configured for remote SMTP access?

*Quote:*

> I just saw that movie... it was *weird*!

Yes it was, and you're the first person ever to figure out where the quote came from. Another small connection: my nick is from a track on an Autechre album which (after I chose the nick and before I saw the movie) I discovered is on the soundtrack. Weird, huh. Like the man said, patterns are everywhere.

----------

## powderedtoastdude

It would have been nice if an emerge message had notified us of the notlsbeforeauth flag and the change in behavior (at the level of message that would show up in portlog-info, since I use that religiously to review emerge results).

My MUA was set up for AUTH but not for TLS, and this change makes it look like AUTH was "broken" in the new ebuild (at least to those users in the AUTH but no TLS case).  I'm happy now that I've learned why, since enabling TLS in MUAs is usually no big deal.  Just would have been nice to know at emerge time.

$0.02,

ptd

----------

## ca_grover

AAARRRRGGGGGHHHHH!!!!!

I've been fighting this problem for the past week, with no luck.  The fix mentioned above (notlsbeforeauth) didn't do the trick for me.

I'm able to retrieve my mail over pop3 with KMail, but the moment I try to send I get an error:

```
Your SMTP server claims to support TLS, but negotiation was unsuccessful.
You can disable TLS in KDE using the crypto settings module.
```

This is a little misleading - it makes it tough to tell if it's a KMail or qmail issue. But I've dutifully looked into both with no luck, even going as far as to regenerate my certificates and verify EVERY step of the installation/configuration (following Gentoo's qmail/vpopmail guide, without Horde though). Everything seems fine, but it still fails.

I even turned on the recordio in my tcpserver settings (thanks to The qmail Handbook), to dig deeper.  Here's a sample output from my qmail-smtpd logs with the recordio bit enabled:

```
@4000000042a7f1ed1041377c tcpserver: status: 1/20
@4000000042a7f1ed104a864c tcpserver: pid 6568 from 192.168.0.20
@4000000042a7f1ed106597fc tcpserver: ok 6568 :::ffff:192.168.0.5:25 :::ffff:192.168.0.20::33274
@4000000042a7f1ed10fab7c4 6568 > 220 srv.open2space.com ESMTP
@4000000042a7f1ed111a3a2c 6568 < EHLO [192.168.0.20]
@4000000042a7f1ed111d89d4 6568 > 250-srv.open2space.com
@4000000042a7f1ed111da144 6568 > 250-STARTTLS
@4000000042a7f1ed111e8ba4 6568 > 250-AUTH LOGIN CRAM-MD5 PLAIN
@4000000042a7f1ed111e9f2c 6568 > 250-AUTH=LOGIN CRAM-MD5 PLAIN
@4000000042a7f1ed111eaecc 6568 > 250-SIZE 0
@4000000042a7f1ed111eba84 6568 > 250-PIPELINING
@4000000042a7f1ed111ec63c 6568 > 250 8BITMIME
@4000000042a7f1ed11478fa4 6568 < STARTTLS
@4000000042a7f1ed11712814 6568 > 220 ready for tls
@4000000042a7f1ed12b85db4 6568 < WSB§ñãH-gÇòSQºXæµdW=äÙh7hTsãÃ/<
@4000000042a7f1ed12b87cf4 6568 < 98532/fedcba`  +
@4000000042a7f1ed12d4de94 6568 > [EOF]
@4000000042a7f1ed12d6bb24 tcpserver: end 6568 status 256
@4000000042a7f1ed12d6ceac tcpserver: status: 0/20
```

As you can see, it craps out right after the TLS stuff and doesn't continue..... (This was a test message to myself.)

Any further tips?  Any other config files I can post to help?  Thanks bunches.

----------

## kalpol

Try

```
chmod u+s /bin/checkpassword
```

(or whatever your password program is in conf-smtpd)

That's what I did to get mine working. qmail reported just as yours does so hopefully that's it.

I think tcpserver's exit 256 means that an external program didn't do its job - I have seen that when ClamAV fails because the softlimit was too low.
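ca_grover's recordio log ends with `220 ready for tls`, a burst of TLS handshake bytes from the client, `[EOF]`, and `tcpserver: end 6568 status 256`, and kalpol reads that status as an external program failing. The script below is an added example, not code from the thread or from ucspi-tcp; it groups a tcpserver plus recordio log by child pid, decodes the TAI64N timestamps, and reports how each session ended. tcpserver logs the raw wait status, so 256 is an exit code of 1 in the high byte, which the diagnosis decodes. The sample log is constructed to match the shape of the thread's output, with a placeholder host name and addresses; the binary line stands in for the client's TLS ClientHello and shows why the last readable client command has to be picked out rather than the last line.

```python
"""Summarise tcpserver + recordio qmail-smtpd log sessions.

Added example (not from the thread or from ucspi-tcp).
"""
import re

# Constructed sample: the client sends STARTTLS, the child dies during the handshake.
SAMPLE_LOG = """@4000000042a7f1ed1041377c tcpserver: status: 1/20
@4000000042a7f1ed104a864c tcpserver: pid 6568 from 192.168.0.20
@4000000042a7f1ed106597fc tcpserver: ok 6568 :::ffff:192.168.0.5:25 :::ffff:192.168.0.20::33274
@4000000042a7f1ed10fab7c4 6568 > 220 mail.example.test ESMTP
@4000000042a7f1ed111a3a2c 6568 < EHLO [192.168.0.20]
@4000000042a7f1ed111d89d4 6568 > 250-mail.example.test
@4000000042a7f1ed111da144 6568 > 250-STARTTLS
@4000000042a7f1ed111e8ba4 6568 > 250-AUTH LOGIN CRAM-MD5 PLAIN
@4000000042a7f1ed111ec63c 6568 > 250 8BITMIME
@4000000042a7f1ed11478fa4 6568 < STARTTLS
@4000000042a7f1ed11712814 6568 > 220 ready for tls
@4000000042a7f1ed12b85db4 6568 < \x16\x03\x01\x00\x95\x01\x00\x00\x91\x03\x01
@4000000042a7f1ed12d4de94 6568 > [EOF]
@4000000042a7f1ed12d6bb24 tcpserver: end 6568 status 256
@4000000042a7f1ed12d6ceac tcpserver: status: 0/20
"""

TAI64N = re.compile(r"^@([0-9a-f]{16})([0-9a-f]{8}) (.*)$")


def tai64n_to_unix(label: str) -> tuple:
    """TAI64N hex label (without the '@') -> (seconds, nanoseconds).

    TAI64 counts seconds from 2^62 at the 1970 epoch. The value is TAI, which
    led UTC by 32 s in 2005; that offset is deliberately not applied here.
    """
    return int(label[:16], 16) - (1 << 62), int(label[16:24], 16)


def _new_session() -> dict:
    return {"remote": None, "start": None, "end_status": None,
            "duration_s": None, "client": [], "server": []}


def summarize_sessions(log: str) -> dict:
    """Return {pid: session} built from tcpserver and recordio lines."""
    sessions = {}
    for line in log.split("\n"):
        m = TAI64N.match(line)
        if not m:
            continue                        # junk, or a line that lost its timestamp
        secs, nanos = tai64n_to_unix(m.group(1) + m.group(2))
        rest = m.group(3)
        if rest.startswith("tcpserver:"):
            words = rest.split()
            if words[1] == "pid":           # tcpserver: pid <pid> from <ip>
                sess = sessions.setdefault(words[2], _new_session())
                sess["remote"], sess["start"] = words[4], (secs, nanos)
            elif words[1] == "end":         # tcpserver: end <pid> status <wait status>
                sess = sessions.setdefault(words[2], _new_session())
                sess["end_status"] = int(words[4])
                if sess["start"]:
                    s0, n0 = sess["start"]
                    sess["duration_s"] = ((secs - s0) * 10**9 + (nanos - n0)) / 1e9
            continue
        parts = rest.split(" ", 2)          # recordio: "<pid> > text" or "<pid> < text"
        if len(parts) < 2 or parts[1] not in ("<", ">"):
            continue
        sess = sessions.setdefault(parts[0], _new_session())
        payload = parts[2] if len(parts) == 3 else ""
        sess["client" if parts[1] == "<" else "server"].append(payload)
    return sessions


def diagnose(sess: dict) -> str:
    """Explain how a session ended from the raw wait status tcpserver logged:
    the exit code is in the high byte, a terminating signal in the low bits."""
    status = sess["end_status"]
    if status is None:
        return "no end record: session still open or log truncated"
    exit_code, sig = status >> 8, status & 0x7F
    if sig:
        return f"qmail-smtpd killed by signal {sig}"
    if exit_code == 0:
        return "clean exit"
    # Last readable command from the client; after STARTTLS the client lines are TLS records.
    cmds = [c for c in sess["client"] if c.isascii() and c.isprintable()]
    last = cmds[-1].split()[0].upper() if cmds else "nothing"
    if last == "STARTTLS":
        return (f"child exited {exit_code} right after STARTTLS: TLS setup failed "
                "(check that the certificate/key files are readable by qmail-smtpd "
                "and the checkpassword helper it runs)")
    return f"child exited {exit_code} after client command {last}"


if __name__ == "__main__":
    for pid, sess in summarize_sessions(SAMPLE_LOG).items():
        print(pid, sess["remote"], sess["duration_s"], diagnose(sess))
```

Feed it a real log with `summarize_sessions(open(path).read())`; sessions that end with a non-zero status and a last readable command of `AUTH` rather than `STARTTLS` point at the checkpassword helper itself, which is what the `chmod u+s` fixes in this thread address.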

----------

## ca_grover

Thanks kalpol, but /var/vpopmail/bin/vchkpwd was set that way already...  I re-ran the command just in case - no joy.

I've been doing some digging, and it looks like qmail 1.05-r15 introduced this problem, but courier-imap 4.0.1 also introduced an authentication change. I *think* when I did my last emerge world I happened to get both of these... So I'm checking out the resolution to courier-imap as well.

If worst comes to worst, I'll just do an emerge -C of all the packages involved in this issue and start from a (relatively) clean slate. Luckily the server isn't TOOOO critical.

----------

## donjames

Hi,

I worked on qmail for over a year and never got it to work right.

I have been trying to get qmail set up on Gentoo for over six months and have yet to make it do SMTP AUTH.

qmail may be good software, but it is worthless with the current documentation.  I bought David Sill's book, The Qmail Handbook.  It is worthless.  I have found that the documentation on qmail is pretty much worthless, because it is out of date.

I am trying to get an ISP up and running and qmail has been nothing but grief.  I have deleted qmail from all of my email servers and installed a commercial product that is just great.  It does everything that I want to do and doesn't cost a fortune.

If anyone would like to know what I am using,  please email me.

I am through with qmail.  I'll NEVER attempt to use qmail again.

Sincerely,

Don James

Henderson, Texas USA

----------

