
#31 SMTP 587 TLS auth failure

v1.0_(example)
closed
support (1)
5
2024-09-03
2024-02-16
No

We are trying to configure our mailbox in a CRM software Lusha.

The SMTP connection is failing with the following error message. 100.21.76.215 is the IP of the Lusha system. Martin.Bandi1 is the name of the mailbox we are configuring.


@4000000065cf4bfc15624bec tcpserver: pid 3745885 from 100.21.76.215
@4000000065cf4bfc156852e4 tcpserver: ok 3745885 mail.softenger.com[11.0.0.92]587 [100.21.76.215]:57128:maxperip=25
@4000000065cf4bfc15685e9c tcpserver: status: 3/40 un-encrypted session, pid=3745885, IP 100.21.76.215
@4000000065cf4bfe0018ecdc qmail-smtpd: pid 3745885 from ::ffff:100.21.76.215 ssl-version=TLSv1.2
@4000000065cf4bfe310f518c qmail-smtpd: pid 3745885 from ::ffff:100.21.76.215 AUTH USER [martin.bandi1@softenger.com] status=[1] AUTH CRAM-MD5 TLS=TLSv1.2 auth failure
@4000000065cf4c0d042fad9c qmail-smtpd: pid 3745885 from ::ffff:100.21.76.215 read error: client dropped connection:


While configuring the mailbox in the Lusha portal, we are able to define the server name and port number; however, the option to define the 'Encryption Method' as SSL/TLS or STARTTLS is not available (this is typically visible when you configure the Outlook settings).

In our mail server's SMTP 587 configuration, the FORCE_TLS variable is not set and the STARTTLS variable is not set.

The support person from Lusha says that the error message he is able to see is a mismatched TLS. He also confirmed that they use TLS 1.2. The mail server is providing all the certificates correctly. I think he used the openssl utility to test this part.

Based on our conversation with the support team, I guess they are trying SSL/TLS first and giving up before trying STARTTLS.

Is there something we need to change in our configuration that will possibly offer SSL/TLS first?
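To see what the quoted log actually records, here is a small parser, added as an example; it is not part of the ticket or of indimail-mta. It decodes the multilog TAI64N timestamps (assuming the 37-second TAI-UTC offset in force since 2017), groups the tcpserver and qmail-smtpd records by pid, and summarises each session. The sample input is a constructed copy of the six lines above. On them it reports that TLSv1.2 was negotiated on port 587 (the tcpserver status line describes the session as un-encrypted only at accept time, before STARTTLS) and that the failure occurred at AUTH CRAM-MD5 for martin.bandi1@softenger.com, after which the client dropped the connection.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed copy of the six log lines quoted in the ticket (multilog TAI64N
# timestamps; tcpserver and qmail-smtpd records for one session, pid 3745885).
SAMPLE_LOG = """\
@4000000065cf4bfc15624bec tcpserver: pid 3745885 from 100.21.76.215
@4000000065cf4bfc156852e4 tcpserver: ok 3745885 mail.softenger.com[11.0.0.92]587 [100.21.76.215]:57128:maxperip=25
@4000000065cf4bfc15685e9c tcpserver: status: 3/40 un-encrypted session, pid=3745885, IP 100.21.76.215
@4000000065cf4bfe0018ecdc qmail-smtpd: pid 3745885 from ::ffff:100.21.76.215 ssl-version=TLSv1.2
@4000000065cf4bfe310f518c qmail-smtpd: pid 3745885 from ::ffff:100.21.76.215 AUTH USER [martin.bandi1@softenger.com] status=[1] AUTH CRAM-MD5 TLS=TLSv1.2 auth failure
@4000000065cf4c0d042fad9c qmail-smtpd: pid 3745885 from ::ffff:100.21.76.215 read error: client dropped connection:
"""

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
TAI_MINUS_UTC = 37  # seconds; assumption: the offset valid since 2017-01-01, no newer leap second

LINE_RE = re.compile(r"^(?P<ts>@[0-9a-f]{24}) (?P<prog>tcpserver|qmail-smtpd): (?P<rest>.*)$")
PID_RE = re.compile(r"(?:pid[ =]|\bok )(?P<pid>\d+)")
SSL_RE = re.compile(r"ssl-version=(?P<ver>\S+)")
AUTH_RE = re.compile(r"AUTH USER \[(?P<user>[^\]]+)\] status=\[(?P<status>\d+)\] "
                     r"AUTH (?P<mech>\S+) TLS=(?P<tls>\S+) (?P<result>.*)$")


def tai64n_to_utc(label):
    """Decode a multilog '@' TAI64N label (2^62 + TAI seconds, then nanoseconds) to UTC."""
    if not label.startswith("@") or len(label) != 25:
        raise ValueError("not a TAI64N label: %r" % label)
    tai_seconds = int(label[1:17], 16) - (1 << 62)
    nanos = int(label[17:25], 16)
    return EPOCH + timedelta(seconds=tai_seconds - TAI_MINUS_UTC, microseconds=nanos // 1000)


def parse_events(text):
    """Yield (utc time, program, pid, message) for each well-formed line; skip the rest."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        pm = PID_RE.search(m["rest"])
        yield tai64n_to_utc(m["ts"]), m["prog"], (int(pm["pid"]) if pm else None), m["rest"]


def verdict(s):
    """One-line reading of a session summary."""
    if s["tls_version"] is None:
        return "no TLS negotiated on this session"
    if s["auth"] is None:
        return "TLS %s negotiated, no AUTH attempted" % s["tls_version"]
    if s["auth"]["ok"]:
        return "TLS %s, AUTH %s for %s succeeded" % (
            s["tls_version"], s["auth"]["mechanism"], s["auth"]["user"])
    return "TLS %s negotiated OK; failure is at AUTH %s for %s, not a TLS mismatch" % (
        s["tls_version"], s["auth"]["mechanism"], s["auth"]["user"])


def diagnose(text):
    """Per smtpd session (pid): client IP, TLS version, AUTH outcome, timing and a verdict."""
    sessions = {}
    for when, prog, pid, msg in parse_events(text):
        s = sessions.setdefault(pid, {"client": None, "tls_version": None, "auth": None,
                                      "client_dropped": False, "first": when, "last": when})
        s["last"] = when
        if prog == "tcpserver":
            fm = re.search(r"from (\S+)$", msg)
            if fm:
                s["client"] = fm[1]
        sm = SSL_RE.search(msg)
        if sm:
            s["tls_version"] = sm["ver"]  # STARTTLS completed on this session
        am = AUTH_RE.search(msg)
        if am:
            s["auth"] = {"user": am["user"], "mechanism": am["mech"], "tls": am["tls"],
                         "ok": am["result"].strip() != "auth failure"}
        if "client dropped connection" in msg:
            s["client_dropped"] = True
    for s in sessions.values():
        s["verdict"] = verdict(s)
    return sessions


if __name__ == "__main__":
    for pid, s in diagnose(SAMPLE_LOG).items():
        print(pid, s["first"].isoformat(), s["client"], s["verdict"])
```

Run against a real multilog directory, the same script will separate sessions that never reach ssl-version= (a client that tried implicit TLS on 587 and got no SMTP banner never logs one) from sessions like this one, where the handshake completed and the mechanism is what failed.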

Discussion

  • Manvendra Bhangui

    From the log you provided, I believe it is trying CRAM-MD5 authentication. This requires a plain-text password in the database. Not something I like. To make any CRAM methods work, you need to use the vpasswd -C or vmoduser -C option. Also, ENABLE_CRAM needs to be set for the SMTP port that the CRM server is using.

    $ sudo sh -c "echo 1 > /service/qmail-smtpd.587/variables/ENABLE_CRAM"
    $ sudo svc -r /service/qmail-smtpd.587
    
     
    • Abhijit Chaphekar

      We don't have plain-text passwords in the database. Is this CRAM-MD5 change user-specific or applicable to the entire mail server?

      Will ENABLE_CRAM work alongside LOGIN? Otherwise I will have to create a separate port for this configuration specially for Lusha.

       

      Last edit: Abhijit Chaphekar 2024-02-16
      • Manvendra Bhangui

        It can be user-specific. So only those users for whom the passwords are stored in clear text will be able to log in using CRAM methods (CRAM-MD5, CRAM-SHA1, CRAM-SHA256, CRAM-SHA512, etc.).

         
  • Manvendra Bhangui

    • labels: --> support
    • assigned_to: Manvendra Bhangui
     
  • Abhijit Chaphekar

    Another observation from the logs: would it make any difference if the AUTH was LOGIN instead of CRAM-MD5?

     
    • Manvendra Bhangui

      If you can configure the CRM server to use LOGIN or PLAIN, it should be better and will work with the existing password encryption. CRAM and SCRAM methods are a different animal. Though CRAM methods eliminate the real passwords being exchanged on the wire, the danger is that if someone steals your MySQL database, that person will have no difficulty in knowing the passwords.

       

      Last edit: Manvendra Bhangui 2024-02-16
  • Abhijit Chaphekar

    Will first push the Lusha team to switch to LOGIN, if that doesn't work, will try this change.

    Noted. Thank you.

     
    • Manvendra Bhangui

      You can put across a few things to the Lusha team:

      1. CRAM-MD5 has been officially marked as a historic method along with the DIGEST-MD5 method. See this
      2. The CRAM methods that are now officially recognized are the SCRAM methods (SCRAM-SHA-1, SCRAM-SHA-256, SCRAM-SHA-512, ...).
      3. The CRAM methods have the danger of your unhashed passwords getting leaked. See this
      4. indimail supports SCRAM AUTH methods (SCRAM-SHA-1, SCRAM-SHA-256, SCRAM-SHA-1-PLUS, SCRAM-SHA-256-PLUS), and the option is available in iwebadmin.
      5. The LOGIN or PLAIN methods over TLS are a safer option, as leakage of unhashed passwords is not as big a risk as when using CRAM methods.
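The two points made in this thread, that CRAM-MD5 forces the server to keep a usable copy of the password while PLAIN or LOGIN inside TLS lets it keep only a salted hash, and that SCRAM gives challenge-response without that cost, can be seen by writing out what each side computes. The following is an added example in Python's standard library, not code from indimail-mta or from anyone in the thread; it shows both sides of CRAM-MD5 (RFC 2195), PLAIN (RFC 4616) and SCRAM-SHA-256 (RFC 7677). The salted storage format (PBKDF2-SHA256, 4096 rounds) is this example's own choice and not indimail's vpasswd format; the user names, passwords and nonces are constructed test inputs (the SCRAM ones borrowed from the RFC 7677 example exchange).

```python
import base64
import hashlib
import hmac
import os

H = hashlib.sha256
ITER = 4096  # PBKDF2 rounds for the salted records (also the SCRAM 'i' value); example choice


# ---- CRAM-MD5 (RFC 2195): the server must hold the clear-text password ----

def cram_md5_response(user, password, challenge):
    """Client reply to the 334 challenge: 'user hex(HMAC-MD5(key=password, msg=challenge))'."""
    mac = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return "%s %s" % (user, mac)


def cram_md5_verify(cleartext_db, challenge, response):
    """Server side: the HMAC key is the password itself, so the database has to
    contain it (or an equivalent secret that is just as useful to a thief)."""
    user, mac = response.split(" ", 1)
    expected = hmac.new(cleartext_db[user].encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, mac)


# ---- PLAIN (RFC 4616) inside TLS: the server keeps only a salted hash ----

def plain_response(user, password, authzid=""):
    """Initial response: base64(authzid NUL authcid NUL password). Send only after STARTTLS."""
    return base64.b64encode(("%s\0%s\0%s" % (authzid, user, password)).encode()).decode()


def make_salted(password, salt=None):
    """Stored record for PLAIN/LOGIN verification: salt plus an iterated hash."""
    salt = os.urandom(16) if salt is None else salt
    return {"salt": salt, "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER)}


def plain_verify(salted_db, response):
    _, user, password = base64.b64decode(response).decode().split("\0")
    rec = salted_db[user]
    got = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], ITER)
    return hmac.compare_digest(rec["hash"], got)


# ---- SCRAM-SHA-256 (RFC 7677): challenge-response, yet nothing clear-text stored ----

def _keys(password, salt, iters):
    """ClientKey, StoredKey, ServerKey as defined in RFC 5802 section 3."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    client_key = hmac.new(salted, b"Client Key", H).digest()
    server_key = hmac.new(salted, b"Server Key", H).digest()
    return client_key, H(client_key).digest(), server_key


def scram_enroll(password, salt=None, iters=ITER):
    """What the server stores: salt, iteration count, StoredKey, ServerKey. A stolen
    record yields neither the password nor a proof that is valid for a fresh nonce."""
    salt = os.urandom(16) if salt is None else salt
    _, stored_key, server_key = _keys(password, salt, iters)
    return {"salt": salt, "iter": iters, "stored_key": stored_key, "server_key": server_key}


def scram_client_first(user, cnonce):
    return "n=%s,r=%s" % (user, cnonce)  # bare form; on the wire it is prefixed with 'n,,'


def scram_server_first(record, client_first_bare, snonce):
    cnonce = client_first_bare.split(",r=", 1)[1]
    return "r=%s%s,s=%s,i=%d" % (cnonce, snonce,
                                 base64.b64encode(record["salt"]).decode(), record["iter"])


def scram_client_final(password, client_first_bare, server_first):
    f = dict(kv.split("=", 1) for kv in server_first.split(","))
    if not f["r"].startswith(client_first_bare.split(",r=", 1)[1]):
        raise ValueError("server nonce does not extend the client nonce")
    client_key, stored_key, _ = _keys(password, base64.b64decode(f["s"]), int(f["i"]))
    client_final_bare = "c=biws,r=%s" % f["r"]  # c=biws is base64('n,,'): no channel binding
    auth_message = ",".join([client_first_bare, server_first, client_final_bare]).encode()
    client_sig = hmac.new(stored_key, auth_message, H).digest()
    proof = bytes(a ^ b for a, b in zip(client_key, client_sig))  # ClientProof
    return "%s,p=%s" % (client_final_bare, base64.b64encode(proof).decode())


def scram_server_verify(record, client_first_bare, server_first, client_final):
    """Recover ClientKey = proof XOR ClientSignature and check H(ClientKey) == StoredKey.
    Returns the 'v=' server-final message on success, None on failure."""
    client_final_bare, proof_b64 = client_final.rsplit(",p=", 1)
    auth_message = ",".join([client_first_bare, server_first, client_final_bare]).encode()
    client_sig = hmac.new(record["stored_key"], auth_message, H).digest()
    client_key = bytes(a ^ b for a, b in zip(base64.b64decode(proof_b64), client_sig))
    if not hmac.compare_digest(H(client_key).digest(), record["stored_key"]):
        return None
    return "v=" + base64.b64encode(hmac.new(record["server_key"], auth_message, H).digest()).decode()
```

The asymmetry is in the two verify functions: cram_md5_verify cannot be written against make_salted's record because HMAC needs the password as key, which is the leak Manvendra describes; plain_verify and scram_server_verify both work from records that do not contain the password, and SCRAM additionally never puts it on the wire.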
       
  • Manvendra Bhangui

    A thing about the support for CRAM authentication methods in indimail-mta is that you can use the current encrypted password when authenticating. You can get the encrypted password from vuserinfo. However, ENABLE_CRAM needs to be set.

    You can read more in the indimail wiki

    https://github.com/indimail/indimail-mta/wiki/0-IndiMail-Wiki#challenge-response-authentication-mechanisms

     
  • Abhijit Chaphekar

    Issue was resolved in a couple of days. Sorry missed closing this ticket.

     
  • Manvendra Bhangui

    • status: open --> closed
     
