Closed gziskind closed 9 years ago
If you don't issue AUTH the mail is treated as inbound, and queued appropriately (I don't know what you have set up as a queue plugin), assuming Haraka can receive mails for test.com.
On Fri, Jan 9, 2015 at 4:35 PM, gziskind notifications@github.com wrote:
I am setting up Haraka using the auth/flat_file plugin, and messages are being allowed to be sent to the mail server even without authenticating.
The EHLO command returns AUTH LOGIN as an option, but instead of denying new commands without authentication, it allows the client to issue MAIL FROM, RCPT TO, and DATA commands without authenticating. It seems like auth is being requested but no action is being taken based on that auth.
Here is a sample of my telnet commands that I am issuing to debug:
220 haraka.test ESMTP Haraka 2.5.0 ready
EHLO localhost
250-haraka.test Hello localhost [127.0.0.1], Haraka is at your service.
250-PIPELINING
250-8BITMIME
250-SIZE 500000
250 AUTH LOGIN
MAIL FROM: test@test.com
250 sender test@test.com OK
RCPT TO: receiver@test.com
250 recipient receiver@test.com OK
DATA
354 go ahead, make my day
Subject: Test
Body
.
250 2.0.0 Ok: queued as 244E56160F (C3E12E8C-696E-4248-AF8F-71CCEF6A5729.1)
QUIT
221 haraka.test closing connection. Have a jolly good day.
Am I missing any options for this to work properly?
— Reply to this email directly or view it on GitHub https://github.com/baudehlo/Haraka/issues/810.
It's working as it should as far as I can see. If @test.com is in your rcpt_to.in_host_list configuration, then it's effectively inbound mail and therefore no authentication required. If you tried to send to @hotmail.com though; it would reject it as 'relaying denied' as the client hasn't authenticated and it's being sent to a non-local domain.
Well I guess my question is, why is authentication not required for inbound mail?
How would that work?
Everyone sending you mail would need your username/password.
On Fri, Jan 9, 2015 at 4:59 PM, gziskind notifications@github.com wrote:
Well I guess my question is, why is authentication not required for inbound mail?
The only time AUTH is required is for mail on port 587.
Ahhh, I'm starting to see what I'm missing here.
I'm using the mail server as a relay to forward it to another mail server, and not as an endpoint for incoming mail. I'd say it's an outbound mail server.
Am I missing a set of plugins or a configuration to make this work?
That should work out of the box. You're testing this on localhost (e.g. you connected to 127.0.0.1) which is automatically allowed to relay without authentication. Try it from another host and you'll see that everything will be rejected with 'Relaying Denied' unless you authenticate.
Oh - and BTW; don't just offer AUTH LOGIN. You'll need to offer PLAIN too if you want maximum compatibility as there are likely quite a few MUAs that don't support LOGIN. There's no downside to offering both; they're effectively the same thing anyway.
Alright, I'll keep that in mind when deploying the real system. That was just a simple test I set up to see if it was working.
It seems like it still behaves the same from a remote server though.
ehlo localhost
250-haraka.test Hello [172.16.212.165], Haraka is at your service.
250-PIPELINING
250-8BITMIME
250-SIZE 500000
250 AUTH PLAIN
mail from: someone@blah.com
250 sender <someone@blah.com> OK
rcpt to: <redacted-email>
250 recipient <redacted-email> OK
data
354 go ahead, make my day
Subject: test
Body
.
250 2.0.0 Ok: queued as B920E219CC (C4088898-6B86-44FE-ABFB-29BECFDF4F2B.1)
quit
Also note I sent it to a valid gmail address.
Then you have a plugin that is incorrectly setting connection.relaying = true; somewhere.
The plugins I have configured are:
auth/flat_file
dnsbl
helo.checked
max_unrecognized_commands
queue/smtp_forward
I can't find a connection.relaying = true in those ones.
Run:
echo LOGDEBUG > /path/to/haraka/config/loglevel
Then run a message through and paste the entire log here.
OK, I figured out what the issue was. I had the destination email domain listed under config/host_list, and it allows emails to come through without authentication if it's listed there. After removing it, emails only come through with proper authentication.
Thanks for your help.
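The behaviour worked out in this thread (mail to a domain listed in config/host_list is accepted without AUTH, and connections from localhost are allowed to relay) can be checked against a pasted telnet session; the following is an added example, not code from the thread or from Haraka. It assumes a non-pipelined session pasted as plain text, and `auditTranscript`, `intendedLocal` and the example.* addresses are constructed for illustration.

```javascript
'use strict';
// Added illustration, not Haraka code. `intendedLocal` is a hypothetical list
// of the domains this server is meant to accept inbound mail for.
function auditTranscript(text, intendedLocal) {
  const local = new Set(intendedLocal.map((d) => d.toLowerCase()));
  const result = { clientIp: null, loopback: false, findings: [] };
  let authed = false;   // server answered 235 to an AUTH exchange
  let pending = null;   // RCPT TO still waiting for its reply
  let accepted = [];    // recipients the server answered 250 for
  let state = 'cmd';    // 'cmd' | 'data' | 'end-of-data'
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (state === 'data') {          // body lines are never SMTP commands
      if (line === '.') state = 'end-of-data';
      continue;
    }
    if (line === '') continue;
    if (state === 'end-of-data') {   // this line is the reply to the final dot
      if (line.startsWith('250') && !authed) {   // queued without AUTH
        const stray = accepted.filter((r) => !local.has(r.domain));
        result.findings.push(...stray.map((r) => r.address));
      }
      accepted = [];
      state = 'cmd';
      continue;
    }
    const hello = /^250[ -].*Hello.*\[([^\]]+)\]/.exec(line);
    if (hello) {                     // peer IP as echoed in the EHLO reply above
      result.clientIp = hello[1];
      result.loopback = hello[1].startsWith('127.') || hello[1] === '::1';
    }
    const rcpt = /^RCPT TO:\s*<?([^<>\s]+@([^<>\s]+))>?/i.exec(line);
    if (rcpt) pending = { address: rcpt[1], domain: rcpt[2].toLowerCase() };
    else if (/^MAIL FROM:/i.test(line)) accepted = [];   // new transaction
    else if (/^235 /.test(line)) authed = true;
    else if (/^354 /.test(line)) state = 'data';
    else if (pending && /^\d{3} /.test(line)) {          // reply to RCPT TO
      if (line.startsWith('250')) accepted.push(pending);
      pending = null;
    }
  }
  return result;
}
// Constructed sample session (example.* names and the queue id are placeholders).
const SAMPLE = ['250-mx.example.org Hello [192.0.2.10], Haraka is at your service.',
  '250 AUTH PLAIN', 'MAIL FROM: <a@example.com>', '250 sender <a@example.com> OK',
  'RCPT TO: <b@example.net>', '250 recipient <b@example.net> OK', 'DATA',
  '354 go ahead, make my day', 'Subject: test', '', 'RCPT TO: <not-a-command@example.net>',
  '.', '250 2.0.0 Ok: queued as 000000000A', 'QUIT'].join('\n');
console.log(auditTranscript(SAMPLE, ['example.org']));
```

A result with `loopback: true` says nothing about relay policy, because the session was run from the host that is allowed to relay; repeat it from another machine.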