msimerson / Mail-Toaster-6

Mail Toaster 6
https://github.com/msimerson/Mail-Toaster-6/wiki
BSD 3-Clause "New" or "Revised" License

Outlook 2010 and 2013 not able to SMTP using SMTP AUTH #202

Closed johannes73 closed 7 years ago

johannes73 commented 7 years ago

Expected behavior

Users using Outlook 2010 / 2013 to be able to SMTP using SMTP AUTH.

Observed behavior

SMTP sending works with other clients (Mail in Windows 10, Apple Mail, iOS, webmail, etc.), but not with Outlook 2010 / 2013. The client gives error code 0x800CCC69.

According to the Outlook log, haraka closes with "550 Host names have more than one DNS label":

2016.11.21 23:48:47 SMTP (mail.smartnet.se): Port: 587, Secure: Auto, SPA: yes
2016.11.21 23:48:47 SMTP (mail.smartnet.se): Finding host
2016.11.21 23:48:47 SMTP (mail.smartnet.se): Connecting to host
2016.11.21 23:48:47 SMTP (mail.smartnet.se): Connected to host
2016.11.21 23:48:50 SMTP (mail.smartnet.se): 220 haraka ESMTP Haraka 2.8.13 ready
2016.11.21 23:48:50 SMTP (mail.smartnet.se): [tx] EHLO DESKTOP3507CDS
2016.11.21 23:48:50 SMTP (mail.smartnet.se): 550 [DB2F7B85-9FA@haraka] Host names have more than one DNS label
2016.11.21 23:48:50 SMTP (mail.smartnet.se): Disconnecting from host
2016.11.21 23:48:50 SMTP (mail.smartnet.se): Disconnected from host

Steps to reproduce

FreeBSD 10.3 + MT6 install. SMTP to port 587 with SMTP AUTH activated, from client Outlook 2010 or Outlook 2013.

Hack to solve the problem

Add a line to /data/haraka/config/helo.checks.ini:

valid_hostname=false

Then it works. I am not sure - could this be done in a better way? Do I open up too much by disabling hostname checking?

msimerson commented 7 years ago

Background: MTAs (think: port 25) should always require a FQDN. That's been part of the RFCs for decades and the vast majority of legit MTAs that want to send you mail get this right. However, you will end up blocking a small number of valid emails, mostly from smaller mom-n-pop shops with an Exchange server sitting in the closet. Their HELO hostnames often look like server.local or something similarly naive. I'm generally content to block their mail and when they look into it, I welcome them to the internet and point them to a few microsoft.com articles on how to configure their mail server properly.

Then there's Mail Submission Agents. Think SMTP on port 587, which is generally your own servers that are relaying mail to the rest of the internet. Those MUAs that use your server use all sorts of values for the HELO string, some valid, some less so. Either way, you don't want to be strict with them.

There are two ways to deal with this. One is how you solved it (don't require a FQDN for the HELO hostname). That's how I do it, and then I penalize the connection for using invalid HELO host names. That is more than compensated by the karma points they get for authenticating. That's why MT6 has only a single instance of Haraka.

The other solution is to run another MTA on port 587 as your MSA. The MSA doesn't need heavy filtering features, it just needs to require TLS and AUTH and then accept the message and then send it onwards.

johannes73 commented 7 years ago

Thank you, Matt, for explaining, it helps. So then, in practice, I will keep

valid_hostname=false

in /data/haraka/config/helo.checks.ini. (Maybe this could be default in the install, or an option during the install, for server owners with users with those frequent Outlook clients?)

Thanks again. By the way, is penalization of the connection for using invalid HELO host names done by default, or should I adjust the config for this?

msimerson commented 7 years ago

Penalized by default:

$ grep helo ../haraka-plugin-karma/config/karma.ini 
;hooks=connect,unrecognized_command,helo,ehlo,mail,rcpt,data,data_post
plugins=send_email, tls, access, helo.checks, data.headers, rspamd, spamassassin, avg, clamd, attachment
130 = helo.checks | fail | match | valid_hostname | -1  | HELO host invalid      | Use valid HELO hostname
131 = helo.checks | pass | match | forward_dns    |  1  | HELO host has forward DNS
132 = helo.checks | skip | match | forward_dns    | -1  | HELO host skipped
133 = helo.checks | fail | match | forward_dns    | -1  | HELO host fails forward DNS | Use valid HELO hostname
134 = helo.checks | fail | match | dynamic        | -1  | HELO host has dynamic name
135 = helo.checks | fail | match | reverse_dns    | -1  | HELO host missing rDNS
195 = data.uribl   | fail       | match  | helo                         | -2  | URI Blacklist | Don't send spam
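To make the two mechanisms in this thread concrete, here is an added example in Python. It is not Haraka, haraka-plugin-karma or Mail-Toaster-6 code; it is a stand-alone model of (a) the helo.checks valid_hostname test that produced "550 Host names have more than one DNS label" for an EHLO of DESKTOP3507CDS, run in strict mode for an MTA on port 25 and in record-but-don't-reject mode for an MSA on port 587, and (b) a parser for karma.ini-style rule lines like the grep output above, used to score the HELO result and offset it with credit for authenticating. The function names, the `auth_bonus` and `deny_below` values, the treatment of `valid_hostname=false` as "still record the result, just don't reject", and the input hostnames are all assumptions made for the example.

```python
"""Model of Haraka-style HELO validity checking and karma scoring.

Added example; NOT code from Haraka, haraka-plugin-karma or Mail-Toaster-6.
All names, thresholds and bonuses below are assumptions for illustration.
"""
import re
from dataclasses import dataclass

# One DNS label: letters, digits, hyphens, no leading/trailing hyphen, <= 63 chars.
# (Assumption: underscores, common in Windows NetBIOS names, are treated as invalid.)
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def has_multiple_labels(helo: str) -> bool:
    """True when the HELO name has more than one well-formed DNS label.
    'DESKTOP3507CDS' fails; 'mail.smartnet.se' and even 'server.local' pass."""
    labels = helo.strip().rstrip(".").split(".")
    return len(labels) > 1 and all(LABEL_RE.match(label) for label in labels)


def helo_valid_hostname(helo: str, enforce: bool = True):
    """Return (verdict, message). verdict is pass/fail/skip/reject.
    enforce=False models valid_hostname=false as used in the thread: the result
    is still recorded (so a karma-style scorer can penalize it) but nothing is
    rejected. That record-but-don't-reject behaviour is an assumption."""
    if helo.startswith("[") and helo.endswith("]"):
        return ("skip", "address literal")      # RFC 5321 allows [192.0.2.1]
    if has_multiple_labels(helo):
        return ("pass", "")
    if enforce:
        return ("reject", "550 Host names have more than one DNS label")
    return ("fail", "Host names have more than one DNS label")


# Constructed karma.ini-style rules, copied in shape from the grep output above.
KARMA_RULES = """\
;hooks=connect,unrecognized_command,helo,ehlo,mail,rcpt,data,data_post
plugins=send_email, tls, access, helo.checks, data.headers
130 = helo.checks | fail | match | valid_hostname | -1  | HELO host invalid      | Use valid HELO hostname
131 = helo.checks | pass | match | forward_dns    |  1  | HELO host has forward DNS
133 = helo.checks | fail | match | forward_dns    | -1  | HELO host fails forward DNS | Use valid HELO hostname
135 = helo.checks | fail | match | reverse_dns    | -1  | HELO host missing rDNS
"""


@dataclass
class Rule:
    id: int
    plugin: str
    verdict: str
    op: str
    name: str
    score: int
    reason: str


def parse_karma_rules(text: str):
    """Parse 'id = plugin | verdict | op | name | score | reason [| advice]' lines.
    Comment lines (';') and key=value lines such as plugins=... are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        rid, _, rest = line.partition("=")
        parts = [p.strip() for p in rest.split("|")]
        if len(parts) < 6 or not rid.strip().isdigit():
            continue
        plugin, verdict, op, name, score, reason = parts[:6]
        rules.append(Rule(int(rid), plugin, verdict, op, name, int(score), reason))
    return rules


def karma_score(results: dict, rules):
    """results maps plugin -> verdict -> set of check names, e.g.
    {"helo.checks": {"fail": {"valid_hostname"}}}. Returns (total, matched ids)."""
    total, hits = 0, []
    for r in rules:
        if r.op == "match" and r.name in results.get(r.plugin, {}).get(r.verdict, set()):
            total += r.score
            hits.append(r.id)
    return total, hits


def evaluate_connection(helo: str, port: int, authenticated: bool, rules,
                        auth_bonus: int = 2, deny_below: int = -3):
    """Single-instance approach from the thread: strict HELO on port 25, relaxed
    on 587, where the -1 for a bad HELO is outweighed by credit for AUTH.
    auth_bonus and deny_below are assumed values, not karma's real defaults."""
    verdict, msg = helo_valid_hostname(helo, enforce=(port == 25))
    if verdict == "reject":
        return {"accepted": False, "reply": msg, "karma": None, "hits": []}
    score, hits = karma_score({"helo.checks": {verdict: {"valid_hostname"}}}, rules)
    if authenticated:
        score += auth_bonus
    return {"accepted": score > deny_below, "reply": "250 OK", "karma": score, "hits": hits}


if __name__ == "__main__":
    rules = parse_karma_rules(KARMA_RULES)
    for port, auth in ((25, False), (587, False), (587, True)):
        print(port, auth, evaluate_connection("DESKTOP3507CDS", port, auth, rules))
```

Note that `server.local` passes the label-count check: the "naive" Exchange HELO names msimerson describes are caught by the other helo.checks tests (forward_dns, reverse_dns), which this model only scores from supplied results rather than resolving.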

msimerson commented 7 years ago

> So then, in practice, I will keep valid_hostname=false in /data/haraka/config/helo.checks.ini. (Maybe this could be default in the install

Hmm, if one looks at the docs for helo.checks, they'd be forgiven for assuming that is the default, but apparently sometimes it's not.