From mlewinski@massivenetworks.com Mon May 29 22:58:42 2017
From: mlewinski@massivenetworks.com (Mike Lewinski)
Date: Mon, 29 May 2017 20:58:42 -0000
Subject: Outlook smtp authentication missing
Message-ID:

On our mail server the usernames are always the full email address. The DNS across all domains is standardized to use this schema: pop3.domain.com (110/STARTTLS), imap.domain.com (143/STARTTLS) and smtp.domain.com (587/STARTTLS). I've added SRV records to all domains for clients that might require SRV records. While we allow SSL on the alternative ports 465/993/995, it is considered deprecated and we are doing our best to discourage it by setting appropriate weights on the SRV records.

We need users to authenticate before sending SMTP using their full email address and the same password that is used for POP3/IMAP.

I've used the automx-test command to examine the output. It contains the values I want, and it is apparently being received by the client. But Outlook is not accepting the values, or more specifically it is not accepting one last checkbox requirement for SMTP authentication.

$ automx-test mike@xwebco.com
...
Testing Autodiscover (Microsoft Outlook(tm)) ...
Connecting to https://autodiscover.xwebco.com/autodiscover/autodiscover.xml ...

HTTP/1.1 200 OK
Date: Mon, 29 May 2017 19:32:24 GMT
Server: Apache
Content-Length: 1384
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/xml

email settings
SMTP smtp.xwebco.com 587 off mike@xwebco.com off TLS on 6
POP3 pop3.xwebco.com 110 off mike@xwebco.com off TLS on 6
IMAP imap.xwebco.com 143 off mike@xwebco.com off TLS on 6

These are the key values above that I'm expecting:

LoginName = mike@xwebco.com
Encryption = TLS
AuthRequired = on

This is what's actually in my /etc/automx.conf file. As you can see it is very simple. I do not need to transform any usernames or look up anything in a database. I just need to extract the domain name from the email address to construct the server names. The full email address is used for the service auth_identity values without exception.

[global]
backend = static
action = settings
# %s is the full email address, %d is its domain part
account_name = %s
account_name_short = %s

smtp = yes
smtp_server = smtp.%d
smtp_port = 587
smtp_encryption = starttls
smtp_auth = plaintext
smtp_auth_identity = %s
smtp_refresh_ttl = 6
smtp_default = yes

pop = yes
pop_server = pop3.%d
pop_port = 110
pop_encryption = starttls
pop_auth_identity = %s
pop_auth = plaintext
pop_refresh_ttl = 6

imap = yes
imap_server = imap.%d
imap_port = 143
imap_encryption = starttls
imap_auth_identity = %s
imap_auth = plaintext
imap_refresh_ttl = 6

sign_mobileconfig = yes
sign_cert = /usr/lib/automx/fullchain.pem
sign_key = /usr/lib/automx/privkey.pem

I don't think the DNS is the problem, but I include it for my test domain just in case. Every domain gets a unique IP address with a unique SSL certificate bound for the IMAP/POP3/SMTP services. Every domain shares a host for the autoconfig and autodiscover services. But you would see, if you looked, that SSL is strictly configured in every case. The hostnames autoconfig.xwebco.com and autodiscover.xwebco.com have valid SSL just as much as every other host defined.

$ORIGIN xwebco.com.
$TTL 6m
;
@ IN SOA ns1.massivenetworks.net. support.massivenetworks.com. (
        2017052302 ; serial
        1h         ; refresh
        30m        ; retry
        7d         ; expiration
        1h )       ; minimum
;
@       NS  ns1.massivenetworks.net.
@       NS  ns2.massivenetworks.net.
@       NS  ns3.massivenetworks.net.
;
autoconfig   A  208.139.193.134
autodiscover A  208.139.193.134
;
imap    A   208.139.204.2
lists   A   208.139.204.2
mail    A   208.139.204.2
pop3    A   208.139.204.2
smtp    A   208.139.204.2
webmail A   208.139.204.2
;
@       MX  10 mail
;
;@ MX 10 xwebco.com.mx1.frii.rcimx.net.
;@ MX 20 xwebco.com.mx2.frii.rcimx.net.
;@ MX 30 xwebco.com.mx3.frii.rcimx.net.
;@ MX 40 xwebco.com.mx4.frii.rcimx.net.
;
_autodiscover._tcp SRV 0  1 443 autodiscover
_submission._tcp   SRV 0  1 587 smtp
_pop3._tcp         SRV 0  1 110 pop3
_pop3s._tcp        SRV 10 1 995 pop3
_imap._tcp         SRV 0  1 143 imap
_imaps._tcp        SRV 10 1 993 imap
;

As shown in the attached settings-1.png, the Outlook setup script will either successfully guess at or use the automx-returned value pop3.xwebco.com for the incoming server name. The incoming username is also set to the full address. But "Test Account Settings" fails. When I click "More Settings" and go to the "Outgoing Server" tab, the box "My Server Requires Authentication" is not checked. If I simply check that box, then setup can proceed. It appears that the client is receiving the value "on" shown in the automx-test output, but is simply ignoring it.

However, to test this out I fired up Wireshark. I see a 500 Server Error on the wire, and in my (non-SSL) httpd logs for Apache there's this:

209.188.125.69 - - [29/May/2017:14:40:11 -0600] "GET /autodiscover/autodiscover.xml HTTP/1.1" 500 - "-" "WinHttpRequest"

I also see lots of DNS requests. Everything that Outlook shows in the field is apparently guessed, and not returned by automx. In the SSL logs there's this:

209.188.125.69 - - [29/May/2017:14:40:11 -0600] "POST /autodiscover/autodiscover.xml HTTP/1.1" 200 500
209.188.125.69 - - [29/May/2017:14:40:11 -0600] "POST /autodiscover/autodiscover.xml HTTP/1.1" 200 1384

Both the mail server and the automx server have valid Let's Encrypt SSL certificates covering all hostnames defined in DNS.

The attached log2.txt doesn't provide any useful errors. No other failures are recorded with the automx-test command. See the attached auto-mx.txt for the full output.

Attachments: settings-1.png (image/png, 36703 bytes), log2.txt, auto-mx.txt
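An added example, not code from the post or from automx: a small Python checker that builds the body Outlook POSTs to autodiscover.xml and reads a response the way the client does, flagging any protocol whose LoginName, Encryption, AuthRequired or port differs from what the post expects. The namespace URIs and the element names other than LoginName, Encryption and AuthRequired are the standard Outlook Autodiscover (POX) ones and are assumptions here; the sample response is constructed from the values in the automx-test output.

```python
import xml.etree.ElementTree as ET

# Standard Outlook Autodiscover (POX) namespaces (assumed, not taken from the post).
NS_OUTER = "http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006"
NS_RESP = "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"
NS_REQ = "http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006"

# The post's scheme: STARTTLS ports, full address as login, authentication required.
EXPECTED = {"SMTP": "587", "POP3": "110", "IMAP": "143"}
HOSTS = {"SMTP": "smtp", "POP3": "pop3", "IMAP": "imap"}


def build_request(email):
    """Body the client POSTs to https://autodiscover.<domain>/autodiscover/autodiscover.xml."""
    return (f'<Autodiscover xmlns="{NS_REQ}"><Request><EMailAddress>{email}</EMailAddress>'
            f"<AcceptableResponseSchema>{NS_RESP}</AcceptableResponseSchema></Request></Autodiscover>")


def check_response(xml_text, email):
    """Read a POX response as Outlook does; return the settings that would make setup fail."""
    root = ET.fromstring(xml_text)
    problems, seen = [], set()
    for proto in root.iter(f"{{{NS_RESP}}}Protocol"):
        def val(tag):
            node = proto.find(f"{{{NS_RESP}}}{tag}")
            return node.text if node is not None else None
        ptype = val("Type")
        seen.add(ptype)
        if ptype not in EXPECTED:
            continue
        for tag, want in (("Port", EXPECTED[ptype]), ("LoginName", email),
                          ("Encryption", "TLS"), ("AuthRequired", "on")):
            if val(tag) != want:
                problems.append(f"{ptype}: {tag}={val(tag)!r}, expected {want!r}")
    problems.extend(f"{p}: no Protocol block" for p in sorted(EXPECTED.keys() - seen))
    return problems


def sample_response(email, auth_required=True):
    """Constructed response carrying the values from the post; can omit AuthRequired."""
    domain = email.split("@", 1)[1]
    blocks = ""
    for ptype, port in EXPECTED.items():
        auth = "<AuthRequired>on</AuthRequired>" if auth_required else ""
        blocks += (f"<Protocol><Type>{ptype}</Type><Server>{HOSTS[ptype]}.{domain}</Server>"
                   f"<Port>{port}</Port><SPA>off</SPA><LoginName>{email}</LoginName>"
                   f"<DomainRequired>off</DomainRequired><Encryption>TLS</Encryption>{auth}"
                   "<TTL>6</TTL></Protocol>")
    return (f'<Autodiscover xmlns="{NS_OUTER}"><Response xmlns="{NS_RESP}"><Account>'
            f"<AccountType>email</AccountType><Action>settings</Action>{blocks}"
            "</Account></Response></Autodiscover>")
```

Sending build_request() by POST over https (the plain-http GET in the log returned 500) and passing the real reply to check_response() confirms whether the server side actually delivers AuthRequired=on before looking at the client.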