Outlook smtp authentication missing

Mike Lewinski mlewinski at massivenetworks.com
Mon May 29 22:58:42 CEST 2017


On our mail server the usernames are always full email address. The DNS across all domains is standardized to use this schema: pop3.domain.com (110/STARTTLS), imap.domain.com (143/STARTTLS) and smtp.domain (587/STARTTLS). 

I've added SRV records to all domains for clients that might require SRV records. While we allow SSL on alternative ports 465/993/995, it is considered deprecated and we are doing our best to discourage it by setting appropriate weights on the SRV records.

We need users to authenticate before sending SMTP using their full email address and the same password that is used for POP3/IMAP. 

I've used the automx-test command to examine the output. It contains the values I want, and is apparently being received by the client. But Outlook is not accepting the values, or more specifically not accepting one last checkbox requirement for SMTP authentication.

$ automx-test mike at xwebco.com

...

Testing Autodiscover (Microsoft Outlook(tm)) ...
Connecting to https://autodiscover.xwebco.com/autodiscover/autodiscover.xml ...

  HTTP/1.1 200 OK
  Date: Mon, 29 May 2017 19:32:24 GMT
  Server: Apache
  Content-Length: 1384
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: text/xml
<?xml version='1.0' encoding='utf-8'?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol>
        <Type>SMTP</Type>
        <Server>smtp.xwebco.com</Server>
        <Port>587</Port>
        <DomainRequired>off</DomainRequired>
        <LoginName>mike at xwebco.com</LoginName>
        <SPA>off</SPA>
        <Encryption>TLS</Encryption>
        <AuthRequired>on</AuthRequired>
        <TTL>6</TTL>
      </Protocol>
      <Protocol>
        <Type>POP3</Type>
        <Server>pop3.xwebco.com</Server>
        <Port>110</Port>
        <DomainRequired>off</DomainRequired>
        <LoginName>mike at xwebco.com</LoginName>
        <SPA>off</SPA>
        <Encryption>TLS</Encryption>
        <AuthRequired>on</AuthRequired>
        <TTL>6</TTL>
      </Protocol>
      <Protocol>
        <Type>IMAP</Type>
        <Server>imap.xwebco.com</Server>
        <Port>143</Port>
        <DomainRequired>off</DomainRequired>
        <LoginName>mike at xwebco.com</LoginName>
        <SPA>off</SPA>
        <Encryption>TLS</Encryption>
        <AuthRequired>on</AuthRequired>
        <TTL>6</TTL>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>

These are the key values above that I'm expecting:

LoginName = mike at xwebco.com
Encryption = TLS
AuthRequired = on 

This is what's actually in my /etc/automx.conf file. As you can see, it is very simple. I do not need to transform any usernames or look up anything in a database. I just need to extract the domain name from the email address to construct the server names. The full email address is used for the service auth_identity values without exception.

[global]
backend = static
action = settings
account_name = %s
account_name_short = %s

smtp = yes
smtp_server = smtp.%d
smtp_port = 587
smtp_encryption = starttls
smtp_auth = plaintext
smtp_auth_identity = %s
smtp_refresh_ttl = 6
smtp_default = yes

pop = yes
pop_server = pop3.%d
pop_port = 110
pop_encryption = starttls
pop_auth_identity = %s
pop_auth = plaintext
pop_refresh_ttl = 6

imap = yes
imap_server = imap.%d
imap_port = 143
imap_encryption = starttls
imap_auth_identity = %s
imap_auth = plaintext
imap_refresh_ttl = 6

sign_mobileconfig = yes
sign_cert = /usr/lib/automx/fullchain.pem
sign_key = /usr/lib/automx/privkey.pem

I don't think the DNS is the problem, but I include it for my test domain just in case. Every domain gets a unique IP address with unique SSL certificate bound for IMAP/POP3/SMTP services. Every domain shares a host for autoconfig and autodiscover services. But you would see if you looked that the SSL is strictly configured in every case. The hostnames autoconfig.xwebco.com and autodiscover.xwebco.com have valid SSL just as much as every other host defined.

$ORIGIN xwebco.com.
$TTL 6m
;
@               IN      SOA     ns1.massivenetworks.net. support.massivenetworks.com. (
                                2017052302      ; serial
                                1h              ; refresh
                                30m             ; retry
                                7d              ; expiration
                                1h )            ; minimum
;
@                       NS      ns1.massivenetworks.net.
@                       NS      ns2.massivenetworks.net.
@                       NS      ns3.massivenetworks.net.
;
autoconfig              A       208.139.193.134
autodiscover            A       208.139.193.134
;
imap                    A       208.139.204.2
lists                   A       208.139.204.2
mail                    A       208.139.204.2
pop3                    A       208.139.204.2
smtp                    A       208.139.204.2
webmail                 A       208.139.204.2
;
@                       MX      10 mail
;
;@                      MX      10 xwebco.com.mx1.frii.rcimx.net.
;@                      MX      20 xwebco.com.mx2.frii.rcimx.net.
;@                      MX      30 xwebco.com.mx3.frii.rcimx.net.
;@                      MX      40 xwebco.com.mx4.frii.rcimx.net.
;
_autodiscover._tcp      SRV  0  1 443 autodiscover
_submission._tcp        SRV  0  1 587 smtp
_pop3._tcp              SRV  0  1 110 pop3
_pop3s._tcp             SRV 10  1 995 pop3
_imap._tcp              SRV  0  1 143 imap
_imaps._tcp             SRV 10  1 993 imap
;

As shown in attached settings-1.png, the Outlook setup script will either successfully guess at or use the automx returned value pop3.xwebco.com for the incoming server name. The incoming username is also set to the full address. But "Test Account Settings" fails. When I click "More Settings" and go to the "Outgoing Server" tab, the box "My Server Requires Authentication" is not checked. If I simply check that box, then setup can proceed. 

It appears that the client is receiving the value <AuthRequired>on</AuthRequired> shown in the automx-test output, but is simply ignoring it.

However, to test this out I fired up Wireshark. I see a 500 Server Error on the wire, and in my (non-SSL) httpd logs for Apache there's this:

209.188.125.69 - - [29/May/2017:14:40:11 -0600] "GET /autodiscover/autodiscover.xml HTTP/1.1" 500 - "-" "WinHttpRequest"

I also see lots of DNS requests. Everything that Outlook shows in the field is apparently guessed, and not returned by automx.

In the SSL logs there's this:

209.188.125.69 - - [29/May/2017:14:40:11 -0600] "POST /autodiscover/autodiscover.xml HTTP/1.1" 200 500
209.188.125.69 - - [29/May/2017:14:40:11 -0600] "POST /autodiscover/autodiscover.xml HTTP/1.1" 200 1384

Both mail server and automx server have valid letsencrypt SSL certificates covering all hostnames defined in DNS.

log2.txt attached doesn't provide any useful errors. No other failures are recorded with the automx-test command. See auto-mx.txt attached for the full output.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: settings-1.png
Type: image/png
Size: 36703 bytes
Desc: settings-1.png
URL: <https://mail.sys4.de/pipermail/automx-users/attachments/20170529/2a1f845c/attachment-0001.png>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: log2.txt
URL: <https://mail.sys4.de/pipermail/automx-users/attachments/20170529/2a1f845c/attachment-0002.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: auto-mx.txt
URL: <https://mail.sys4.de/pipermail/automx-users/attachments/20170529/2a1f845c/attachment-0003.txt>
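Added example, not part of the original post and not automx code: a small audit of an Autodiscover response against the policy the post describes (STARTTLS ports 587/110/143, authentication required, full address as login). It checks only what the server advertises, not what Outlook does with it; the function name, the example.test hosts and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"o": "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"}
# Ports taken from the naming scheme in the post (all STARTTLS).
EXPECTED_PORTS = {"SMTP": "587", "POP3": "110", "IMAP": "143"}

# Constructed sample (not captured output): the SMTP block is deliberately weak.
SAMPLE = """<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
 <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
  <Account>
   <AccountType>email</AccountType>
   <Action>settings</Action>
   <Protocol>
    <Type>SMTP</Type><Server>smtp.example.test</Server><Port>25</Port>
    <LoginName>user</LoginName><AuthRequired>off</AuthRequired>
   </Protocol>
   <Protocol>
    <Type>IMAP</Type><Server>imap.example.test</Server><Port>143</Port>
    <LoginName>user@example.test</LoginName>
    <Encryption>TLS</Encryption><AuthRequired>on</AuthRequired>
   </Protocol>
  </Account>
 </Response>
</Autodiscover>"""


def audit_autodiscover(xml_text, expected_login):
    """Return (protocol, finding) pairs for settings that break the stated policy."""
    findings = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    for proto in root.iterfind(".//o:Protocol", NS):
        def field(tag):
            return (proto.findtext("o:" + tag, default="", namespaces=NS) or "").strip()
        ptype = field("Type")
        # Policy assumption: every protocol must advertise Encryption explicitly.
        if field("Encryption").upper() not in ("TLS", "SSL"):
            findings.append((ptype, "no TLS/SSL advertised"))
        if field("AuthRequired").lower() != "on":
            findings.append((ptype, "AuthRequired is not on"))
        if field("LoginName") != expected_login:
            findings.append((ptype, "LoginName is not the full address"))
        if field("Port") != EXPECTED_PORTS.get(ptype):
            findings.append((ptype, "unexpected port " + field("Port")))
    return findings


if __name__ == "__main__":
    for ptype, finding in audit_autodiscover(SAMPLE, "user@example.test"):
        print(ptype, "-", finding)
```

An empty result means the advertised settings match the policy, which is the case for the automx-test output quoted in the post.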

