-
1. Re: Security for sending mail out
rgjawanda Jun 16, 2006 9:02 PM (in response to rgjawanda)I should specify that the admi@mydomain.com
was create using the createMailbox function
in the jmx-console. It isn't a real user on the system. -
2. Re: Security for sending mail out
gohip Jun 17, 2006 3:52 PM (in response to rgjawanda)550 is not authorized, meaning it sounds like you configured JBoss Mail to require authentication, when sending email. You could test, by telnetting, and trying to authenticate
if you selected require ssl, it is a pain to test auth, and you need to use openssl, if not using ssl, then you just pass the user, and password, swimilar to this...
Note: this was gathered from, web, not sure where...
Testing
I use the plain authentication method for testing. To do this you need to convert the username and password into a base64 encoded string. For example, if you have username user and password pass, you would type:
server$ printf 'user\0user\0pass' | mimencode
dXNlcgB1c2VyAHBhc3M=
So the string is the username and password joined together with \0 between them. The username is needed twice. To test it, telnet to the SMTP port of your server and type the auth commands.
server$ telnet mail.my.server 25
Trying 10.1.2.3
Connected to 10.1.2.3.
Escape character is '^]'.
220 mail.my.server ESMTP Postfix
EHLO blah
250-mail.my.server
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN CRAM-MD5 DIGEST-MD5
250-AUTH=LOGIN PLAIN CRAM-MD5 DIGEST-MD5
250-XVERP
250 8BITMIME
auth plain dXNlcgB1c2VyAHBhc3M=
235 Authentication successful
I've used a EHLO instead of the normal HELO as this is an extended hello, so the server gives you a list of things it can do. Notice that there are two AUTH lines, this is due to the broken_sasl_auth_clients line in /etc/postfix/main.cf.
You may have different authentication modules, it depends on what packages you have installed.
The important thing is the server's response to your commands is 235 Authentication successful. This means that it recognizes the username and password. If it doesn't, it returns a 535 Error: authentication failed. If you get a failed message, check the mail logs. The logs should tell you why the authentication failed.
Instead of using the plain authentication, you might want to use the LOGIN method. Once again mimencode is used to get the base64 encoding:
server$ printf 'user' | mimencode
dXNlcg==
server$ printf 'pass' | mimencode
cGFzcw==
You now have the two base64 encoded strings, to test this method is very similar to the PLAIN method.
server$ telnet 10.1.2.3 25
Trying 10.1.2.3...
Connected to 10.1.2.3.
Escape character is '^]'.
220 my.mail.server ESMTP Postfix
EHLO blah
250-my.mail.server
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN CRAM-MD5 DIGEST-MD5
250-AUTH=LOGIN PLAIN CRAM-MD5 DIGEST-MD5
250-XVERP
250 8BITMIME
auth login
334 VXNlcm5hbWU6
dXNlcg==
334 UGFzc3dvcmQ6
cGFzcw==
235 Authentication successful
You might wonder what that strange text is after the 334 numbers. Once again mimencode can help. It's a base64 encoding of the response from the mail server. -
3. Re: Security for sending mail out
rgjawanda Jun 18, 2006 3:53 PM (in response to rgjawanda)I don't want to have to authenticate.
I just don't want people using my system as a relay but I don't really know much about relays.
I want to be able to telnet to port 25 and use e-mail without auth
I have these
Should I set the first 2 to false
Thanks for your help.
Ron
true
true
false
AUTH LOGIN PLAIN
true
10000000 -
4. Re: Security for sending mail out
rgjawanda Jun 18, 2006 3:55 PM (in response to rgjawanda)Woops... It took out my xml tags.
Should the first 3 be false?
AuthRequired true
AuthAllowed true
VerifyIdentity true
RelayByDomain false
AuthMethods AUTH LOGIN PLAIN -
5. Re: Security for sending mail out
gohip Jun 18, 2006 4:37 PM (in response to rgjawanda)authrequired, should be false if you dont want to require auth
authallowed, can stay where it is, i.e. true
verifyidentity, ehh, dont know how that will effect anything means make sure the person sending email, is the same person that authenticated
Relaybydomain is always false
I think...
the way it works, is that auth is not required, if someone is sending an email to a user with a local mailbox...
but if email is being sent through the mail server, auth should be required
if you dont require auth, when sending an email through mail server, it is a bad thing
my boss, setup smtp service on our windows 2003 server, and within hours, someone had found it, and used it to send out approx 10,000 emails
beware...
why dont you want to have to auth? -
6. Re: Security for sending mail out
rgjawanda Jun 18, 2006 4:57 PM (in response to rgjawanda)Thanks for the tips. I'll use auth.
Back to the drawing board for me.
I'm really close with the listener.
Thanks -
7. Re: Security for sending mail out
rgjawanda Jun 18, 2006 10:39 PM (in response to rgjawanda)I got the authentication working sort of. I had to modify the CMDAuth slightly to put a | as well as a \0 for the tokenizer. I just couldn't get my string base64 encoded so that the tokenizer could understand it. Strange.
Also, it is only the username\0password now. Maybe it was 2 usernames before but the code does not need 2 usernames.
Anyway the auth works.
Now I have the strangest thing. I authenticate ok and then it tries to send the mail using someone else's smtp host.
My server IP is 209.161.247.125
mail73.megamailservers.com is my ISP's mail server.
I send the mail from user@localhost to my gmail account.
It says relaying is denied but I noticed it isn't even my mail server.???
???
Do you have any idea why it would be doing that?
When Jboss mail isn't running I can't telnet to my ip on port 25 so I know it is jboss doing it.
This is bad. I think they will have me on the bad persons list because I tried to send about 100 times.
Thanks
Ron
... 46 more
22:30:18,171 INFO [STDOUT] S:
220 mail73.megamailservers.com ESMTP Sendmail 8.13.6/8.13.1; Sun, 18 Jun 2006 22
:30:21 -0400
22:30:18,171 INFO [STDOUT] C:
EHLO [192.168.1.103]
22:30:18,203 INFO [STDOUT] S:
250-mail73.megamailservers.com Hello [209.161.247.125], pleased to meet you
22:30:18,203 INFO [STDOUT] S:
250-ENHANCEDSTATUSCODES
22:30:18,203 INFO [STDOUT] S:
250-PIPELINING
22:30:18,203 INFO [STDOUT] S:
250-8BITMIME
22:30:18,203 INFO [STDOUT] S:
250-SIZE 52428800
22:30:18,203 INFO [STDOUT] S:
250-DSN
22:30:18,203 INFO [STDOUT] S:
250-AUTH PLAIN LOGIN
22:30:18,203 INFO [STDOUT] S:
250-STARTTLS
22:30:18,203 INFO [STDOUT] S:
250-DELIVERBY
22:30:18,203 INFO [STDOUT] S:
250 HELP
22:30:18,203 INFO [STDOUT] C:
MAIL FROM:<rjawanda@localhost>
22:30:18,265 INFO [STDOUT] S:
250 2.1.0 <rjawanda@localhost>... Sender ok
22:30:18,265 INFO [SMTPSender] Sending mail from: <rjawanda@localhost>
22:30:18,265 INFO [STDOUT] C:
RCPT TO:<ronjawanda@gmail.com>
22:30:18,343 INFO [STDOUT] S:
550 5.7.1 <ronjawanda@gmail.com>... Relaying denied: You must check for new mail
before sending m\
22:30:18,343 INFO [STDOUT] S:
ail. [209.161.247.125]
22:30:18,343 ERROR [SMTPSender] Invalid Address: <ronjawanda@gmail.com>
22:30:18,343 WARN [SMTPSender] Skipped data send, no valid addresses
22:30:18,343 ERROR [LogInterceptor] TransactionRolledbackLocalException in metho
d: public abstract void javax.jms.MessageListener.onMessage(javax.jms.Message),
causedBy: -
8. Re: Security for sending mail out
gohip Jun 19, 2006 12:06 PM (in response to rgjawanda)I see some typos in the email acct you were trying to use at gmail, sure it is valid?
and with the auth, i had issues with that also.
in your out, i see ronjawanda, and rjawanda... -
9. Re: Security for sending mail out
rgjawanda Jun 19, 2006 8:41 PM (in response to rgjawanda)No that isn't it. rjawanda@localhost is my local user account. ronjawanda@gmail.com is my e-mail account on gmail.
It should not be sending e-mail using their e-mail server but should be using mine to send out.
Do you see what I mean. It assumes I am trying to use mail73.megamailservers.com (which isn't mine) as a relay machine.
It is doing the wrong thing.
Maybe I'm configured wrong somehow but I cant see why it would be connecting to that Ip address.
It has me baffled. -
10. Re: Security for sending mail out
rgjawanda Jun 19, 2006 9:00 PM (in response to rgjawanda)After your authentication are you actually able to send out mail?
I have no idea now how to configure my system.
It said 10 minutes to configure but I am totally lost.
I can receive no problem but sending out is a comlete nightmare.
Right out of th box I use the webmail and can't send mail to anyone.
I must be doing something wrong in the configuration.
I'm going to give up in 2 more days I think. Then I'll go back to MS mail server. I've about had it. I can send e-mail with Microsoft mail server (ie: running IIS SMTP mail on my machine so I know it isn't my machine).
Guess I've run on too long here. I'll have to have a beer and forget about it. -
11. Re: Security for sending mail out
gohip Jun 20, 2006 3:40 PM (in response to rgjawanda)you didnt enable relaying to other mail servers, or realying to gateway mail servers? you left those blank, correct?
I dont know why it would attempt to send the mail through their mail server, I have never seen that... -
12. Re: Security for sending mail out
gohip Jun 20, 2006 3:43 PM (in response to rgjawanda)and, yes, after auth I can send mail out through my mail server to a server, such as gmail, or if I add gmail.com, as an allowed relay domain, it allows me to send there without authenticating, but note, this would mean, anyone could send mail through our mail server to gmail, thus opening up spam possiblities.
if you would like to post your jboss-service.xml, or mail it to me, I'll glance at it, and try and point out differeneces if any.
Beer, sounds good! -
13. Re: Security for sending mail out
gohip Jun 20, 2006 4:01 PM (in response to rgjawanda)looking again at your output, gmail thinks your trying to relay mail, which it wont let you, the domain, after your email user name, i.e. localhost, should be changed, to exactly match your "real" domain
also try hotmail, or yahoo, as they are not as picky, it took me a while to get mail to pass gmail's spam filters
heres an example:
telnet into new JBossMail smtp server
say ehlo "YOUR COMPUTER NAME"
say mail from "user@your.domain.com"
say mail to "user@gmail.com"
send data info
quit
now when the mail server, goes to connect to gmail
it has to say ehlo your.domain.com
right now, it is not, based on this...
EHLO [192.168.1.103]
22:30:18,203 INFO [STDOUT] S:
250-mail73.megamailservers.com Hello [209.161.247.125], pleased to meet you
and
22:30:18,265 INFO [SMTPSender] Sending mail from: <rjawanda@localhost>
your telling gmail, that your server name is 192.168.1.103
your also telling gmail that your user authenticated, or has a mailbox at localhost, which is a lie
then this 209.161.247.125, is what gmail, really deduces your ip address to be
gmail, will continue to think your relaying, at a minimum, until you fix that user@localhost
then, it may still get pissed off, or at least junked, if mail server name sending from, does not match what you connecting with physically, i.e. the NIC
mail73.megamailservers.com , what is this, is it one of gmails servers, i didnt see it in list...
> gmail.com
Server: ns2.ph.cox.net
Address: 68.2.16.25
Non-authoritative answer:
gmail.com MX preference = 10, mail exchanger = alt2.gmail-smtp-in.l.google.com
gmail.com MX preference = 50, mail exchanger = gsmtp163.google.com
gmail.com MX preference = 50, mail exchanger = gsmtp183.google.com
gmail.com MX preference = 5, mail exchanger = gmail-smtp-in.l.google.com
gmail.com MX preference = 10, mail exchanger = alt1.gmail-smtp-in.l.google.com
gmail.com nameserver = ns2.google.com
gmail.com nameserver = ns3.google.com
gmail.com nameserver = ns4.google.com
gmail.com nameserver = ns1.google.com
gmail-smtp-in.l.google.com internet address = 64.233.163.114
gmail-smtp-in.l.google.com internet address = 64.233.163.27
alt1.gmail-smtp-in.l.google.com internet address = 64.233.185.114
alt1.gmail-smtp-in.l.google.com internet address = 64.233.185.27
alt2.gmail-smtp-in.l.google.com internet address = 64.233.183.114
alt2.gmail-smtp-in.l.google.com internet address = 64.233.183.27
gsmtp163.google.com internet address = 64.233.163.27
gsmtp183.google.com internet address = 64.233.183.27
ns1.google.com internet address = 216.239.32.10
ns2.google.com internet address = 216.239.34.10
ns3.google.com internet address = 216.239.36.10
ns4.google.com internet address = 216.239.38.10 -
14. Re: Security for sending mail out
gohip Jun 28, 2006 10:30 PM (in response to rgjawanda)still alive there rgjawanda?