Closed Bug 73693 Opened 23 years ago Closed 3 years ago

Secure SMTP server needs proprietary authentication, not asking for authentication

Categories

(MailNews Core :: Networking: SMTP, defect)

Product:
MailNews Core
Component:
Networking: SMTP
Platform:
PowerPC
All
Type:
defect
Priority:
Not set
Severity:
major

Tracking

(Not tracked)

Status:
RESOLVED WORKSFORME

People

(Reporter: sheelar, Unassigned)

Details

Attachments

(1 file)

the SMTP interraction between my Moz mail client, and the msn SMTP server. I've edited my email addr out w/ "XXX"
1.70 KB, text/plain
Details 
Buildid:  2001-03-23-10  on MAC 9.0.4

While I was verifying bug 64777 found out Mac was not coming up with a password 
dialog while sending message using  SMTP server that needs password to send 
message.  I was using secure poisonivy server which requires a password to send 
the message.  
When I compose a message from the browser menu item- file/new->message,
compose and send a message should result in prompting with the password dialog 
to send the message.
change qa contact->myself, cc esther, John Myers.
QA Contact: esther → sheelar
*** Bug 77614 has been marked as a duplicate of this bug. ***
Hardware: PC → Macintosh
I'd like to confirm this bug under a 2001 build from October 30-31.  I noticed
the problem against an Exim server.  Mozilla recognizes the STARTTLS response to
the EHLO command, but ignores any AUTH response after starting the TLS session. 
Mozilla *may* work correctly if the server issues a "4xx MUST AUTH" connection,
but my server doesn't and instead refuses to relay because the user is not
authenticated.
QA Contact: sheelar → junruh
A protocol telemetry log would be most helpful.

setenv NSPR_LOG_MODULES SMTP:5

in a debug build would suffice.

Upping to critical. Changing OS to all (I'm on win2k). Nominating for 0.9.8
inclusion, and for nsbeta1. Did this work in Comm. 4.x?

This prevents MSN ISP subscribers who use email accounts other than their
msn.com account from using Mozilla mail, thus, migrating them to non Mozilla
mail clients, or over to msn.com email accounts. This means that netscape
webmail via the Mozilla email client will not work if MSN is your ISP.

MSN recently started blocking outbound port 25 messages destined for smtp
servers *other* than their own (smtp.email.msn.com). See
http://www.zdnet.com/zdnn/stories/news/0%2C4586%2C5080821%2C00.html for
reference. That means, that if you're using Mozilla mail with a non MSN account,
and MSN is your ISP, you either need to stop using your non MSN account, or you
need to configure your client to use smtp AUTH w/ secure passwords. This
configuration process is described here
http://supportservices.msn.com/us/content/qanda/qa_emailsecurity.htm#emailsecurity_outlook_98_or_2000
. You'll note that MSFT is obviously using this as an opportunity to point out
that you should exclusively be using Outlook. You can extrapolate the
instructions to Mozilla mail, but, because of this bug, it does you no good as
we don't every try to AUTH with the server.

I'll attatch my an SMTP log what illustrates the broken interraction. 

The instructions also suggest you use "Secure Password Authentication." I'm not
sure if that's different from SSL, but, I suspect it is considering if I tell
Mozilla mail to use SSL to connect w/ the smtp.email.msn.com smtp server using
SSL, it will not connect. So, I believe we have another bug that would require
impl of "Secure Password Authentication".? In this specific case, using Outlook,
I don't actually have to check that checkbox. Leaving it unchecked in Outlook
I'm still able to send mail; that's another issue though.
Severity: major → critical
Keywords: mozilla0.9.8, nsbeta1
OS: Mac System 9.x → All
The attached log shows the server advertising only the "MSN" SASL authentication
mechanism.  This mechanism isn't registered with IANA, which makes it
nonconforming.  The mechanism also is nonstandard and (as far as I know)
undocumented.

This is clearly anticompetitive behavior on the part of the server implementor.
 The server is clearly locking out SMTP clients other than their own.  There is
nothing Mozilla can do.
Perhaps Mozilla could throw up a dialog box stating that the server has locked
us out.  One problem is that there is no algorithmic way to detect whether a
particular unrecognized authentication mechanism is nonstandard or whether it is
standard but merely not supported by Mozilla.

No question that the behavior is anti-competative.

I think there are two bugs here: this one, and the one you and I site (the
proprietary PWD auth mechanism). I was able to use Outlook Express w/ out the
Secure Pwd Auth turned on (although they implied it was required). I think we
need to fix this bug and at least send over the uname and pwd. If we can't do
that, then let's remove the prefs dialog UI for it; which is obviously misleading.
The feature works just fine on servers that are standards-compliant; it can't be
removed.
huh? I don't know IMAP, but, I don't see any attempt in that log I posted on Moz
mail's part to send a username to what appears to be a std IMAP command comming
from the server "AUTH". Is that "AUTH" non-standard? Again, I think there are
two issues here; someone prove otherwise please.
Mozilla cannot send a username and password to smtp.email.msn.com because that
server does not advertise either of the password-based authentication mechanisms
Mozilla supports.  Similarly, Mozilla cannot send a client cert to a server that
doesn't advertise the capability to do SSL.

Password authentication is in the base spec for IMAP, but SMTP AUTH is is an
SMTP extension.  AUTH is standards track, but is not required to be implemented.
 Even if AUTH is implemented, there is no particular required mechanism.  See
RFC 2554.

The log you posted is SMTP, not IMAP.

Right, I meant to say SMTP, thanks for the clarification. Do I hear a WONTFIX
resolution for this bug?
Correcting Summary, closing WONTFIX.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → WONTFIX
Summary: Secure SMTP sever needs authentication to send, not asking for authentication → MSN SMTP sever needs proprietary authentication, not asking for authentication
hmm, I'm not sure that's the right summary, other people have reported this
problem w/ other servers too (servers that would suprise me if they were using
the MS proprietary model as well; I think there's still another bug here :-) ).
Problems with other servers need to be filed separately, complete with telemetry
log.

reverting the settings to pre-Judson keywords and nominations. Moving back to
Mac OS only. Judson's issue is with the proprietary MSN protocol and we ended up
incorrectly hijacking this bug for that issue. While his issue looks to be a
won't fix we haven't looked into the original bug report which has nothing to do
with MSN  SMTP servers. We still need a log on the mac of the original situation
to start looking at that.
Severity: critical → major
Status: RESOLVED → REOPENED
Keywords: mozilla0.9.8, nsbeta1
Resolution: WONTFIX → ---
Summary: MSN SMTP sever needs proprietary authentication, not asking for authentication → Secure SMTP sever needs proprietary authentication, not asking for authentication
QA > esther
QA Contact: junruh → esther
Seing same behaviour with Mozilla 1.2.1 (built on Yellow Dog Linux 2.3 from
mozilla-1.2.1-0_rh7.srpm) and postfix-tls (postfix 1.1.11+tls0.7.15-0.woody1)
package in Debian Stable (woody).

Gave SASL option "noplaintext" to disable all plaintext authentication methods.
 When this option is in force Mozilla will _not_ authenticate, with or without
TLS.  EHLO AUTH string looks like this:

250-AUTH DIGEST-MD5 CRAM-MD5 GSSAPI
250-AUTH=DIGEST-MD5 CRAM-MD5 GSSAPI

Once I enable plaintext passwords again Mozilla authenitcades as soon as TLS has
been started.  The EHLO AUTH string now looks like this:

250-AUTH DIGEST-MD5 LOGIN PLAIN CRAM-MD5 GSSAPI
250-AUTH=DIGEST-MD5 LOGIN PLAIN CRAM-MD5 GSSAPI

Fortunately I can disable AUTH outside TLS so that plaintext passwords are a
viable alternative.

My preferences are as follows:

user_pref("mail.smtp.defaultserver", "smtp1");
user_pref("mail.smtpserver.smtp1.auth_method", 1);
user_pref("mail.smtpserver.smtp1.hostname", "smtps.langfeldt.net");
user_pref("mail.smtpserver.smtp1.port", 465);
user_pref("mail.smtpserver.smtp1.try_ssl", 2);
user_pref("mail.smtpserver.smtp1.username", "janl");
user_pref("mail.smtpservers", "smtp1,smtp1");

A interesting feature is the repitition of the same smtp server twice, also in
the GUI.  But this seems harmless.

This seems to be an old bug that has been addressed. It has either been fixed by
version 1.4b or is addressed by one or more of the following bugs: bug 150212,
bug 154099, bug 155172, bug 190775, bug 202148, bug 204371 . I say it should be
closed.

This is my first bug files, please excuse and errors or omissions.

My provider, Verizon, allows 4 email addresses. I set up 4, using the advanced
outgoing server (SMTP) settings, to create 4 outgoing servers so that I could
assign the unique userid/password to emails sent from each account, which is
required by Verizon. This worked fine for several months for both incoming and
outgoing mail. However about a week ago when I tried to send an email from one
of the accounts I received

'sending of message failed - The message could not be sent because connecting to
SMTP server outgoing.verizon.net failed. The server may be unavailable or
refusing SMTP connections. Please verify that your SMTP connection server
setting is correct and try again, or else contact your network administrator'

I contacted Verizon and all was O.K. their end, I am still able to use the email
address using Verizon's website. I can also receive emails on my local machine,
but cannot send. The other 3 addresses can send and receive. I tried installing
1.4 again. I also tried deleting and setting up the account again. I read on one
sight that multiple SMTP's could be problematic.

I am running W98 on a Pentium 3.
This bug is still there. Since 4 month now I´m using Opera to send my mails. I
have 3 mail accounts all at different domains. For none of them sending a mail
works.

error message:

An error occurred while sending mail. The mailserver responded: 5.7.1
<myemail@gmx.de>... Relaying denied. Please verify that your email address is
correct in your Mail preferences and try again.

I completely removed my Mozilla (1.5) and installed a new version (1.6) but that
did not help.

When I switched to Oprea for sending mails I got an error message with the same
errorcode as above (5.7.1) but with the authentication it worked then (for all
three accounts).
Unfortunately Mozilla doen´t ask for a password and there is no way to set one
(in the SMTP settings one can only set a username but no password).

Please fix this. Like this the Mozilla mail client is useless.

system: WindowsXP SP1
Mozilla can't implement an undocumented, proprietary mechanism.  There isn't a
much better response for it to take than to try sending the mail anyway. 
Suggest WONTFIX
In "Mail account settings -> Outgoing Server (SMTP) Settings" one can select a
checkbox called "use name and password" and then enter a "user name". BUT THERE
IS NO FIELD FOR THE "PASSWORD"!!! That is the problem.

Opera asked me for the authentication password, Mozilla does not!

When all this is "an undocumented, proprietary mechanism", why do I have the
options in the settings to turn it on and specify a user name? And why do other
email clients can do it?
(In reply to comment #25)
> In "Mail account settings -> Outgoing Server (SMTP) Settings" one can select a
> checkbox called "use name and password" and then enter a "user name". BUT THERE
> IS NO FIELD FOR THE "PASSWORD"!!! That is the problem.
> 
> Opera asked me for the authentication password, Mozilla does not!
> 
> When all this is "an undocumented, proprietary mechanism", why do I have the
> options in the settings to turn it on and specify a user name? And why do other
> email clients can do it?

antx:  Have you possibly changed your password at some point before this stopped
working?  If so, mozilla is probably sending the wrong password.  You are
correct that there is no way to enter the password in the Preferences dialog. 
But the first time you try and send, Mozilla will prompt for the password.  It
will only do this if there is no saved password for the server.  To check if
there is a saved password, go to Tools->Password Manager->Manage Saved passwords
and then scroll down the list until you see entries beginning with 'smtp://'. 
If you see your server and username that is not working, try deleting them and
then try and send a mail message. 

Kevin
Kevin: yes, I checked this. There is no SMTP password stored in my password
manager. I even removed all passwords from the manager, but Mozilla never asked
for a password for the SMTP authentication after that either.

Before this stopped working I never needed a password for authentication. It was
from one day to another that it stopped. Only with Opera I figured that the
authentication was the problem (Mozilla's error message was not quite helpful). 

Thanx anyway for your response!
antx:

A log file with an attempt to send a message would be very helpful.  See
http://www.mozilla.org/quality/mailnews/mail-troubleshoot.html  -- Use SMTP
instead of IMAP when setting variables, e.g. ENV:NSPR_LOG_MODULES=SMTP:5

Also, your settings in Opera that work would be advantageous.

Kevin
This may sound strange now, but I got it to work, even if I don´t understand it.
That's what I did:

- set NSPR_LOG_MODULES=SMTP:5  and  set NSPR_LOG_FILE=c:\temp\mylog.txt  and 
start mozilla
- composed a mail and tried to send it: without success.
- quit mozilla and checked the logfile: two SMTP servers where mentioned there
both for diferent accounts.
- I started mozilla again, removed in the SMTP-settings->Advanced the one
SMTP-server that I was not using in this test.
- composed another mail and tried to send it: without success.
- I quit mozilla and started mozilla again, composed another mail and tried to
send it: and now I got the request for a password. I typed my PW and the mail
was sent out.

I put the other SMTP-server in again (and removed the PW from the PW-manager)
just to test if this was really it, but I got the request for the password
again. Unfortunately the logfile from the first test got overwritten and since I
now get the password request my new logfile is most likely useless.

(btw. my other two email accounts work now as well... very weird)
Product: MailNews → Core
Assignee: mscott → nobody
Status: REOPENED → NEW
QA Contact: esther
Summary: Secure SMTP sever needs proprietary authentication, not asking for authentication → Secure SMTP server needs proprietary authentication, not asking for authentication
Product: Core → MailNews Core
QA Contact: networking.smtp

WFM per comment 29

Status: NEW → RESOLVED
Closed: 23 years ago3 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: