smtp-auth from localhost only??

This is a discussion on smtp-auth from localhost only?? within the alt.comp.mail.qmail forums, part of the Mail Servers and Related category.


#1
02-27-2004
Mark Clements

Greetings.

I've been maintaining qmail servers for years now, but this is my
first smtp-auth installation.

----

Vital info:
qmail-1.03 with the 0.31 smtpd-auth patch
vpopmail 5.4.0

----

contents of /var/qmail/supervise/qmail-smtpd/run:

#!/bin/sh

# tcpserver drops privileges to the qmaild uid/gid looked up here
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
LOCAL=`head -1 /var/qmail/control/me`

if [ -z "$QMAILDUID" -o -z "$NOFILESGID" -o -z "$MAXSMTPD" -o -z "$LOCAL" ]; then
    echo QMAILDUID, NOFILESGID, MAXSMTPD, or LOCAL is unset in
    echo /var/qmail/supervise/qmail-smtpd/run
    exit 1
fi

if [ ! -f /var/qmail/control/rcpthosts ]; then
    echo "No /var/qmail/control/rcpthosts!"
    echo "Refusing to start SMTP listener because it'll create an open relay"
    exit 1
fi

# qmail-smtpd arguments with the smtp-auth patch: hostname, the
# checkpassword program (vchkpw), and the subprogram it runs (/bin/true)
exec /usr/local/bin/softlimit -m 4000000 \
    /usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
    /var/qmail/bin/qmail-smtpd "$LOCAL" /home/vpopmail/bin/vchkpw /bin/true 2>&1

----

So, after the install, I telnet to port 25, and I see this:

(all hosts altered to protect the innocent...)

mpc@foo:~(1001)$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 xxx.xxx.net ESMTP
EHLO
250-xxx.xxx.net
250-AUTH LOGIN CRAM-MD5 PLAIN
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-PIPELINING
250 8BITMIME
QUIT
221 xxx.xxx.net
Connection closed by foreign host.

So far, so good. But, if I telnet in from a different machine, on a
different network, I get:

mpc@bar:~(45)$ telnet xx.xx.xx.xx 25
Trying xx.xx.xx.xx...
Connected to xx.xx.xx.xx.
Escape character is '^]'.
220 ********************* <-(not my edit, it's what comes back)
EHLO
502 unimplemented (#5.5.1)
HELO
250 xxx.xxx.net
QUIT
221 xxx.xxx.net
Connection closed by foreign host.


I'm perplexed. Was there a config option I missed, that tells
qmail-smtpd to only do smtp-auth 127.*??

Any clues?
#2
02-27-2004
Jonathan de Boyne Pollard

MC> I'm perplexed.

Why ? Isn't

MC> 220 ********************* <-(not my edit, it's what comes back)

enough of a clue that you aren't actually talking directly
to your "qmail" SMTP Relay server but to something else entirely ?

Hint: We can now deduce what type of firewall you have.
#3
02-28-2004
Thomas Krug

Mark Clements <mclements@interpublic.com> wrote:
> Greetings.
>
> I've been maintaining qmail servers for years now, but this is my
> first smtp-auth installation.
>
> ----
>
> Vital info:
> qmail-1.03 with the 0.31 smtpd-auth patch
> vpopmail 5.4.0
>
> ----
>
> [...]
>
> So, after the install, I telnet to port 25, and I see this:
>
> (all hosts altered to protect the innocent...)
>
> mpc@foo:~(1001)$ telnet localhost 25
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 220 xxx.xxx.net ESMTP
> EHLO
> 250-xxx.xxx.net
> 250-AUTH LOGIN CRAM-MD5 PLAIN
> 250-AUTH=LOGIN CRAM-MD5 PLAIN
> 250-PIPELINING
> 250 8BITMIME
> QUIT
> 221 xxx.xxx.net
> Connection closed by foreign host.
>
> So far, so good. But, if I telnet in from a different machine, on a
> different network, I get:
>
> mpc@bar:~(45)$ telnet xx.xx.xx.xx 25
> Trying xx.xx.xx.xx...
> Connected to xx.xx.xx.xx.
> Escape character is '^]'.
> 220 ********************* <-(not my edit, it's what comes back)
> EHLO
> 502 unimplemented (#5.5.1)
> HELO
> 250 xxx.xxx.net
> QUIT
> 221 xxx.xxx.net
> Connection closed by foreign host.
>
>
> I'm perplexed. Was there a config option I missed, that tells
> qmail-smtpd to only do smtp-auth 127.*??
>
> Any clues?





Looks like there's a firewall between your client and the mailserver
including some smtp filtering.

> 220 ********************* <-(not my edit, it's what comes back)


This looks like e.g. cisco pix using smtp fixup
-> you can only use standard smtp with that configuration (HELO)
-> no esmtp
-> no smtp auth

Try connecting from a different internet connection (without smtp-filtering
firewall)

Best regards
Thomas.





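The two telnet sessions in this thread differ in exactly the ways the reply above lists. As an added example (not part of any post in the thread), the Python below checks a captured session for those signs: a masked 220 banner, EHLO refused while HELO works, and no AUTH advertised. The transcripts are constructed from the sessions quoted above; the function names and the 50% asterisk threshold are assumptions.

```python
import re

# Constructed transcripts modelled on the two sessions quoted in the thread:
# server replies only, keyed by the command that produced them.
DIRECT = {
    "banner": "220 xxx.xxx.net ESMTP",
    "EHLO": "250-xxx.xxx.net\n250-AUTH LOGIN CRAM-MD5 PLAIN\n"
            "250-AUTH=LOGIN CRAM-MD5 PLAIN\n250-PIPELINING\n250 8BITMIME",
}
FILTERED = {
    "banner": "220 *********************",
    "EHLO": "502 unimplemented (#5.5.1)",
    "HELO": "250 xxx.xxx.net",
}


def auth_mechanisms(ehlo_reply):
    """Return the AUTH mechanisms advertised in an EHLO reply, de-duplicated."""
    mechs = []
    for line in ehlo_reply.splitlines():
        # Matches both "250-AUTH LOGIN ..." and the legacy "250-AUTH=LOGIN ..."
        m = re.match(r"250[- ]AUTH[ =](.*)", line, re.I)
        if not m:
            continue
        for mech in m.group(1).upper().split():
            if mech not in mechs:
                mechs.append(mech)
    return mechs


def diagnose(replies):
    """List the signs that an SMTP-rewriting device sits in the path."""
    signs = []
    banner_text = replies.get("banner", "")[4:]  # drop the "220 " prefix
    # Assumed threshold: more than half the banner text replaced by '*'
    if banner_text and banner_text.count("*") / len(banner_text) > 0.5:
        signs.append("banner masked with asterisks")
    ehlo = replies.get("EHLO", "")
    if ehlo.startswith("5") and replies.get("HELO", "").startswith("250"):
        signs.append("EHLO rejected but HELO accepted")
    return {"filtered": bool(signs), "signs": signs,
            "auth": auth_mechanisms(ehlo)}


if __name__ == "__main__":
    for name, session in (("direct", DIRECT), ("filtered", FILTERED)):
        print(name, diagnose(session))
```
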
#4
02-28-2004
Mark Clements

"Thomas Krug" <dont-even-think-of-sending-me-spam@siw.de> wrote in message news:<c1p7nt$as5$02$1@news.t-online.com>...

> Looks like there's a firewall between your client and the mailserver
> including some smtp filtering.
>
> > 220 ********************* <-(not my edit, it's what comes back)

>
> This looks like e.g. cisco pix using smtp fixup


BINGO!!

After some investigation, that is exactly the config here.

Many thanks!!

M
#5
02-28-2004
Thomas Krug

Mark Clements <mclements@interpublic.com> wrote:
> "Thomas Krug" <dont-even-think-of-sending-me-spam@siw.de> wrote in
> message news:<c1p7nt$as5$02$1@news.t-online.com>...
>
>> Looks like there's a firewall between your client and the mailserver
>> including some smtp filtering.
>>
>>> 220 ********************* <-(not my edit, it's what comes back)

>>
>> This looks like e.g. cisco pix using smtp fixup

>
> BINGO!!
>
> After some investigation, that is exactly the config here.
>
> Many thanks!!
>
> M




You're welcome :-)
I've been through some bad time with that kind of searching as well.

Thomas.

