smtp authentication (sendmail relay)

smtp authentication (sendmail relay)

[Harry Putnam]

[ALERT patience requireed]

Finding myself in an unusaual temporary situation where for technical reasons
I cannot relay my outgoing mail through my normal ISP smtp machine.

My setup is single user running Redhat linux 6.2.  Connected by ppp to an ISP 
and sending with local sendmail to ISP mail machine

Normally I set the smart_host to my ISPs smtp.machine.  That is temporarily
broken for now.

I have a second smtp.server that I can use.  The smtp side of newsguy.com.
I use that pop server routinely.  But suddenly find I don't know how to
authenticate my relay to an smtp.server that is not part of the isp I'm dialed
up with.  I know how to set /etc/sendmail.cf to relay to that server but not
how to authenticate my outgoing relay to that machine.

In fact, not really sure where those smtp negotiations get handled.

Re: smtp authentication (sendmail relay)

[Kai Großjohann]

On Sun, 17 Dec 2000, Harry Putnam wrote:

> I have a second smtp.server that I can use.  The smtp side of
> newsguy.com.  I use that pop server routinely.  But suddenly find I
> don't know how to authenticate my relay to an smtp.server that is
> not part of the isp I'm dialed up with.  I know how to set
> /etc/sendmail.cf to relay to that server but not how to authenticate
> my outgoing relay to that machine.

I don't know that ISP, but it is possible for them to use your IP
address for authentication.  To get the right IP address, you have to
use their server for dialin, of course.

Another common scheme is smtp-after-pop.  Here, the idea is that you
connect to the POP server, and if that's successful, then for 5
minutes (or whatever) you're (your IP address is) allowed to use the
SMTP server.

I think there are also schemes for doing authentication within SMTP,
but I think they are rarely used.  They are also non-standard, I
think. 

kai
-- 
A large number of young women don't trust men with beards.  (BFBS Radio)

Re: smtp authentication (sendmail relay)

[jas]

On Sun, 17 Dec 2000, Harry Putnam wrote:

> I have a second smtp.server that I can use.  The smtp side of newsguy.com.
> I use that pop server routinely.  But suddenly find I don't know how to
> authenticate my relay to an smtp.server that is not part of the isp I'm dialed
> up with.  I know how to set /etc/sendmail.cf to relay to that server but not
> how to authenticate my outgoing relay to that machine.
> 
> In fact, not really sure where those smtp negotiations get handled.

Perhaps you could use modern smtpmail.el which support SMTP
authentication (RFC 2554), rather than a local sendmail?  If so, customize
the `smtpmail' group.

Hopefully Emacs will contain smtpmail.el with AUTH support in the
future.  XEmacs mail-lib in CVS contains it now.

Re: smtp authentication (sendmail relay)

[Stainless Steel Rat]

* Harry Putnam <reader@newsguy.com>  on Sun, 17 Dec 2000
| In fact, not really sure where those smtp negotiations get handled.

If newsguy is doing what I suspect they are doing, they don't.
Authenticated SMTP hooks into POP authentication.  When you authenticate
yourself to the POP server, a flag is set that allows you to use that
host's SMTP server to relay mail.  That flag is cleared after some set
period.

It is probably a bit more complex than this, but this is what the end users
see.
-- 
Rat <ratinox@peorth.gweep.net>    \ When not in use, Happy Fun Ball should be
Minion of Nathan - Nathan says Hi! \ returned to its special container and
PGP Key: at a key server near you!  \ kept under refrigeration.

Re: smtp authentication (sendmail relay)

[Harry Putnam]

Kai.Grossjohann@CS.Uni-Dortmund.DE (Kai Gro_johann) writes:
> On Sun, 17 Dec 2000, Harry Putnam wrote:
> 
> > I have a second smtp.server that I can use.  The smtp side of
> > newsguy.com.  I use that pop server routinely.  But suddenly find
> > I
> > don't know how to authenticate my relay to an smtp.server that is
> > not part of the isp I'm dialed up with.  I know how to set
> > /etc/sendmail.cf to relay to that server but not how to
> > authenticate
> > my outgoing relay to that machine.
> 
> I don't know that ISP, but it is possible for them to use your IP
> address for authentication.  To get the right IP address, you have
> to
> use their server for dialin, of course.

Hoping it won't be considered too off-topic to discuss the nitty
gritty details of mail sending and retrieval here:

First let me say, that it appears the easiest temporary way may be to
just let gnus do the pop and smtp transactions.  I haven't actually
done that before but it is fairly well documented here and on
gnu.emacs.gnus. So shouldn't have too much trouble with that.

However as is ofter the case, I'm looking for a more optimal solution,
that could be used by simply overwriting sendmail.cf and restarting
sendmail.

Let me explain my situation a little better, making use of the nifty 
`picture mode' and listing the tools involved:

                My machine .. running local sendmail for send and 
                fetchmail/sendmail/procmail  for retrieval.
                             _______ 
                             |      |
                             | Me   |
                             |______| 
                             /      \  
                            /        \  
                           /          \
                          /            \
                      ISP|ISPsmtp    Newsguy|POP3
                                                
So.. I connect to a local ISP, use there SMTP server to relay my
outgoing
mail via my local sendmail.  No special authentication is required,
apparently done transparently, from the ISP authentication (login).
 (sendmail.cf set to this smtp.server as the machine to relay to)

(That is temporarily broken)

I collect mail from newsguys' POP3 server using fetchmail, in the
simplest
possible format, which includes authentication:

cat .fetchmailrc
poll pop.newsguy.com proto pop3 nodns user reader password xxxxxxxx
Fetchmail drops it in /var/spool/mail where gnus snarfs it.

To direct sendmail to deliver to a different smpt server, is no harder
than
editing the single line in sendmail.cf:

DSsmtp:smtp.MYLOCAL.ISP
                        
to read
                                                
DSsmtp:smtp.newsguy.com

And restarting sendmail.

But when doing this, the connection is rejected by newsguy since no
authentication is provided.  The hub of my question is how to provide
that
authentication and not have to make other changes in my current setup.

I want to be able to simply overwrite sendmail, restart it and....
bingo.  Now relying thru server smtp.XXX.XXX

One would expect that Newsguy.com would have this kind of info readily
available but apparently there techs only deal with `windows' clients.

 > 
 > Another common scheme is smtp-after-pop.  Here, the idea is that
 > you
 > connect to the POP server, and if that's successful, then for 5
 > minutes (or whatever) you're (your IP address is) allowed to use
 > the
 > SMTP server.

This sounds like a possible option...

 > 
 > I think there are also schemes for doing authentication within
 > SMTP,
 > but I think they are rarely used.  They are also non-standard, I
 > think. 

Is this last `within' scheme what I am describing above?


 jas@slipsten.extundo.com writes:

 > On Sun, 17 Dec 2000, Harry Putnam wrote:
 > 
 > > I have a second smtp.server that I can use.  The smtp side of
 > > newsguy.com.

[...]

 > 
 > Perhaps you could use modern smtpmail.el which support SMTP
 > authentication (RFC 2554), rather than a local sendmail?  If so,
 > customize
 > the `smtpmail' group.

Another posssible way .. thanks.

 > 
 > Hopefully Emacs will contain smtpmail.el with AUTH support in the
 > future.  XEmacs mail-lib in CVS contains it now.

 "Robin S. Socha" <robin@socha.net> writes:

 > * Harry Putnam <reader@newsguy.com> writes:
 > 
 > > Finding myself in an unusaual temporary situation where for
 > > technical
 > > reasons I cannot relay my outgoing mail through my normal ISP
 > > smtp
 > > machine.
 > 
 > You are now reader@socha.net, PWD R34d3r
 > To login, use reader@socha.net, to relay over this machine, get
 > POP3
 > first (smtp after pop). https://socha.net:666/webmail/ is also
 > there,
 > altough the account settings are slightly broken ;-)

Thanks Robin.. same as above solution `smtp after pop'.

Due to your characteristic breivity... Its not clear if there would be
a way to do what I've described above on that smtp server.  Please set
-v to the next higher level....  : )

Re: smtp authentication (sendmail relay)

[Simon Josefsson]

Stainless Steel Rat <ratinox@peorth.gweep.net> writes:

> | In fact, not really sure where those smtp negotiations get handled.
> 
> If newsguy is doing what I suspect they are doing, they don't.
> Authenticated SMTP hooks into POP authentication.

There is SMTP AUTH (rfc 2554) and SMTP STARTTLS (rfc 2246 + 2595) too,
they are better than the POP cludge.

Harry might use telnet to find out if it's supported by the server or
not, just say "ehlo foo" to the server, and notice if STARTTLS or AUTH
CRAM-MD5 is part of the response.

$ telnet test.smtp.org 25
Trying 209.220.147.188...
Connected to test.smtp.org.
Escape character is '^]'.
220 test.smtp.org ESMTP Sendmail 8.11.2.Beta1 ready at Sun, 17 Dec 2000 10:38:48 -0800 (PST); see http://test.smtp.org/
ehlo foo
250-test.smtp.org Hello slipsten.extundo.com [195.42.214.241], pleased to meet you
250-ENHANCEDSTATUSCODES
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ONEX
250-ETRN
250-XUSR
250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
250-STARTTLS
250 HELP

Re: smtp authentication (sendmail relay)

[Kai Großjohann]

On 17 Dec 2000, Harry Putnam wrote:

> However as is ofter the case, I'm looking for a more optimal
> solution, that could be used by simply overwriting sendmail.cf and
> restarting sendmail.

To find out what the newsguy.com smtp server wants, it might be
easiest to talk to it directly:

    telnet smtp.newsguy.com 25

Make liberal use of the HELP command...  Without authentication, the
typical command sequence is this:

/----
| HELO lucy.cs.uni-dortmund.de
| MAIL FROM: <Kai.Grossjohann@cs.uni-dortmund.de>
| RCPT TO: <reader@newsguy.com>
| DATA
| From: Kai Grossjohann <Kai.Grossjohann@cs.uni-dortmund.de>
| To: Harry Putnam <reader@newsguy.com>
| Subject: test
| 
| testing the test
| .
\----

HELO tells the other smtp server who my machine is.  MAIL FROM and
RCPT TO (including the colon and the angle brackets) give the envelope
sender and recipient, DATA indicates that the mail itself follows
(terminated by a line which contains only a dot).  The message itself
also contains From and To, but these are the headers, not the
envelope.  If the envelope says the message goes to John, and the
header says Paul, then the message will go to John.

You might wish to compare with what you see.

>  > I think there are also schemes for doing authentication within
>  > SMTP, but I think they are rarely used.  They are also
>  > non-standard, I think.
> 
> Is this last `within' scheme what I am describing above?

Could be.  This depends on whether the SMTP server asks you for
authentication. 


>  "Robin S. Socha" <robin@socha.net> writes:

>  > You are now reader@socha.net, PWD [...]
>  > To login, use reader@socha.net, to relay over this machine, get
>  > POP3
>  > first (smtp after pop). https://socha.net:666/webmail/ is also
>  > there,
>  > altough the account settings are slightly broken ;-)
> 
> Thanks Robin.. same as above solution `smtp after pop'.
> 
> Due to your characteristic breivity... Its not clear if there would
> be a way to do what I've described above on that smtp server.
> Please set -v to the next higher level....  : )

You need to tell Gnus to get mail from machine socha.net, logging in
with given login and password.  (It's not clear to me whether the
login name should be "reader" or "reader@socha.net".)  And then you
put socha.net as smarthost into sendmail.cf, and for a couple of
minutes after getting mail, you can do "sendmail -q" and the mail will
be relayed.

For the above scheme, it's not important that you actually HAVE mail
at that machine.  It's sufficient for you to CONTACT the machine, then
the SMTP-after-POP will work.

kai
-- 
A large number of young women don't trust men with beards.  (BFBS Radio)

Re: smtp authentication (sendmail relay)

[Harry Putnam]

Simon Josefsson <sj@extundo.com> writes:

> Harry might use telnet to find out if it's supported by the server or
> not, just say "ehlo foo" to the server, and notice if STARTTLS or AUTH
> CRAM-MD5 is part of the response.

[...] snipped examples

Newsguy, bars telnet access to port 25 and has for a couple years.
All you can get there is no response to commands.

So I guess there is no way to set authentication info in sendmail.cf or
something similar eh.

Re: smtp authentication (sendmail relay)

[Kai Großjohann]

On 17 Dec 2000, Harry Putnam wrote:

> Newsguy, bars telnet access to port 25 and has for a couple years.
> All you can get there is no response to commands.

??

How does the mail get sent, then?  Sending a mail involves connecting
to port 25, and whether or not that connection is via telnet is
immaterial.  I think.

But your second sentence seems to imply that it accepts the
connection, just doesn't respond when you type something.  When you do
"telnet smtp.newsguy.com 25", do you get a `connection refused' error,
or something else?

kai
-- 
A large number of young women don't trust men with beards.  (BFBS Radio)

Re: smtp authentication (sendmail relay)

[Lloyd Zusman]

Harry Putnam <reader@newsguy.com> writes:

> Simon Josefsson <sj@extundo.com> writes:
> 
> > Harry might use telnet to find out if it's supported by the server or
> > not, just say "ehlo foo" to the server, and notice if STARTTLS or AUTH
> > CRAM-MD5 is part of the response.
> 
> [...] snipped examples
> 
> Newsguy, bars telnet access to port 25 and has for a couple years.
> All you can get there is no response to commands.

Here's my `typescript' of a telnet SMTP session to newsguy.  As you
can see, it worked perfectly.  Soon after recording this session, I
went back and sent myself some email via another telnet session to
`smtp.newsguy.com', and it worked fine.

Did you connect to `smtp.newsguy.com' or perhaps some other `newsguy'
host?


 Script started on Sun Dec 17 16:16:46 2000
 1> telnet smtp.newsguy.com 25
 Trying 209.155.56.71...
 Connected to smtp.newsguy.com.
 Escape character is '^]'.
 220 newsguy.com ESMTP Sendmail 8.11.0/8.9.1; Sun, 17 Dec 2000 13:14:33 -0800 (PST)
 ehlo asfast.com
 250-newsguy.com Hello IDENT:root@acholado.net [216.182.19.128], pleased to meet you
 250-ENHANCEDSTATUSCODES
 250-EXPN
 250-VERB
 250-8BITMIME
 250-SIZE 2000000
 250-DSN
 250-ONEX
 250-ETRN
 250-XUSR
 250 HELP
 quit
 221 2.0.0 newsguy.com closing connection
 Connection closed by foreign host.
 2> exit

 Script done on Sun Dec 17 16:17:20 2000


> So I guess there is no way to set authentication info in sendmail.cf or
> something similar eh.
> 
> 
> 
> 
> 
> 

-- 
 Lloyd Zusman
 ljz@asfast.com

Re: smtp authentication (sendmail relay)

[Harry Putnam]

Stainless Steel Rat <ratinox@peorth.gweep.net> writes:

> * Harry Putnam <reader@newsguy.com>  on Sun, 17 Dec 2000
> | In fact, not really sure where those smtp negotiations get handled.
> 
> If newsguy is doing what I suspect they are doing, they don't.
> Authenticated SMTP hooks into POP authentication.  When you authenticate
> yourself to the POP server, a flag is set that allows you to use that
> host's SMTP server to relay mail.  That flag is cleared after some set
> period.
> 
> It is probably a bit more complex than this, but this is what the end users
> see.

So, if that is the case then I should be able to relaty through them
since that is my source of POP3.   So does the relay have to happen in
conjunction with a POP3 retrieval .... Any one know how that is setup?

Maybe the messages from a staight on attempt to relay will provide a
clue.

Couldn't think of a way to get more verbose stuff since telnet is
disabled:

bsd > cat .bashrc|mail -v -s"TESTnewsguySMTP" reader@newsguy.com
reader@newsguy.com... Connecting to smtp.newsguy.com. via smtp...
reader@newsguy.com... Deferred: Connection refused by
smtp.newsguy.com.
bsd >

Re: smtp authentication (sendmail relay)

[Lloyd Zusman]

Harry Putnam <reader@newsguy.com> writes:

> Stainless Steel Rat <ratinox@peorth.gweep.net> writes:
> 
> > * Harry Putnam <reader@newsguy.com>  on Sun, 17 Dec 2000
> > | In fact, not really sure where those smtp negotiations get handled.
> > 
> > If newsguy is doing what I suspect they are doing, they don't.
> > Authenticated SMTP hooks into POP authentication.  When you authenticate
> > yourself to the POP server, a flag is set that allows you to use that
> > host's SMTP server to relay mail.  That flag is cleared after some set
> > period.
> > 
> > It is probably a bit more complex than this, but this is what the end users
> > see.
> 
> So, if that is the case then I should be able to relaty through them
> since that is my source of POP3.   So does the relay have to happen in
> conjunction with a POP3 retrieval .... Any one know how that is setup?

Well, I'm not sure if relay works via newsguy's SMTP server or not,
since I only used it to send mail to a newsguy email address that I
have.

> Maybe the messages from a staight on attempt to relay will provide a
> clue.

Yep.  I agree.  Enclosed at the bottom of this email is another
typescript showing the following scenario:

(1)  Connect to `smtp.newsguy.com' via telnet for an SMTP session, and
     attempt to relay ... this fails.

(2)  Connect to `pop.newsguy.com' via telnet for a POP3 session, and
     then immediately log out.

(3)  Re-connect to `smtp.newsgiy.com' via telnet for an SMTP session,
     and re-attempt the same relay ... this time, it succeeds.

> Couldn't think of a way to get more verbose stuff since telnet is
> disabled:

On a Unix-like machine you can type `script' from your shell, and then
enter interactive commands, such as the telnet commands to the newsguy
servers that I issued.  When you're done, you type `exit' from your
shell, and everything that appeared on your screen since you last
typed `script' will be stored in a file called `typescript', in your
local directory.  Edit out any passwords and any control characters
from this file (especially the ^M characters), and this is an exact
log of what took place within the telnet sessions.

> [ ... ]

Here's the typescript log for what I described above:

 Script started on Sun Dec 17 16:34:01 2000
 1> telnet smtp.newsguy.com 25
 Trying 209.155.56.71...
 Connected to smtp.newsguy.com.
 Escape character is '^]'.
 220 newsguy.com ESMTP Sendmail 8.11.0/8.9.1; Sun, 17 Dec 2000 13:31:53 -0800 (PST)
 ehlo asfast.com
 250-newsguy.com Hello IDENT:root@acholado.net [216.182.19.128], pleased to meet you
 250-ENHANCEDSTATUSCODES
 250-EXPN
 250-VERB
 250-8BITMIME
 250-SIZE 2000000
 250-DSN
 250-ONEX
 250-ETRN
 250-XUSR
 250 HELP
 mail from: ljz@asfast.com
 250 2.1.0 ljz@asfast.com... Sender ok
 rcpt to: ljz@nyct.net
 550 5.7.1 ljz@nyct.net... Relaying denied - please authenicate by logging into the pop server
 quit
 221 2.0.0 newsguy.com closing connection
 Connection closed by foreign host.
 2> telnet pop.newsguy.com 110
 Trying 209.155.56.72...
 Connected to pop.newsguy.com.
 Escape character is '^]'.
 +OK QPOP (version 2.3a) at perry.pathlink.com starting.  <22701.977088806@perry.pathlink.com>
 user XXXXXXXXXX
 +OK Password required for elhipo.
 pass YYYYYYYYYY
 +OK elhipo has 8 messages (11553 octets).
 quit
 +OK Pop server at perry.pathlink.com signing off.
 Connection closed by foreign host.
 3> telnet smtp.newsguy.com 25
 Trying 209.155.56.71...
 Connected to smtp.newsguy.com.
 Escape character is '^]'.
 220 newsguy.com ESMTP Sendmail 8.11.0/8.9.1; Sun, 17 Dec 2000 13:33:58 -0800 (PST)
 ehlo asfast.com
 250-newsguy.com Hello IDENT:root@acholado.net [216.182.19.128], pleased to meet you
 250-ENHANCEDSTATUSCODES
 250-EXPN
 250-VERB
 250-8BITMIME
 250-SIZE 2000000
 250-DSN
 250-ONEX
 250-ETRN
 250-XUSR
 250 HELP
 mail from: ljz@asfast.com
 250 2.1.0 ljz@asfast.com... Sender ok
 rcpt to: ljz@tiac.net
 250 2.1.5 ljz@tiac.net... Recipient ok
 data
 354 Enter mail, end with "." on a line by itself
 Subject: This is a test of newsguy relay after a pop access
 
 It looks like the test succeeded
 
 .
 250 2.0.0 eBHLYBM22848 Message accepted for delivery
 quit
 221 2.0.0 newsguy.com closing connection
 Connection closed by foreign host.
 4> exit
 
 Script done on Sun Dec 17 16:37:05 2000


-- 
 Lloyd Zusman
 ljz@asfast.com

Re: smtp authentication (sendmail relay)

[Harry Putnam]

Lloyd Zusman <ljz@asfast.com> writes:

>  Script started on Sun Dec 17 16:16:46 2000
>  1> telnet smtp.newsguy.com 25
>  Trying 209.155.56.71...
>  Connected to smtp.newsguy.com.
>  Escape character is '^]'.
>  220 newsguy.com ESMTP Sendmail 8.11.0/8.9.1; Sun, 17 Dec 2000 13:14:33 -0800 (PST)
>  ehlo asfast.com

[...]
Ekkkk.   I'll be damned:
  bsd > telnet smtp.newsguy.com 25
  Trying 209.155.56.71...
  telnet: connect to address 209.155.56.71: Connection refused
  telnet: Unable to connect to remote host
  reader@satellite /anex/reader
bsd > date
Sun Dec 17 14:01:54 PST 2000


And... Newsguy tech staff have told me over the phone that  telnet is not
allowed.

Not sure what the deal is now.

Re: smtp authentication (sendmail relay)

[Lloyd Zusman]

Harry Putnam <reader@newsguy.com> writes:

> Lloyd Zusman <ljz@asfast.com> writes:
> 
> >  Script started on Sun Dec 17 16:16:46 2000
> >  1> telnet smtp.newsguy.com 25
> >  Trying 209.155.56.71...
> >  Connected to smtp.newsguy.com.
> >  Escape character is '^]'.
> >  220 newsguy.com ESMTP Sendmail 8.11.0/8.9.1; Sun, 17 Dec 2000 13:14:33 -0800 (PST)
> >  ehlo asfast.com
> 
> [...]
> Ekkkk.   I'll be damned:
>   bsd > telnet smtp.newsguy.com 25
>   Trying 209.155.56.71...
>   telnet: connect to address 209.155.56.71: Connection refused
>   telnet: Unable to connect to remote host
>   reader@satellite /anex/reader
> bsd > date
> Sun Dec 17 14:01:54 PST 2000
> 
> 
> And... Newsguy tech staff have told me over the phone that  telnet is not
> allowed.
> 
> Not sure what the deal is now.

Well, the only thing I can think of is reverse DNS.  Many servers
don't allow connection to them unless the connecting host's IP address
has a valid reverse DNS entry.  The IP address of machine from which I
was connecting indeed does have a valid reverse DNS entry, and so
perhaps this is why my connection works.

In case you don't know what "reverse DNS" is, it's a function of DNS
service which will return your domain name when your IP address is fed
to it.  Normal, "forward" DNS goes in the opposite direction: it
returns an IP address when a domain name is supplied.

The people who supply your IP (i.e., your ISP) are responsible for
supplying reverse DNS for your IP address.  Ask your ISP if this can
be enabled.  It's extremely common these days for ISP's to provide
reverse DNS, because for security reasons, most servers on the net
(SMTP, NNTP, telnetd, ftpd, etc. etc. etc.) are requiring valid
reverse DNS from those who connect to them.

If your ISP won't supply this service, I regrettably must suggest that
you switch ISP's.  And by the way, if your ISP says that reverse DNS
isn't possible with dynamic IP's, this isn't true, since many, many
ISP's routinely supply proper reverse DNS entries for their dynamic IP
customers.

HTH

-- 
 Lloyd Zusman
 ljz@asfast.com

Re: smtp authentication (sendmail relay)

[Colin Walters]

Kai.Grossjohann@CS.Uni-Dortmund.DE (Kai Großjohann) writes:

> How does the mail get sent, then?  Sending a mail involves
> connecting to port 25, and whether or not that connection is via
> telnet is immaterial.  I think.

Maybe it drops anything that tries telnet options negotiation?

Re: smtp authentication (sendmail relay)

[Lloyd Zusman]

And one more point ...

Harry Putnam <reader@newsguy.com> writes:

> [ ... ]
>
> And... Newsguy tech staff have told me over the phone that  telnet is not
> allowed.
> 
> [ ... ]

It turns out that when you do a "telnet [hostname] 25", this looks to
the receiving host no different than a connection via any other means.
Therefore, no matter what the newsguy staff might have said, there is
essentially no way for a remote SMTP server to disable telnet access
via port 25 and still allow other forms of SMTP access, at least
when the basic protocol is being used.

Just a point of information that I meant to add to my previous message
about this.

And once again, HTH.


-- 
 Lloyd Zusman
 ljz@asfast.com

Re: smtp authentication (sendmail relay)

[Harry Putnam]

Lloyd Zusman <ljz@asfast.com> writes:


[...]

> 
> Here's the typescript log for what I described above:

[...] snipped dialog

>  Subject: This is a test of newsguy relay after a pop access
>  
>  It looks like the test succeeded

I can't seem to get connected to smtp server.  My transcript tells a
different story:
 (but at least I was able to connect to pop server)
   bsd > telnet pop.newsguy.com 110
   Trying 209.155.56.72...
   Connected to pop.newsguy.com.
   Escape character is '^]'.
   +OK QPOP (version 2.3a) at perry.pathlink.com starting.
   <32050.977092832@perry.pathlink.com>
   user xxxxx
   +OK Password required for xxxxx
   pass xxxxxxx
   +OK xxxxx has 0 messages (0 octets).
   quit
   +OK Pop server at perry.pathlink.com signing off.
   Connection closed by foreign host.
   
   bsd > telnet smtp.newsguy.com 25
   Trying 209.155.56.71...
   telnet: connect to address 209.155.56.71: Connection refused
   telnet: Unable to connect to remote host
   
   Script done on Sun Dec 17 14:44:35 2000

I notice a lengthy pause between typing the telnet command to connect
to smtp server and the error message being returned.

Possibly something to do with my ISP DNS machine?.  But seemsno way to
connect to smtp server.

Seem there would be tools to manage this... I seem to recall something
about fetchmail .... but not recognizing it in man page.

Re: smtp authentication (sendmail relay)

[Lloyd Zusman]

Colin Walters <walters@cis.ohio-state.edu> writes:

> Kai.Grossjohann@CS.Uni-Dortmund.DE (Kai Großjohann) writes:
> 
> > How does the mail get sent, then?  Sending a mail involves
> > connecting to port 25, and whether or not that connection is via
> > telnet is immaterial.  I think.
> 
> Maybe it drops anything that tries telnet options negotiation?

Well, I was able to make a normal telnet connection to that host.

And besides, when you use telnet to connect a port other than 23 (the
standard telnet port), no telnet options negotiation is done.  As
the telnet man page states:

  ...  When connecting to a non-standard port, telnet omits any
  automatic initiation of TELNET options.  ...

-- 
 Lloyd Zusman
 ljz@asfast.com

Re: smtp authentication (sendmail relay)

[Lloyd Zusman]

Harry Putnam <reader@newsguy.com> writes:

> Lloyd Zusman <ljz@asfast.com> writes:
> 
> > [...]
>
> I can't seem to get connected to smtp server.  My transcript tells a
> different story:
>  (but at least I was able to connect to pop server)
> [ ... ]
> 
> I notice a lengthy pause between typing the telnet command to connect
> to smtp server and the error message being returned.
> 
> Possibly something to do with my ISP DNS machine?.  But seemsno way to
> connect to smtp server.

Yes, I really think it has to do with the fact that your ISP is not
supplying reverse DNS for your connection.  Determine your IP address
using `ifconfig' or some other means, and then type:

  nslookup www.xxx.yyy.zzz

where "www.xxx.yyy.zzz" is your IP address.

If you get a response which contains something like this ...

   can't find www.xxx.yyy.zzz: Non-existent host/domain

... then it would be almost certain that your ISP is not providing
reverse DNS for your connection.  They really *should* supply this,
because as I mentioned earlier, more and more services on the internet
are requiring proper reverse DNS in order for you to connect to them,
and I'm pretty sure that a large service like newsguy would indeed be
set up in this fashion.

It's possible that this can be fixed very quickly by contacting your
ISP and requesting that they set up reverse DNS for you.  The DNS
configuration is complicated, and quite often small errors creep in
which disable things like reverse DNS.  I have found from my own
experience that ISP's often screw up reverse DNS, and that the tech
support people at an ISP frequently only have to make a quick fix to
some config file in order to get your reverse DNS working.

If this is the case, your problems will be a lot closer to being
solved after only making one short phone call to your ISP.

And in any case, you really *should* have proper reverse DNS these
days if you want to access services on the internet, irrespective
of these specific SMTP problems.


> Seem there would be tools to manage this... I seem to recall something
> about fetchmail .... but not recognizing it in man page.

Fetchmail might indeed handle this.  But again ... without proper
reverse DNS, it doesn't matter whether you access your SMTP via telnet
or fetchmail or sendmail or whatever.


-- 
 Lloyd Zusman
 ljz@asfast.com

Re: smtp authentication (sendmail relay)

[Russ Allbery]

Harry Putnam <reader@newsguy.com> writes:

>    bsd > telnet smtp.newsguy.com 25
>    Trying 209.155.56.71...
>    telnet: connect to address 209.155.56.71: Connection refused
>    telnet: Unable to connect to remote host
   
>    Script done on Sun Dec 17 14:44:35 2000

> I notice a lengthy pause between typing the telnet command to connect to
> smtp server and the error message being returned.

> Possibly something to do with my ISP DNS machine?.  But seemsno way to
> connect to smtp server.

Perhaps your ISP is one of the ones that blocks port 25 connections to any
systems other than their local customer relay servers to try to cut down
on spam from their customers?

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>

Re: smtp authentication (sendmail relay)

[Harry Putnam]

Lloyd Zusman <ljz@asfast.com> writes:

> Well, the only thing I can think of is reverse DNS.  Many servers
> don't allow connection to them unless the connecting host's IP address
> has a valid reverse DNS entry.  The IP address of machine from which I
> was connecting indeed does have a valid reverse DNS entry, and so
> perhaps this is why my connection works.

Bingo... I think you've hit on it.  Turns out I can connect to
smtp.newsguy.com from my DSL connection at a different location. 
(Same ISP)  So apparently they are not supplying it for dialin
accounts.

Re: smtp authentication (sendmail relay)

[Lloyd Zusman]

Harry Putnam <reader@newsguy.com> writes:

> Lloyd Zusman <ljz@asfast.com> writes:
> 
> > Well, the only thing I can think of is reverse DNS.  Many servers
> > don't allow connection to them unless the connecting host's IP address
> > has a valid reverse DNS entry.  The IP address of machine from which I
> > was connecting indeed does have a valid reverse DNS entry, and so
> > perhaps this is why my connection works.
> 
> Bingo... I think you've hit on it.  Turns out I can connect to
> smtp.newsguy.com from my DSL connection at a different location. 
> (Same ISP)  So apparently they are not supplying it for dialin
> accounts.

Great!  Well ... sort-of "great!" ... it's good to know why this is a
problem, but it still has to be corrected.  Your ISP should provide
reverse DNS for dial-in accounts, because as I mentioned earlier, it's
hard to use the net these days without reverse DNS (as you are
discovering), and this service is routinely provided by the majority
of ISP's these days.  If yours refuses to give you reverse DNS
service, I strongly suggest you change ISP's, if at all possible.

Contact me privately if you want to discuss some ways for you to
work around this reverse DNS problem.

-- 
 Lloyd Zusman
 ljz@asfast.com

Re: smtp authentication (sendmail relay)

[Steinar Bang]

>>>>> Harry Putnam <reader@newsguy.com>:

> [...]
> Ekkkk.   I'll be damned:
>   bsd > telnet smtp.newsguy.com 25
>   Trying 209.155.56.71...
>   telnet: connect to address 209.155.56.71: Connection refused
>   telnet: Unable to connect to remote host
>   reader@satellite /anex/reader
> bsd > date
> Sun Dec 17 14:01:54 PST 2000


> And... Newsguy tech staff have told me over the phone that telnet is
> not allowed.

"telnet" may be, but telnetting to some other port should be possible
to distinguish from any other TCP connection to that port.

This is what happened when I tried it:

$ telnet smtp.newsguy.com smtp
Trying 209.155.56.71...
Connected to smtp.newsguy.com.
Escape character is '^]'.
220 newsguy.com ESMTP Sendmail 8.11.0/8.9.1; Sun, 17 Dec 2000 23:44:19 -0800 (PST)
ehlo viffer.metis.no
250-newsguy.com Hello [194.19.99.131], pleased to meet you
250-ENHANCEDSTATUSCODES
250-EXPN
250-VERB
250-8BITMIME
250-SIZE 2000000
250-DSN
250-ONEX
250-ETRN
250-XUSR
250 HELP
quit
221 2.0.0 newsguy.com closing connection
Connection closed by foreign host.

Re: smtp authentication (sendmail relay)

[Harry Putnam]

Kai.Grossjohann@CS.Uni-Dortmund.DE (Kai Großjohann) writes:

[...]snipped good summary

> For the above scheme, it's not important that you actually HAVE mail
> at that machine.  It's sufficient for you to CONTACT the machine, then
> the SMTP-after-POP will work.

Nice summary Kai, helpful to have a printout to see what commands are needed.

Re: smtp authentication (sendmail relay)

[Glenn Shiffer]

I just got to reading this thread-

Glad to see you got the answer, it's a strange system, but the way it was
explained to me when I used newsguy was this way they wern't and open relay.

Once the relay authinticates you, it will stay open for about 4 hours.

Glenn

----- Original Message -----
From: "Harry Putnam" <reader@newsguy.com>
To: "Kai Großjohann" <Kai.Grossjohann@CS.Uni-Dortmund.DE>
Cc: <ding@gnus.org>
Sent: Monday, December 18, 2000 7:13 PM
Subject: Re: smtp authentication (sendmail relay)


> Kai.Grossjohann@CS.Uni-Dortmund.DE (Kai Großjohann) writes:
>
> [...]snipped good summary
>
> > For the above scheme, it's not important that you actually HAVE mail
> > at that machine.  It's sufficient for you to CONTACT the machine, then
> > the SMTP-after-POP will work.
>
> Nice summary Kai, helpful to have a printout to see what commands are
needed.
>
>

Re: smtp authentication (sendmail relay)

[Harry Putnam]

"Glenn Shiffer" <fubar@pobox.com> writes:

> I just got to reading this thread-
> 
> Glad to see you got the answer, it's a strange system, but the way it was
> explained to me when I used newsguy was this way they wern't and open relay.
> 
> Once the relay authinticates you, it will stay open for about 4 hours.
> 
> Glenn

When I first started using newsguy, it was still `zippo' and
`superzippo'.  I always wished they hadn't made that dorky name
change.  I liked `reader@superzippo.com' better but The Zippo company
of cigarette lighter fame sued them and they had to change there name.

Back then you could telnet right into the pop server, login, stomp
around in there, run a shell, edit/read or whatever /var/spool/mail/USER

I remember getting a message from some automated cron job on their pop
server for weeks after I had a vi session crash and leave a *.swp file
in there. 

That was early  97 or so.

My trouble turned out to be a little different.  

Not a reverse MX lookup.  That was in place 

The bank of phones that my dialup at home uses goes to a machine that
talks to my ISP some 130 miles away it does something (unknown)
unusual and the smtp server won't talk to it.  Same reason the smtp
server on newsguy wouldn't talk to it. (I think) .... They are
supposed to be fixing that.