Print Page | Close Window

iPhones and SMTP auth

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: http://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=6190
Printed Date: 22 October 2017 at 12:51am


Topic: iPhones and SMTP auth
Posted By: WebGuyz
Subject: iPhones and SMTP auth
Date Posted: 09 August 2007 at 6:43pm

Got 4 customers trying to set up iPhones for outbound mail and not being able to. They can receive emails from our Smartermail mail server, but I use SFE for SMTP auth for outbound sending of mail.

Has anyone using SMTP auth in SFI/SFE been able to authenticate iPhones for outgoing email?

Thanks!



-------------
http://www.webguyz.net



Replies:
Posted By: LogSat
Date Posted: 09 August 2007 at 6:50pm
In SpamFilter, under the "Debug View" tab under Settings, could you please enable the Debug Monitor? You'll need to enter the IP of the customer in the "IP to monitor" field.

This should show the SMTP transactions that IP is performing, and could give a clue as to what is happening.

-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP


Posted By: WebGuyz
Date Posted: 09 August 2007 at 10:24pm
I have to wait for one of the affected users to call me back. In the regular log I see an IP address connect and then a few seconds later a disconnect and nothing in between.

-------------
http://www.webguyz.net


Posted By: atifghaffar
Date Posted: 10 August 2007 at 1:23am
I think its related

http://www.logsat.com/spamfilter/forums/forum_posts.asp?TID= 5796&KW=mac

Cram-md5 by default i guess.




-------------
best regards

Atif


Posted By: WebGuyz
Date Posted: 10 August 2007 at 1:31am
According to the users CRAM-MD5 is one of the choices but so is PASSWORD which is what I tell them to try. Googling around it seems many people are having issues with iPhones and outbound emails but I'm just not sure where the fault lays. Wish I had one to play with.

-------------
http://www.webguyz.net


Posted By: WebGuyz
Date Posted: 10 August 2007 at 10:17am

Atif,

   Your probably right. I had a Blackjack user who could not do outgoing using SF to authenicate. In debug I saw the SFE hello and what it supported but the BJ never authenticated. I created a dns entry that went straight to our Smartermail box and bam, it worked right away!!

Here is what Smartermail sends:

rsp: 250-mail99.webguyz.net Hello [166.217.199.183] 250-SIZE 31457280 250-AUTH LOGIN CRAM-MD5 250 OK

Here is what SF sends:

>>EHLO Inbox
<<250-AUTH LOGIN PLAIN
<<250-8BITMIME
<<250-SIZE 30720000

<<250 HELP

So for now I have a work around for the macs, iphone, blackjack's and pegasus mail clients that don't work with SF authentication, but it would be nice if CRAM-MD5 were added so I could centralize all authenticating users. Have sent an email to my iPhone users telling them to use a special DNS entry. Will let you know if they become happy campers.

Thanks!



-------------
http://www.webguyz.net


Posted By: LogSat
Date Posted: 10 August 2007 at 10:49pm
Most likely we will not be adding CRAM-MD5 support to SpamFilter. To use CRAM-MD5, SpamFilter should have access to the actual user's password.

This is not possible if using Unix's password files, and would require significantly lowering Active Directory's security by configuring it for reversible encryption for passwords (which could also require resetting all of the user's passwords). LDAP directories may support CRAM-MD5 authentication requests.

We'll be verifying the above assumptions, as they may not be 100% accurate, but this was currently the reason to not supporting that standard.


-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP


Posted By: atifghaffar
Date Posted: 13 August 2007 at 6:17pm
WebGuyz,

In my experience (trial and error), Its best to separate all different mail servers.
SF(I|E) are best left as MX Servers.

I have separate servers doing the following.

MX Server (SFI)
Accept mails from other mailservers for AuthorizedTo emails and forward to incoming mailserver. DO not ALLOW SMTP-AUTH (Relaying only)

Outgoing servers that do only one thing.
Send mails to other MX.

SMTP-AUTH Servers.
Similar like the outgoing servers except that they only auth SMTP-AUTH (No Relaying, even for the master domain or any other domin)

This keeps things nicely separated to also debug....




-------------
best regards

Atif


Posted By: WebGuyz
Date Posted: 13 August 2007 at 9:07pm
We do have separate servers for inbound (SFE) Main (smartermail) and outbound gateways(smartermail).
 
The only reason I am using SFE for auth is to protect against the spammers who bypass MX servers and try to send directly to servers. Our users use mail.xxxx.com for both incoming and outgoing servers (which is our main server) . While smartermail won't relay for a non-customer, it will attempt to deliver email to that server if its a valid domain on that server and it will attempt dictionary attacks against that server.
 
If way back when I had created a separate dns entry for outgoing and pointed it to a different server then this would have been moot. But since I had hundreds of users already setup that way SF fit the bill to authenticate using the same outgoing mail server as before.
 
Looking at Openldap or MS's free AD/AM as a possiblity of standardizing on LDAP for auth when I get some time.


-------------
http://www.webguyz.net


Posted By: LogSat
Date Posted: 19 December 2008 at 11:05pm
FYI we just made available in the registered user area a pre-release of SpamFilter v4.1.2.796 that should finally allow SMTP AUTH with the iPhone and Mac OS X Mail.app

-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP


Posted By: WebGuyz
Date Posted: 21 December 2008 at 4:36pm
woohoo!!

-------------
http://www.webguyz.net


Posted By: WebGuyz
Date Posted: 22 December 2008 at 3:50pm
Originally posted by LogSat LogSat wrote:

Most likely we will not be adding CRAM-MD5 support to SpamFilter. To use CRAM-MD5, SpamFilter should have access to the actual user's password.

This is not possible if using Unix's password files, and would require significantly lowering Active Directory's security by configuring it for reversible encryption for passwords (which could also require resetting all of the user's passwords). LDAP directories may support CRAM-MD5 authentication requests.
 
Roberto,
 
   We use Unix password file for authentication. Is this still true for the new version with CRAM-MD5 support? I don't have a Mac or Iphone to test with after loading the new version.


-------------
http://www.webguyz.net


Posted By: LogSat
Date Posted: 23 December 2008 at 4:02pm
Actually we didn't enable CRAM-MD5 support in SpamFilter, so everything is as it was. You can still use all previous authentication methods (Unix crypt, Active Directory with non-reversible encryption, etc), they are not affected by this new feature.

-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP


Posted By: WebGuyz
Date Posted: 23 December 2008 at 4:25pm
I thought CRAM-MD5 was what iphone used. Confused
 
I guess I'll just have to wait until I get a call (if I get call ;-) about someone asking how to get an Iphone or Mac box working for outgoing email by way of authentication thru the most current version.
 
Thanks!


-------------
http://www.webguyz.net


Posted By: LogSat
Date Posted: 23 December 2008 at 4:43pm
It's one of the ones used by Apple, but not the only one. To be honest I can't be sure if they recently enabled a new AUTH extension or we got lucky in our tests and found one they do support... but it seems to work with both devices (iPhone v2.2 and Leopard OS X 10.5.6)

-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP


Posted By: WebGuyz
Date Posted: 24 December 2008 at 2:38pm
So Iphone users should choose PASSWORD as the authentication method, correct?

-------------
http://www.webguyz.net


Posted By: LogSat
Date Posted: 24 December 2008 at 3:20pm
Correct.

-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP



Print Page | Close Window