postal: CRAM-MD5 problems

Hello guys. First, thanks for a great product.

The problem: we have old legacy software with a CRAM-MD5-only SMTP AUTH mechanism in curl.

When I simulate this method from the console, I get an error:

Command: curl --url smtp://myserver:25 --mail-rcpt 'me@my.domain' --mail-from 'curl@my.domain' --user 'me:mypassword' --upload-file message.txt --insecure --login-options AUTH=CRAM-MD5

Console error:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (67) Login denied

Log error:

[smtp.1:2293] [2017-11-23T14:16:57.048] DEBUG -- : [BRZAMY]    Connection opened from ::ffff:XXXXXXXX
[smtp.1:2293] [2017-11-23T14:16:57.048] DEBUG -- : [BRZAMY]    Client identified as ::ffff:XXXXXXXX
[smtp.1:2293] [2017-11-23T14:16:57.048] DEBUG -- : [BRZAMY] <= EHLO message.txt
[smtp.1:2293] [2017-11-23T14:16:57.056] DEBUG -- : [BRZAMY] => 250-My capabilities are
[smtp.1:2293] [2017-11-23T14:16:57.056] DEBUG -- : [BRZAMY] => 250 AUTH CRAM-MD5 PLAIN LOGIN
[smtp.1:2293] [2017-11-23T14:16:57.094] DEBUG -- : [BRZAMY] <= AUTH CRAM-MD5
[smtp.1:2293] [2017-11-23T14:16:57.094] DEBUG -- : [BRZAMY] => 334 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
[smtp.1:2293] [2017-11-23T14:16:57.094] DEBUG -- : [BRZAMY] <= XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
[smtp.1:2293] [2017-11-23T14:16:57.105] DEBUG -- : [BRZAMY] => 535 Denied
[smtp.1:2293] [2017-11-23T14:16:57.105] DEBUG -- : [BRZAMY]    Connection closed

When I change CRAM-MD5 to LOGIN in curl, all is fine.

How can I work with the CRAM-MD5 method on Postal Server?

Env: postal version: 1.0.0-67d0f6514d-stable

About this issue

  • State: closed
  • Created 7 years ago
  • Comments: 19 (9 by maintainers)

Most upvoted comments

I see the problem! The username is wrong.

It should be in the format org/server. If you browse to the credentials page, and click “Read more about sending outgoing e-mails” it will give you the correct username.

The username is ignored for PLAIN auth because the password is sent in plain text and can be looked up directly. CRAM-MD5 requires more cryptographic magic, so it has to look up the server first!

It seems very likely that this is the same cause of the problem for other people, because it’s not made very clear on the authentication page.
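The lookup difference described in the comment above, as an added example that is not part of the original thread and is not Postal's own code: a CRAM-MD5 reply (RFC 2195) decodes to a username and an HMAC-MD5 digest, never the secret, so the server needs the username to find the key, while a PLAIN reply carries the secret itself. The credential store, the `acme/mail` username, the host name and all helper names are constructed for illustration.

```ruby
require "openssl"
require "securerandom"

# Constructed credential store (an assumption, not Postal's schema):
# "org/server" style username => secret key.
CREDENTIALS = { "acme/mail" => "constructed-secret-key" }.freeze

# Strict Base64 helpers ("m0" = no line breaks; decoding raises on bad input).
def b64(str)
  [str].pack("m0")
end

def unb64(str)
  str.unpack1("m0")
end

# Server: the 334 line carries a Base64-encoded one-time challenge.
def cram_md5_challenge(host = "postal.example")
  b64("<#{SecureRandom.hex(8)}.#{Time.now.to_i}@#{host}>")
end

# Client: reply is Base64(username + " " + hex HMAC-MD5(secret, challenge)).
def cram_md5_response(username, secret, challenge_b64)
  digest = OpenSSL::HMAC.hexdigest("MD5", secret, unb64(challenge_b64))
  b64("#{username} #{digest}")
end

# Server: only the username in the reply says which key to recompute the
# HMAC with, so an unknown username fails even when the secret was right.
def cram_md5_verify(challenge_b64, response_b64)
  username, digest = unb64(response_b64).rpartition(" ").values_at(0, 2)
  secret = CREDENTIALS[username]
  return false if secret.nil?
  expected = OpenSSL::HMAC.hexdigest("MD5", secret, unb64(challenge_b64))
  OpenSSL.secure_compare(expected, digest)
rescue ArgumentError # malformed Base64
  false
end

# PLAIN sends authzid NUL authcid NUL password, so a server can match on the
# secret alone and ignore the username, as the comment describes.
def plain_verify(plain_b64)
  _authzid, _username, password = unb64(plain_b64).split("\0", 3)
  CREDENTIALS.value?(password)
rescue ArgumentError
  false
end
```
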

lol

Base64 decode will give them up anyway 😃

That’s odd,

Perhaps the earlier comment about the length of the password is accurate?

See below for the credentials used in testing the above log entries -

fortigate@m.amplia.co.tt - HqYrZMs73PSrxI4urfH7YP5a

test@amplia.co.tt - h8tDMHSKveG9XNmdlHEsVKCm

This certainly seems like a bug. I’ll try to reproduce it.