I am running the Notes 8.5.1 FP1 client standalone. My organization recently began to require SSL and authentication to relay outbound SMTP, and I can’t make the Notes client talk to the SMTP server. (I can make the Thunderbird client work with the same server.)
Upon connection to its port 25, the server sends “220 smtp1.spsu.edu ESMTP Postfix”.
The Notes client should respond with EHLO (or perhaps HELO.) Thunderbird, which works, sends “EHLO [127.0.0.1]”.
However, what comes from Notes, as captured by Wireshark, is: \200@\001\003\000\000’\000\000\000\020\000\000\004\000\000\005\000\000/\000\0005\000\000 | \000\000\t\000\000b\000\000\003\000\000\002\000\000\001\000\000\001\001\000\200\002\000\200 | \246M\250’[\357\370k\245B|\351\357\253%
The server responds, “502 5.5.2 Error: command not recognized” which seems pretty reasonable to me! There’s a TCP/IP ACK for that message, but nothing from the Notes client.
The Notes client then waits until its timeout period expires and reports “Remote system no longer responding.”
Steps to reproduce:
Set up a Postfix server listening on port 25 and configured to allow smtp-auth with SSL.
Configure Notes 8.5.1 FP1 for SSL, and set the SSL protocol to “negotiated”. Supply appropriate account information, attempt to send a message, and capture the TCP/IP exchange with a network analyzer.
Any idea how to debug this? Is there something in the client or in notes.ini that could be changed to correct this problem?
I think you may be running into a port problem. The SMTP server should be configured to be accepting SMTP connections on port 25 and SSL/TLS connections on port 465. The Notes client should be configured to be using the port 465 if it’s negotiated SSL as the negotiation needs to take place on Port 25.
If you are using the Notes client to negotiate the port, make sure you have the SSL port configured to 465. It will (should) connect to port 25 first to negotiate which SSL protocol to use then continue on its way under port 465. If you choose to use "SSL v3.0 only) it will only connect to the configured port which should be 465.
Your example of sniffing the traffic using Wireshark didn’t show on which port you captured that traffic; I’ll go on a limb and say it’s finding SSL traffic instead of plain text because you’ve tried to set the SSL port to 25 in the Notes client.
As far as EHLO vs. HELO; The client should respond with EHLO because it is advertising that it uses the Extended SMTP protocol which is neeed for SMTP-AUTH.
I know SSL/TLS should be on 465, but the way the folks in our IT department have it configured, it’s on port 25. {sigh… were it not for the fact that I never speak ill of my colleagues…}
I have verified that the TCP conversation given in my original message is on port 25 for the server and a high-numbered port (1545 in this case) at the client, and double-checked that the port is set to 25 in the “advanced” tab for the account document.
Yes, the proper response is EHLO, but HELO would have given me an easier problem to report than the one I’ve got!
I have captured all the traffic, and the Notes client’s “binary stuff” comes immediately after the server’s “220,” that is, where EHLO should be. There should be some protocol negotiation before encrypted traffic starts. In particular, I should see “EHLO” from the client, a clear text “250” message from the server and a clear text “STARTTLS” message from the client before any encrypted traffic.
Although it’s on an oddball port, I can make this work with the Thunderbird client, so I should be able to make Notes work, too.
(For the curious, I’m using Notes stand-alone because I support a Notes/Domino installation elsewhere and it’s natural for me to use Notes.)
It’s been a while since I’ve looked at this so forgive me if I make a mistake here but my understanding is that there are two possible ways to get to SSL/TLS…
The first is to begin the handshake on a regular SMTP connection and then “upgrade” to TLS by using the STARTTLS command after ehlo . The second would be to immediately begin the SSL connection with the server.
I’m guessing that in your case, Notes is choosing the latter.
Have you tried explicitly matching the SSL type? Instead of “Negotiated” choose the other? I’ll have to go Google to find out which version allows you to skip STARTTLS…
I’m sure you’ve confirmed this, but I’ll ask anyway: Have you confirmed the Thunderbird client switchs to TLS after the initial ehlo?
I have Wireshark captures of Thunderbird working. (Ah, and Notes not working!) I’m sure Thunderbird issues a STARTTLS after sending EHLO.
I didn’t know it was possible to start directly in TLS, but even then I should be able to see Notes sending its own list of crypto capabilities and the server responding with an X.509 digital certificate, eh?
In this case,it’s the Notes client sending binary data first. That may be right,but I surely don’t understand it.
OK… I just set the port number to 465 and gave it a try. The Notes client makes its initial contact on 465 (not 25) and the server replies, “54 6.315090 168.28.176.203 10.5.1.103 ICMP Destination unreachable (Host administratively prohibited)”.
Does anybody have a Notes client doing smtp-auth? What do you have in the server account document, please?
The Notes client then sends “MAIL FROM:” and “RCPT TO:”. After “RCPT TO:” the server sends “554 5.7.1 <[redacted]>: Relay access denied”.
Apparently the server, which I do not control, is configured to deny relaying of unauthenticated senders. (Good.) However, it also won’t present the authentication challenge unless in TLS mode. That makes sense to me, too, as one wants the password to be encrypted.
I remain baffled. Does anyone have something like this working?
I don’t have any control over the server, so yes, Notes at 465 and server at 25, and the result was what I expected, but I’m grasping at straws.
I’ll try smtp-auth without TLS a little later this morning. It won’t work because the server’s not set up for it, but it may fail in a way that provides more insight than what I’ve got.