More Than Just Web Design | INTERNET ENGINEERING | APPLICATION | DESIGN

Outlook Authentication

Posted: 23/01/11

It's Worse Than That, It's Outlook, Jim

One of our new customers has been having mail delivery issues, but sadly they're a little vague about what the problem is. It seems to be either ISP relay or Exchange related, neither of which fall under our jurisdiction.

That said, it seemed reasonable to use our servers as a relay host so that we could at least have a fighting chance of looking through mail server logs for any strangeness, colour or charm. Switching Outlook 2003 over to an SMTP authenticated connection turned out to be a lot more fun than we bargained for.

Despite configuring Outlook 2003 appropriately, the server logs showed no attempt by Outlook 2003 to authenticate itself. Thus the server bounced messages as an attempt to relay from an untrusted host. This was really odd, because other mail programs, like Thunderbird, Evolution and Kmail worked just fine. Even Outlook 2007 appeared to do the right thing. After much frustration, We finally figured out why Outlook 2003 wouldn't properly authenticate when sending mail: it was not performing the ESMTP AUTH (see RFC 4954) dialogue, even with the broken client support hack switched on. After a little head scratching and some surfing around, we discovered that the problem lay with the choice of authentication mechanism being offered by the server. Our Postfix server uses the Dovecot IMAP/POP server as its authentication backend, and we'd set:

auth default {
   mechanisms = cram-md5 plain
}

as the two supported mechanisms. Changing this to:

auth default {
   mechanisms = cram-md5 plain login
}

did the trick and Outlook 2003 managed to authenticate itself successfully.

Now, while were on a roll, we thought it might be fun to try and get our webservers to use an authenticated connection. Setting up Postfix main.cf was easy:

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous

but we got this in the logs:

#warning: SASL authentication failure: No worthy mechs found

Fortunately this was fixed thus:

apt-get install libsasl2-modules

apt-get install libsasl2-modules-sql