Documenting.
Technology
By blixco (Thu Feb 07, 2008 at 09:40:02 AM EST) (all tags)
Just placing this here to document a technical issue between exchange and certain users.  If we find a solution to this, google will find it, meaning some poor schmuck sysadmin like me will have a very valuable answer.

But for now, there is no solution.

Update [2008-2-13 11:42:37 by blixco]: now there is a solution, see below.



Our setup: we have two smtp virtual servers.  One is on port 25, allows anonymous connections, and only allows connections from our upstream spam filter provider.  The second smtp virtual server is on port 465, uses TLS, and requires authentication to our domain.  The server itself is in our DMZ, and only allows ports 80, 443, 25, and 465 from the outside.

Most users can authenticate to and use the smtp server on port 465.  Some of them (roughly ten so far)...notably one person in IT, one of our VPs, and one random user created yesterday...cannot.  Using Thunderbird, they get error 5.7.3, this user does not have permission to send as the user.  The debug logs on the exchange server show: user domain/user is not allowed to send as user@domain.com.

The smtp debug log shows smtp result code 454 (TLS unavailable at the moment) instead of 250-OK after the initial starttls (and a subsequent re-issuing of EHLO).

The client sees the server saying: 454, quit.

The choice of client does not seem to matter.  The problem is account-based, and not client or IP based.  Extensive logging (turning the logging up to 7 for all elements present in HKLM/CCS/Services/MSExchangeTransport/Diagnostics) shows nothing new; the transport insists that USER does not have the right to send as USER.

I've tried having the user log on as their fully qualified name (user@domain.com).  The trace shows that the username is what gets rejected, pre-authentication: MAIL FROM: user@domain.com gets a response of 454, pre-auth.

So, WTF?  I spent $100 last night opening a case with MSFT which, I feel, will result in several weeks worth of me repeating the same words over and over again (with new logs attached each time that show the same thing), followed by, eventually, either a patch or abandonment.

Regardless, I will update this entry with any resolution, since googling for this exact issue turns up a billion hits with no solutions.

Update [2008-2-7 9:55:35 by blixco]: This is apparently limited to Thunderbird and Mac Mail.

Update [2008-2-13 11:35:34 by blixco]: To fix: open active directory users and computers. Click View and select Advanced. Find the affected user, right-click, select Properties. In the Security tab, look for an object called SELF. If the SELF object ain't there, add it.

Make sure SELF has send-as, receive-as, and write permissions. There are a couple of other perms in there normally selected by default; leave them alone. Apply, then test.

This is apparently an artifact of migrating from an older (pre-win2k3) domain, and in our case the affected accounts were all users who had never used Outlook.
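The fix above is a per-user click-through in ADUC. As an added example (not from the original post), this PowerShell audits every user under an OU for the condition the fix corrects: an Allow entry for NT AUTHORITY\SELF that grants the Send-As and Receive-As extended rights. It assumes the ActiveDirectory module (RSAT), which postdates the 2003-era domain described here; the OU path is a placeholder, and only the two extended rights are checked, not the Write permission the fix also mentions.

```powershell
# Added example, not code from the post: find user objects whose SELF entry is
# missing or lacks Send-As / Receive-As. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Well-known schema GUIDs for the Send-As and Receive-As extended rights.
$SendAsGuid    = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'
$ReceiveAsGuid = [guid]'ab721a56-1e2f-11d0-9819-00aa0040529b'

function Test-SelfMailRights {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    # Read the object's security descriptor through the AD: drive.
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)

    # Only Allow ACEs granted to the SELF principal matter for this problem.
    $selfAces = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and
        $_.AccessControlType -eq 'Allow'
    })

    $sendAs = $false
    $receiveAs = $false
    foreach ($ace in $selfAces) {
        $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
        if (($ace.ActiveDirectoryRights -band $extended) -eq 0) { continue }
        # An empty ObjectType GUID means the ACE grants every extended right.
        if ($ace.ObjectType -eq $SendAsGuid    -or $ace.ObjectType -eq [guid]::Empty) { $sendAs = $true }
        if ($ace.ObjectType -eq $ReceiveAsGuid -or $ace.ObjectType -eq [guid]::Empty) { $receiveAs = $true }
    }

    [pscustomobject]@{
        DistinguishedName = $DistinguishedName
        HasSelfAce        = ($selfAces.Count -gt 0)
        SendAs            = $sendAs
        ReceiveAs         = $receiveAs
    }
}

# Placeholder OU; report every user missing either right.
$ouPath = 'OU=Users,DC=domain,DC=com'
Get-ADUser -Filter * -SearchBase $ouPath |
    ForEach-Object { Test-SelfMailRights -DistinguishedName $_.DistinguishedName } |
    Where-Object { -not ($_.SendAs -and $_.ReceiveAs) } |
    Format-Table -AutoSize
```

Run it before and after applying the fix to confirm the SELF entry actually landed; an account that shows HasSelfAce as False is the migration artifact the post describes, while one with HasSelfAce True but SendAs False has the entry with the wrong rights.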

Documenting. | 19 comments (19 topical, 0 hidden) | Trackback
Google words: milf horny teens huge naturals by Rogerborg (4.00 / 10) #1 Thu Feb 07, 2008 at 09:47:08 AM EST
Wesley Crusher gay naked home movie Picard.

-
Metus amatores matrum compescit, non clementia.


YOU by blixco (4.00 / 8) #2 Thu Feb 07, 2008 at 09:54:53 AM EST
are not helping.
---------------------------------
"You bring the weasel, I'll bring the whiskey." - kellnerin
[ Parent ]

Coffee, meet Monitor and Keyboard. by greyrat (4.00 / 3) #5 Thu Feb 07, 2008 at 10:24:24 AM EST
Keyboard and Monitor, meet Coffee.
~
There is absolutely no correlation or causation amongst intelligence, power, talent and wealth.
Kha-Nyou
[ Parent ]

Look, we're all glad you have a new blog. by Christopher Robin was Murdered (4.00 / 3) #6 Thu Feb 07, 2008 at 10:46:58 AM EST
But give it a rest already. This hit-whoring is embarrassing everybody.

[ Parent ]

NOT! [nt] by greyrat (4.00 / 1) #7 Thu Feb 07, 2008 at 11:05:04 AM EST
[nt] == NOT!
~
There is absolutely no correlation or causation amongst intelligence, power, talent and wealth.
Kha-Nyou
[ Parent ]

logging ? by sasquatchan (2.00 / 0) #3 Thu Feb 07, 2008 at 09:55:45 AM EST
we don't need no stinkin' logging.

Can you telnet to the port and do raw SMTP commands with it ?

Is there any odd filtering going on ?

I ask about odd filtering, because in my past job, I worked for $LARGE_INTERNET_SECURITY_COMPANY and I had to debug a problem with logging in where our product's SMTP state engine didn't correctly reset itself under a very specific condition (based on what the encrypted password used to log into the SMTP server was). Very tricky, stupid thing. See if there's consistency in how login/pw are transported (plaintext, base-64, or other encryption methods -- find the RFC if you need info on that)



I can telnet to the port by blixco (2.00 / 0) #8 Thu Feb 07, 2008 at 12:33:20 PM EST
and I can get as far as EHLO, then starttls.  But if I don't do starttls, I get to mail from: user@domain and I get disconnected.

No strange filtering, and no fixup-protocol on the pix.

The passwd / smtp-auth start with kerberos, then move to ntlm.  Thunderbird starts with kerberos, so the negotiation works for, say, 99 percent of my users.
---------------------------------
"You bring the weasel, I'll bring the whiskey." - kellnerin
[ Parent ]

As sasquatchan mentioned by wiredog (2.00 / 0) #4 Thu Feb 07, 2008 at 10:00:26 AM EST
Try using telnet. Encrypted passwords can sometimes have issues too.

Where are they sending from? Is it a wireless link?

A couple years back, while doing $classified for $company, I had to write a custom e-mail app. It had issues connecting using wi-fi at Starbucks, but not at Panera. It turned out that the mail server trusted one site, but not the other, so different SMTP logons were required.

Earth First!
(We can strip mine the rest later.)



Login location doesn't by blixco (2.00 / 0) #9 Thu Feb 07, 2008 at 12:33:56 PM EST
matter.  The account does, but no other factors seem to affect the outcome.
---------------------------------
"You bring the weasel, I'll bring the whiskey." - kellnerin
[ Parent ]

Have you tried deleting/recreating the account? by wiredog (2.00 / 0) #10 Thu Feb 07, 2008 at 12:36:57 PM EST
Maybe it's something bizarre like the username causing a problem. Possibly in conjunction with the unicode codepage.

Oooh, unicode! Have you looked to see if the user/server are using the same unicode pages? I've been bitten by that one.

Earth First!
(We can strip mine the rest later.)

[ Parent ]

It never really gets that far. by blixco (2.00 / 0) #11 Thu Feb 07, 2008 at 04:17:03 PM EST
I created an entirely new account yesterday as a common account for the affected users to send with, and that new account failed.

Yet another new account created seconds later with the same defaults worked.

??
---------------------------------
"You bring the weasel, I'll bring the whiskey." - kellnerin
[ Parent ]

Have you checked the phase of the moon? by mrgoat (4.00 / 2) #12 Thu Feb 07, 2008 at 05:07:22 PM EST
Maybe instead of debug logs you need chicken entrails.

Regardless, if it's happening to Thunderbird and Mac Mail, and nowhere else, they'll likely tell you to use Outlook.

Years pass, things change, you end up living in Kansas. But the bag of dicks never leaves your side... - blixco
--top hat--
[ Parent ]

did the accounts you created... by Metatone (4.00 / 1) #14 Fri Feb 08, 2008 at 03:10:59 AM EST
have the same name?

[ Parent ]

Yes and no. by blixco (2.00 / 0) #15 Fri Feb 08, 2008 at 04:14:17 AM EST
I re-created one, and created another.

So, we've narrowed it to: smtp auth is working.  The error happens post-auth, it turns out.  The client auths, all is OK, then the client says

mail from:user@domain.com

and the client is told 454: tls ain't available right now.  On mozilla mail based clients, this causes a quit.
---------------------------------
"You bring the weasel, I'll bring the whiskey." - kellnerin
[ Parent ]
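Comment #3 suggests telnetting to the port and driving raw SMTP by hand, and comment #15 narrows the failure to a 454 arriving after AUTH succeeds and MAIL FROM is sent. As an added example (not from the post or any commenter), this PowerShell walks a saved transcript of such a session and reports the first command that drew a 4xx or 5xx reply, so the failing step is visible without reading the whole trace. The transcript is constructed: hostnames, addresses, banner text and the advertised AUTH mechanisms are placeholders.

```powershell
# Added example: locate the first failing step in a raw SMTP session transcript.
# Lines are prefixed "C: " (client) or "S: " (server), as you would note them
# down from a telnet session.
function Find-SmtpFailure {
    param([string[]]$Transcript)

    $lastCommand = $null
    foreach ($line in $Transcript) {
        if ($line -match '^C:\s*(.*)$') {
            $lastCommand = $Matches[1]
            continue
        }
        # Server reply: 3-digit code, then '-' for a continuation line or ' ' for the final line.
        if ($line -match '^S:\s*(\d{3})([ -])(.*)$') {
            $code = [int]$Matches[1]
            if ($Matches[2] -eq '-') { continue }   # multi-line reply, keep reading
            if ($code -ge 400) {
                $kind = if ($code -ge 500) { 'permanent' } else { 'transient' }
                return [pscustomobject]@{
                    Command = $lastCommand
                    Code    = $code
                    Kind    = $kind
                    Text    = $Matches[3]
                }
            }
        }
    }
    return $null   # no failing reply found
}

# Constructed transcript mirroring the thread: STARTTLS and AUTH succeed,
# then MAIL FROM is answered with 454 and the client quits.
$transcript = @(
    'S: 220 mail.example.com Microsoft ESMTP MAIL Service ready',
    'C: EHLO client.example.com',
    'S: 250-mail.example.com Hello [192.0.2.10]',
    'S: 250-STARTTLS',
    'S: 250-AUTH GSSAPI NTLM LOGIN',
    'S: 250 OK',
    'C: STARTTLS',
    'S: 220 2.0.0 SMTP server ready',
    'C: EHLO client.example.com',
    'S: 250-mail.example.com Hello [192.0.2.10]',
    'S: 250-AUTH GSSAPI NTLM LOGIN',
    'S: 250 OK',
    'C: AUTH NTLM <base64 omitted>',
    'S: 235 2.7.0 Authentication successful',
    'C: MAIL FROM:<user@domain.com>',
    'S: 454 4.7.0 TLS not available due to temporary reason',
    'C: QUIT'
)

Find-SmtpFailure -Transcript $transcript | Format-List
```

On the constructed transcript this reports Command MAIL FROM, Code 454, Kind transient. A 454 is a temporary-failure class code, which is why lax clients may retry or carry on while Thunderbird and Mac Mail, treating it as the end of the transaction, send QUIT; the code alone says nothing about the permission problem the Exchange diagnostics log names, so the transcript and the server-side log need to be read together.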

It's been almost 2 weeks by bruno (4.00 / 1) #13 Thu Feb 07, 2008 at 11:56:51 PM EST
Since I've been on Husi and this is all I get?  I was expecting to pass the next hour reading some exciting shit.  Adventures on the high seas and whatnot.  Instead I come to find crap about error 5.7.3 and authentication and abandonment.  WTF, indeed. 

I'm so lonely.  And so cold right now.



From the RFC by sasquatchan (2.00 / 0) #16 Fri Feb 08, 2008 at 12:02:55 PM EST
http://www.ietf.org/rfc/rfc2487.txt not sure who's doing what wrong. Sounds like it should be Unsure where the login/auth to the SMTP server comes in. (Assuming you're doing AUTH commands to log in, that's what I dealt with in my tricky error http://www.ietf.org/rfc/rfc2554.txt )



with the follow up duh by sasquatchan (2.00 / 0) #17 Fri Feb 08, 2008 at 12:03:56 PM EST
use wireshark (formerly ethereal) to watch how the two different programs work.

Best if done from the same machine with the same account. Then look at the two traces and see what's different. (Pretty easy to do this).

[ Parent ]

Yep. by blixco (2.00 / 0) #18 Fri Feb 08, 2008 at 01:24:25 PM EST
I have traces from multiple conversations, plus heavy logging on both the server's MTA and the client.

Get this: anytime I say mail from:certainuser@mydomain.com, it fails.  Unless the certainuser auths as me.

???

Microsoft tells me, we have a very tiny bug.  But they won't give me the details yet.
---------------------------------
"You bring the weasel, I'll bring the whiskey." - kellnerin
[ Parent ]

In combined reply... by Metatone (4.00 / 1) #19 Fri Feb 08, 2008 at 03:03:28 PM EST
I seem to think I've read about a timeout bug in Exchange TLS which strict clients (e.g. Thunderbird, various Mac options) drop connection on, but lax clients are ok with.

[ Parent ]
