Hi Jochen,
With your help I selected "Do not use CRAM-MD5 authentication even if it is advertised"
It's now working.
Thank you very much for your help.
Do you know if there is any way to remove the emails with the user name and password from the archives?
Thanks,
Gary
On 12 Jun 2013 at 23:08, Jochen (Jochen Bern Jochen.Bern@LINworks.de) commented about Re: [stunnel-users] Getting Stunnel working with :
On 12.06.2013 21:28, Gary Kuznitz wrote:
On your first post I didn't see the difference in port numbers. I have corrected that. I'm getting this log from my email client:
--- Wed, 12 Jun 2013 12:22:46 ---
Connect to 'localhost' port 10115, timeout 60.
12:22:46.960 [*] Connection established to 127.0.0.1
12:22:47.226 >> 0120 220 vms173007pub.verizon.net -- Server ESMTP (Sun Java(tm) System Messaging Server 7u2-7.02 32bit (built Apr 16 2009))\0D\0A
First and foremost, this shows that your e-mail client can now talk to the server, which means that stunnel's job (the SSL negotiation) gets done successfully.
12:22:47.288 >> 0042 250-AUTH DIGEST-MD5 PLAIN LOGIN CRAM-MD5\0D\0A
12:22:47.288 >> 0022 250-AUTH=LOGIN PLAIN\0D\0A
This part of the server's reply to the EHLO command shows the auth mechanisms the server supports; CRAM-MD5 is listed ...
12:22:47.288 << 0015 AUTH CRAM-MD5\0D\0A
... and your client requests it.
12:22:47.335 >> 0050 334 PDEzNTYyOTY5MjEuMTIxMTA1NTFAdm1zMTczMDA3Pg==\0D\0A
The server issues (a base64 encoded version of) "1356296921.12110551@vms173007" as a "random" string challenge.
12:22:47.335 << 0058 YXR1cHJlcyBkYTlmZTI3MWFjODNjYWUxOTVjNmZhZWQ5ZGE0NTUzYg==\0D\0A
This is a base64 encoded version of "atupres da9fe271ac83cae195c6faed9da4553b". "atupres" should be your username and da9fe271ac83cae195c6faed9da4553b the HMAC-MD5 digest of the challenge with your password as the key.
I don't know a tool to compute HMAC-MD5 digests that is readily available under Windows, I'm afraid. If you're desperate, try http://www.freeformatter.com/hmac-generator.html (note that they won't know a) on which server and b) with what username you'll be using the password ...).
12:22:47.397 >> 0066 500 5.7.0 Unknown AUTH error -1 (Internal authentication error).\0D\0A
... and there the server says it cannot verify that.
Do you have any idea why I am getting [that]?
I can think of several *possible* reasons, but ultimately, the server doesn't tell us what exactly is wrong.
- It may be that the server is announcing CRAM-MD5 auth though it actually does *not* support it. (The DIGEST-MD5 and CRAM-MD5 mechs require that the server *knows* the (plaintext) password, while for PLAIN and LOGIN, storing only a hash of the password is enough, and foils attackers who manage to steal a copy of the password database.) Enforcing use of a different mechanism can probably be done through your e-mail client's settings, but I'm afraid that it's usually rather cryptic how exactly to do that ... If you want to have a *manual* try at another mech, here's a web page explaining what to input for PLAIN and LOGIN: http://www.gadgetwiz.com/protocols/smtp-auth-example.html and here's an MS KB article with a base64 en-/decoder: http://support.microsoft.com/kb/191239 Problem is that the strings to be base64 encoded are supposed *not* to have an end-of-line, and sometimes even to contain NUL bytes ("\0") ... Verify that your method of choice properly reproduces the examples in the howto page. :-C
- I'm a bit surprised that your username supposedly is "atupres", rather than "atupres@your.dom.ain", "atupres%your.dom.ain" or something to that effect ... ?
- The obvious one, a mistyped password ...
Regards, J. Bern
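The CRAM-MD5, PLAIN and LOGIN strings discussed in the quoted reply can be computed locally, so the password never has to be typed into a web form. This is an added example, not part of the original e-mails; the function names are assumptions, and the sample account is the published RFC 2195 test vector, not the account from this thread.

```python
import base64
import hashlib
import hmac

def _b64(raw: bytes) -> str:
    # b64encode never appends an end-of-line, which is what SMTP AUTH expects.
    return base64.b64encode(raw).decode("ascii")

def cram_md5_response(username: str, password: str, challenge_b64: str) -> str:
    """Client answer to a '334 <base64 challenge>' line (RFC 2195)."""
    challenge = base64.b64decode(challenge_b64)  # includes the <...> brackets
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return _b64(f"{username} {digest}".encode())

def split_cram_md5_response(response_b64: str) -> tuple:
    """Decode a client answer into (username, hex digest)."""
    text = base64.b64decode(response_b64).decode()
    user, _, digest = text.rpartition(" ")  # a username may itself contain spaces
    return user, digest

def verify_cram_md5(password: str, challenge_b64: str, response_b64: str) -> bool:
    """Server-side check; needs the plaintext password, as the reply points out."""
    _, digest = split_cram_md5_response(response_b64)
    expected = hmac.new(password.encode(), base64.b64decode(challenge_b64),
                        hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest.lower())

def plain_initial_response(username: str, password: str, authzid: str = "") -> str:
    """AUTH PLAIN argument: authzid NUL username NUL password, no end-of-line."""
    return _b64(f"{authzid}\0{username}\0{password}".encode())

def login_responses(username: str, password: str) -> tuple:
    """AUTH LOGIN: username and password are base64 encoded separately."""
    return _b64(username.encode()), _b64(password.encode())

# RFC 2195 sample exchange (published test vector, not data from this thread).
RFC_CHALLENGE = "PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+"
RFC_USER, RFC_PASSWORD = "tim", "tanstaaftanstaaf"

if __name__ == "__main__":
    answer = cram_md5_response(RFC_USER, RFC_PASSWORD, RFC_CHALLENGE)
    print("CRAM-MD5:", answer, split_cram_md5_response(answer))
    print("verifies:", verify_cram_md5(RFC_PASSWORD, RFC_CHALLENGE, answer))
    print("PLAIN:   ", plain_initial_response(RFC_USER, RFC_PASSWORD))
    print("LOGIN:   ", login_responses(RFC_USER, RFC_PASSWORD))
```
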