Error: SMTP Error: 503 Authentication is allowed only once per connection

Infos about System

  • passbolt - latest from DockerHub (Container run on Kubernetes Cluster)
  • Emails should be sent via the Secure Mail Gateway (SMG) from T-Systems. This SMG only supports port 25; TLS is also run over port 25. Other tools work fine with this SMG.

We are currently unable to send emails with the following error - I’m not sure but it’s probably a bug in passbolt because I can’t enforce an auth mechanism directly.

Thanks for your help.



cake passbolt send_test_email --recipient=

Open source password manager for teams

Debug email shell

Email configuration

Host: otc-de-out.mms.t-systems-service.com
Port: 25
Username:
Password: *********
TLS: true
Sending email from: Passbolt <>
Sending email to:

Trace
[220] <LOOK HOST because only 2 links at post> ESMTP

EHLO localhost
[250] <LOOK HOST because only 2 links at post> Hello localhost [IP]
[250] SIZE 104857600
[250] 8BITMIME
[250] PIPELINING
[250] PIPE_CONNECT
[250] AUTH LOGIN
[250] CHUNKING
[250] STARTTLS
[250] HELP
STARTTLS
[220] TLS go ahead
EHLO localhost
[250] <LOOK HOST because only 2 links at post> Hello localhost [IP]
[250] SIZE 104857600
[250] 8BITMIME
[250] PIPELINING
[250] PIPE_CONNECT
[250] AUTH LOGIN
[250] CHUNKING
[250] HELP
AUTH PLAIN AG90Yy1ldS1kZS0wMDAwMDAwMDAwMTAwMDAzMzA3NEBvdGMtZXUtZGUubG9naW4A*****
[504] PLAIN authentication mechanism not supported
Could not send the test email.
Error: SMTP Error: 503 Authentication is allowed only once per connection

@TuxMK Can you list the docker environment variables you are currently using? Also, the general format of the values, but change what you need to for security reasons.

@garrett sure

PAAS_APP_NAME = passbolt
PAAS_NAMESPACE = default
PAAS_PROJECT_ID = f221102b82ac49eea1a9f6e0204b113a
APP_FULL_BASE_URL = xxxxxxxxx
DATASOURCES_DEFAULT_HOST = xxxxxx
DATASOURCES_DEFAULT_USERNAME = xxxxxxxxx
DATASOURCES_DEFAULT_PASSWORD = xxxxxxx
DATASOURCES_DEFAULT_DATABASE = xxxxxxxxx
DATASOURCES_DEFAULT_PORT = 3306
DATASOURCES_QUOTE_IDENTIFIER = true
PASSBOLT_REGISTRATION_PUBLIC = false
TZ = Europe/Berlin
EMAIL_DEFAULT_TRANSPORT = default
EMAIL_DEFAULT_FROM = xxxxx@xxxxxxxx
EMAIL_TRANSPORT_DEFAULT_HOST = otc-de-out.mms.t-systems-service.com
EMAIL_TRANSPORT_DEFAULT_PORT = 25
EMAIL_TRANSPORT_DEFAULT_TLS = true
EMAIL_TRANSPORT_DEFAULT_USERNAME = xxxxxxxxx@xxxxxxxxx
EMAIL_TRANSPORT_DEFAULT_PASSWORD = xxxxxxxxxxx
EMAIL_TRANSPORT_DEFAULT_CLASS_NAME = Smtp

@TuxMK Thank you that is helpful. I looked for documentation from t-systems-services but couldn’t find anything. Are you referencing a set of requirements they provide? Can you link to those?

My first thought is that we might need to take the different parts and create a Data Source Name URI string as described here Mailer - 4.x. I am having trouble finding a previous example here in the forum but I think we did one like this before. The auth would go into the URI string.

I believe it would use EMAIL_TRANSPORT_DEFAULT_URL for this.

@garrett This is the link to the documentation: Help Center

I still don’t quite understand why the specific URI can help, because Telekom got the feedback (if I read the log correctly) that the attempted login via Plain Auth is not permitted and the second login by passbolt (with another auth mechanism) is no longer allowed in the current session, right? So Passbolt should either offer a way to force a certain auth mechanism or reestablish the connection after each failed login?!

Thanks for help.

@TuxMK Thank you for the documentation.

If I understand correctly, this is a gateway service that is redirecting traffic to your mail server?

Did you set up your server with postfix or exim?

You said that other services have accessed it okay - can you provide an example?

And you are correct, as it is saying AUTH LOGIN so no PLAIN is permitted.

Also, EMAIL_TRANSPORT_DEFAULT_CLIENT may be needed to announce you are coming from a domain or IP that you have whitelisted on your mail server. Sometimes with gateways localhost is blocked.

Additional: I have confirmed that CakePHP runs _auth() which starts with _authPlain() and then _authLogin(). You can find it in the /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Mailer/Transport/SmtpTransport.php file for reference.

We don’t recommend altering the source code because it will get overwritten. However, if you want to modify it to start with _authLogin and see if that solves the problem, it would be helpful to know.

@garrett Thanks for the help! So in principle the users of our Passbolt instance are happy again.

So, what I did: I built a container with the following Dockerfile and commented out the following lines in SmtpTransport.php

./Dockerfile

FROM passbolt/passbolt:3.6.0-1-ce

COPY ./usr/share/php/passbolt/vendor/cakephp/cakephp/src/Mailer/Transport/SmtpTransport.php /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Mailer/Transport/SmtpTransport.php
#RUN chmod 644 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Mailer/Transport/SmtpTransport.php

SmtpTransport.php

...
line 285

        /*
        $replyCode = $this->_authPlain($username, $password);
        if ($replyCode === '235') {
            return;
        }
        */

line 290
...

Do you think that EMAIL_TRANSPORT_DEFAULT_CLIENT will still help us? Probably not, right?

Trace
[220] otc-de-mta02.mms.t-systems-service.com ESMTP
> EHLO localhost
[250] otc-de-mta02.mms.t-systems-service.com Hello localhost [xx.xx.xx.xx]
[250] SIZE 104857600
[250] 8BITMIME
[250] PIPELINING
[250] PIPE_CONNECT
[250] AUTH LOGIN
[250] CHUNKING
[250] STARTTLS
[250] HELP
> STARTTLS
[220] TLS go ahead
> EHLO localhost
[250] otc-de-mta02.mms.t-systems-service.com Hello localhost [xx.xx.xx.xx] //here our remote / WAN ip was displayed
[250] SIZE 104857600
[250] 8BITMIME
[250] PIPELINING
[250] PIPE_CONNECT
[250] AUTH LOGIN
[250] CHUNKING
[250] HELP
> AUTH LOGIN
[334] XXxXxxxXXXX
> *****
[334] XXXxxXXxxxX
> *****
[235] Authentication succeeded
> MAIL FROM:<mail@hostname.eu>
[250] OK
> RCPT TO:<mail@hostname.eu>
[250] Accepted
> DATA
[354] Enter message, ending with "." on a line by itself
> From: Passbolt <mail@hostname.eu>
To: m.klute@endoo.eu
Date: Fri, 01 Jul 2022 04:49:12 +0000
Message-ID: <ce71f8ca6d53415e8fb25231c78e9fc2@passbolt-65747948f5-bvdpr>
Subject: Passbolt test email
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Congratulations!
If you receive this email, it means that your passbolt smtp configuration is working fine.




.
[250] OK id=1o78ae-0003lr-Mb
> QUIT
The message has been successfully sent!

A short answer to your last message:

if I understand correctly, this is a gateway service that is redirecting traffic to your mail server?
→ No, it is basically an SMTP server like any other, which inspects outgoing messages from a security perspective and, if necessary, blocks them when sending, but the login to the SMG does not differ in principle from the login to a regular Postfix mail server (with the exception of various restrictions such as no PLAIN and only one login per connection, as we have now seen).

Did you set up your server with postfix or exim?
→ Unfortunately, I cannot answer this question because we do not operate our own mail server and only use the SMG for sending. If this is of great relevance, then I can try to find out the SMG’s software from the provider (Telekom).

You said that other services have accessed it okay - can you provide an example?
→ Yes, exactly: our own Java backend applications work perfectly, and after my small change so does Passbolt (-;
Please let me know if it would be helpful for me to ask our development team for a small code snippet.

All in all - how do we proceed here? Should we report a bug or feature request? And where is the best place to do this?

@TuxMK That’s a great workaround, nice job! :tada: :muscle:

All those questions were only for my understanding, and you'll be fine with how the mail server is. The only real change needed was your workaround, it seems. I have not encountered this specific problem before with other users, and I think it's uncommon for mail gateways to restrict authentication to one attempt, so I wouldn't consider it a bug. Not many results were returned when I searched that phrase on the internet. The app did not have a catch for that specific error and so returned whatever the server said, which was: SMTP Error: 503 Authentication is allowed only once per connection

The way you approached the solution is probably the most ideal way and now we have it documented which is great.

Thank you for posting back with the results!

Note to team: @AnatomicJC maybe we could propose that a catch be added to the smtp debug as I saw that extends the source code related to this? I think 503 is generic though, and this message is unique to the gateway in this case.

@garrett - In the meantime I have received feedback from Telekom (T-Systems) - this may help to be able to optimize the passbolt-mail-client.

“It is a security requirement based on SMTP RFC that authentication is only allowed once per connection. Also, we have explicitly disabled the authentication level on the SMG.
And it is also visible in the connection test that SMG does not communicate any authentication level to the sending system. It is also a fault of the sending system to use an unannounced feature. It must be attached on the sender side.”

@TuxMK Thanks for the follow-up. I'm not sure which RFC they are referring to, but I have read that the restriction applies only if the AUTH command is successful (see page 3 below in the restrictions section). If, however, the AUTH command is not successful, another AUTH command is permitted.[0]

Do you understand what they mean by unannounced feature?

[0] RFC 4954 - SMTP Service Extension for Authentication see page 6

EDIT: They must be meaning if PLAIN is not announced then PLAIN should not be attempted. I tend to agree with this. But, their overly restrictive application of AUTH makes them the first vendor I’m aware of that produced the results we saw. After all, it’s possible to offer multiple methods of AUTH.

@garrett Probably an unhelpful answer from Telekom - sorry (-;

“With “unannounced feature” we mean, that it is clear during communication, that the PLAIN authentication is not supported.
You can see that after the EHLO we only offer AUTH LOGIN.
So the client should not try to use AUTH PLAIN at all as it already knows, that only LOGIN is offered.”
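The two behaviours discussed in this thread, the CakePHP order of trying PLAIN before LOGIN regardless of what EHLO announced, and the gateway's rule of one AUTH command per connection, can be modelled side by side. This is an added example, not code from passbolt or CakePHP; the FakeGateway class is a constructed stand-in that reproduces the replies seen in the traces above (504 for PLAIN, 503 on any second AUTH), and auth_announced shows the client-side fix of only offering a mechanism the server advertised.

```python
# Constructed model of the gateway behaviour seen in the thread's traces:
# only AUTH LOGIN is announced, PLAIN is refused with 504, and any second
# AUTH command on the same connection is refused with 503.
class FakeGateway:
    EHLO = ["250-mta.example Hello localhost [203.0.113.10]",  # constructed host/IP
            "250-SIZE 104857600", "250-AUTH LOGIN", "250 HELP"]

    def __init__(self, user="user", password="secret"):  # constructed credentials
        self.user, self.password, self.auth_attempted = user, password, False

    def auth(self, mechanism, user, password):
        if self.auth_attempted:
            return "503 Authentication is allowed only once per connection"
        self.auth_attempted = True
        if mechanism != "LOGIN":
            return f"504 {mechanism} authentication mechanism not supported"
        ok = (user, password) == (self.user, self.password)
        return "235 Authentication succeeded" if ok else "535 Authentication failed"


def advertised_auth(ehlo_lines):
    """Collect the SASL mechanisms announced in the EHLO reply (RFC 4954 AUTH keyword)."""
    mechs = set()
    for line in ehlo_lines:
        body = line[4:]  # drop the '250-' / '250 ' prefix
        upper = body.upper()
        if upper.startswith("AUTH ") or upper.startswith("AUTH="):
            mechs.update(m.upper() for m in body[5:].split())
    return mechs


def auth_blind(gw, user, pw):
    """Order described in the thread: PLAIN first, then LOGIN, without consulting EHLO."""
    reply = gw.auth("PLAIN", user, pw)
    if reply.startswith("235"):
        return reply
    return gw.auth("LOGIN", user, pw)  # second AUTH: the gateway answers 503


def auth_announced(gw, user, pw, preferred=("PLAIN", "LOGIN")):
    """Send exactly one AUTH, using the first preferred mechanism the server announced."""
    offered = advertised_auth(gw.EHLO)
    for mech in preferred:
        if mech in offered:
            return gw.auth(mech, user, pw)
    return None  # nothing usable was announced: fail before sending AUTH at all
```

Against a server that announces both PLAIN and LOGIN, auth_announced still prefers PLAIN, so the change only affects servers that, like this SMG, restrict what they advertise.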

@TuxMK Well, I’m happy it’s working for you now. I’m sure someone else will run into this at some point. Thanks for the extra info.

@TuxMK Out of curiosity I searched for the history of CakePHP code on this. AUTH PLAIN only smtp servers cannot be used · Issue #14634 · cakephp/cakephp · GitHub

They used to only have AUTH LOGIN and then someone points out that is considered obsolete and AUTH PLAIN is the common approach now. So now they offer both, starting with AUTH PLAIN.

The link to obsolete was Simple Authentication and Security Layer (SASL) Mechanisms which shows a list of available formats, see mechanism column.

Learned something new today.