XEROX Machines Unable to Connect - Build 7348
Problem reported by Tyler Raley - 2/19/2020 at 11:17 AM
Being Fixed
Currently on Build 7348 (Feb 13, 2020). We have several users unable to connect their XEROX Machines through SMTP. We were also unsuccessful. Password checked several times over. Server logs below.

[2020.02.19] 12:33:40.677 [XX.XXX.XXX.XXX][43390198] rsp: 220 mail.firehousesolutions.com Wed, 19 Feb 2020 17:33:40 +0000 UTC - SmarterMail Enterprise
[2020.02.19] 12:33:40.677 XX.XXX.XXX.XXX][43390198] connected at 2/19/2020 12:33:40 PM
[2020.02.19] 12:33:40.677 [XX.XXX.XXX.XXX][43390198] Country code: US
[2020.02.19] 12:33:40.677 [XX.XXX.XXX.XXX][43390198] IP in whitelist
[2020.02.19] 12:33:40.677 [XX.XXX.XXX.XXX][43390198] IP in authentication bypass
[2020.02.19] 12:33:40.677 [XX.XXX.XXX.XXX][43390198] disconnected at 2/19/2020 12:33:40 PM
[2020.02.19] 12:33:41.006 [XX.XXX.XXX.XXX][27299892] rsp: 220 mail.firehousesolutions.com Wed, 19 Feb 2020 17:33:41 +0000 UTC - SmarterMail Enterprise
[2020.02.19] 12:33:41.006 [XX.XXX.XXX.XXX][27299892] connected at 2/19/2020 12:33:41 PM
[2020.02.19] 12:33:41.006 [XX.XXX.XXX.XXX][27299892] Country code: US
[2020.02.19] 12:33:41.006 [XX.XXX.XXX.XXX][27299892] IP in whitelist
[2020.02.19] 12:33:41.006 [XX.XXX.XXX.XXX][27299892] IP in authentication bypass
[2020.02.19] 12:33:41.021 [XX.XXX.XXX.XXX][27299892] cmd: EHLO XRX9C934E8EEDA9.MVFD.local
[2020.02.19] 12:33:41.037 [XX.XXX.XXX.XXX][27299892] rsp: 250-mail.firehousesolutions.com Hello [XX.XXX.XXX.XXX]250-SIZE 52428800250-AUTH LOGIN CRAM-MD5 NTLM250-STARTTLS250-8BITMIME250-DSN250 OK
[2020.02.19] 12:33:41.055 [XX.XXX.XXX.XXX][27299892] cmd: AUTH NTLM
[2020.02.19] 12:33:41.055 [XX.XXX.XXX.XXX][27299892] Authentication failed - ntlm start
[2020.02.19] 12:33:41.055 [XX.XXX.XXX.XXX][27299892] rsp: 535 Authentication failed
[2020.02.19] 12:33:41.068 [XX.XXX.XXX.XXX][27299892] disconnected at 2/19/2020 12:33:41 PM


17 Replies

Reply to Thread
1
Jason Adams Replied
I am having the same issue, lately it seems that they deserve a name change #NotSoSmarterTools.

Come on folks, get it together!
1
Larry Duran Replied
Employee Post
Hey Tyler, it looks like it's trying to use NTLM to authenticate but it's never sending the initial NTLM data in the request.  This is how NTLM normally works,

Clients sends: AUTH NTLM [base64 encoded initial message]
Server sends: [base64 encoded challenge response]
Client sends: AUTH NTLM [base64 encoded authenticate message that's validated by the server]

So the client, the Xerox machine, isn't sending that first message in the auth, which is why the login fails.  I did find a Microsoft documentation that shows SMTP can actually send the AUTH NTLM command without including the initial message.  I'll add this to our bugs list for us to fix.  I don't have a Xerox machine to test against though but I can supply you with a custom build if you wouldn't mind testing it out.
Larry Duran
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Ronald Raley Replied
Larry, we are crossing our fingers that this will be fixed in Friday's release.  Thank you for logging it.

We look forward to gettting our Xerox customers back in business.

Ron
0
Tyler Raley Replied
Upgraded to Build 7355 (Feb 20, 2020) and continue to experience issues connecting a XEROX. Password checked several times over. Server logs below. Thank you!

---------------------------

[2020.02.22] 12:35:20.411 [XX.XXX.XXX.XXX][13076009] rsp: 220 mail.firehousesolutions.com Sat, 22 Feb 2020 17:35:20 +0000 UTC - SmarterMail Enterprise
[2020.02.22] 12:35:20.411 [XX.XXX.XXX.XXX[13076009] connected at 2/22/2020 12:35:20 PM
[2020.02.22] 12:35:20.426 [XX.XXX.XXX.XXX][13076009] Country code: US
[2020.02.22] 12:35:20.426 XX.XXX.XXX.XXX][13076009] IP in whitelist
[2020.02.22] 12:35:20.426 [XX.XXX.XXX.XXX][13076009] IP in authentication bypass
[2020.02.22] 12:35:20.489 [XX.XXX.XXX.XXX][13076009] cmd: EHLO XRX9C934E8EEDA9.MVFD.local
[2020.02.22] 12:35:20.489 [XX.XXX.XXX.XXX][13076009] rsp: 250-mail.firehousesolutions.com Hello [24.245.101.238]250-SIZE 52428800250-AUTH LOGIN CRAM-MD5 NTLM250-8BITMIME250-DSN250 OK
[2020.02.22] 12:35:20.520 [XX.XXX.XXX.XXX][13076009] cmd: AUTH NTLM
[2020.02.22] 12:35:20.520 [XX.XXX.XXX.XXX][13076009] Authentication failed - ntlm start
[2020.02.22] 12:35:20.520 [XX.XXX.XXX.XXX][13076009] rsp: 535 Authentication failed
[2020.02.22] 12:35:20.536 [XX.XXX.XXX.XXX][13076009] disconnected at 2/22/2020 12:35:20 PM
0
Sébastien Riccio Replied
I would say NTLM on SmarterMail is half broken.

At least my attempts to use NTLM as auth with the "Swiss Army Knife for SMTP" (swaks) result in failure:


madjik@prism:~ 10 $ swaks --to sriccio@xxx.com --from "madjik@xxx.com" --header "Subject: Test mail" --body "This is a test mail" --server mail03.xxx.com --port 587 --timeout 40s --auth NTLM --auth-user "madjik@xxx.com" --auth-password <redacted> -tls 
=== Trying mail03.xxx.com:587...
=== Connected to mail03.xxx.com.
<-  220 mail03.xxx.com xxx Mail Server; Sun, 23 Feb 2020 02:46:05 +01:00; Your IP: 94.103.97.100
 -> EHLO prism
<-  250-mail03.xxx.com Hello [94.x.x.x]
<-  250-SIZE 52428800
<-  250-AUTH LOGIN CRAM-MD5 NTLM
<-  250-STARTTLS
<-  250-8BITMIME
<-  250-DSN
<-  250 OK
 -> STARTTLS
<-  220 Start TLS negotiation
=== TLS started with cipher TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
=== TLS no local certificate set
=== TLS peer DN="/OU=Domain Control Validated/OU=GoGetSSL Wildcard SSL/CN=*.xxx.com"
 ~> EHLO prism
<~  250-mail03.xxx.com Hello [94.x.x.x]
<~  250-SIZE 52428800
<~  250-AUTH LOGIN CRAM-MD5 NTLM
<~  250-8BITMIME
<~  250-DSN
<~  250 OK
 ~> AUTH NTLM
<~* 535 Authentication failed
*** No authentication type succeeded
 ~> QUIT
<~  221 Service closing transmission channel
=== Connection closed with remote host.

The same attempt with LOGIN is ok:

=== TLS started with cipher TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
=== TLS no local certificate set
=== TLS peer DN="/OU=Domain Control Validated/OU=GoGetSSL Wildcard SSL/CN=*.xxx.com"
 ~> EHLO prism
<~  250-mail03.xxx.com Hello [x.x.x.x]
<~  250-SIZE 52428800
<~  250-AUTH LOGIN CRAM-MD5 NTLM
<~  250-8BITMIME
<~  250-DSN
<~  250 OK
 ~> AUTH LOGIN
<~  334 VXNlcm5hbWU6
 ~> bWFkamlrQGFyZWExMy5jb20=
<~  334 UGFzc3dvcmQ6
 ~> QW5nZWwxOTk4ISE=
<~  235 Authentication successful
 ~> MAIL FROM:<madjik@xxx.com>
<~  250 OK <madjik@xxx.com> Sender ok
 ~> RCPT TO:<sriccio@xxx.com>
<~  250 OK <sriccio@xxx.com> Recipient ok
 ~> DATA
<~  354 Start mail input; end with <CRLF>.<CRLF>
 ~> Date: Sun, 23 Feb 2020 02:52:43 +0100
 ~> To: sriccio@xxx.com
 ~> From: madjik@xxx.com
 ~> Subject: Test mail
 ~> Message-Id: <20200223025243.029859@prism>
 ~> X-Mailer: swaks v20181104.0 jetmore.org/john/code/swaks/
 ~> 
 ~> This is a test mail
 ~> 
 ~> 
 ~> .
<~  250 OK
 ~> QUIT
<~  221 Service closing transmission channel
=== Connection closed with remote host.
On another hand I wasn't able to test swaks with NTLM on another server as I can't find any SMTP server allowing NTLM (even our local "real" exchange server or the outlook.com server smtp.office365.com)

I wonder why this has been added to SmarterMail, was it a requirement for something ?

IMHO it would be better to add the basic and widely used auth PLAIN...


Sébastien Riccio
System & Network Admin

0
Sébastien Riccio Replied
Hi,

I did an additionnal test with a basic telnet command flow test:

sriccio@prism:~ 28 $ telnet mail03.xxx.com 587
Trying 94.103.96.141...
Connected to mail03.xxx.com.
Escape character is '^]'.
220 mail03.xxx.com xxxMail Server; Sun, 23 Feb 2020 08:39:08 +01:00; Your IP: 94.103.97.100
EHLO prism
250-mail03.xxx.com Hello [94.103.x.x]
250-SIZE 52428800
250-AUTH LOGIN CRAM-MD5 NTLM
250-STARTTLS
250-8BITMIME
250-DSN
250 OK
AUTH NTLM
535 Authentication failed

Here we can see SmarterMail rejects directly the authentication process when we send "AUTH NTLM"

If I understand correctly, after AUTH NTLM is sent by the client, the server should respond with a "334 ntlm supported", but in my test it just reply that auth is failed.
Source:

Here is the server-side log:

[2020.02.23] 08:39:08.284 [94.103.x.x][4394992] Country code: CH
[2020.02.23] 08:39:08.284 [94.103.x.x][4394992] IP in whitelist
[2020.02.23] 08:39:12.987 [94.103.x.x][4394992] cmd: EHLO prism
[2020.02.23] 08:39:12.987 [94.103.x.x][4394992] rsp: 250-mail03.xxx.com Hello [94.103.x.x]250-SIZE 52428800250-AUTH LOGIN CRAM-MD5 NTLM250-STARTTLS250-8BITMIME250-DSN250 OK
[2020.02.23] 08:39:18.643 [94.103.x.x][4394992] cmd: AUTH NTLM
[2020.02.23] 08:39:18.643 [94.103.x.x][4394992] Authentication failed - ntlm start
[2020.02.23] 08:39:18.643 [94.103.x.x][4394992] rsp: 535 Authentication failed
[2020.02.23] 08:44:23.284 [94.103.x.x][4394992] rsp: 421 Command timeout, closing transmission channel
[2020.02.23] 08:44:23.284 [94.103.x.x][4394992] disconnected at 23.02.2020 08:44:23
Tested against latest (7355) build.

I guess the problem is not only with Xerox devices, but all devices/softwares supporting NTLM auth that first send "AUTH NTLM".

Sébastien Riccio
System & Network Admin

1
Ronald Raley Replied
Why did SmarterTools remove such basic functionality?  I'm just baffled.
0
Sébastien Riccio Replied
Well actually I think they did not remove anything, only added NTLM auth method and your xerox device detects it and tries to use it. But it seems the NTLM implemenation in SM is not working in all cases.
I can't speak for ST team so let's wait for a feedback from the team.
Sébastien Riccio
System & Network Admin

2
Larry Duran Replied
Employee Post
Just to clarify some things here.  Ronald Raley and Tyler Raley are the only ones who have a custom build with this potential fix in it.  Sebastien, your tests would result in failures as the fix is not in the public release.  Also, our NTLM for SMTP does respond with a "334 ntlm supported" when the client issues an "auth ntlm" command.  I was only able to test this using telnet commands as we don't have a Xerox machine that we could test against, which is why a custom build was produced instead of adding this into the public build.

This is what I get when I telnet the same commands to my local development server:

220 DEV.local
ehlo
250-DEV.local Hello [127.0.0.1]
250-SIZE 250-AUTH LOGIN CRAM-MD5 NTLM
250-8BITMIME
250-DSN
250 OK
auth ntlm
334 ntlm supported

The only way this would fail with "Authentication failed - ntlm start" is if there were some characters after "auth ntlm".  I'll send Ronald and Tyler another build to test against as it almost seems like the fix did not make it into the custom build.

Also, Sebastien you are correct that we recently added NTLM support as an additional authentication method.  I also would not say NTLM is not working in all cases.  We've recently patched some fixes for NTLM and IMAP, but we're not aware of any other NTLM issues.
Larry Duran
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
1
Sébastien Riccio Replied
ok thanks larry. If there is no issue I won't spend more time trying to help

still:

auth ntlm
535 Authentication failed.

on latest public beta -> "production ready" <-  build....

telnet mail.smartertools.com 587
Trying 66.172.30.61...
Connected to mail.smartertools.com.
Escape character is '^]'.
220 mail.smartertools.com
ehlo
250-mail.smartertools.com Hello [94.103.x.x]
250-SIZE
250-AUTH LOGIN CRAM-MD5 NTLM
250-STARTTLS
250-8BITMIME
250-DSN
250 OK
auth ntlm
535 Authentication failed

?
Sébastien Riccio
System & Network Admin

1
Larry Duran Replied
Employee Post
Hey Sebastien, that is a correct response on the latest public release.  We haven't merged the fix for this issue into the public build as of yet until we verify the fix.  If the fix gets verified then I'll merge it and it should show up in the next public release.  At that point if you test it you will see the correct responses.
Larry Duran
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Ronald Raley Replied
Larry, your custom build has been received and installed.  I am awaiting a test on the Xerox machine.  Thank you!
0
echoDreamz Replied
We had this issue to with many printers/scanners. Thankfully we were able to have the customers change the auth method to PLAIN instead of AUTO and that fixed the issue. Though, did result in a few really angry IT guys.
2
Ronald Raley Replied
Xerox test was a success!
1
Larry Duran Replied
Employee Post
Awesome Ronald, thanks for confirming the fix.  I'll get this merged into our next public release.
Larry Duran
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Webio Replied
Hello,

I'm on build 7398 and my customers are also experiencing this issue:

2020.04.08 08:27:39.133 [CLIENTREMOTEIP][39266409] rsp: 220 SM_HOST
2020.04.08 08:27:39.133 [CLIENTREMOTEIP][39266409] connected at 2020-04-08 08:27:39
2020.04.08 08:27:39.133 [CLIENTREMOTEIP][39266409] Country code: PL
2020.04.08 08:27:39.148 [CLIENTREMOTEIP][39266409] cmd: EHLO CLIENT_NAME
2020.04.08 08:27:39.148 [CLIENTREMOTEIP][39266409] rsp: 250-SM_HOST Hello [CLIENTREMOTEIP]250-SIZE 104857600250-AUTH LOGIN CRAM-MD5 NTLM250-STARTTLS250-8BITMIME250-DSN250 OK
2020.04.08 08:27:39.148 [CLIENTREMOTEIP][39266409] cmd: STARTTLS
2020.04.08 08:27:39.148 [CLIENTREMOTEIP][39266409] rsp: 220 Start TLS negotiation
2020.04.08 08:27:39.367 [CLIENTREMOTEIP][39266409] cmd: EHLO CLIENT_NAME
2020.04.08 08:27:39.367 [CLIENTREMOTEIP][39266409] rsp: 250-SM_HOST Hello [CLIENTREMOTEIP]250-SIZE 104857600250-AUTH LOGIN CRAM-MD5 NTLM250-8BITMIME250-DSN250 OK
2020.04.08 08:27:39.383 [CLIENTREMOTEIP][39266409] cmd: AUTH NTLM TlRMTVNTUAABAAAABQQAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
2020.04.08 08:27:39.383 [CLIENTREMOTEIP][39266409] Authentication failed - ntlm start
2020.04.08 08:27:39.383 [CLIENTREMOTEIP][39266409] rsp: 535 Authentication failed
2020.04.08 08:27:39.398 [CLIENTREMOTEIP][39266409] disconnected at 2020-04-08 08:27:39
1
Larry Duran Replied
Employee Post
Hey Webio, thanks for letting us know.  We think we found the issue and we'll get the fix into our next release.
Larry Duran
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com

Reply to Thread