TLS packet with unexpected length: Exim4 + Office 365

Hello,

I need to get a Debian server to communicate with Exchange Online (part of Office 365), authenticating with an Exchange user account. User accounts are managed only by Office 365 (no AD).

Note: with Exchange it is also possible to use the relay-server function, but that is not authentication with a user account.

Apart from the configurations below, the other configuration files are the ones generated by the default configuration.

Versions used:
Debian: 7.4
Exim4 + Exim4-base + Exim4-config + Exim4-daemon-light: 4.80-7

cat /etc/exim4/update-exim4.conf.conf

dc_eximconfig_configtype='smarthost'
dc_other_hostnames=''
dc_local_interfaces='127.0.0.1 ; ::1'
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost='smtp.office365.com::587'
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname='false'
dc_mailname_in_oh='true'
dc_localdelivery='mail_spool'

cat /etc/exim4/passwd.client

smtp.office365.com:server-debian@mydomain.com:password

cat /etc/email-addresses

user: me@mydomain.com
root: me@mydomain.com

cat /etc/aliases

root: me@mydomain.com
user: me@mydomain.com

SMTP settings for Exchange Online
Server name: smtp.office365.com
Port: 587
Encryption method: TLS

Test sending a message, with the log:

/usr/sbin/exim4 -v me@mydomain.com

from: server-debian@mydomain.com
to: me@mydomain.com
subject: test
message
.

LOG: MAIN
<= server-debian@mydomain.com U=root P=local S=357
delivering 1WimKT-00086V-SP
R: smarthost for me@mydomain.com
T: remote_smtp_smarthost for me@mydomain.com
Transport port=25 replaced by host-specific port=587
Connecting to outlook-emeasouth.office365.com [2a01:111:f400:9414::12]:587 … connected
SMTP<< 220 DBXPR07CA011.outlook.office365.com Microsoft ESMTP MAIL Service ready at Fri, 9 May 2014 15:04:37 +0000
SMTP>> EHLO servername
SMTP<< 250-DBXPR07CA011.outlook.office365.com Hello [IP server debian]
250-SIZE 78643200
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-8BITMIME
250-BINARYMIME
250 CHUNKING
SMTP>> STARTTLS
SMTP<< 220 2.0.0 SMTP server ready
SMTP>> EHLO servername
SMTP<< 250-DBXPR07CA011.outlook.office365.com Hello [IP server debian]
250-SIZE 78643200
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-AUTH LOGIN
250-8BITMIME
250-BINARYMIME
250 CHUNKING
SMTP>> MAIL FROM:server-debian@mydomain.com SIZE=1391
SMTP>> RCPT TO:me@mydomain.com
SMTP>> DATA
SMTP<< 530 5.7.1 Client was not authenticated
LOG: MAIN
TLS error on connection to outlook-emeasouth.office365.com [2a01:111:f400:9414::12] (recv): A TLS packet with
unexpected length was received.
SMTP>> QUIT
LOG: MAIN
TLS error on connection to outlook-emeasouth.office365.com [2a01:111:f400:9414::12] (send): The specified session has been invalidated for some reason.
LOG: MAIN
** me@mydomain.com R=smarthost T=remote_smtp_smarthost: SMTP error from remote mail server after MAIL FROM:server-debian@mydomain.com SIZE=1391: host outlook-emeasouth.office365.com [2a01:111:f400:9414::12]: 530 5.7.1 Client was not authenticated
LOG: MAIN
<= <> R=1WimKT-00086V-SP U=Debian-exim P=local S=1356
delivering 1WimKy-00086n-3y
R: smarthost for server-debian@mydomain.com
T: remote_smtp_smarthost for me@mydomain.com
Transport port=25 replaced by host-specific port=587
Connecting to outlook-emeasouth.office365.com [2a01:111:f400:9800::2]:587 … connected
LOG: MAIN
Completed
SMTP<< 220 DBXPR03CA003.outlook.office365.com Microsoft ESMTP MAIL Service ready at Fri, 9 May 2014 15:04:42 +0000
SMTP>> EHLO servername
SMTP<< 250-DBXPR03CA003.outlook.office365.com Hello [IP server debian]
250-SIZE 78643200
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-8BITMIME
250-BINARYMIME
250 CHUNKING
SMTP>> STARTTLS
SMTP<< 220 2.0.0 SMTP server ready
SMTP>> EHLO servername
SMTP<< 250-DBXPR03CA003.outlook.office365.com Hello [IP server debian]
250-SIZE 78643200
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-AUTH LOGIN
250-8BITMIME
250-BINARYMIME
250 CHUNKING
SMTP>> MAIL FROM:<> SIZE=2414
SMTP>> RCPT TO:server-debian@mydomain.com
SMTP>> DATA
SMTP<< 530 5.7.1 Client was not authenticated
LOG: MAIN
TLS error on connection to outlook-emeasouth.office365.com [2a01:111:f400:9800::2] (recv): A TLS packet with unexpected length was received.
SMTP>> QUIT
LOG: MAIN
TLS error on connection to outlook-emeasouth.office365.com [2a01:111:f400:9800::2] (send): The specified session has been invalidated for some reason.
LOG: MAIN
** server-debian@mydomain.com R=smarthost T=remote_smtp_smarthost: SMTP error from remote mail server after MAIL FROM:<> SIZE=2414: host outlook-emeasouth.office365.com [2a01:111:f400:9800::2]: 530 5.7.1 Client was not authenticated
LOG: MAIN
Frozen (delivery error message)

What do you think?

The important message in the SMTP dialogue with the server seems to me to be this one:

In the preceding lines you can see that exim did not send any authentication. The explanation is probably given in the following excerpt from the section on /etc/exim4/passwd.client in the exim4_files man page:

[code]Please note that target.mail.server.example is currently the value that
exim can read from reverse DNS: It first follows the host name of the
target system until it finds an IP address, and then looks up the
reverse DNS for that IP address to use the outcome of this query (or
the IP address itself should the query fail) as index into
/etc/exim4/passwd.client.

This goes inevitably wrong if the host name of the mail server is a
CNAME (a DNS alias), or the reverse lookup does not fit the forward
one.

Currently, you need to manually lookup all reverse DNS names for all IP
addresses that your SMTP server host name points to, for example by
using the host command. If the SMTP smarthost alias expands to multiple
IPs, you need to have multiple lines for all the hosts. When your
ISP changes the alias, you will need to manually fix that.

You may minimize this trouble by using a wild card entry or regular
expressions, thus reducing the risk of divulging the password to the
wrong SMTP server while reducing the number of necessary lines. For a
deeper discussion, see the Debian BTS #244724.[/code]

The host name given in this file must match the reverse DNS of the server's IPv4 or IPv6 address. To start with, here is what the forward DNS resolution of smtp.office365.com gives (note that the result may be different for you, and may even vary over time):

$ host smtp.office365.com
smtp.office365.com is an alias for smtp.outlook.office365.com.
smtp.outlook.office365.com is an alias for outlook.office365.com.
outlook.office365.com is an alias for outlook.office365.com.glbdns.microsoft.com.
outlook.office365.com.glbdns.microsoft.com is an alias for outlook-emeasouth.office365.com.
outlook-emeasouth.office365.com has address 132.245.228.12
outlook-emeasouth.office365.com has address 132.245.228.201
outlook-emeasouth.office365.com has address 157.56.250.38
outlook-emeasouth.office365.com has address 157.56.251.54
outlook-emeasouth.office365.com has address 157.56.251.210
outlook-emeasouth.office365.com has address 157.56.251.220
outlook-emeasouth.office365.com has address 157.56.253.22
outlook-emeasouth.office365.com has address 157.56.255.50
outlook-emeasouth.office365.com has address 132.245.211.242
outlook-emeasouth.office365.com has address 132.245.211.252
outlook-emeasouth.office365.com has IPv6 address 2a01:111:f400:8814::9
outlook-emeasouth.office365.com has IPv6 address 2a01:111:f400:9414::2
outlook-emeasouth.office365.com has IPv6 address 2a01:111:f400:9414::12
outlook-emeasouth.office365.com has IPv6 address 2a01:111:f400:9800::2
outlook-emeasouth.office365.com has IPv6 address 2a01:111:f400:1000::6
outlook-emeasouth.office365.com has IPv6 address 2a01:111:f400:8000::2
outlook-emeasouth.office365.com has IPv6 address 2a01:111:f400:8000::12
outlook-emeasouth.office365.com has IPv6 address 2a01:111:f400:8800::12

Besides the fact that this name points to several IPv4 and IPv6 addresses, most of those addresses have no reverse DNS, and where one exists it does not match smtp.office365.com. So exim does not use the authentication settings.

Solutions proposed in the quoted excerpt:

  • use a wildcard * in place of the host name, which is harmless since everything goes through the same smarthost;
  • or create one line per IPv4 address, or per reverse DNS name where one exists, with the risk that the addresses change over time.
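The lookup that the quoted man page describes, worked through as an added example (this is not code from the thread or from the exim4 package): exim follows the smarthost name to an IP address, reverse-resolves that IP, and uses the PTR name (or the bare IP when there is no PTR) as the key into passwd.client. The forward/reverse data below is constructed from the `host` output above, the key-matching rules are an assumption approximating exim's nwildlsearch (`^` for a regex, a leading `*` as a suffix wildcard, `*` alone matching everything, anything else a literal), and the credentials are placeholders.

```python
import re
from collections import namedtuple

# Constructed: the one line from the original post's /etc/exim4/passwd.client.
ORIGINAL_PASSWD_CLIENT = "smtp.office365.com:server-debian@mydomain.com:password\n"

# Constructed: the same file with wildcard keys instead of the smarthost name.
# Only the host field (before the first colon) changes; login and password stay.
# Narrow pattern first, catch-all last, because the first matching line wins.
FIXED_PASSWD_CLIENT = """\
*.office365.com:server-debian@mydomain.com:password
*:server-debian@mydomain.com:password
"""

# Constructed DNS data modelled on the `host` output quoted in the thread:
# one IPv6 address without a PTR record (the one the failing delivery used)
# and one IPv4 address whose PTR is the outlook-* name, not smtp.office365.com.
# Assumption for the example only; real results differ and change over time.
REVERSE_DNS = {
    "2a01:111:f400:9414::12": None,                        # no PTR record
    "132.245.228.12": "outlook-emeasouth.office365.com",   # PTR != smarthost name
}

Match = namedtuple("Match", "index key login password")


def lookup_index(ip):
    """Key exim uses for passwd.client per exim4_files(5): the reverse DNS
    name of the peer IP, or the bare IP address when the reverse lookup fails."""
    return REVERSE_DNS.get(ip) or ip


def key_matches(key, host):
    """Assumed approximation of exim's nwildlsearch key matching."""
    key, host = key.lower(), host.lower()
    if key.startswith("^"):                 # regular expression
        return re.search(key, host) is not None
    if key == "*":                          # catch-all wildcard
        return True
    if key.startswith("*"):                 # '*.suffix' matches names ending in '.suffix'
        return host.endswith(key[1:])
    return key == host                      # literal, case-insensitive


def parse_passwd_client(text):
    """Debian's target:login:password format; comments and blank lines ignored.
    Only the first two colons split fields, so a ':' inside the password survives."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, login, password = line.split(":", 2)
        entries.append((key, login, password))
    return entries


def credentials_for(ip, entries):
    """First passwd.client entry (in file order) whose key matches the lookup index.
    A Match with key None means exim has no credentials and will not send AUTH,
    which is exactly the '530 5.7.1 Client was not authenticated' seen in the log."""
    index = lookup_index(ip)
    for key, login, password in entries:
        if key_matches(key, index):
            return Match(index, key, login, password)
    return Match(index, None, None, None)


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_PASSWD_CLIENT), ("fixed", FIXED_PASSWD_CLIENT)):
        entries = parse_passwd_client(text)
        for ip in REVERSE_DNS:
            m = credentials_for(ip, entries)
            verdict = f"AUTH as {m.login} (matched key {m.key!r})" if m.key else "no AUTH sent"
            print(f"{label:8} {ip:24} index={m.index:34} -> {verdict}")
```

Two practical points follow from the model. The wildcard goes in the host field, the first colon-separated field, and nothing else in the line changes. And `*` hands the password to whatever host exim happens to connect to as the smarthost; a narrower key such as `*.office365.com` still covers all the outlook-* names while limiting that exposure, but it fails again for addresses without a PTR record, which is why the man page talks about a trade-off rather than a single right answer.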

The reverse DNS information had escaped me.
Indeed, putting a wildcard * in place of the host name works very well, and it is the simplest solution in my case.

Thanks a lot

Hello,

I have the same authentication problem.

I would like a clarification about the wildcard to put in place of the host name.

I suppose you have to go into the passwd.client file and replace truc@truc.fr:password with *, if I understand correctly.

I tried it that way, but it doesn't work, I still get an authentication error.

Thanks for the reply and the additional information.