SMTP servers requiring encryption of authentication not useable from VMS Mail

All types of networks, network stacks, and protocols supported by OpenVMS.

Topic author
madsweeney
VSI Expert
Active Contributor
Posts: 28
Joined: Mon Jun 10, 2019 9:23 am

SMTP servers requiring encryption of authentication not useable from VMS Mail

Post by madsweeney » Wed Apr 27, 2022 12:44 pm

--- Observation ---
It is getting more and more difficult these days to send email from OpenVMS. TCP/IP Services V5.7 sends mail by connecting to a distant server, determined from the MX record for the destination domain, on port 25. It appears that the service cannot send mail through an SMTP server that requires either encryption or authentication. If I am wrong about any of that, please correct me.

How does TCP/IP Services V6.0 address those issues?
---

TCP/IP V6.0 does not include features to support sending mail through SMTP servers requiring authentication and encryption. Please reply to this topic if your application or product requires extending OpenVMS to support sending mail through SMTP servers requiring authentication and encryption.
Dave "Mad" Sweeney
Chief Customer Advocate
VMS Software, Inc.
Burlington, MA 01803
USA


sms
Active Contributor
Posts: 49
Joined: Fri Aug 21, 2020 5:18 pm

Re: SMTP servers requiring encryption of authentication not useable from VMS Mail

Post by sms » Wed Apr 27, 2022 3:20 pm


> It is getting more and more difficult these days to send email from
> OpenVMS. [...]

   I suspect that that's what might have caused the following for me a
while ago:

From:   SMTP%"Postmaster@antinode.info"
To:     sms@antinode.info
CC:
Subj:   Returned mail
[...]
---- Transcript of session follows ----

%TCPIP-E-SMTP_UNREACHABL, cannot connect to remote host, t-online.de
-SYSTEM-F-UNREACHABLE, remote node is not currently reachable

---- Unsent message follows ----
[...]

   After multiple failures, figuring that "t-online.de" couldn't be that
dead, I tried it manually:

ITS $ telnet mx00.t-online.de 25
%TELNET-I-TRYING, Trying ... 194.25.134.8
%TELNET-I-SESSION, Session 01, host mx00.t-online.de, port 25
554 IP=76.76.60.100 - A problem occurred. (Ask your postmaster for help
or to contact tosa@rx.t-online.de to clarify.)

%TELNET-S-REMCLOSED, Remote connection closed
-TELNET-I-SESSION, Session 01, host mx00.t-online.de, port 25

   Asking my postmaster (self) was unproductive, and I was too lazy "to
contact tosa@rx.t-online.de to clarify", but my guess was that they
don't like port 25 much these days.

   Receiving e-mail has problems, too.  I assume that it was junk, so
not a great loss, but I was recently bombarded (10-second intervals?) by
connection attempts like, for example:

ITS $ type TCPIP$SMTP_RECV_RUN.LOG;13502
$ Set NoOn
$ VERIFY = F$VERIFY(F$TRNLNM("SYLOGIN_VERIFY"))
   SYS$REM_NODE: >173.225.99.7::<
send buf=220 its.antinode.info V5.7-ECO5A, OpenVMS V8.4-2L3 IA64 ready at Tue, 2
6 Apr 2022 07:25:24 -0500 (CDT) \0d\0a
recv buf=EHLO ylmf-pc\0d\0a
send buf=250 its.antinode.info Hello vps2384995.trouble-free.net, pleased to mee
t you\0d\0a
recv buf=AUTH LOGIN\0d\0a
send buf=500 Syntax error, command unrecognized\0d\0a

 Status in main 8428
%SYSTEM-F-LINKDISCON, network partner disconnected logical link
  TCPIP$SMTP   job terminated at 26-APR-2022 07:25:25.13

  Accounting information:
  Buffered I/O count:               1976      Peak working set size:     238528
  Direct I/O count:                  727      Peak virtual size:         411984
  Page faults:                     15005      Mounted volumes:                0
  Charged CPU time:        0 00:00:04.51      Elapsed time:       0 00:00:06.67


   I interpreted this as the remote (junk) server quitting when it got a
disappointing response.  And then, in this case, trying again
immediately afterward, flooding the system with processes trying to read
TCPIP$SMTP.CONF before getting that far.

   So, as a mere non-paying hobbyist/peon, I wouldn't mind an
enhancement which made TCPIP a little less obsolete.


   And, if anyone does dive into the SMTP stuff, my other complaint is
that reading my long (20k lines, mostly "Bad-Clients") TCPIP$SMTP.CONF
file takes too long (20s?).  If nothing else, a separate file for
"Bad-Clients" data might help.  Currently, with
"Accept-Unresolvable-Domains: FALSE", it would be easy to reject many
junk-mail connections quickly, without having to consider any of the
"Bad-Clients" data.  But, with everything in one file, it all gets read
every time, useful or not.


Topic author
madsweeney
VSI Expert
Active Contributor
Posts: 28
Joined: Mon Jun 10, 2019 9:23 am

Re: SMTP servers requiring encryption of authentication not useable from VMS Mail

Post by madsweeney » Thu Apr 28, 2022 12:38 pm

I will need someone with more intimate knowledge of SMTP to answer your detailed questions. You are using SMTP mail directly from VMS and believe the issues may be related to authentication or encryption requirements of the SMTP server. Thanks,
Dave "Mad" Sweeney
Chief Customer Advocate
VMS Software, Inc.
Burlington, MA 01803
USA


sms
Active Contributor
Posts: 49
Joined: Fri Aug 21, 2020 5:18 pm

Re: SMTP servers requiring encryption of authentication not useable from VMS Mail

Post by sms » Thu Apr 28, 2022 6:44 pm


> [...] You are using SMTP mail directly from VMS [...]

   Yup.  I'm guessing that the lack of encryption/authentication (which,
I gather, implies the use of port 587 rather than 25) is the cause of
that failure with "t-online.de".

   The other problems which I see are related to the long time needed to
process the large collection of "Bad-Clients" data in my TCPIP$SMTP.CONF
file.  Exposure to the Internet means exposure to barrages of e-mail
connection attempts, and, if every connection attempt demands much CPU
time, then any typical barrage can overwhelm the system.

   It would help if the SMTP receiver could quickly disqualify the
easy-to-disqualify senders ("Accept-Unresolvable-Domains: FALSE", for
example).  Segregating the "Bad-Clients" data some place else might be
one way to do that.

   Another possibility would be to pre-compile the "Bad-Clients" data
(at least) into some (indexed?) form which could be processed (much)
more quickly than serially reading and parsing the TCPIP$SMTP.CONF file
for every connection.  (Imagine Apache reading its httpd.conf for every
HTTP connection attempt.)  Or (like Apache) use a persistent server
which processes the configuration file once, and uses worker
subprocesses to handle individual connections.

   Some kind of throttle on connection attempts could help, too.  A
limit on the rate of connections from any particular IP address might
relieve the burden from a run-away junk-e-mail sender.

   Of course, if only a lone hobbyist actually uses VMS for his e-mail
server, then perhaps none of the potential improvements would be worth
the effort.  But I wouldn't expect any actual customers to make do with
the current limitations/problems.


debbee.west
VSI Expert
Member
Posts: 5
Joined: Mon Oct 07, 2019 11:10 am

Re: SMTP servers requiring encryption of authentication not useable from VMS Mail

Post by debbee.west » Wed May 11, 2022 3:34 pm

VSI knows that our implementation of SMTP lacks some desirable features such as authentication, an SSL layer and the ability to switch the port. SMTP is on the list of things that we would like to see enhanced.

Now, as to the issue posted above, I don't think we have enough information to say why the connection to port 25 was closed. Clearly they are still operating on port 25 as that port answered. If I had to make a guess, I would surmise that they could not back-translate your IP address and closed your connection out of hand. But, this is just a guess.

As for the other error in the receive log:

ITS $ type TCPIP$SMTP_RECV_RUN.LOG;13502
$ Set NoOn
$ VERIFY = F$VERIFY(F$TRNLNM("SYLOGIN_VERIFY"))
SYS$REM_NODE: >173.225.99.7::<
send buf=220 its.antinode.info V5.7-ECO5A, OpenVMS V8.4-2L3 IA64 ready at Tue, 2
6 Apr 2022 07:25:24 -0500 (CDT) \0d\0a
recv buf=EHLO ylmf-pc\0d\0a
send buf=250 its.antinode.info Hello vps2384995.trouble-free.net, pleased to mee
t you\0d\0a
recv buf=AUTH LOGIN\0d\0a
send buf=500 Syntax error, command unrecognized\0d\0a

Status in main 8428
%SYSTEM-F-LINKDISCON, network partner disconnected logical link
TCPIP$SMTP job terminated at 26-APR-2022 07:25:25.13

Clearly the connecting client can only send mail when they can authenticate. And, as stated previously, VMS does not have that feature at that time with the native SMTP package.


sms
Active Contributor
Posts: 49
Joined: Fri Aug 21, 2020 5:18 pm

Re: SMTP servers requiring encryption of authentication not useable from VMS Mail

Post by sms » Wed May 11, 2022 5:49 pm


> [...] Clearly they are still operating on port 25 as that port
> answered. [...]

   They seem to be "operating on port 25" enough to return a useless
error message.  It's less clear that they actually handle e-mail there.

> [...] If I had to make a guess, I would surmise that they could not
> back translate your ip address and closed your connection out of hand.
> But, this is just a guess.

   It wouldn't constitute absolute proof that your guess is wrong, but,
if you tried it yourself, you might see how plausible that guess was.

> 554 IP=76.76.60.100 - A problem occurred. [...]

   My own DNS server might be biased, but a popular external one seems
happy enough, too:

ITS $ nslookup 76.76.60.100 8.8.8.8
Server:  dns.google
Address:  8.8.8.8

Name:    antinode.info
Address:  76.76.60.100


> Clearly [...] VMS does not have that feature at that time with the
> native SMTP package.

   If you're keeping a list of potentially desirable SMTP features, I
can offer a couple more...

   1) If the logical name TCPIP$SMTP_RECV_TRACE enables them, the
resulting SYS$SPECIFIC:[TCPIP$SMTP]TCPIP$SMTP_RECV_RUN.LOG files can hit
version ";32767" which effectively disables them.  These should be
purged/renumbered automatically at some user-specified interval.

   This is a general problem with version-exhausting log files of
various kinds, so providing a more general tool of some kind might be
wiser than creating an SMTP-specific one.


   2) By default, the TCPIP$SMTP_RECV_RUN.LOG files contain no reliable
indication of the IP address of the remote system, only message traffic
which might include a DNS name which might be forged.  When tracking
abuse, a real IP address can be much more valuable than a forged/fake
DNS name.

   I've added some (probably non-exemplary) stuff to my own
TCPIP$SYSTEM:TCPIP$SMTP_RECV_RUN.COM to help with these deficiencies. 
For example (as seen above):

[...]
$!
$! 28-MAR-2003.  SMS.  If logging a transcript, show the remote node.
$!
$     if (f$trnlnm( "TCPIP$SMTP_RECV_TRACE") .NES. "")
$     then
$         write sys$output -
           "   SYS$REM_NODE: >''f$trnlnm( "SYS$REM_NODE")'<"
$     endif
$ !
$ ! start smtp receiver process
$ !
$ run:
[...]

   Better formatting might have been nice, but I might have been
reluctant to do too much of someone else's job.  (Or just-plain lazy.)
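As an added example (not code from the thread or from VSI), the receiver transcript format shown above is parsed the way a defender tracking abuse would want: the remote address is taken from the SYS$REM_NODE line that the RECV_RUN.COM edit writes, the client's commands are recovered across the 80-column wrapped send/recv records, and the per-address connection-rate throttle proposed earlier in the thread is applied to a batch of logs. The sample transcripts, the timestamps and the 192.0.2.44 address are constructed.

```python
"""Triage of OpenVMS TCPIP$SMTP_RECV_RUN.LOG transcripts (added example, not VSI code)."""
import re
from datetime import datetime, timedelta
# Constructed sample in the layout quoted in the thread; SYS$REM_NODE is the line the
# poster's RECV_RUN.COM edit writes, and long records are wrapped at 80 columns.
LOG_TEMPLATE = r"""$ Set NoOn
   SYS$REM_NODE: >{ip}::<
send buf=220 its.antinode.info V5.7-ECO5A, OpenVMS V8.4-2L3 IA64 ready at Tue, 2
6 Apr 2022 07:25:24 -0500 (CDT) \0d\0a
recv buf=EHLO ylmf-pc\0d\0a
recv buf=AUTH LOGIN\0d\0a
send buf=500 Syntax error, command unrecognized\0d\0a
  TCPIP$SMTP   job terminated at {stamp}
"""
# Four sessions from one address within 30 s, plus one from a documentation address.
SAMPLES = [LOG_TEMPLATE.format(ip="173.225.99.7", stamp=f"26-APR-2022 07:25:{s:02d}.13")
           for s in (5, 15, 25, 35)]
SAMPLES.append(LOG_TEMPLATE.format(ip="192.0.2.44", stamp="26-APR-2022 08:00:00.00"))
NODE_RE = re.compile(r"SYS\$REM_NODE: >([\d.]+)::<")
END_RE = re.compile(r"job terminated at (\d\d-[A-Z]{3}-\d{4} [\d:]{8}\.\d\d)")

def parse_transcript(text):
    """Return (remote_ip, client_commands, end_time) for one RECV_RUN.LOG."""
    ip = NODE_RE.search(text).group(1)
    end = datetime.strptime(END_RE.search(text).group(1).title(), "%d-%b-%Y %H:%M:%S.%f")
    commands, pending = [], None
    for line in text.splitlines():
        if line.startswith(("send buf=", "recv buf=")):
            pending = line
        elif pending is not None:
            pending += line          # continuation of an 80-column wrapped record
        if pending is not None and pending.endswith(r"\0d\0a"):
            if pending.startswith("recv buf="):
                commands.append(pending[9:-6])   # strip "recv buf=" and "\0d\0a"
            pending = None
    return ip, commands, end

def triage(transcripts, window=timedelta(seconds=60), limit=3):
    """IPs that sent AUTH (unsupported by this receiver) and IPs with more than `limit` sessions per `window`."""
    ends, auth_probes = {}, set()
    for ip, cmds, end in map(parse_transcript, transcripts):
        ends.setdefault(ip, []).append(end)
        if any(c.upper().startswith("AUTH") for c in cmds):
            auth_probes.add(ip)
    flooders = set()
    for ip, times in ends.items():
        times.sort()                 # limit+1 sessions closing inside one window
        if any(times[i + limit] - times[i] <= window for i in range(len(times) - limit)):
            flooders.add(ip)
    return sorted(auth_probes), sorted(flooders)
```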


volkerhalle
Valued Contributor
Posts: 58
Joined: Fri Aug 14, 2020 11:31 am

Re: SMTP servers requiring encryption of authentication not useable from VMS Mail

Post by volkerhalle » Thu May 12, 2022 3:27 am

Debbee, Steven,

T-Online has been blocking unauthenticated outgoing mail access to port 25 since 01-APR-2014. Sending mail via securesmtp.t-online.de requires TLS and authentication (via port 25 or port 587).

Volker.
