i trying to get work Rails with Exchange server 2007. I trying to use difference auth methods with it: none, plain, ntlm, login. But none of them does not work and i see exceptions like this for every auth method:
504 5.7.4 Unrecognized authentication type
After long googling i try to use telnet to watch what auth methods supported:
ehlo
...
250-AUTH
250-STARTTLS
...
250-AUTH without any params, but in any manuals in internet this line usually looks like 250-AUTH NTLM LOGIN.
What auth method i should use with this server or i must to reconfigure the exchange?
Some mails servers (both incoming and outgoing) require encryption before they allow authentication.
Judging by the presence of STARTTLS, you are currently connected to port 25 or 587 without encryption.
Try to switch this connection into TLS mode by using the STARTTLS command and promoting your current plain socket to an SSL one. Then repeat EHLO and there should be some auth capabilities listed (e.g. "250-AUTH LOGIN PLAIN").
Related
I have a FreeRadius server set up that authenticates users through the PAM (SSSD for AD authentication + MFA via Google Authenticator).
It works well but when I configured it on my firewall I received a message like that :
When authenticating user xxx from 'ip from domain controller', a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS.
I don't understand what this message exactly means. How can I secure the info between my FW/SSH console and the radius server and between the radius server and the domain controller ?
Can I still use PAM with PEAP/EAP-TTLS ? Is it just a mean to secure the network transaction or is it an authentication model ?
Thank you for your help.
The pam_radius plugin always uses pap, and the radius client with pam does not exist with PEAP/EAP-TTLS/EAP-TLS. PAP is less secure because it displays password in plain text. For security reasons you can either have a VPN which may need external hardware or have a TLS proxy like stunnel or nginx at the PAM -radius client and protect the radius packets with TLS. I will go for 2nd option as it is free and freeradius server can be configured to use radsec connection, but ofcourse you will now manage the certificates
I am using Google Business Apps for emails, and trying to send emails through PHPMailer. Now there is an issue with the SSL certificate so I have to turn off the SSL verification, but this errors is thrown up:
Auth method requested: XOAUTH2
Auth methods available on the server: PLAIN,LOGIN
SMTP Error: Could not authenticate.
Now my host isn't particularly helpful as its saying I need to use the correct email/pass, but that's not the way it works as we have to create an App via Google Developer and the connection is verified.
I am wondering if XOAUTH2 needs to be installed to the server? I have access to cPanel, but can't find the module.
Read the troubleshooting guide that the error links you to.
I'd bet that your ISP is intercepting your traffic and redirecting you to their own mail server, which will fail to match gmail's SSL certificate, and also lacks gmail's XOAUTH2 authentication scheme.
You should pay attention to why you're getting these errors - certificate verification is there to protect you and when it fails a check it's telling you that someone is intercepting your traffic and trying to MITM you - and by disabling it you've already given away your gmail credentials.
I'm sending emails using PHPMailer 5.2.10 with the next code:
function SendGmail($to,$subj,$body)
{
$mail = new PHPMailer(); // create a new object
$mail->IsSMTP(); // enable SMTP
$mail->SMTPDebug = 1; // debugging: 1 = errors and messages, 2 = messages only
$mail->SMTPAuth = true; // authentication enabled
$mail->SMTPSecure = 'ssl'; // "ssl" secure transfer enabled REQUIRED for GMail
$mail->Host = "smtp.gmail.com";
$mail->Port = 465; // 465 or 587
$mail->IsHTML(true);
$mail->Username = "admin#mydomain.ru";
$mail->Password = "********";
$mail->SetFrom("admin#mydomain.ru");
$mail->Subject = $subj;
$mail->Body = $body;
$mail->AddAddress($to);
return $mail->Send();
}
Note: we use Google Apps, so the mail domain is not google.com, but some other, let's say, mydomain.ru.
Everything was fine until Google had recently implemented another "security enhancement" (AFAIK forcing OAuth2 authorisation). Now PHPMailer->Send() returns the following text:
2015-05-12 06:49:15 CLIENT -> SERVER: EHLO 127.0.0.1
2015-05-12 06:49:15 CLIENT -> SERVER: AUTH LOGIN
2015-05-12 06:49:15 CLIENT -> SERVER: [some base64 string]
2015-05-12 06:49:15 CLIENT -> SERVER: [some base64 string]
2015-05-12 06:49:16 SMTP ERROR: Password command failed: 535-5.7.8 Username and Password not accepted. Learn more at 535 5.7.8 http://support.google.com/mail/bin/answer.py?answer=14257 u10sm3566045lbb.30 - gsmtp
2015-05-12 06:49:16 SMTP Error: Could not authenticate.
2015-05-12 06:49:16 CLIENT -> SERVER: QUIT
2015-05-12 06:49:16 SMTP connect() failed. https://github.com/PHPMailer/PHPMailer/wiki/Troubleshooting bool(false) Done!
Ok, I go to http://support.google.com/mail/bin/answer.py?answer=14257 and doing the following:
Logging to this account via web interface - everything's Ok,
Opening this link in browser: http://www.google.com/accounts/DisplayUnlockCaptcha - google says everything is Ok,
Opening this link: https://support.google.com/accounts/answer/6010255 and then this link: https://www.google.com/settings/security/lesssecureapps where I see the following:
"Access for less secure apps: * Turn off / * Turn on" - for normal gmail account,
("This setting is inaccessible for google apps accounts") - for google apps account (not the exact text but my translation from russian as google shows it).
Yes, I have tried both SSL and TLS, 485 or 587 ports and everything else I've found on stackoverflow.com and here: https://github.com/PHPMailer/PHPMailer/wiki/Troubleshooting . Nothing helped.
PHPMailer troubleshooting page suggests to use "an OAuth2 client class": http://www.phpclasses.org/package/7700-PHP-Authorize-and-access-APIs-using-OAuth.html - but I have no idea of how to integrate it into PHPMailer and why it's not integrated yet by PHPMailer developers (this class is under BSD license), while it's necessary now for one of the most popular mail servers. I found no documentation for this OAuth2 about integrating it into PHPMailer, and I'm sure I can't do it myself - my PHP knowledge is poor.
The question is:
How can I avoid this goddamn OAuth2 and send emails as I did it before this "security enhancement" (for google apps account)? --OR:
How to easily integrate OAuth2 class mentioned above into PHPMailer? --OR:
Are there any other easy-to-use PHP solutions to send emails using gmail?
Lots of thanks in advance.
Thank you for reading the docs, it's much appreciated! The problem is that google has imposed this complicated authentication mechanism without much regard for its users, as you have experienced. It doesn't improve security because ultimately you still have to submit a username and password over SSL to get your token. OAuth is an authorisation (what you can do) protocol, but google are using it indirectly as an authentication (who you are) protocol.
The reason that nobody has implemented it is that while it's very clever, OAuth is generally unpleasant and confusing to work with, which is why we'd be very happy if someone got around to implementing it!
This article is very helpful and might form the basis of a PHPMailer implementation. Though that adds a dependency on ZF2, the principles will be the same for any other OAuth implementation such as the one from PHPClasses I linked to or this one.
Sorry I can't be much more help on this.
Update: PHPMailer now supports OAuth for gmail. This article describes how to use it, and yes it is still quite unpleasant!
How can I avoid this goddamn OAuth2 and send emails as I did it
before this "security enhancement" (for google apps account)?
You can't. Unlike regular Google, Google Apps does not allow "less secure apps". And once your account has been flagged for extra security, you must switch to OAuth2.
How to easily integrate OAuth2 class mentioned above into PHPMailer?
You can't. Like the Thunderbird team, there is some pretty strong bias against OAuth2 in the PHP Mailer team. IMO, OAuth2 is a big improvement for email.
Are there any other easy-to-use PHP solutions to send emails
using gmail?
Yes. My solution for my own SMTP project, Postman, was to switch from PHP Mailer to Zend_Mail for OAuth2. Zend_Mail has had native OAuth2 support for quite a while.
Oops, that was my mistake, I've been editing the code in wrong place, not in the one it was executed from.
Strange, but in spite of OAuth2 and other google surprises, i had not to change anything to make old code work (just update password).
I am attempting to setup a freeradius server to authenticate against a web service. The reason for this is that there is a complicated workflow involving account status and mac address. The workflow seemed out of place to be in freeradius. So my user names, and encrypted passwords are stored remotely to the radius server. Everything works fine using radclient to test. When I started using the the Access Point, I learned it only communicates with the radius server via eap-tls. This means that the User-Password argument is not available for my script.
Is there a way to have eap auth check for user authentication against my script? By this i mean, can i get the password to send to my secondary service?
Alternately, is there a way to get the User-Password from the encrypted eap-message data?
Access points don't usually place restrictions on the EAP type. The device connecting to the AP negotiates an EAP type with FreeRADIUS. If it's using EAP-TLS it's probably a windows machine that hasn't been configured to do anything different.
Investigate EAP flavours to find out which ones are available. If you have EAP-TTLS-PAP you can send the plaintext password from the wireless client, and user it to authenticate against the web service.
In FreeRADIUS v3.0.x there's a rlm_rest module, which can perform basic auth on behalf of the user, with very little configuration.
How could i add sasl authentication on my Lua 5.1 IRC Bot?
Right now it sends a message to Nickserv to identify.
Is there any way at all to add SASL authentication?
I use the lua socket module to connect to IRC.
The complete source can be found at https://github.com/wolfy1339/Wolfybot
To fully support SASL you must first support CAP IRC extensions, and then SASL AUTH PLAIN.
You can find documentation on these via the IRCv3 specifications: http://ircv3.net/specs/extensions/sasl-3.1.html
CAP LS is used to determine if SASL is supported by the network, then once you have enabled it via CAP REQ, you can send AUTH PLAIN with your base64 encoded username and password.
IMPORTANT SECURITY NOTE: Make sure you also use SSL, as AUTH PLAIN offers NO security and BLOWFISH etc are not gauranteed to be portable to different services packages!