I have my own Postfix server that we use every day with Thunderbird clients.

When I try to send mail through our Postfix server via System.Net.Mail.SmtpClient, I'm getting error 5.7.1 Relay Access Denied. To work around this, I've added our office's static IP address to $mynetworks. I would rather authenticate properly though.

I noticed Thunderbird clients create a log entry like this:

Aug 15 17:07:42 mail postfix/smtpd[28367]: connect from unknown[a.b.c.d]
Aug 15 17:07:42 mail postfix/smtpd[28367]: setting up TLS connection from unknown[a.b.c.d]
Aug 15 17:07:42 mail postfix/smtpd[28367]: Anonymous TLS connection established from unknown[a.b.c.d]: TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)
Aug 15 17:07:42 mail postfix/smtpd[28367]: 495BB420D1: client=unknown[a.b.c.d], sasl_method=PLAIN, sasl_username=myusername
Aug 15 17:07:42 mail postfix/cleanup[28150]: 495BB420D1: message-id=<520D0ADC.8010901@xxx.com>
Aug 15 17:07:42 mail postfix/qmgr[28127]: 495BB420D1: from=<administrator@xxx.com>, size=722, nrcpt=1 (queue active)
Aug 15 17:07:42 mail clamsmtpd: 1023D8: accepted connection from: 127.0.0.1
Aug 15 17:07:42 mail postfix/smtpd[28173]: connect from localhost[127.0.0.1]
Aug 15 17:07:42 mail postfix/smtpd[28173]: 72217420D6: client=unknown[a.b.c.d]
Aug 15 17:07:42 mail postfix/cleanup[28157]: 72217420D6: message-id=<520D0ADC.8010901@xxx.com>
Aug 15 17:07:42 mail postfix/qmgr[28127]: 72217420D6: from=<administrator@xxx.com>, size=1277, nrcpt=1 (queue active)
Aug 15 17:07:42 mail postfix/smtp[28144]: 495BB420D1: to=<dave@xxx.com>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.27, delays=0.16/0/0.04/0.07, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 72217420D6)
Aug 15 17:07:42 mail postfix/qmgr[28127]: 495BB420D1: removed


Notice the sasl_username part in the fourth line. This is showing that I logged in.

When I send from System.Net.Mail.SmtpClient my log shows this:

Aug 15 17:13:55 mail postfix/smtpd[28870]: connect from unknown[a.b.c.d]
Aug 15 17:13:55 mail postfix/smtpd[28870]: setting up TLS connection from unknown[a.b.c.d]
Aug 15 17:13:55 mail postfix/smtpd[28870]: Anonymous TLS connection established from unknown[a.b.c.d]: TLSv1 with cipher AES128-SHA (128/128 bits)
Aug 15 17:13:56 mail postfix/smtpd[28870]: NOQUEUE: reject: RCPT from unknown[a.b.c.d]: 554 5.7.1 <dave@xxx.com>: Relay access denied; from=<administrator@xxx.com> to=<dave@xxx.com> proto=ESMTP helo=<AMSTERDAM>
Aug 15 17:13:56 mail postfix/smtpd[28870]: lost connection after RCPT from unknown[a.b.c.d]
Aug 15 17:13:56 mail postfix/smtpd[28870]: disconnect from unknown[a.b.c.d]


Here I can't find any evidence that SmtpClient tried to log in even though I set
.Credentials = new NetworkCredential(username, password);


My code looks like this:

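using System.Net;
using System.Net.Mail;

// server, port, username, password, to, from, subject and body are supplied by the caller.
SmtpClient smtp = new SmtpClient(server, port);
smtp.UseDefaultCredentials = false;                            // do not send the Windows logon identity
smtp.Credentials = new NetworkCredential(username, password);  // credentials intended for SMTP AUTH
smtp.EnableSsl = true;                                         // upgrade the connection with STARTTLS
MailMessage mail = new MailMessage();
mail.To.Add(to);
mail.From = new MailAddress(from);
mail.Subject = subject;
mail.Body = body;
smtp.Send(mail);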


Is there something special I have to do with SmtpClient, or maybe some setting I can change in /etc/postfix/main.cf?
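
The side-by-side reading of the two log excerpts above can be automated. This is an added example, not part of the original post: it groups postfix/smtpd lines by connection and labels each one as authenticated, accepted without AUTH, or refused for relaying. The sample lines are copied from the question's logs; the function and label names are assumptions.

```python
import re

# Constructed sample: smtpd lines copied from the log excerpts in the question.
SAMPLE_LOG = """\
Aug 15 17:07:42 mail postfix/smtpd[28367]: connect from unknown[a.b.c.d]
Aug 15 17:07:42 mail postfix/smtpd[28367]: Anonymous TLS connection established from unknown[a.b.c.d]: TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)
Aug 15 17:07:42 mail postfix/smtpd[28367]: 495BB420D1: client=unknown[a.b.c.d], sasl_method=PLAIN, sasl_username=myusername
Aug 15 17:07:42 mail postfix/smtpd[28173]: connect from localhost[127.0.0.1]
Aug 15 17:07:42 mail postfix/smtpd[28173]: 72217420D6: client=unknown[a.b.c.d]
Aug 15 17:13:55 mail postfix/smtpd[28870]: connect from unknown[a.b.c.d]
Aug 15 17:13:55 mail postfix/smtpd[28870]: Anonymous TLS connection established from unknown[a.b.c.d]: TLSv1 with cipher AES128-SHA (128/128 bits)
Aug 15 17:13:56 mail postfix/smtpd[28870]: NOQUEUE: reject: RCPT from unknown[a.b.c.d]: 554 5.7.1 <dave@xxx.com>: Relay access denied; from=<administrator@xxx.com> to=<dave@xxx.com> proto=ESMTP helo=<AMSTERDAM>
"""

SMTPD = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")
QUEUED = re.compile(r"^([0-9A-F]+): client=")      # a message was accepted
SASL = re.compile(r"sasl_username=(\S+)")          # present only after AUTH

def summarize(log_text):
    """Group smtpd lines into connections (one PID serves one client at a time)."""
    sessions, by_pid = [], {}
    for line in log_text.splitlines():
        m = SMTPD.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        if msg.startswith("connect from ") or pid not in by_pid:
            by_pid[pid] = {"pid": pid, "tls": False, "sasl_user": None,
                           "queued": [], "relay_denied": 0}
            sessions.append(by_pid[pid])
        s, queued, user = by_pid[pid], QUEUED.match(msg), SASL.search(msg)
        s["tls"] |= "TLS connection established from" in msg
        s["relay_denied"] += "Relay access denied" in msg
        if queued:
            s["queued"].append(queued.group(1))
            s["sasl_user"] = user.group(1) if user else s["sasl_user"]
    return sessions

def classify(s):
    """Label how a connection was (or was not) allowed to relay."""
    if s["sasl_user"]:
        return "authenticated"
    if s["relay_denied"]:
        return "relay-denied-no-auth"
    # Mail queued with no SASL login: the client was trusted by address.
    return "accepted-without-auth" if s["queued"] else "no-mail"

if __name__ == "__main__":
    for s in summarize(SAMPLE_LOG):
        print(s["pid"], classify(s), "tls" if s["tls"] else "plaintext")
```

The middle connection (PID 28173) is the loopback re-injection after clamsmtpd; it is accepted with no sasl_username, which is the same address-based trust the $mynetworks workaround grants to the office IP.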
Comments
jkirkerx 15-Aug-13 16:35pm    
Do you have a minimum cipher requirement on the mail server?

Anonymous TLS connection established from unknown[a.b.c.d]: TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)

Anonymous TLS connection established from unknown[a.b.c.d]: TLSv1 with cipher AES128-SHA (128/128 bits)

You should search "554 5.7.1, postfix" on the interwebs for an answer
DaveWelsh 16-Aug-13 12:46pm    
Thanks jkirkerx,

I tried a few things:

1) I lowered the minimum required cipher strength to "low" by adding this line to my /etc/postfix/main.cf:

smtpd_tls_mandatory_ciphers = low

This didn't have any effect that I could detect.

2) I left the cipher strength at low and I tried changing the encryption protocol from TLSv1 to SSLv3 by adding this line of code:

ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3;

This resulted in a different line in my log file:

Aug 16 16:23:11 mail postfix/smtpd[31507]: Anonymous TLS connection established from unknown[a.b.c.d]: SSLv3 with cipher RC4-SHA (128/128 bits)

But the server still didn't authenticate me.

3) I tried authenticating without encryption enabled. This is what the log showed:

Aug 16 16:24:49 mail postfix/smtpd[31507]: connect from unknown[a.b.c.d]
Aug 16 16:24:49 mail postfix/smtpd[31507]: NOQUEUE: reject: RCPT from unknown[a.b.c.d]: 554 5.7.1 <dave@xxx.com>: Relay access denied; from=<administrator@xxx.com> to=<dave@xxx.com> proto=ESMTP helo=<amsterdam>
Aug 16 16:24:49 mail postfix/smtpd[31507]: lost connection after RCPT from unknown[a.b.c.d]
Aug 16 16:24:49 mail postfix/smtpd[31507]: disconnect from unknown[a.b.c.d]

So I'm starting to think that the .Net code is not even trying to log in.
DaveWelsh 16-Aug-13 13:50pm    
I think the problem is that my server only accepts the PLAIN authentication method and I probably need something like NTLM or CRAM-MD5 enabled for the System.Net.Mail.SmtpClient to authenticate.
jkirkerx 18-Aug-13 0:28am    
You can't change the .Net mail client, it's sort of fixed in what it does. You have to tweak your postfix server to negotiate a level of security that they can agree upon.

Add a relay permission to the client, like the IP address or IP address block of servers or clients that can relay.
I posted the log in the solution below at the end, sorry about that, didn't see it the first time.
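
The mechanism mismatch suspected in the comments can be checked against the server's EHLO reply, before and after STARTTLS. This is an added example, not part of the original thread: it parses constructed EHLO replies and intersects the advertised AUTH mechanisms with what a client supports. The SmtpClient mechanism set is an assumption about the .NET Framework implementation; the hostnames, the second client set and all function names are constructed.

```python
# Constructed EHLO replies (multiline 250 format); the hostname is a placeholder.
EHLO_BEFORE_TLS = """\
250-mail.example.com
250-PIPELINING
250-STARTTLS
250 8BITMIME
"""
EHLO_AFTER_TLS = """\
250-mail.example.com
250-PIPELINING
250-AUTH PLAIN
250 8BITMIME
"""

# Assumption: mechanisms implemented by .NET Framework's SmtpClient (not from the page).
DOTNET_SMTPCLIENT = {"LOGIN", "NTLM", "GSSAPI", "WDIGEST"}
# Constructed: a client that can do PLAIN, as the Thunderbird log line shows.
PLAIN_CLIENT = {"PLAIN", "LOGIN"}

def auth_mechanisms(ehlo_reply):
    """Return the set of SASL mechanisms advertised in an EHLO reply."""
    mechs = set()
    for line in ehlo_reply.splitlines()[1:]:      # first line is the greeting
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            continue
        keyword, _, params = line[4:].partition(" ")
        # Some servers also emit the legacy "AUTH=PLAIN LOGIN" form.
        if keyword.upper().startswith("AUTH="):
            keyword, params = "AUTH", keyword[5:] + " " + params
        if keyword.upper() == "AUTH":
            mechs.update(p.upper() for p in params.split())
    return mechs

def diagnose(before_tls, after_tls, client_mechs):
    """Explain whether a client can authenticate, and at which stage."""
    pre, post = auth_mechanisms(before_tls), auth_mechanisms(after_tls)
    usable = post & client_mechs
    if usable:
        return "can authenticate with " + ", ".join(sorted(usable))
    if not post:
        return "server offers no AUTH at all"
    where = "only after STARTTLS" if not pre else "before and after STARTTLS"
    return f"no common mechanism: server offers {sorted(post)} {where}"

if __name__ == "__main__":
    for name, mechs in (("SmtpClient", DOTNET_SMTPCLIENT), ("PLAIN client", PLAIN_CLIENT)):
        print(name, "->", diagnose(EHLO_BEFORE_TLS, EHLO_AFTER_TLS, mechs))
```

When there is no common mechanism, a client has nothing to attempt, so the server log shows no login attempt and the RCPT is judged on address-based rules alone.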

1 solution

You're on the right track! I'm not an expert at SMTP but I do have a couple hundred hours into it.

When using a mail server to relay a message to its destination, you're not really logging in to the mail server, you're just passing an SMTP message through it as long as you meet the criteria of the mail server. The mail server will do the hard work of finding the destination mail server, and do its work from there on.
Microsoft Exchange Mail Servers do require a Windows login inside the network. I know many can argue that you have to log in to pass a mail message, but that's another argument I'll save for another day.

So if you're not logging in, then what are you doing?

The mail server has a set of criteria to match your input from, such as
* Allowed IP Address range
* Port Numbers
* Domain Names
* SPF Record in your DNS Zone File
* SSL or TLS negotiation and request for keys
* Cipher negotiation
* Mail Server Black List
* Email Address Black list
* Connection or IP Address Black list

I use an Exchange Server, and the SMTP Mail server that is included in Windows Server 2003+, I think it's part of IIS Web Server. So on each web server we have, we have the SMTP Server set up on it. Our .Net Apps using the mail Client pass the mail message to the SMTP Server, which can relay to the exchange server, and then send the message out.

.Net --> SMTP Server in IIS --> Destination Mail Server

It took me a week to configure the whole thing, and to fix issues with sending to AOL, Time Warner and so on, and to rewrite my .net mail Client program.

You may want to consider changing your design, but I'm not sure how your infrastructure is set up.

/////////////////////////////////////////////////////////////////////////////////////
For what you're trying to do,

.Net --> postfix server --> Destination Server

Looks like you're going straight to your internal mail server from inside your network.

Fix the TLS negotiation, I think your postfix server is at issue here, and cannot settle on a protocol with the .Net mail Client. Check your port number too.

Below is an overview of how it works.

http://technet.microsoft.com/en-us/library/cc783349%28v=ws.10%29.aspx

This is the RFC 3207 for TLS Negotiation, which describes your exit code of 554

If the SMTP client decides that the level of authentication or
privacy is not high enough for it to continue, it SHOULD issue an
SMTP QUIT command immediately after the TLS negotiation is complete.
If the SMTP server decides that the level of authentication or
privacy is not high enough for it to continue, it SHOULD reply to
every SMTP command from the client (other than a QUIT command) with
the 554 reply code (with a possible text string such as "Command
refused due to lack of security").

Complete Document

http://www.ietf.org/rfc/rfc3207.txt

I haven't worked with Linux in a while, never worked with postfix, but I know you can adjust the config file to change the level of security.

You connected on the first log entry, but were disconnected upon TLS negotiation

Aug 15 17:13:55 mail postfix/smtpd[28870]: Anonymous TLS connection established from unknown[a.b.c.d]: TLSv1 with cipher AES128-SHA (128/128 bits)
Aug 15 17:13:56 mail postfix/smtpd[28870]: NOQUEUE: reject: RCPT from unknown[a.b.c.d]: 554 5.7.1 <dave@xxx.com>: Relay access denied; from=<administrator@xxx.com> to=<dave@xxx.com> proto=ESMTP helo=<AMSTERDAM>


Relay access denied;

I didn't see that, relay access denied, plain and simple, go back and set your config file back to that date of the log file, and add a relay permission, solved!
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


