[personal profile] solarbird
iOS's mail application doesn't try to authenticate smtp connections unless it's forced to. (apparently.) if it can attempt to send mail without AUTHing, it will, and nothing you can do seems to change that. failure to actually be able to send mail doesn't make it go, "huh, mebbe I should AUTH."

if your sendmail server behaviour changes based on authentication (specifically, to act like a smarthost and allow relays it otherwise wouldn't), this fucks you for sending mail from your iphone.

setting up a second host with exim4 to get around this means trying to get exim4 to acknowledge the concept of AUTH in response to an EHLO in ANY FUCKING WAY WHATSOEVER. which is supposed to be trivial but is instead INSANITY IN A SHELL. NOTHING I've done results in AUTH coming online. much less being required. fuuuuuuuuuuuuuuuck.

no reports or errors, of course. it's just insert coin, say hokaydo! and then change NOTHING WHATSOEVER.

hey, exim4 fans, you got anything here? i didn't think anything in the world could make me go, "y'know, sendmail docs are pretty clear," until I started poking around at exim4. at least, if you want to do anything that isn't handled by the six-screen eximconfig script. which this most definitely isn't.

(i want _some_ damn thing to pick up for smtp over ssh, _require_ auth, then relay whatever it gets to our actual mail server, all so we can fucking send mail from these phones, before I kill everyone. apparently that's hard. YES I WOULD INSTALL SENDMAIL except the fucking package manager won't let me change MTAs without uninstalling the webserver, which is a whole 'nother can of FUUUUUUUUUCK YOUUUUUUUUUU. AAAAAAAAAAAAAAAAAAAGH KJSHE FLKHWEFLIUH LEFIUFS)

i'm going to bed now. somebody be a dear and hand me the large animal tranquillisers. thanks.

Date: 2011-02-22 10:47 am (UTC)
From: [identity profile] lyonesse.livejournal.com
i presume that you will need to set up some kind of dyndns to reverse-resolve your phone to something that you can then allow (like a name in .murkworks.net)....

Date: 2011-02-22 03:12 pm (UTC)
From: [identity profile] rfunk.livejournal.com
I started my sysadmin career long ago by digesting the Sendmail Bat Book in a day.
I've messed with Exim on systems that had it installed by default.
And I've set up Postfix to handle multiple domains on a server. Multiple times.

So believe me when I tell you that Postfix is the only way to go while retaining your sanity.

(It helps if you can tell the client to use a port other than 25, so you can put different rules on 25 than on the "submission" port.)

Date: 2011-02-22 04:45 pm (UTC)
From: [identity profile] rfunk.livejournal.com
Yeah, I hate that Debian is so wedded to Exim.... but any non-Exim package that doesn't have an alternate dependency that Postfix can satisfy is broken.

Sometimes apt-get seems to get unhappy about broken dependencies that will actually be fine once everything is configured, so it should work to let it remove the web server, then reinstall it. It's also likely that aptitude would be smarter than apt-get about that sort of thing (assuming you're not already using aptitude).

One of those multi-domain Postfix installs I mentioned was done on a Debian server that also had Apache installed (all from packages), so it is possible. I'd dig into it, but now all my machines are running Ubuntu.

Date: 2011-02-24 05:33 pm (UTC)
From: [personal profile] wrog
Not only is it possible but I just did it, or at least I was able to go into aptitude, delete exim4, exim4-base, exim4-config, and exim4-daemon-heavy, and add postfix and it's not reporting any conflicts

(...and in particular no conflicts with my apache2 installation, which is a stock installation straight from the packages -- about the only weird thing I'm doing is using the multithreaded mpm module, which apparently nobody does these days, but that shouldn't matter for anything external to apache...)

Since I don't have a real Postfix config ready to go and I need to keep a working mail server, I'm not quite up for typing 'g' to see what explodes when I Actually Do it. But at least this shows your webserver package, whatever it is, is just b0rken.

... which I realize may not help you a whole lot, though if this is indeed an apache1 packaging issue, and that's what you're using, an upgrade to apache2 apparently would be one way out of this box.

Date: 2011-02-24 04:45 pm (UTC)
From: [identity profile] theprimarydave.livejournal.com
I've only used Ubuntu, but since it's based on Debian, it might work out. Have you tried installing postfix (which is all I touch right now) BEFORE uninstalling exim? If it satisfies the dependency for the web server, it's just getting to that point that is the problem, then you might be able to do it that way. I'm pretty sure that's what I did on my very first Ubuntu install, which also used exim as the default.

Alternately, you might be able to use some combination of options that lets you remove exim and add postfix in the same command, but I'm still learning the debian package manager, so I don't know if that's possible.

i apologize for the language, but:

Date: 2011-02-23 06:15 am (UTC)
From: [identity profile] discogravy.livejournal.com
+1 on postfix. fuck exim, fuck exim a lot (and really fuck sendmail, fuck it so fucking hard).

try using dpkg to uninstall exim instead of apt-get (or aptitude or whatever). you may need to apt-get install httpd (or whatever webserver) -- ultimately the problem is that the www server was installed as a dep for the smtp server and not as its own package (lesson: package maintainers are stupid). i'm sort of surprised that neither the apt tools nor dpkg have a direct "--ignore-deps" option

removing the www server and reinstalling shouldn't cause any major problems although i can totally understand your reticence to do that. huge potential PITA.

Date: 2011-03-05 05:52 am (UTC)
From: [personal profile] wrog
So, I just stumbled across something in /usr/share/doc/exim4-base/README.Debian.gz that might possibly be of use.

Is the iOS client capable of making SSL/TLS connections to the mail server (i.e., can it be configured to always do this when you send mail)? Because according to this, that appears to be the only way you can get exim4 (or at least Debian-configured exim4) to do AUTH.

Herewith the salient bits:
2.3. SMTP-AUTH

   Exim can do SMTP AUTH both as a client and as a server.

   AUTH PLAIN and AUTH LOGIN are disabled for connections which are not
   protected by SSL/TLS per default. These authentication methods use
   cleartext passwords, and allowing the transmission of cleartext
   passwords on unencrypted connections is a security risk. Therefore, the
   default configuration configures Exim not to use and/or allow AUTH
   PLAIN and AUTH LOGIN over unencrypted connections.

   It is thus recommended to set up Exim to use TLS to encrypt the
   connections. Please refer to Section 2.2, "Using TLS" for
   documentation about this. Note that most Microsoft clients need special
   handling for TLS.

ETA: and, of course, now I see a few comments above (buh) that you are using ssh tunneling, in which case the question is, are you doing this outside of the respective mail processes (e.g., running a separate ssh client on iOS to make your tunnel to the [unencrypted but blocked by your firewall] SMTP port) or are you letting Exim handle the TLS stuff itself directly (i.e., having it listen and accept SSL connections itself at an exposed port)?

My guess is the former approach is probably doomed (i.e., if that has anything to do with what you were actually doing, and if not then nevermind... :-)
Edited Date: 2011-03-05 06:05 am (UTC)
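
The README excerpt quoted in the comment above implies that a Debian-configured Exim will list no AUTH line in its EHLO reply until the connection is under TLS. As an added example (not part of the original thread, and not Exim's or Debian's own code), this Python sketch parses EHLO replies taken before and after STARTTLS and reports which situation a server is in; the hostnames, addresses and both sample replies are constructed, and the function names and result strings are assumptions of this example.

```python
# Constructed EHLO replies (sample data, not captured from a real server).
PLAINTEXT_EHLO = (
    "250-mail.example.test Hello client.example.test [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-PIPELINING\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)
TLS_EHLO = (
    "250-mail.example.test Hello client.example.test [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-PIPELINING\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250 HELP\r\n"
)
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}  # mechanisms that transmit the password itself


def parse_ehlo(reply):
    """Return {KEYWORD: [params]} from a multiline 250 EHLO reply."""
    ext = {}
    lines = [l for l in reply.splitlines() if l]
    for line in lines[1:]:  # the first line is the greeting, not an extension
        if not line.startswith("250") or line[3:4] not in ("-", " "):
            raise ValueError(f"unexpected reply line: {line!r}")
        # Some servers also send the legacy "AUTH=PLAIN LOGIN" form.
        words = line[4:].replace("AUTH=", "AUTH ", 1).split()
        if words:
            ext[words[0].upper()] = [w.upper() for w in words[1:]]
    return ext


def diagnose(plain_reply, tls_reply=None):
    """Classify AUTH advertisement given the pre-TLS and (optional) post-TLS EHLO."""
    plain = parse_ehlo(plain_reply)
    tls = parse_ehlo(tls_reply) if tls_reply is not None else {}
    exposed = CLEARTEXT_MECHS & set(plain.get("AUTH", []))
    if exposed:  # passwords could cross the wire unencrypted
        return "cleartext-auth-without-tls: " + ",".join(sorted(exposed))
    if "AUTH" in plain:
        return "auth-offered-plaintext"
    if "AUTH" in tls:
        return "auth-only-after-tls"
    if "STARTTLS" in plain and tls_reply is None:
        return "retry-after-starttls"  # AUTH may simply be hidden until TLS is up
    return "no-auth-configured"
```

A result of `retry-after-starttls` means the missing AUTH line is not yet evidence of a broken authenticator: repeat EHLO inside the TLS session before changing the configuration.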
