exim configuration: 503 AUTH command used when not advertised

77

Solution 1

The "503 AUTH command used when not advertised" essentially explains itself: the server didn't offer the client the option to use the AUTH command. This is most likely because the client used HELO rather than EHLO (which I would note you used when you did your telnet test).

SMTP Authentication is part of Extended SMTP, which is initiated with the EHLO command; "plain old" SMTP did not support authentication and so it is technically an illegal command, even though some SMTP servers may still allow it.

The best possible solution is to tell your program to use Extended SMTP (EHLO) if possible; otherwise there might be an exim command to force it to allow AUTH on HELO-type connections.

** UPDATE **

According to this post here: http://www.exim.org/lurker/message/20040901.063858.126f66ac.en.html

EHLO (not HELO) must be given by client before AUTH.

That is, AUTH command could not be used unless advertised (through EHLO, according to auth_advertise, etc). This behavior was hardened in Exim 4.20 and is not an option.

Looks like you need a different MTA if you can't get your application to do EHLO. Or, do you require authentication? Can you accomplish the same thing using IP-based ACLs?

FINAL SOLUTION

Exim does have a workaround for this: using allow_auth_unadvertised as described here, you can do something like this:

# goes in the connect (acl_smtp_connect) or HELO (acl_smtp_helo) ACL;
# the control lets the matching host send AUTH after HELO or without it
# having been advertised after EHLO. hosts = * applies it to every client;
# restrict it to the broken client's address where you can.
warn    hosts   = *
        control = allow_auth_unadvertised

Solution 2

I had a similar problem. This message can occur even if EHLO is used, when the server is running Exim.

In WHM > Home > Service Configuration > Exim Configuration Manager, the option "Require clients to connect with SSL or issue the STARTTLS command before they are allowed to authenticate with the server" was set to the default (On). I'm not sure if I did this or not, and it is ordinarily a great idea for security, but forces the mailserver to enable (advertise) only the STARTTLS command, not AUTH. So when my script sends AUTH, the error message the server sends is correct. Further information is at http://blog.networkpresence.co/?p=8923 . Someday when I have time I will find out how to change my script to use TLS, so I can turn that Exim option On for security.

ADDED 11/19/19:

I have found how to change my local "send email" script to use TLS, and I have changed my server back to requiring either TLS or STARTTLS.

Why did I do this?

Because several websites I use require secure mailservers when sending email notifications. I had a devil of a time figuring out why they kept complaining about my email address: it was because my mailserver accepted insecure connections!

Thinking about it further, I realized that all Web operations should be secure (this is the basic idea behind the Let's Encrypt project, which was the first to provide free security certificates that renew automatically).

Two changes need to be made to a PHP "send email" application that uses the fsockopen function to change it from an insecure to a secure connection with the mailserver (this will eliminate the 503 error message the right way):

  1. Change the fsockopen port argument from 25 to 465.

  2. Change the fsockopen host argument scheme from (empty) to ssl:// . So, if the host was "mail.example.com", change it to "ssl://mail.example.com".

It may also be necessary to enable the line "LoadModule ssl_module modules/mod_ssl.so" in the httpd.conf file (for local Apache servers) or make some other local change to make PHP internet transports work. I'm not sure about this. Just these two changes worked for me right away.
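As an added example (not code from either answer, from Exim or from WHM), the Python script below simulates the server-side rule both answers run into, so the two failure modes can be replayed offline: AUTH after HELO gets the 503 because HELO advertises nothing, and with "require TLS before AUTH" switched on the plaintext EHLO reply lists STARTTLS but not AUTH, so AUTH still gets the 503 until the client upgrades and re-issues EHLO. The simulated gate also honours the allow_auth_unadvertised control from Solution 1. The host names, the dummy credentials and the capability list are constructed; no real TLS handshake or credential check takes place, only the advertise-before-AUTH state machine.

```python
import base64


class SmtpAuthGate:
    """Server-side simulation of Exim's AUTH gating (added example, not Exim code).

    Rules modelled:
      * AUTH is accepted only after it was advertised in an EHLO response.
        HELO never advertises anything, so HELO + AUTH -> 503, unless the
        ACL control allow_auth_unadvertised is in effect.
      * With require_tls_for_auth set, the plaintext EHLO reply lists STARTTLS
        but not AUTH; AUTH is advertised only by the EHLO that follows a
        STARTTLS. STARTTLS here just flips session state (no real TLS), and
        credentials are not checked, only the gate.
    """

    AUTH_MECHS = "PLAIN LOGIN"

    def __init__(self, require_tls_for_auth=True, allow_auth_unadvertised=False):
        self.require_tls_for_auth = require_tls_for_auth
        self.allow_auth_unadvertised = allow_auth_unadvertised
        self.tls = False
        self.auth_advertised = False
        self.authenticated = False

    def handle(self, line):
        """Process one client command; return the server's response lines."""
        verb = line.strip().split(" ", 1)[0].upper()
        if verb == "HELO":
            self.auth_advertised = False          # plain SMTP: no extensions at all
            return ["250 mail.example.test Hello client"]
        if verb == "EHLO":
            lines = ["250-mail.example.test Hello client"]
            if not self.tls:
                lines.append("250-STARTTLS")
            self.auth_advertised = self.tls or not self.require_tls_for_auth
            if self.auth_advertised:
                lines.append("250-AUTH " + self.AUTH_MECHS)
            lines.append("250 HELP")
            return lines
        if verb == "STARTTLS":
            if self.tls:
                return ["503 STARTTLS command used when not advertised"]
            self.tls = True
            self.auth_advertised = False          # client must re-issue EHLO
            return ["220 TLS go ahead"]
        if verb == "AUTH":
            if not (self.auth_advertised or self.allow_auth_unadvertised):
                return ["503 AUTH command used when not advertised"]
            self.authenticated = True
            return ["235 Authentication succeeded"]
        if verb == "QUIT":
            return ["221 mail.example.test closing connection"]
        return ["500 unrecognized command"]


def parse_capabilities(ehlo_response):
    """Map EHLO keywords to their parameters, e.g. {'AUTH': ['PLAIN', 'LOGIN']}."""
    caps = {}
    for line in ehlo_response[1:]:                # first line is the greeting
        keyword, _, params = line[4:].partition(" ")  # drop '250-' / '250 '
        caps[keyword.upper()] = params.split()
    return caps


def authenticate(server, use_ehlo=True):
    """Drive a session the way a correct client should (or, with
    use_ehlo=False, the way the broken HELO-only client does) and return the
    transcript as (command, first response line) pairs."""
    creds = base64.b64encode(b"\0user\0pass").decode()  # constructed dummy
    transcript = []

    def send(cmd):
        resp = server.handle(cmd)
        transcript.append((cmd, resp[0]))
        return resp

    if not use_ehlo:
        send("HELO client.example.test")
        send("AUTH PLAIN " + creds)
        return transcript
    caps = parse_capabilities(send("EHLO client.example.test"))
    if "AUTH" not in caps and "STARTTLS" in caps:  # server wants TLS before AUTH
        send("STARTTLS")
        caps = parse_capabilities(send("EHLO client.example.test"))
    if "PLAIN" in caps.get("AUTH", []):
        send("AUTH PLAIN " + creds)
    return transcript


def final_code(transcript):
    """Three-digit code of the last server reply in a transcript."""
    return transcript[-1][1][:3]


if __name__ == "__main__":
    scenarios = [
        ("HELO + AUTH, default", SmtpAuthGate(require_tls_for_auth=False), False),
        ("HELO + AUTH, allow_auth_unadvertised", SmtpAuthGate(False, True), False),
        ("EHLO, AUTH advertised in clear", SmtpAuthGate(require_tls_for_auth=False), True),
        ("EHLO, TLS required before AUTH", SmtpAuthGate(require_tls_for_auth=True), True),
    ]
    for label, gate, ehlo in scenarios:
        print(label)
        for cmd, reply in authenticate(gate, ehlo):
            print("  C:", cmd.split(" ")[0], "   S:", reply)
```

The client side of the "TLS required" scenario is the part Solution 2's script was missing: read the EHLO reply, and when AUTH is absent but STARTTLS is present, upgrade and EHLO again before sending AUTH. A client that instead connects with implicit TLS on port 465, as in the two fsockopen changes above, skips STARTTLS entirely because the whole connection is encrypted from the first byte, so its first EHLO already sees AUTH. On the Exim side, the documented way to get this behaviour without WHM is `auth_advertise_hosts = ${if eq{$tls_in_cipher}{}{}{*}}`, which advertises AUTH only on encrypted connections; with that in place the 503 is the server correctly refusing to take a password in the clear, and allow_auth_unadvertised would undo that protection.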

Author: satya

Updated on September 18, 2022
Comments

  • satya
    satya almost 2 years

    I had a doubt. Is it possible to call one function/method present inside one class using object prototype in JavaScript? If possible, can anybody make the below code correct?

    (function(){
        window.Peer=function(){
            var peer=this;
            peer.getMessage=function(){
                alert("hello!!! This is very good site.")
            }
        }
    })();
    
    
    <button type="button" id="btn">Click here</button>
    <script>
    document.getElementById('btn').onclick=function(){
        Peer.prototype.getMessage();
    }
    

    The above code is throwing an error. Please give me some idea to resolve this.

    • becomingwisest
      becomingwisest almost 13 years
      This bypasses your question, but you could also set exim to allow relaying from the IP address of your Windows server. This may be required if you can't get your application to do EHLO, as Coding Gorilla mentions.
    • AbdelKh
      AbdelKh almost 13 years
      @Christopher: Thanks, that seems like an easier way to approach it. Although I believe this machine is on a dynamic IP...
    • Daniel Cheung
      Daniel Cheung almost 9 years
      you can test with Inspect Element within Console
    • Daniel Cheung
      Daniel Cheung almost 9 years
      you can run it as it using Peer(getMessage()) or Peer.call(getMessage())
    • Jaromanda X
      Jaromanda X almost 9 years
      FYI you are getting an error because you haven't added the function to Peer.prototype
    • satya
      satya almost 9 years
      @Jaromanda X: Can you make this correct?
    • EML
      EML over 2 years
      Bad idea to set allow_auth_unadvertised on exim. The protocol explicitly requires advertising, and your client program is broken, period. This feature should never have got into exim. One server I'm responsible for doesn't advertise AUTH (it has alternative authentication) but occasionally gets attacked for days on end by automated clients who AUTH anyway, then just guess names/passwords. I've 'fixed' this by terminating clients who send unwanted AUTHs. IMO, unwanted AUTHs are a good indication that the client is a hacker.
  • AbdelKh
    AbdelKh almost 13 years
    Strange, sounds like it's breaking the protocol then. I'd be interested to hear if anyone has more information on advertising AUTH on a HELO connection.
  • Coding Gorilla
    Coding Gorilla almost 13 years
    @jrdioko Updated with additional info on Exim
  • AbdelKh
    AbdelKh almost 13 years
    Thanks for the clarification. As mentioned in a comment above, the client is on a dynamic IP so ACLs won't work. My only other thought, which I read somewhere, is to make exim reject HELO commands to try to force the client to send EHLO instead.
  • Coding Gorilla
    Coding Gorilla almost 13 years
    What about basing the ACL on the HELO host name? I'm guessing your application won't send the EHLO (although definitely try), it's probably a poorly written SMTP implementation, which I often find in older software.
  • AbdelKh
    AbdelKh almost 13 years
    Ah, didn't realize that was possible, that sounds like it could work, I'll look into it.
  • Coding Gorilla
    Coding Gorilla almost 13 years
    It's not the best solution, since if someone figured it out, it's obviously very easy to spoof; but if you don't mind the risk it should get you by.
  • AbdelKh
    AbdelKh almost 13 years
    True, but that's a risk of unencrypted authentication in general.
  • AbdelKh
    AbdelKh almost 13 years
    It actually looks like there is a solution in current versions of exim. See the description of allow_auth_unadvertised here.
  • AbdelKh
    AbdelKh almost 13 years
    That worked like a charm. Could you post a quick update to your answer, for people that don't read through all these comments?
  • satya
    satya almost 9 years
    I know this, but I want to use prototype.
  • Marco Demaio
    Marco Demaio over 4 years
    It works like a charm!
  • David Spector
    David Spector over 4 years
    Yes, making a mailserver accept insecure connections works like a charm, but it will allow lots more access by malicious users and increases the chances of getting your mailserver compromised. I've edited my answer to favor using secure connections. I apologize for my ignorance in advocating insecure access, but detailed mailserver security is not a well-documented topic and I was just trying to help in the only way I could at the time.