
Solving CFMAIL failure, "530 5.7.3 Client was not authenticated"

I recently had a problem trying to use CFMAIL from my local development laptop pointing to my hosted server (for carehart.org). The mail would never deliver (ending up instead in CF's mail/Undelivr folder). Fortunately, I knew to look in CF's mail.log, and it would show it was failing with "530 5.7.3 Client was not authenticated".

What was so curious was that my local mail client (Outlook) was configured with the exact same servername, username, password, and port, and ran fine from the same laptop on which CF was running. Both were trying to send email via the remote mail server. Why would CFMAIL fail when Outlook would work, both connecting from the same machine to the same SMTP server with the same connection parms?

The short answer: looks like CFMAIL doesn't support Windows Integrated Authentication

I ultimately determined that the mail server (in my case IIS) was set for something other than plain text (basic) authentication. In my case, the properties for the SMTP server in IIS were set to use only "Integrated Windows Authentication". Changing it to also allow Basic Authentication made the problem go away.

Those using other mail servers may find they also offer something other than plain text (Basic) authentication. Hopefully this will still help those folks solve the problem on their systems, too.

So at a minimum, we can say that CFMAIL doesn't seem to support Integrated Windows Authentication. It may be that it doesn't support anything other than plain text (basic) authentication, but I can't confirm that. The docs don't clarify any restriction (the way they do for CFHTTP, which they say also does not support Integrated Windows Auth).

A google search for the error above, with respect to CFMAIL, also didn't find anyone else making this connection, so hopefully this will help. I will add a comment to the livedocs CFMAIL reference page as well.

Some Background:

FWIW, and how this came about, I recently moved to a new hosted, dedicated server (more in a later entry), running my CF, web server, mail server, etc.

While I had long told Outlook to use my network service provider (Comcast cable) SMTP server, even for mail I would send with a "from" address at carehart.org, I feared that some recipient servers might ding the email as spam for not coming from the mail server at carehart.org. So I changed Outlook to send email via my remote server (carehart.org), and that was all fine for some months.

One day recently I decided to change the CF Admin for my local laptop to also use that server (not that I needed to: I obviously don't send email to customers via CF running on my laptop, but I didn't see any reason not to try.) But that's when I got the error. As I said, part of what threw me was that I had been able to successfully send email from Outlook, on the same laptop as the CF trying to send the email, and Outlook was set to use all the same server settings. I could have switched back to my network provider's SMTP server, but I wanted to get to the bottom of this. And I'm glad I did, as this doesn't seem to have been a well-documented problem and solution.

Some other observations

Before solving this I had presented the problem to some fellow CF gurus. One of the first suggestions I got was from the inestimable Dave Watts, who proposed connecting to the SMTP server via telnet from my laptop. When I did that (after finding the commands needed to do that), it reported (in response to Auth Login) "504 5.7.4 Unrecognized authentication type". I had solved the problem by the time I got around to trying that, but it certainly could have been a key clue for me. I offer it here for others to consider. (Another reasonable suggestion, from Russ Michaels, was to look in the server's logs, but there was nothing much in the server's SMTPSVC log that pointed to a solution. It just showed the 530 code as one of the fields on the attempted login.) Thanks anyway, guys, really. We have such a great community.

Also, some may wonder if the CF Admin's "verify mail server config" option (on the Server Settings>Mail page) would have detected the problem. It did not. It would verify, even when the CFMAIL would fail. That tells me that it doesn't actually try to login, which seems a shortcoming.

Finally, going back to my being thrown by Outlook working where CFMAIL did not, I'll add for anyone curious that none of the Outlook account settings (under "more settings", its 4 tabs) showed it using Windows authentication or encryption (yes, I appreciate the risk of that). I guess Outlook uses Windows Auth by default. It was indeed the only authentication that was configured on the mail server. Again, as soon as I changed it to allow basic, the CFMAIL started working.

Hope all this helps someone.

Comments
Glad you got it working... for the sake of posterity I wanted to add a
couple things to this thread post-facto (because sometimes I use teh blogz
for a searchable kbase of fixes/conversations). Two quick things:

1) The telnet trick is a golden oldie... you can often tell what
options and/or authentication routines are installed by "handshaking"
with the SMTP server via telnet. There's actually a great deal of good
info here:

http://www.yuki-onna...

2) I've seen this same (or maybe just very very similar) error come
from a server using SMTP+SSL/TLS when the certificate was either self-signed
or expired... I have seen it in the past require adding a key to the
keystore so that the CF server could then talk to the SMTP server via
a certificate that it could digest.

I also helped someone write a CF Admin extension for managing certificates and the keystore at one point, and it's located here:

http://certman.riafo...

If I remember correctly it was pretty much this exact circumstance that prompted the creation of this RIAForge project.

Like I said, nothing substantive to add to your issue, but overall
info to stick in the thread for later. :)
# Posted By Jared Rypka-Hauer | 4/20/09 12:38 PM
Cool stuff, Jared. Thanks for sharing.
# Posted By Charlie Arehart | 4/20/09 1:09 PM
@Charlie:

I am facing the same problem while integrating a mail server with ColdFusion-10. This is an SSL-enabled mail server.
I tried the following:

- Enabled SSL in CF admin.
- Installed the SSL certificate in CF server as described in the first comment.

But still sending mail is not working. After going to the log message of the CFMAIL I got following error message:

javax.mail.MessagingException: Could not connect to SMTP host: email.mindfiresolutions.com, port: 587; nested exception is: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?


My questions are:

- How will I identify if the mail server is using Windows integrated authentication?
- If it is using Integrated Windows authentication, then is there any way we can implement CFMAIL in CF10/CF9 without modifying anything on the mail server?
# Posted By Upendra Roul | 8/1/13 9:33 AM
@Upendra, sorry for the delay in replying.

As for your error, it's quite different from what I'm discussing here, so it may not be the same issue at all. Yours is basically "Unrecognized SSL message, plaintext connection?" So this is an issue of SSL, not Integrated Windows Authentication.

Also, the ? at the end of the message (which is really there, readers, not something Upendra added) gives you a clue as to the problem. I'm pretty sure it's saying you are trying to use https and an ssl port, but the client (in this case, CF) is finding the connection to be returning plaintext, not the binary encrypted data that an SSL connection should use. (OR it could be the reverse.)

This could be another place where some telnet sleuthing (as discussed above) may help you.

Or since you refer to port 587, are you using gmail? Could it be that you are needing to enable TLS support? Support for that was added in CF8 (in cfmail and the admin). For more, besides the CF docs, see http://jamiekrug.com...

But if that's not the issue, I'll note that you could perhaps still be having a cert issue. Here's a common mistake: perhaps you didn't install the cert into the "right" cacerts. Some people read blog entries showing how to do imports of certs, and they have you place it in the cacerts within cf. That's fine, as long as you have not changed CF to use a different JVM. If so, then you need to instead import the cert into the cacerts within that JVM directory.

But now to your questions, in case somehow answering them may help...

First, how to tell if windows auth is required by a mail server, I'm afraid I don't know how to tell that. In my case above, I was just saying that because I was connecting to the mail server on my own server, I could see from the IIS SMTP server's properties that it was so.

As for your second question, I do believe that the issue (that you can't have CFMAIL communicate with an smtp server that uses integrated windows authentication) still remains in CF10. If anyone knows otherwise, feel free to speak up.

Hope some of that may help.
# Posted By Charlie Arehart | 8/21/13 2:18 PM
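
The telnet check described in the post, and the question in the comments about how to tell which authentication a mail server expects, both come down to reading the AUTH line in the server's EHLO reply. The following is an added example, not code from the post or from ColdFusion: the function names and the sample replies are constructed for illustration, and it assumes (as the post observed but could not confirm) that the client can only do PLAIN or LOGIN authentication.

```python
import re
import smtplib

# Assumption from the post: the client (CFMAIL) only does plain-text "basic" auth.
BASIC = {"PLAIN", "LOGIN"}
# SASL mechanism names used for Integrated Windows Authentication.
INTEGRATED = {"NTLM", "GSSAPI"}


def parse_ehlo(text):
    """Return (auth_mechanisms, starttls_offered) from an EHLO reply.

    Accepts raw telnet output ("250-AUTH ...") or smtplib's code-stripped form.
    """
    mechs, starttls = set(), False
    for line in text.splitlines():
        line = re.sub(r"^\d{3}[- ]", "", line.strip()).upper()
        if line == "STARTTLS":
            starttls = True
        elif re.match(r"AUTH[ =]", line):
            # Handles both "AUTH LOGIN PLAIN" and the legacy "AUTH=LOGIN" form.
            mechs.update(line[5:].split())
    return mechs, starttls


def assess(text):
    mechs, starttls = parse_ehlo(text)
    basic = sorted(mechs & BASIC)
    return {
        "mechanisms": sorted(mechs),
        "basic_client_can_auth": bool(basic),
        "integrated_only": bool(mechs & INTEGRATED) and not basic,
        # Basic auth is only base64-encoded, so it needs TLS underneath it.
        "basic_without_starttls": bool(basic) and not starttls,
    }


def fetch_ehlo(host, port=25, timeout=10):
    """Live check: return the server's EHLO reply text (needs network access)."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        return smtp.ehlo()[1].decode("ascii", "replace")


# Constructed EHLO replies (not captured from the author's server).
INTEGRATED_ONLY = "250-mail.example.test Hello\n250-AUTH GSSAPI NTLM\n250 OK"
BASIC_ALLOWED = ("250-mail.example.test Hello\n250-AUTH GSSAPI NTLM LOGIN\n"
                 "250-AUTH=LOGIN\n250-STARTTLS\n250 OK")

if __name__ == "__main__":
    for name, sample in (("integrated only", INTEGRATED_ONLY), ("basic allowed", BASIC_ALLOWED)):
        print(name, assess(sample))
```

A reply with `integrated_only` set matches the situation in the post, where AUTH LOGIN was answered with "504 5.7.4 Unrecognized authentication type"; `basic_without_starttls` flags a server that would accept basic credentials over an unencrypted connection.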
Copyright ©2018 Charlie Arehart