[ZendTo] Authentication Error - The username or password was incorrect

Marlon Deerr MDeerr at hshlawyers.com
Tue Jul 21 20:55:11 BST 2020


Hey Jules,

Here is a portion of what was displayed after my attempt to re-send the dropoff. It failed (obviously), but I’m not sure why it is.

2020-07-21 16:51:21 CLIENT -> SERVER: STARTTLS
2020-07-21 16:51:21 SERVER -> CLIENT: 220 2.0.0 SMTP server ready
SMTP Error: Could not connect to SMTP host.
2020-07-21 16:51:21 CLIENT -> SERVER: QUIT
2020-07-21 16:51:21 SERVER -> CLIENT:
2020-07-21 16:51:21 SMTP ERROR: QUIT command failed:
SMTP connect() failed. Sta


What I have done to troubleshoot


1. Tried setting the SMTP port within preferences to 25, 465 & 587 – failed on each re-send

2. Opened a PowerShell prompt and opened a telnet session to our mail server (on port 25) – success

3. Sent a simple email from myself to myself – success (my Outlook client received it right away)

4. Sent another simple test email but this time from another email address to myself - success

This tells me that technically I can connect to the server and send emails. Not sure why ZendTo is failing to connect.

From: Jules [mailto:Jules at Zend.To]
Sent: Tuesday, July 21, 2020 7:41 AM
To: Marlon Deerr <MDeerr at hshlawyers.com>
Subject: Re: [ZendTo] Authentication Error - The username or password was incorrect


On 21/07/2020 12:32, Marlon Deerr wrote:
You did the trick Jules. Removing “ldaps://” from hostname of the authLDAPServers1 value worked. I thought that it was supposed to be there so I never even thought to remove that.
Yay! You need to add the ldaps:// when you are encrypting all the traffic to your AD server. Which you're not. In which case it just wants the hostname and nothing else.



Now I just need to work on getting SMTP working. I was working on one problem at a time.
There's a slightly curious but effective way of debugging this setup...
Send yourself (or a test account) a drop-off.
Through your ZendTo Outbox, view the drop-off.
Edit preferences.php to set
  'SMTPdebug'    => true,
(it's normally set to false, it will be near the bottom of the SMTP settings in preferences.php).
Click on the "Resend Dropoff" button on the web page.
You will see the entire SMTP conversation happen on the web page output.
It often only stays there for a few seconds, so you might want to be ready with whatever keys you need to take a screenshot!

Fix the problems and get the "Resend Dropoff" debug output looking right. You should see some "OK" type messages.

Then reset
  'SMTPdebug'    => false,
before trying anything else, such as creating a new drop-off.
Having that 'SMTPdebug' set to true will break the new drop-off process.

It's usually fairly straightforward to fix. Feel free to send me a screenshot or two if you can't see what's wrong (I've had 30 years' experience running enterprise email systems, so what's easy/obvious to me may well not be to you. Sorry about that!).

Cheers,
Jules.





Thanks so much for your assistance.



Marlon Deerr, Technology Manager
416-572-8795 (direct) | MDeerr at hshlawyers.com

3500 - 20 Queen St. W., Toronto, ON M5H 3R3
Fax: 416-361-0083 | Toll Free: 877-474-5997 | www.hshlawyers.com



This Howie Sacks & Henry e-mail is privileged, confidential and subject to copyright. Any unauthorized use or disclosure is prohibited.



From: Jules [mailto:Jules at Zend.To]
Sent: Tuesday, July 21, 2020 4:02 AM
To: Marlon Deerr <MDeerr at hshlawyers.com>
Subject: Re: [ZendTo] Authentication Error - The username or password was incorrect

Marlon,

Try changing this setting to the one below:
  'authLDAPServers1'          => array('hsh-dc.hsh.local'),
What I've done is remove the "ldaps://" from the hostname of the authLDAPServers1 value.

If that doesn't fix it, can you send me the exact ldapsearch command you used that worked?

Cheers,
Jules.


On 20/07/2020 20:52, Marlon Deerr wrote:
Hello Jules,

Thank you for following up on this issue I’m experiencing. To answer your question, yes, I meant to refer to my AD server not DNS.  As for the ldapsearch utility, yes I am able to successfully show my details when I insert the correct values in the command.  Also, as requested, I have copy/pasted the LDAP section of my preferences.php file for you to take a look at.

Hopefully, you see something I’m missing.





Marlon Deerr, Technology Manager



From: Jules [mailto:Jules at Zend.To]
Sent: Saturday, July 18, 2020 8:03 AM
To: Marlon Deerr <MDeerr at hshlawyers.com>
Subject: Re: [ZendTo] Authentication Error - The username or password was incorrect

Marlon,
On 17/07/2020 22:54, Marlon Deerr wrote:
Jules,

No, I didn’t type in < and > characters. I only did that to not show real usernames on my end.  So to be clear, no I did not type in those characters as part of the username when using the /opt/zendto/bin/adduser command. As for certificates, I’m not sure as our DNS server
I assume you mean your AD server, not your DNS server. DNS should have no impact on this at all.




is actually managed by our MSP. With that said, when I do run the openssl command, I get the below output.
That looks like they're not running any encryption on your AD traffic. Okay, but Microsoft are going to mandate encryption on AD traffic very soon. But in the meantime, you should be okay using it unencrypted.

On zend.to/activedirectory, read section 2 and there is an ldapsearch command. Replacing the necessary bits of that, can you get it to show you your details?

If you can send me your AD settings from preferences.php (all the LDAP settings whose names end in 1, 2 or 3), I can take a look and suggest an ldapsearch command that should work if your settings are correct.





As for the log file at /var/log/zendto/zendto.log, if it says Warning: authorization failed for username, does that mean it wasn’t able to read from our AD Server? Not sure how to interpret that because before I ran the upgrade command after applying the latest patch, it seemed as though it was able to read from AD. Now I’m not sure what’s going on.
It probably did manage to connect to your AD server, but couldn't get any further.






Output for openssl s_client -connect your-ad-server.company.com:636

From this output, it looks like you're running AD unencrypted.

Cheers,
Jules.




CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 283 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)




Marlon Deerr, Technology Manager



From: Jules [mailto:Jules at Zend.To]
Sent: Wednesday, July 15, 2020 12:35 PM
To: Marlon Deerr <MDeerr at hshlawyers.com>; ZendTo Users <zendto at zend.to>
Subject: Re: [ZendTo] Authentication Error - The username or password was incorrect

Are you actually seeing the < and > characters?
You didn't actually type those into the /opt/zendto/bin/adduser command, did you?

Have a read of the AD troubleshooting steps on
    zend.to/activedirectory

Do you know if you're running with a locally-signed certificate on your AD servers?

Assuming you have the hostname and port number (636 usually) of your AD server, try
openssl s_client -connect your-ad-server.company.com:636

That will show you the initial SSL/TLS handshake involving all the certificates.
You'll need to Ctrl-C it at the end, but what it prints out should be very useful so you can see exactly what is using which certs.

Hope that helps,
Jules.
On 15/07/2020 16:50, Marlon Deerr wrote:
OK, my user seems to be unlocked now but now I am getting the following errors below. I must be missing something else in my setup:

Warning: admin authorization failed for <username1>

And for other users I still get the following error:

Warning: authorization failed for <username2>


Note: I believe I added <username1> as an admin.



Marlon Deerr, Technology Manager



From: Jules [mailto:Jules at Zend.To]
Sent: Wednesday, July 15, 2020 7:09 AM
To: ZendTo Users <zendto at zend.to>
Cc: Marlon Deerr <MDeerr at hshlawyers.com>
Subject: Re: [ZendTo] Authentication Error - The username or password was incorrect

Marlon,

The crucial bit in the log is the "locked-out user" bit.

ZendTo has a security feature in it to stop it being used as a method of brute-force attacking your accounts from outside.
If the same user has several failed logins in a row, that user is locked out for the next 24 hours by default.

If you can login as an admin user, one of the extra admin red buttons shows you the locked out users and lets you reset them.

Alternatively, you can unlock all locked users from the command line with
    /opt/zendto/bin/unlockuser -a

Cheers,
Jules.
On 14/07/2020 18:45, Marlon Deerr via ZendTo wrote:
Ok, so I think I finally (or almost finally) got my AD authentication settings correct.  I have installed the ldapsearch utility to confirm that I’m able to successfully search the OU where my users reside, however when I attempt to log in with a valid user, ZendTo keeps erroring with:

Authentication Error
The username or password was incorrect

I checked the /var/log/zendto/zendto.log and it says the following:

“….Warning: authorization attempt for locked-out user <username1>
Then when I try logging in as another user, I see the following in the log

“…Warning: authorization failed for <username2>



I know that I have both username/password correct so I must be missing something. Anyone know what setting I may have applied incorrectly?









_______________________________________________

ZendTo mailing list

ZendTo at zend.to

http://jul.es/mailman/listinfo/zendto







Jules



--

Julian Field MEng CEng CITP MBCS MIEEE MACM



'When a man points a finger at someone else, he should remember

 that four of his fingers are pointing at himself.' - Louis Nizer



www.Zend.To

Twitter: @JulesFM
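
The openssl s_client output quoted in this thread is what led to dropping the "ldaps://" prefix from authLDAPServers1. As an added example (not part of any message in the thread, and not ZendTo code), the script below classifies saved s_client output and prints the matching form of that setting; the function names, the second sample and the host dc.example.test are constructed for illustration.

```sh
# Abridged from the port-636 output quoted in this thread.
SAMPLE_NO_TLS='CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
SSL handshake has read 0 bytes and written 283 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Verify return code: 0 (ok)'

# Constructed sample: the shape of a completed handshake (host name is made up).
SAMPLE_TLS='CONNECTED(00000003)
---
Server certificate
subject=CN = dc.example.test
---
SSL handshake has read 1530 bytes and written 390 bytes
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Verify return code: 0 (ok)'

# Print "tls", "no-tls" or "unknown" for the s_client output in $1.
# "Verify return code: 0 (ok)" is ignored on purpose: it appears in both
# samples, so it says nothing about whether a certificate was presented.
classify_s_client() {
    if printf '%s\n' "$1" | grep -q -e '^no peer certificate available' -e 'Cipher is (NONE)'; then
        echo no-tls
    elif printf '%s\n' "$1" | grep -q '^Server certificate' &&
         printf '%s\n' "$1" | grep -Eq '^New, [A-Za-z0-9.]+, Cipher is [A-Za-z0-9_-]+$'; then
        echo tls
    else
        echo unknown
    fi
}

# Print the preferences.php entry for host $1 that matches the output in $2.
suggest_setting() {
    case $(classify_s_client "$2") in
        tls)    printf "  'authLDAPServers1' => array('ldaps://%s'),\n" "$1" ;;
        no-tls) printf "  'authLDAPServers1' => array('%s'),\n" "$1" ;;
        *)      echo "  # inconclusive: inspect the s_client output by hand" ;;
    esac
}

suggest_setting hsh-dc.hsh.local "$SAMPLE_NO_TLS"
suggest_setting dc.example.test "$SAMPLE_TLS"
```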
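
The SMTPdebug output at the top of the thread stops right after the server answers STARTTLS with 220. As an added example (not part of any message in the thread, and not ZendTo code), the script below finds the last command/reply pair before the first error line in such a transcript; the function names and the second transcript are constructed for illustration.

```sh
# The SMTPdebug lines quoted in this thread (the cut-off last line is omitted).
TRANSCRIPT='2020-07-21 16:51:21 CLIENT -> SERVER: STARTTLS
2020-07-21 16:51:21 SERVER -> CLIENT: 220 2.0.0 SMTP server ready
SMTP Error: Could not connect to SMTP host.
2020-07-21 16:51:21 CLIENT -> SERVER: QUIT
2020-07-21 16:51:21 SERVER -> CLIENT:
2020-07-21 16:51:21 SMTP ERROR: QUIT command failed:'

# Constructed sample (not from the thread): the server declines STARTTLS.
REFUSED='2020-07-21 16:51:21 CLIENT -> SERVER: EHLO zendto.example.test
2020-07-21 16:51:21 SERVER -> CLIENT: 250 mail.example.test
2020-07-21 16:51:21 CLIENT -> SERVER: STARTTLS
2020-07-21 16:51:21 SERVER -> CLIENT: 454 4.7.0 TLS not available
SMTP ERROR: STARTTLS command failed: 454 4.7.0 TLS not available'

# Print "<command> <reply code>" for the last exchange before the first
# "SMTP Error"/"SMTP ERROR" line; the code is empty if no reply was logged.
last_step() {
    printf '%s\n' "$1" | awk '
        /SMTP E[Rr][Rr][Oo][Rr]/  { exit }
        /CLIENT -> SERVER: /      { sub(/.*CLIENT -> SERVER: /, ""); verb = $1; code = ""; next }
        /SERVER -> CLIENT: [0-9]/ { sub(/.*SERVER -> CLIENT: /, ""); code = $1 }
        END { print verb, code }'
}

# Name the stage that failed, based on that last exchange.
diagnose() {
    case $(last_step "$1") in
        "STARTTLS 220")      echo tls-handshake ;;     # server agreed; the handshake itself is next
        "STARTTLS "[0-9]*)   echo starttls-refused ;;  # server declined the STARTTLS command
        *)                   echo other ;;
    esac
}

diagnose "$TRANSCRIPT"
diagnose "$REFUSED"
```

A 220 reply to STARTTLS followed immediately by an error places the failure in the TLS negotiation, a step that a plain telnet session to port 25 does not exercise.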





