I am trying to perform SMTP diagnostics using curl and am getting this error: "curl: (94) An authentication function returned an error". Googling this error doesn't return much other than the generic error list and descriptions.
I am using the curl client that comes with Git on Windows 10, and have tried running this from both Gitbash and the normal Command Line. The mail server is a corporate server at the overseas headquarters and we don't have easy access to the configuration or logs. It does require SSL/TLS for the connection.
I am able to successfully send an email using the Powershell script attached further below.
The curl error:
$ curl -v smtp://mymailserver.com:587 --mail-from [email protected] --mail-rcpt [email protected] --user '[email protected]:mypassword'
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying <obfuscarted-ip-address>:587...
* Connected to mymailserver.com (<obfuscarted-ip-address>) port 587 (#0)
< 220 <mymailserver.com> Microsoft ESMTP MAIL Service ready at Tue, 8 Mar 2022 08:12:55 0100
> EHLO <mycomputername>
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0< 250-<mymailserver.com> Hello [<obfuscarted-ip-address>]
< 250-SIZE 20971520
< 250-PIPELINING
< 250-DSN
< 250-ENHANCEDSTATUSCODES
< 250-STARTTLS
< 250-AUTH GSSAPI NTLM
< 250-8BITMIME
< 250-BINARYMIME
< 250 CHUNKING
> AUTH GSSAPI
< 334 GSSAPI supported
0 0 0 0 0 0 0 0 --:--:-- 0:00:02 --:--:-- 0
* Closing connection 0
curl: (94) An authentication function returned an error
Attempting with --ssl:
$ curl -v --ssl smtp://mymailserver:587 --mail-from [email protected] --mail-rcpt [email protected] --user '[email protected]:password'
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying <ip>...
* Connected to mymailserver (<ip>) port 587 (#0)
< 220 mymailserver Microsoft ESMTP MAIL Service ready at Sat, 12 Mar 2022 01:14:23 0100
> EHLO <pc>
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0< 250-mymailserver Hello [<ip>]
< 250-SIZE 20971520
< 250-PIPELINING
< 250-DSN
< 250-ENHANCEDSTATUSCODES
< 250-STARTTLS
< 250-AUTH GSSAPI NTLM
< 250-8BITMIME
< 250-BINARYMIME
< 250 CHUNKING
> STARTTLS
< 220 2.0.0 SMTP server ready
* CAfile: C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
* CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [85 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [2933 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [365 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [102 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
0 0 0 0 0 0 0 0 --:--:-- 0:00:02 --:--:-- 0* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-SHA384
* Server certificate:
* subject: C=<obfuscated>; ST=<obfuscated>; L=<obfuscated>; O=<obfuscated>; CN=<obfuscated>
* start date: May 16 06:40:30 2021 GMT
* expire date: Jun 17 06:40:30 2022 GMT
* subjectAltName: host "<obfuscated>" matched cert's "<obfuscated>"
* issuer: C=<obfuscated>; O=<obfuscated>; CN=<obfuscated>
* SSL certificate verify ok.
} [5 bytes data]
> EHLO <obfuscated>
{ [5 bytes data]
< 250-mymailserver Hello [<ip>]
< 250-SIZE 20971520
< 250-PIPELINING
< 250-DSN
< 250-ENHANCEDSTATUSCODES
< 250-AUTH GSSAPI NTLM LOGIN
< 250-8BITMIME
< 250-BINARYMIME
< 250 CHUNKING
} [5 bytes data]
> AUTH GSSAPI
0 0 0 0 0 0 0 0 --:--:-- 0:00:02 --:--:-- 0{ [5 bytes data]
< 334 GSSAPI supported
0 0 0 0 0 0 0 0 --:--:-- 0:00:04 --:--:-- 0
* Closing connection 0
} [5 bytes data]
* TLSv1.2 (OUT), TLS alert, close notify (256):
} [2 bytes data]
curl: (94) An authentication function returned an error
Attempting with smtps instead of smtp:
$ curl -v smtps://mymailserver.com:587 --mail-from [email protected] --mail-rcpt [email protected] --user '[email protected]:password'
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying <ip>:587...
* Connected to mymailserver.com (<ip>) port 587 (#0)
* CAfile: C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
* CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* error:1408F10B:SSL routines:ssl3_get_record:wrong version number
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* Closing connection 0
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
Curl version:
$ curl --version
curl 7.80.0 (x86_64-w64-mingw32) libcurl/7.80.0 OpenSSL/1.1.1l (Schannel) zlib/1.2.11 brotli/1.0.9 zstd/1.5.0 libidn2/2.3.1 libssh2/1.10.0 nghttp2/1.45.1
Release-Date: 2021-11-10
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz MultiSSL NTLM SPNEGO SSL SSPI TLS-SRP zstd
Unlike the curl command above, this powershell script does work:
$Username = "[email protected]";
$Password = "mypassword";
function Send-ToEmail([string]$email, [string]$attachmentpath){
$message = new-object Net.Mail.MailMessage;
$message.From = "[email protected]";
$message.To.Add($email);
$message.Subject = "test";
$message.Body = "body";
$smtp = new-object Net.Mail.SmtpClient("mymailserver.com", "587");
$smtp.EnableSSL = $true;
$smtp.Credentials = New-Object System.Net.NetworkCredential($Username, $Password);
$smtp.send($message);
write-host "Mail Sent" ;
}
Send-ToEmail -email "[email protected]";
CodePudding user response:
I'm not familiar with the SMTP feature of curl, but I know quite a bit about SMTP. curl apparently failed to authenticate. I haven't found a documentation about which authentication mechanisms it supports, but GSSAPI doesn't seem to be one of them (at least not with the options that you specified). (I know nothing about GSSAPI either.)
My guess about what went wrong is that you're not using TLS with curl (STARTTLS is still listed as one of the supported extensions). What I take from this documentation is that you should either specify --ssl or --ssl-reqd, or change smtp to smtps (smtps://mymailserver.com), which switches from Explicit TLS to Implicit TLS. The list of supported authentication mechanisms often changes once TLS is enabled and will likely include PLAIN afterwards.
CodePudding user response:
Thanks to Kaspar Etter for getting me thinking on the right track for solving this problem. Also this post for suggesting the "-T -" flags: https://bugzilla.redhat.com/show_bug.cgi?id=1502108.
The key was to ask it to autheticate with NTLM instead of GSSAPI. The clue is when the server replies with supported authentication methods:
< 250-AUTH GSSAPI NTLM LOGIN
By adding the --ntlm option, curl will use NTLM instead of GSSAPI. Also thanks to this post for mentioning GSSAPI not being supported: https://github.com/nextcloud/user_external/issues/153
Also adding the --ssl flag as Kaspar Etter suggested was a key step.
After fixing the GSSAPI error, I was having an issue with curl sending a VRFY command, which can be fixed with the strange "-T -" option.
So the final working command is:
$ curl -v --ssl smtp://mymailserver.com:587 --mail-from [email protected] --mail-rcpt [email protected] --user '[email protected]:password' --upload-file c:\\temp\\email.txt --ntlm -T -