Sep 27 2007
 

I’ve been playing a lot with Office 2007 lately in my bid to get familiar with it for offering technical support, and as everything communication-wise for me revolves around email I have been giving Outlook 2007 a pounding – especially since Outlook has a very poor track record when it comes to large IMAP mailboxes. In doing so, I have encountered a number of issues; however, the biggest would be that any SMTP auth that uses MD5 will fail. It seems that Outlook 2007 is only successful when using LOGIN or PLAIN auth attempts when trying to send mail.

If you disable LOGIN and PLAIN authentication steps in your SMTP server, you will no longer be able to send mail – even though MD5 auth is available. In fact, to make things even more annoying, Outlook 2007 will attempt to use MD5 auth – and fail. I have used MD5 SMTP auth for years with various mail clients (mainly Mail on OSX) without any issues, so it took me a number of hours using Ethereal to find out what was going on.

So what happens? Read on for my diagnosis and workaround for the issue.

When you connect to an SMTP server, most mail clients say EHLO (vs the older HELO) to introduce themselves and to get the SMTP server’s capabilities. This exchange usually looks a bit like this:

$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
220 my.mail.server.com ESMTP Sendmail 8.13.8/8.13.8; Thu, 27 Sep 2007 09:22:53 +1000
EHLO localhost
250-localhost Hello localhost [127.0.0.1] (may be forged), pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250 HELP
quit
221 2.0.0 my.mail.server.com closing connection
Connection closed by foreign host.

The AUTH line shows what SMTP authentication methods are available to the client. In sendmail, this is controlled by the following lines in sendmail.mc:

TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

By default, LOGIN and PLAIN authentication methods are disabled using the AUTH_OPTIONS line in sendmail.mc. This is where the problem begins – as MD5 auth does not work in Outlook 2007. Outlook will try to use MD5 auth, but fail with an “Authentication Failed” error. This is interesting, as other email clients do not have this issue. To allow Outlook to send mail, we need to enable PLAIN and LOGIN authentication. We do this by changing the following line in sendmail.mc from this:

define(`confAUTH_OPTIONS', `A p')dnl

to this:

define(`confAUTH_OPTIONS', `A')dnl

After rebuilding sendmail.cf (by running “make sendmail.cf”), you can restart sendmail to enable PLAIN and LOGIN authentication methods.
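A check to run after the rebuild, as an added example (not code from the original post): it parses an EHLO reply, lists the advertised AUTH mechanisms, and flags LOGIN/PLAIN when they are offered on a session without TLS. The function names and the second sample reply are constructed for illustration.

```python
import re

# Mechanisms that hand the password itself (base64 only) to the server.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}

def parse_ehlo(reply):
    """Return (extension keywords, AUTH mechanisms) from a raw EHLO reply."""
    lines = [l.strip() for l in reply.splitlines()]
    lines = [l[4:] for l in lines if re.match(r"250[- ]", l)]
    exts, mechs = set(), []
    for body in lines[1:]:  # first 250 line is the greeting, not an extension
        if body.upper().startswith("AUTH="):  # legacy form, same content
            body = "AUTH " + body[5:]
        keyword, _, params = body.partition(" ")
        exts.add(keyword.upper())
        if keyword.upper() == "AUTH":
            for mech in params.upper().split():
                if mech not in mechs:  # AUTH and AUTH= lines repeat the list
                    mechs.append(mech)
    return exts, mechs

def audit(reply, tls_active=False):
    """Flag password-equivalent mechanisms offered on an unencrypted session."""
    exts, mechs = parse_ehlo(reply)
    exposed = [] if tls_active else [m for m in mechs if m in CLEARTEXT_MECHS]
    return {"mechanisms": mechs,
            "starttls_offered": "STARTTLS" in exts,
            "cleartext_exposed": exposed}

# Abridged from the EHLO session shown in the post.
POST_REPLY = """\
250-localhost Hello localhost [127.0.0.1] (may be forged), pleased to meet you
250-PIPELINING
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250 HELP
"""

# Constructed reply: STARTTLS offered, no PLAIN/LOGIN before TLS, AUTH= repeated.
CONSTRUCTED_REPLY = """\
250-mail.example.test Hello client.example.test
250-STARTTLS
250-AUTH DIGEST-MD5 CRAM-MD5
250-AUTH=DIGEST-MD5 CRAM-MD5
250 HELP
"""

if __name__ == "__main__":
    for name, reply in (("post", POST_REPLY), ("constructed", CONSTRUCTED_REPLY)):
        print(name, audit(reply))
```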

NOTE: I think it is a really bad idea to have to do this, as LOGIN and PLAIN authentication methods have NO SECURITY at all. When you send email using this, your authentication details are transmitted in plain text over the internet. This is very bad. Sadly, if you are forced to use SMTP auth and Outlook 2007, it seems that you must put up with this. Even worse is that there is no indication that Microsoft is aware of this problem at all, meaning that my efforts in getting this recognised as an issue by Microsoft will be fairly fruitless.

  12 Responses to “Outlook 2007 MD5 SMTP auth broken”

  1. Hey Steve,

    Whilst I’ve never tried MD5 auth under Outlook 2007, I remember an option in postfix that added an additional AUTH line to the EHLO response to work around bugs in older versions of Outlook. What it did was effectively supplement the
    250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
    with a
    250-AUTH=DIGEST-MD5 CRAM-MD5 LOGIN PLAIN

    Not sure if this’ll help your problem or not.

  2. Hi Chris,

    I’m not sure if this should be encouraged as from what I see, it seems to be an Outlook 2007 bug. Other mail clients don’t suffer the same issues, so it might be one that Microsoft should fix.

  3. Hi Steve,

    Thanks for pointing this out. I’m experiencing exactly the same issue after I upgraded to Outlook 2007.

    Did you find in the meantime something which can be done on the client side to avoid this problem?

    Thanks, Mario

  4. Can you disable MD5 AUTH in Outlook?
    I think after a recent security update, it looks like my Outlook 2007 client is now ALWAYS trying AUTH DIGEST-MD5 and failing and then trying AUTH LOGIN. I don’t think I changed any Outlook setting to cause this. What happened?

  5. PLAIN and LOGIN are quite popular, and easy to implement. If security is an issue, running over SSL is always an option.

  6. How is it possible to configure MS Outlook 2007 to use only login or plain auth without MD5? Does anybody know?

  7. In my case, it is RECEIVING mail that is having this problem — and only with IMAP accounts. Outlook 2007 is trying to use DIGEST-MD5 and failing. Outlook 2003 does not have this problem.

    I have the same question as Sergey: Is there a way to get Outlook 2007 to stop using DIGEST-MD5?

    Note that this thread is one year old; Outlook is in Service Pack 2; and this STILL hasn’t been addressed!

  8. I am having a problem where Thunderbird users are able to send mail using our Sendmail SMTP server after authentication but Outlook 2007 users keep receiving a prompt to enter the password again and again and then fail to send the mail. I have examined the mail logs and they indicate the error “[IP Address] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA”. I googled this error and there were many opinions, but one indicated that this shows that Outlook was connecting to the MTA but afterward would not give the MTA any further recognizable commands.

    Steve, I am using sendmail 8.14.3 and when I perform the EHLO command the 250-AUTH.. does not show PLAIN LOGIN, it only shows DIGEST-MD5 CRAM-MD5. Attempts to edit the sendmail.mc as indicated in your tutorial have not made a change. Is there any further workaround for this issue?

  9. Hi Charles,

    Silly question, but after editing sendmail.mc, you ran make sendmail.cf, then restarted sendmail?

    From the sounds of things, something was missed while editing sendmail.mc…

  10. Hi,

    Outlook 2010 still seems to have problems with DIGEST-MD5 as Steve pointed out in 2007 for OL2007.

    With my IMAP connection I can not get Outlook 2010 to work (MD5 digest authentication fails – and I can assure you that the password is 100% correct).

    Does anybody know how to avoid that MD5 is being used in OL2010 (I can not control mailserver). OL2003 uses plain for AUTH.

    Cheers
    Jeroen

  11. […] to set up an email account with MD5 authentication, fetching mail off a Mac server. Apparently, no recent version of Outlook knows how to do this. This is still SMTP, but its with MD5 challenge. No can do, says my Outlook client. And I guess […]

  12. I had the same problem and I found this website called http://www.outlooksetting.com , they had a whole range of troubleshooting articles. Really helpful stuff. Check it out!
