Opened 3 years ago

Closed 8 months ago

Last modified 8 months ago

#1938 closed defect (fixed)

mail proxy connect issue with Outlook

Reported by: 9yw@… Owned by:
Priority: minor Milestone:
Component: documentation Version: 1.16.x
Keywords: mail outlook 0x800CCC0F Cc:
uname -a: Linux c2-monitor 2.6.32-042stab094.7 #1 SMP Wed Oct 22 12:43:21 MSK 2014 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.16.1
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-23) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'

Description

When I use Outlook2016 (with wrong password) to connect a "mail proxy" type SSL port(465/993/995), always get 0x800CCC0F error.But it's ok when using "stream proxy".
After some research,I got a "I don't know how but it works" solution:

Edit mail/ngx_mail_handler.c:
1.copy void ngx_mail_close_connection to "ngx_mail_close_connection_keep"
https://user-images.githubusercontent.com/25059561/75753262-607b6100-5d65-11ea-92ed-ba37bee238eb.png
2.remove "ngx_close_connection(c);" from void ngx_close_connection(c);
3.edit void ngx_mail_send change line 674 to ngx_mail_close_connection_keep(c);

        if (s->quit) {
            ngx_mail_close_connection_keep(c);
            return;
        }

Add "void ngx_mail_close_connection_keep(ngx_connection_t *c);" to mail/ngx_mail.h

=============
I don't know how it works, also don't know dos it has side effects,so I hope the connect issue can be fixed official.

Change History (2)

comment:1 by Maxim Dounin, 8 months ago

Resolution: fixed
Status: newclosed

In theory, command pipelining during authentication might result in connection being closed with RST, and the response to authentication removed from the client's socket buffer due to RST. In HTTP, lingering_close is used to close connections without triggering RST when additional data can be sent by the client: this ensures that the client will be able to see the response. This is not what expected to happen with mail protocols though, as command pipelining is not expected to be used at all unless explicitly allowed by the server, and not expected to be used during authentication.

I did some testing with Microsoft's email clients I was able to obtain, notably:

  • Windows 10 Mail, Version 16005.14326.20544.0
  • Outlook for Mac, Version 16.56 (21121100)
  • Outlook for Windows, Version 2112 Build 16.0.14729.20224

When tested with nginx 1.21.5, all tested clients seem to work fine, including with various artificial delays introduced. Authentication errors are properly recognized as such, and not as 0x800CCC0F error, and suggest to re-enter credentials. As expected, no tested clients are using command pipelining during authentication, and lingering close in mail shouldn't be needed (or at least unrelated to the issue observed).

The next best guess is that the particular issue reported in the ticket is a bug/misbehaviour of Outlook which drops the response to authentication when SSL connection is closed. This can be affected by SSL shutdown fixes is 09fb2135a589 (nginx 1.19.2; with the fixes, mail proxy now uses bidirectional SSL shutdown instead of only sending close notify alert without waiting for client's one).

Further testing with mail proxy switched back to unidirectional SSL shutdown suggests this is indeed the case: while Windows 10 Mail and Outlook for Mac work correctly regardless of the SSL shutdown behaviour, Outlook for Windows behaves differently. With bidirectional shutdown it asks for credentials again and again, but with unidirectional shutdown it only asks for credentials occasionally, and in most cases just fails with the error 0x800CCC0E. This seems to be the issue identical to the one with Outlook 2016.

Overall, this seems to be an issue in Outlook, which does not tolerate SSL connections being closed by the server before Outlook handles the response to the authentication command. It is worked around in nginx 1.19.2, as bidirectional SSL shutdown ensures that the connection is only closed after the response is received.

Closing this as fixed. Thanks for bringing attention to this Outlook behaviour.

comment:2 by Maxim Dounin, 8 months ago

Also, just a side note. In most cases it is a good idea to allow users to re-enter login and password on the same connection at least a couple of times instead of closing the connection right after the first error. This can be done by returning an auth response with the Auth-Wait header (usually till Auth-Login-Attempt reaches some limit), see authentication protocol description. With this approach handling of connection closing in different email clients becomes mostly irrelevant.

Note: See TracTickets for help on using tickets.