Canon imageRunner iR2270, imageRunner iR4570, imageRunner iR2870, imageRunner iR3570 Service Manual

SERVICE

MANUAL

imageRUNNER iR2270/2870/ 3570/4570

Universal Send Kit-B1

DU7-1134-000

SEPT. 2004 REV. 0

Application

This manual has been issued by Canon Inc. for qualified persons to learn technical theory, installation,

maintenance, and repair of products. This manual covers all localities where the products are sold. For

this reason, there may be information in this manual that does not apply to your locality.

Corrections

This manual may contain technical inaccuracies or typographical errors due to improvements or changes

in products. When changes occur in applicable products or in the contents of this manual, Canon will

release technical information as the need arises. In the event of major changes in the contents of this

manual over a long or short period, Canon will issue a new edition of this manual.

The following paragraph does not apply to any countries where such provisions are inconsistent with

local law.

Trademarks

The product names and company names used in this manual are the registered trademarks of the

individual companies.

copied, reproduced or translated into another language, in whole or in part, without the written consent

of Canon Inc.

Printed in Japan

Caution

Use of this manual should be strictly supervised to avoid disclosure of confidential information.

Introduction

Symbols Used

This documentation uses the following symbols to indicate special information:

Symbol Description

Indicates an item of a non-specific nature, possibly classified as Note,

Caution, or Warning.

Indicates an item requiring care to avoid electric shocks.

Indicates an item requiring care to avoid combustion (fire).

Indicates an item prohibiting disassembly to avoid electric shocks or

problems.

Indicates an item requiring disconnection of the power plug from the electric

outlet.

Memo

REF.

Indicates an item intended to provide notes assisting the understanding of the

topic in question.

Indicates an item of reference assisting the understanding of the topic in

question.

Provides a description of a service mode.

Provides a description of the nature of an error indication.

Introduction

The following rules apply throughout this Service Manual:

1. Each chapter contains sections explaining the purpose of specific functions and the

relationship between electrical and mechanical systems with reference to the timing of

operation.

　In the diagrams, represents the path of mechanical drive; where a signal name

accompanies the symbol, the arrow indicates the direction of the electric

signal.

　The expression "turn on the power" means flipping on the power switch, closing the front

door, and closing the delivery unit door, which results in supplying the machine with

power.

2. In the digital circuits, '1'is used to indicate that the voltage level of a given signal is

"High", while '0' is used to indicate "Low".(The voltage value, however, differs from

circuit to circuit.) In addition, the asterisk (*) as in "DRMD*" indicates that the DRMD

signal goes on when '0'.

　In practically all cases, the internal mechanisms of a microprocessor cannot be checked

in the field. Therefore, the operations of the microprocessors used in the machines are

not discussed: they are explained in terms of from sensors to the input of the DC

controller PCB and from the output of the DC controller PCB to the loads.

The descriptions in this Service Manual are subject to change without notice for product

improvement or other purposes, and major changes will be communicated in the form of

Service Information bulletins.

All service persons are expected to have a good understanding of the contents of this

Service Manual and all relevant Service Information bulletins and be able to identify and

isolate faults in the machine."

Contents

Chapter 1　Specifications

1.1 Product composition .................................................................................................. 1-1

1.1.1 Product configuration.......................................................................................... 1-1

1.2 Specifications............................................................................................................. 1-3

1.2.1 Specifications ...................................................................................................... 1-3

Chapter 2　Functions

2.1 Changed Function ...................................................................................................... 2-1

2.1.1 Changes from iR 2220i/iR2820i/3320i............................................................... 2-1

2.2 New Function............................................................................................................. 2-6

2.2.1 Authentication at TX........................................................................................... 2-6

2.2.2 Encrypted transmission ..................................................................................... 2-11

2.2.3 Authentication at RX ........................................................................................ 2-12

2.2.4 Encrypted reception .......................................................................................... 2-17

2.2.5 MAC Address Block Function.......................................................................... 2-20

2.2.6 URL Transmission ............................................................................................ 2-20

2.2.7 Setting for communicate SSL ........................................................................... 2-20

Chapter 3　Installation

3.1 Installation procedure ................................................................................................ 3-1

3.1.1 Overview of the Installation Procedure .............................................................. 3-1

Chapter 4　Maintenance

4.1 Notes when service .................................................................................................... 4-1

4.1.1 Points to Note ..................................................................................................... 4-1

4.2 Troubleshooting......................................................................................................... 4-2

4.2.1 Troubleshooting .................................................................................................. 4-2

4.3 Related Error code ..................................................................................................... 4-7

4.3.1 E-mail Transmission errors ................................................................................. 4-7

Contents

4.3.2 I-Fax Transmission errors ................................................................................. 4-11

4.3.3 I-Fax Reception errors....................................................................................... 4-16

4.3.4 SMB Reception errors ....................................................................................... 4-20

4.3.5 FTP Transmission errors ................................................................................... 4-23

4.3.6 NCP Transmission errors .................................................................................. 4-26

4.3.7 Box Transmission errors ................................................................................... 4-29

4.4 Related Service Mode .............................................................................................. 4-30

4.4.1 Related Service Modes List .............................................................................. 4-30

4.4.2 Invalidating the License for Transfer to a Different Device (Category 2)........ 4-31

Chapter 1

Specifications

Contents

1.1 Product composition...................................................................................1-1

1.1.1 Product configuration..........................................................................1-1

1.2 Specifications .............................................................................................1-3

1.2.1 Specifications ...................................................................................... 1-3

1.1 Product composition

Chapter 1

1.1.1 Product configuration

This kit consists of:

- License access number certificate sheet

- Sending and Facsimile Guide

- License Key notice

Memo:

Using this kit, you can get a license key from the License Management System (LMS)

and register it in an iR/imageRUNNER to activate the specific feature included in the

System Software.

Note:What's LMS?

A license server system to activate software options of iRs/imageRUNNERs, provided by

Canon Inc. Collectively manages options in the form of licenses and protects copy rights

of optional products. The options are activated with license keys being different from

conventional activation measures that use dongles and PCs. Whereas the details of its

management differ among countries and regions, it is designed assuming the users access it

and activate licenses by themselves respectively. Per optional product, the license access

number certificate sheet is supplied. Per license access number, a user can get a license key

and activate the feature on an iR/imageRUNNER. To get a license key, a user accesses the

Web server of the LMS.

URL for LMS:

http://www.canon.com/lms/ir/

0008-4667

When a user enters the license access number and the serial number for an iR/

imageRUNNER in the LMS, 24-digit figure of a license key is generated. The license key

includes the information of serial number for the iR/imageRUNNER so that the key cannot

be used for iRs/imageRUNNERs. Once the option is activated, the option information is

saved as the backup in the iR/imageRUNNER. Parts replacement will not deactivate the

feature.

1-1

Chapter 1

The staff in each regional headquarters can access the administrator's pages of the LMS.

They can view the license number issued for each iR/imageRUNNER and can reissue the

license. The procedures are the same as the license management system for MEAP except

for the point the license key is used instead of the license file.

Transfer of a License

An optional function that has been enabled by the LMS may be used on a different device

by transferring its license, as when the original iR device needs to be replaced, say at the

end of its lease arrangement. Specifically, individual licenses registered for optional

functions must first be invalidated in user mode before transfer may take place. Doing so

will invalidate the optional functions on the source iR device and, at the same time, proof

of invalidation will be generated within the device in the form of an invalidation license key.

The user may then communicate the indicated invalidation license key, the serial number of

the original iR device, and the serial number of the new iR device to the Sales Company,

which in turn may issue a new license key for the new iR device. The user now may register

the new license key to the new iR device in user mode, thereby enabling the optional

function on the new iR device. For details of transferring a license in service mode, see the

descriptions of service mode that come later.

1-2

1.2 Specifications

Chapter 1

1.2.1 Specifications

E-mail transmission

- Transmission protocol: SMTP, POP3

- Transmission authentication: SMTP AUTH, POP before SMTP

- Reception authentication: POP3, APOP, POP AUTH

- Encoded transmission: Corresponds to SSL communication in each protocol when SMTP

transmission and SMTP and POP reception. (The server side needs to correspond.)

- Key and certificate: Server certificate that the device has is used when SSL

communication.

- Supported formats: TIFF (monochrome), PDF (monochrome), PDF (OCR) = Searchable

PDF

However, encrypted PDF and searchable PDF are the options.

- PDF files can be split and sent page by page.

- Resolution: 100 X 100, 150 X 150, 200 X 100, 200 X 200, 200 X 400, 300 X 300, 400 X

400, 600 X 600 (dpi)

- Document size: A3 to A5

A3, B4, A4 (I-Fax Tx/Rx, A3/B4 transmission possible by setting other party's reception

conditions)

- Addresses available from LDAP server (e-mail address and FAX telephone number)

Max. number of searching: 2000; The number of broadcasting selection after searching: 64

- No E-mail reception function. Error mails can be printed out.

When broadcasting transmission, display/write all the addresses in the To: field and

separate every 100 addresses to send.

0008-4670

I-Fax Tx/ Rx function

- Transmission protocol: SMTP (Tx/ Rx), POP3 (Rx), I-Fax (Simple mode, Full mode)

- Transmission authentication: SMTP AUTH, POP before SMTP

- Reception authentication: POP3, APOP, POP AUTH

- Encoded transmission: Corresponds to SSL communication in each protocol when SMTP

transmission and SMTP and POP reception. (The server side needs to correspond. When the

server-less transmission, the encoded transmission is not executed. )

1-3

Chapter 1

- Key and certificate: Server certificate that the device has is used when SSL

communication.

- Supported formats: TIFF (monochrome: MH, MR MMR) , Not supported when sending/

receiving the color data.

- Resolution: 100 X 100, 150 X 150, 200 X 100, 200 X 200, 200 X 400, 300 X 300, 400 X

400, 600 X 600 (dpi)

- Document size: A3 to A5

- Reception sizes: A3, B4, A4

- Server-less transmission supported

- Addresses available from LDAP server (e-mail address and FAX telephone number)

Max. number of searching: 2000; The number of broadcasting selection after searching: 64

- When broadcasting transmission, display/write all the addresses in the To: field.

File transmission function

- Transmission protocol: SMB (NetBios over TCP/IP), FTP(TCP/IP), NCP(IPX)

- Supported formats: TIFF (monochrome), PDF (monochrome), PDF (OCR)

However, encrypted PDF and searchable PDF are the options.

- PDF files can be split and sent page by page.

- Resolution: 100 X 100, 150 X 150, 200 X 100, 200 X 200, 200 X 400, 300 X 300, 400 X

400, 600 X 600 (dpi)

- Document sizes: A3, B4, A4

- CanonFTP automatically distinguishes responses from the server and switches operation

accordingly.

E-mail/I-fax operation confirmed server applications

SMTP server

Sendmail 8.93 or later

Exchange Server 5.5+SP1 or later

Exchange 2000

Domino R4.6 or later

SMTP AUTH-enabled SMTP server

Sendmail 8.12.5 or later + Cyrus SASL API 1.5.28 combination

Exchange Server 5.5+SP1 or later

Exchange 2000

1-4

Chapter 1

POP server

Qpopper 2.53 or later

Exchange Server 5.5+SP1 or later

Domino R4.6 or later

Exchange 2000

Qpop v4.0.5

POP before SMTP

Sendmail 8.12.5 or later +DRAC 1.11 or later +Qpopper 2.53 or later combinations

POP authentication function-enabled server

Exchange 2000Server: NTLM authentication when the integration authentication

operation:

Qpop v4.0.5: STLS, APOP. However, OpenSSL and Popauth need to be installed.

POP authentication function of main PC mail clients

Outlook 2000:NTLM

Outlook Express 6:NTLM

Becky 2.05:APOP

WinBiff 2.42:APOP

Eudora 5.1:STLS, APOP, Kerberos

File transmission operation confirmed operating environments

SMB

Windows 98/ME

Windows NT 4.0 Workstation/Server SP6a

Windows 2000 Professional/Server SP1

Windows XP Home/Professional

Windows Server 2003

Sun Solaris (SPARC) 2.6 or later

RedHat Linux7.2

MacOS 10.2.x

MacOS 10.3.x

FTP

Windows NT 4.0 Server + IIS4.0

1-5

Chapter 1

Windows 2000 Professional/Server + IIS5.0

Windows XP Professional + IIS5.1

Windows Server 2003

Sun Solaris (SPARC) 2.6 or later

RedHat Linux7.2

Mac OS 10.x.x

NCP

NetWare 3.20

NetWare 4.1, 4.11, 4.2

NetWare 5 +SP1a

NetWare 5.1

1-6

Chapter 2

Functions

Contents

2.1 Changed Function ......................................................................................2-1

2.1.1 Changes from iR 2220i/iR2820i/3320i ...............................................2-1

2.2 New Function.............................................................................................2-6

2.2.1 Authentication at TX...........................................................................2-6

2.2.2 Encrypted transmission .....................................................................2-11

2.2.3 Authentication at RX.........................................................................2-12

2.2.4 Encrypted reception ..........................................................................2-17

2.2.5 MAC Address Block Function..........................................................2-20

2.2.6 URL Transmission ............................................................................2-20

2.2.7 Setting for communicate SSL ...........................................................2-20

2.1 Changed Function

Chapter 2

2.1.1 Changes from iR 2220i/iR2820i/3320i

Functions in this machine that have different specifications regarding SEND function from

iR iR2220i/2820i/3220i are shown below.

Memo:

Items with an asterisk (*) indicate that they are already supported in Color iR.

- PASV mode of FTP supported *

PASV mode of FTP which is different in the connection direction from the normal FTP is

supported.

- SMTP AUTH (SMTP authentication) support*

In response to requests from the field, SMTP AUTH is now supported. This function

enables E-Mail/ i-fax communication with SMTP servers that require user authentication.

For details, refer to the section on "Authentocation at TX" and "Encrypted transmission".

- POP before SMTP support*

POP before SMTP, which is a transmission authentication similar to SMTP AUTH, is now

supported. For details, refer to the section on "Authentocation at TX".

- APOP and POP AUTH support *

APOP and POP AUTH (authentication methods at RX) are supported. For details, refer to

“Authentication at RX” and “Encrypted reception”. This function is already supported in

iR C3220 or later.

0008-4674

- SSL TX/RX support*

With the condition that the server side supports, SSL communication when SMTP

transmission and SMTP and POP reception is supported. Not only the password but also the

whole receiving packets can be encrypted. For details, refer to "Encrypted transmission"

and “Encrypted reception”.

Memo:

Encryption when SMTP transmission and POP reception is already supported in iR

2-1

Chapter 2

C3220 or later. Encryption when SMTP reception is supported from this product.

- Auto copy ratio support (AMS:Auto Magnification Scan)

Different size document is sent by adjusting to the specified size. It is read with 300/600 dpi

fixed. This setting is enabled by selecting Auto for the Copy ratio setting in Scan settings.

- New addresses to be registered: Expanded from 16 to 64 addresses.

- New function in Restrict Access to Destinations added

Function of iRC series is used. Restriction can be set in the order of Additional Functions>

System Settings > Restrict Access to Destinations > Restrict New Addresses. If you enable

this setting, you cannot select other than Box when you send to the address other than the

registered addresses.

- The number of pages to be scanned: Changed from 500 to 999 pages.

- Send Counter Check button added on the counter screen

By assuming non-MEAP device, the Send Counter Check button is added on the counter

screen. The same contents as when selecting transmission in the MEAP counter is

displayed. Meaning of each counter is described below.

T-2-1

Name Explanation

Black and White Scan (Total 1) All SEND scanning including FAX and I-Fax

Black and White Scan 1 BOX Scan, E-mail, FTP, SMB, NCP, Send to BOX

Black and White Scan 2 E-mail, FTP, SMB, NCP

Black and White Scan 3 FTP, SMB, NCP

Black and White Scan 4 BOX Scan, FTP, SMB, NCP, Send to BOX

- Favorites Buttons added: Changed from 9 to 18 buttons.

2-2

Chapter 2

- The time specification is added by Period Specification of Forwarding settings, and the

setting over which it extends can be done easily at the date.

- URL Send

Instead of sending the image directly, this function enables to send only URL of the image

in the Box which can be referred from remote UI via E-mail. For details, refer to “URL

Send”.

- SMB Send and Browse functions expanded

Host Search Function is added.

Searching function by Active Directory is added.

Length of SMB path: Expanded from 128 to 256 bytes.

Windows Server2003 supported.

Samba2.2 and Samba3.0 supported.

- Management function of the key and certificate for SSL communication

- Automatic time setting function by SNTP server

- Delivery of the user mode, addresses and department ID information by the device

information delivery function

Functions in this machine that have different specifications from iR C3200 (System

Ver.8.04, or earlier) are as shown below.

Memo:

When iR C3200 was upgraded to System Ver.9.05, Send function related specifications

were added. Items marked with an asterisk (*) can be used with iR C3200 also, after

upgrading to System Ver.9.05.

- SMTP AUTH (SMTP authentication) support*

In response to requests from the field, SMTP AUTH is now supported. This function

enables E-Mail/ i-fax communication with SMTP servers that require user authentication.

For details, refer to the section on transmission authentication and encoded transmission.

- POP before SMTP support*

POP before SMTP, which is a transmission authentication similar to SMTP AUTH, is now

2-3

Chapter 2

supported. For details, refer to the section on transmission authentication.

- SinglePage-PDF creation function*

This function was added from iR 2220i/2820i/3320i and iR 5020i/6020i. A 'split by page'

button has been added and not only TIFF but also PDF documents can be split into single

pages. By combining 'split by page' and the file format (TIFF/ PDF), the user can select

either SinglePage or MultiPage

- Dedicated window for form job key *

This function was added from iR 2250i/2850i/3350i and iR 5020i/6020i.

This function shows the form job key area in enlarged display. Up to 9 form jobs can be

programmed.

- Compression rate setting

Transmission screen file format > can be specified from the data compression rate. There

are three levels, high, mid, low, and the default can be programmed in the user mode in the

transmission function standard setting. This item displayed the JPEG compression rate in

iR C3200

<Memo>

iR C3100 is different from iR C3200 in that, when using DF, the stream reading

construction enables performance during scanning. This means that, while the first page is

being read in, the second page can be fed in preparation. As a result of compressing the

scanned image, if the data volume per page allocated to the work area causes the area to

overflow, the following message appears and prompts the user to carry out recovery

procedures.

'Scanning has stopped because the scanned document data have exceeded the maximum

limit capable by this model. Scanning may be possible by using a high compression rate,

low resolution and by reducing image sharpness.'

In order to make the compression rate easy for the user to set, the data compression rate

setting has been added to the file format. If the error message continues to appear even after

the data compression rate has been increased, enter service mode and change

COPIER>OPTION>USER>SND-RATE. This often allows the compression rate to be set

higher. If DF is not being used, the recovery procedure is not generated, because the

compression rate is changed automatically and scanning repeated.

2-4

Chapter 2

- Saving the job history csv format*

This function was added from iR 2250i/2850i/3350i and iR 5020i/6020i.

Job histories can now be saved in csv format from Remote UI.

- Mixed length documents

- Long length document scanning note that transmission to box has been removed from the

universal send function)

- Completion stamp function (note that this does not apply to mixed length documents)

2-5

Chapter 2

2.2 New Function

2.2.1 Authentication at TX

When the mail server is set on the internet, you need to prevent from Third Party Mail Relay

that the third party uses the false name. Third Party Mail Relay means that the third party

sends large amount of spam mails using the mail server which other people are operating.

If you do not take any measures for this, resources like server and network lines are

exhausted and at the same time, you will get the claim from the user who received the spam

mail. As a measure, the authentication operation when SMTP transmission is prepared.

In case of the inner network (LAN), you can prevent from Third Party Mail Relay by

restricting the IP address and the domain name. In order to send from the outside domain

using the mail address or securely use the mail server set on the internet which the provider

prepares, the authentication is indispensable at the transmission. This machine uses two

authentication methods, POP Before SMTP and SMTP AUTH and they enable to send i-

FAX and e-mail to SMTP server which requests the sender's authentication.

POP before SMTP

With this method, before SMTP transmission is performed, the POP server is logged into.

SMTP transmission can only be continued once the POP server has confirmed the IP

address of the connected client as authorized within a specific period of time. After user

authentication is carried out at the POP server, the authenticated client IP address is relayed

to the SMTP server, where it is processed. The process requires a certain amount of time.

Taking this processing time into consideration, there is an idle period of 300msec, from

POP authentication to the start of SMTP transmission. If a POP before SMTP transmission

is generated during POP reception, POP authentication is made to wait until the reception

is finished and then POP authentication and SMTP transmission are performed. Errors

occurring while the POP server is connected are treated as transmission errors.

0008-4675

With regard to the actual programming, all that is necessary is for system administration

settings > network settings > E-Mail/ I-Fax settings > authentication/ encoding settings

> pre-transmission POP authentication to be set to ON.

Related new user error codes are #810 and #813. For details, refer to Troubleshooting.

SMTP AUTH

2-6

Chapter 2

In SMTP AUTH, user authentication is performed when the SMTP server is connected, so

that mail can only be received from registered users. This method was standardized in

March, 1999, as RFC2554. SMTP AUTH uses ESMTP protocol, which is an extension of

SMTP, and uses the SASL (Simple Authentication and Security Layer) authentication

mechanism, standardized as RFC2222, to authenticate the user by sending the user name

and password information in response to the server challenge data.

The SMTP server can have multiple authentication mechanisms and the most suitable

authentication mechanism is programmed in accordance with the security policy decided by

the SMTP server administrator. The client E-Mail client application selects the

authentication algorithm from among the available authentication mechanisms and

performs authentication upon transmission.

This model supports the following five types of authentication mechanism.

CRAM-MD5

Challenge-Response Authentication Mechanism, computed by using the key-protected

MD5 algorithm by HMAC-MD5 (RFC2104)

NTLM

Windows NT authentication method

User name must be set in the form 'username@NTdomainname'

E.g.:

Windows2000 or earlier: username\\CANON (domain name may be omitted, depending on

the environment)

Windows2000: username@canon.co.jp (domain name may be omitted, depending on the

environment)

GSSAPI

Authentication system using Kerberos Version 5 (RFC1510)

User name must be set in the form 'username@realmname'.

username@CANON.CO.JP

(In Exchange2000, realm name = domain name)

PLAIN

Assumes that user name and password are sent as plain text (BASE64 encoded) and the

2-7

Chapter 2

communication packet is encoded. (RFC2595) Allows secure authentication when used in

combination with the encoded transmission described later.

Sends the user name and password as plain text (BASE64 encoded). Actual transaction is

the same as with PLAIN. Similarly, allows secure authentication when used in combination

with encoded transmission.

Even if the unit is programmed for transmission with SMTP AUTH, if the mail server does

not support SMTP AUTH and the encoding system supported by the server does not match

that supported by this model, SMTP AUTH transmission will not be possible. In that case,

even if SMTP AUTH is programmed, transmission will be by normal SMTP and there will

be no transmission error generated. If an unauthenticated mail transmission is attempted to

a server that will not allow such transmission, subsequent SMTP protocols will generate an

error in the mail server. Unauthenticated mail can be transmitted to a server that will accept

such transmission. These security policies are determined by the server so, even if SMTP

AUTH is not programmed, it is impossible to tell whether transmission is possible without

checking with the customer's server administrator.

Examples of transmission protocol using SMTP AUTH are given below.

The EHLO response from the client tells whether SMTP AUTH is supported by the server

and the authentication algorithm being used at that time is described. In the event that there

are multiple authentication algorithms, multiple algorithm names are described. The client

selects one of the relayed authentication algorithms and then relays it on to the server.

Server challenge data come from the server and coded data made up from the server

challenge data, user name and password are returned in response for authentication. In

general, the authentication algorithm to be used can be selected on the server side and

PLAIN and LOGIN authentication and others which are undesirable from the perspective

of security can be blocked by the server setting. (Security policy is determined by the

server.)

Server:220 smtp.example.com ESMTP server ready

Client(iR):EHLO ifax.example.com

S: 250-smtp.example.com

2-8

Chapter 2

S: 250-DSN

S: 250-EXPN

S: 250 AUTH CRAM-MD5 DIGEST-MD5 : <- server declares authentication algorithm

C: AUTH CRAM-MD5 : <- client selects CRAM-MD5

S: 334 : <- server response (subsequently, authentication begins with CRAM-MD5.)

S: PENCeUxFREJoU0NnbmhNWitOMjNGNndAZWx3b29kLmlubm9zb2Z0LmNvbT4=

C: ZnJlZCA5ZTk1YWVlMDljNDBhZjJiODRhMGMyYjNiYmFlNzg2ZQ==

S: 235 Authentication successful.

Where the SMTP has multiple authentication mechanisms, selection is made in the order of

the priority list given below.

1) CRAM-MD5

2) NTLM

3) GSSAPI

4) STARTTLS operation PLAIN

5) STARTTLS operation LOGIN

6) STARTTLS non-operation LOGIN

7) STARTTLS non-operation PLAIN

Authentication methods can be disabled in service mode. When the service mode value is

set to '1', the encoding system can be disabled. (The default setting is all enabled.)

Ordinarily, the default setting is used, but if the server administrator wants to disable a

particular encoding system, the settings need to be changed by the service mode settings.

For the actual SMTP AUTH settings, system administrator settings > network settings > E-

Mail/ I-Fax settings > authentication/ encoding settings > SMTP authentication (SMTP

AUTH) should be set ON and the required user names and passwords for SMTP AUTH

need to be entered. If SSL permission, which is the encoded transmission setting, described

later, is ON, with PLAIN and LOGIN authentication, the authentication encoded by the

STARTTLS command can be used.

For reference, this section describes what happens to the Outlook Express settings when

2-9

Chapter 2

using an SMTP server that supports SMTP AUTH. Outlook Express PLAIN authentication

only.

1) From the Outlook Express tools menu, select Account. In the example, pop3.canon.com

is selected.

2) From Internet Account, select the desired account and click on Properties. In the

example, the pop3.canon.com sub-tab has been selected from the Properties window.

3) Put a check in the 'this server requires authentication' box against the transmission mail

server.

F-2-1

2-10

Chapter 2

4) Press the settings button that has been made active.

5) Programme the transmission mail server window's logon information. In the default, 'use

same settings as reception mail server' is selected. This setting uses the POP3

authentication account name and password entered against the reception mail server in the

previous window and performs SMTP AUTH operation.

F-2-2

If 'Logon with this account and password' is selected, the account and password to be used

with SMTP AUTH can be specified individually. In that case, if 'Logon with security-

protected password authentication' is selected, encoding is carried out by TSL(SSL), using

the STARTTTLS command.

The related new user error codes are #839 and #843. For details, refer to the section on

Troubleshooting.

2.2.2 Encrypted transmission

Transmission packet encryption (SSL)

When user mode - E-Mail/ I-Fax 'allow SSL' is set to ON, and the mail server supports the

SMTP protocol's STARTTLS command, SSL (TLS) is used for transmission packet

encryption. Not only the user name and password are encrypted, but also all of the mail

transmission data. Therefore, the transmission speed is slower.

0008-4676

2-11

Chapter 2

If 'allow SSL' is set to OFF, or the mail server does not support the SMTP protocol's

STARTTLS command, the transmission packet is not encrypted.

STARTTLS is an SMTP command that tells the server that encrypted transmission (SSL/

TLS) is about to start. The command is standardized in RFC2487. Following is an example

of the protocol flow during STARTTLS.

The EHLO response from the client declares that STARTTLS is supported from the server.

When the client generates the STARTTLS command, the operation is reprocessed from the

starts and negotiation is initiated and the packet data are encrypted.

S: 220 mail.imc.org SMTP service ready

C: EHLO mail.example.com

S: 250-mail.imc.org offers a warm hug of welcome

S: 250-8BITMIME

S: 250-STARTTLS : <- Shows that the server supports STARTTLS.

S: 250 DSN

C: STARTTLS : <- Declares to server that SSL/TLS are to be performed.

S: 220 Go ahead

-- All subsequent transmission packets will be encrypted.

C: <starts TLS negotiation>

C&S: <negotiate a TLS session>

C&S: <check result of negotiation>

C: EHLO mail.example.com

S: 250-mail.imc.org touches your hand gently for a moment

S: 250-8BITMIME

S: 250 DSN

Related new user errors are #841 and #842. For details, refer to the section on

Troubleshooting.

2.2.3 Authentication at RX

The username and the password flow by the plaintext in the reception form by past POP3.

And POP3 logs in POP server at a short cycle. Therefore, the password is easily stolen in

2-12

0008-5787

Chapter 2

POP3.

Enable the password to encrypt and to be attested by using APOP and POP AUTH. APOP

is defined by RFC1939, and executed with UNIX system POP server, and POP AUTH is

defined by RFC2449, and executed with the MS Exchange server.In addition, if POP server

supports the SSL(TLS) encryption by the STLS instruction, not only the password but also

the entire reception packet can be encrypted.

"POP authentication " exists in Aditional Function >Network Settings >E-mail/I FAX

>Authent/Encryption , and it is possible to select it from Standard / APOP / POP AUTH .

APOP and POP AUTH are executed respectively when APOP and POP AUTH are selected,

and when Standard is specified, the authentication by the username and the password is

executed.

Default: It is Standard.

APOP

APOP authentication procedures are as follows.

(1) As a greeting message when connecting to POP server, the server returns the character

strings consisting of the time stamp and the host name to the client. The client links these

character strings with the password character strings, and creates the message digest by

MD5 from the linked character strings.

(2) With the APOP command, the client returns the message digest created with the user

name to the server.

(3) Message digest is created in the POP server with the same algorism. By comparing this

created digest and the digest from the client, if both digests are the same, the password is

considered as the correct one.

Greeting message when connecting to the server includes the time stamp, so analyzing is

difficult since the created message digest changes every time.

Different from the POP AUTH described later, there is no protocol to check whether or not

the server is supporting APOP from the client, so the user have to decide whether or not

APOP is used and set User mode.

If the server does not support APOP and the user uses APOP, an error occurs. When the

error occurs at the APOP authentication, "APOP Authentication Error" is displayed on the

status line for certain time.

Following items are the examples of communication.

S: +OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>

2-13

Chapter 2

C: APOP mrose c4c9334bac560ecc979e58001b3e22fb

S: +OK maildrop has 1 message (369 octets)

C: :

When the server connection, the password "tanstaaf" character strings of the user mrose is

linked after "<1896.697170952@dbc.mtview.ca.us>" message. Character strings of

"<1896.697170952@dbc.mtview.ca.us>tanstaaf" is hashed by MD5, then it becomes

"c4c9334bac560ecc979e58001b3e22fb".

For actual settings, set as follows. System Settings > Network Settings > E-mail/I-Fax >

Authent./ Encryption > POP AUTH Method >APOP.

POP AUTH

POP AUTH uses the authentication mechanism of SASL(Simple Authentication and

Security Layer) provided in RFC2222 and conducts the user authentication by returning the

user name and password information as a response to the server challenge and its data from

the server. This is standardized as RFC1734 "POP3 AUTHentication command". By the

CAPA command extended in RFC2449 "POP3 Extension Mechanism", you can know the

capability which the server has, and SASL authentication algorism which the server

supports is included in one capability and returned by the SASL tag.

In the POP server, multiple authentication mechanisms can be possessed and the

authentication mechanism is set according to the security policy which the server

administrator decides. E-mail client application selects the authentication algorism from the

specified authentication algorism and performs the authentication at the transmission. This

device supports the following authentication algorism.

CRAM-MD5

Challenge-Response Authentication Mechanism calculated using MD5 algorism with the

key based on the HMAC-MD5 (RFC2104).

Note:

Currently, POP AUTH server in the field are mostly made by Microsoft and NTLM

authentication is used. CRAM-MD5 is installed, but there is no server which the

operations are checked, so the evaluation has not performed. For this reason, POP AUTH

operations with CRAM-MD5 are not supported.

NTLM

Authentication method of Windows NT

User name has to be set in the form of "User name@ NT domain name".

2-14

+ 78 hidden pages

Canon imageRunner iR2270, imageRunner iR4570, imageRunner iR2870, imageRunner iR3570 Service Manual

Specifications and Main Features

Frequently Asked Questions

User Manual