SMTP AUTH LOGIN and SMTP AUTH PLAIN

MattiasClaesson
New user

Post by MattiasClaesson » 2004-10-13 16:16

Version= hMailServer 3.2.3 2004-10-11 16

Issue 1
When unchecking the "allow authentication in plain text" check box in the hmailadmin, the following correct message is sent from the server:
"SENT: 250-hmailserver[nl]250 AUTH LOGIN"

But when checking the "allow authentication in plain text" checkbox in the hmailadmin, the following incorrect message is sent from the server:
"SENT: 250-hmailserver[nl]250 AUTH LOGIN PLAIN"
The correct message in this case should be:
"SENT: 250-hmailserver[nl]250 AUTH PLAIN"

Check RFC2554 for the complete details.

Issue 2
One email client I use does seem to enforce the use of "250-AUTH XXXX" instead of "250 AUTH XXXX". What is the correct use in your opinion? At least according to RFC2554 I would suggest that "250 AUTH XXXX" is correct.
Microsoft Outlook does seem to handle both options.

martin
Developer

Post by martin » 2004-10-13 18:22

Issue 1:
> The correct message in this case should be:
> "SENT: 250-hmailserver[nl]250 AUTH PLAIN"

On what part in RFC 2554 do you base this? I've checked some other servers and qmail, sendmail and they use the same syntax as hMailServer.

Issue 2:
> One email client I use does seem to enforce the use of "250-AUTH XXXX" instead of "250 AUTH XXXX". What is the correct use in your opinion?

As far as I know, the "-" should be used when the message from the server to the client continues on the next line, regardless of what the command is. Sample from the SMTP RFC:

            S: EXPN Example-People
            R: 250-Jon Postel <Postel@USC-ISIF.ARPA>
            R: 250-Fred Fonebone <Fonebone@USC-ISIQ.ARPA>
            R: 250-Sam Q. Smith <SQSmith@USC-ISIQ.ARPA>
            R: 250-Quincy Smith <@USC-ISIF.ARPA:Q-Smith@ISI-VAXA.ARPA>
            R: 250-<joe@foo-unix.ARPA>
            R: 250 <xyz@bar-unix.ARPA>

Post by MattiasClaesson » 2004-10-13 21:09

Maybe I jumped the gun a bit on Issue 1:
Here is the example from RFC 2554 I talked about.

         S: 220 smtp.example.com ESMTP server ready
         C: EHLO jgm.example.com
         S: 250-smtp.example.com
         S: 250 AUTH CRAM-MD5 DIGEST-MD5
         C: AUTH FOOBAR
         S: 504 Unrecognized authentication type.
         C: AUTH CRAM-MD5
         S: 334
         PENCeUxFREJoU0NnbmhNWitOMjNGNndAZWx3b29kLmlubm9zb2Z0LmNvbT4=
         C: ZnJlZCA5ZTk1YWVlMDljNDBhZjJiODRhMGMyYjNiYmFlNzg2ZQ==
         S: 235 Authentication successful.

Unfortunately it went missing in my previous post. Sorry about that.

I looked at the code a bit more carefully and I think I understand your point now.
The server sends ALL auth_type it supports to the client (separated by a SPACE), after the AUTH command, right?

The code I based my assumption on was the following:

auth_command    = "AUTH" SPACE auth_type [SPACE (base64 / "=")]
                     *(CRLF [base64]) CRLF

Maybe I was wrong about how to interpret this line.

Issue2:
Thank you for that explanation.

Post by martin » 2004-10-14 17:17

> The server sends ALL auth_type it supports to the client (separated by a SPACE), after the AUTH command, right?

Right.
I agree that you seem to be right according to the auth_command specification (that the server should only issue one authentication type after it). But if you check the example from the SMTP RFC (250 AUTH CRAM-MD5 DIGEST-MD5), it uses the same syntax as hMailServer... I don't have very much faith in the SMTP RFC. Some relevant things are poorly or not documented at all.

Post by MattiasClaesson » 2004-10-16 11:02

I just read the spec one more time. I think the description of the auth_command is for the client to server message. Before that in the spec the server to client AUTH message is described in general words. I think it is unfortunate that the RFC does not describe the server to client and client to server messages in the same syntax.

Another question:
An SMTP mail client supports PLAIN, LOGIN and CRAM-MD5.
The client should prefer to use CRAM-MD5 if the server supports it.
If CRAM-MD5 is not supported by the server, the client should look for LOGIN in the AUTH message from the server.
And as a last resort the PLAIN auth should be used.
Is this correct in your opinion?

Post by martin » 2004-10-16 11:10

Yes, that sounds correct to me. (Next version of hMailServer will support cram-md5)
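
Added example, not part of the original thread and not hMailServer's code: a client-side parser for the EHLO replies discussed above that handles both the "250-" continuation and "250 " final-line forms, reads the space-separated AUTH list, and applies the CRAM-MD5, LOGIN, PLAIN preference order. The `tls_active` gate and all function names are assumptions of this example.

```python
import re

# Client preference stated in the thread: CRAM-MD5, then LOGIN, PLAIN last.
PREFERENCE = ("CRAM-MD5", "LOGIN", "PLAIN")
REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

# Replies from the thread, plus one constructed "250-AUTH" variant (Issue 2).
HMAIL = "250-hmailserver\r\n250 AUTH LOGIN PLAIN\r\n"
RFC2554 = "250-smtp.example.com\r\n250 AUTH CRAM-MD5 DIGEST-MD5\r\n"
AUTH_NOT_LAST = "250-hmailserver\r\n250-AUTH LOGIN\r\n250 HELP\r\n"  # constructed

def parse_reply(raw):
    """Split one SMTP reply into (code, [text per line]).

    "250-" marks a continuation line; "250 " marks the final line.
    """
    lines = raw.replace("\r\n", "\n").rstrip("\n").split("\n")
    code, texts = None, []
    for i, line in enumerate(lines):
        m = REPLY_LINE.match(line)
        if not m or (code is not None and m.group(1) != code):
            raise ValueError(f"malformed reply line: {line!r}")
        code = m.group(1)
        # Only the last line may use the space separator.
        if (m.group(2) == " ") != (i == len(lines) - 1):
            raise ValueError("final-line marker in the wrong place")
        texts.append(m.group(3))
    return code, texts

def auth_mechanisms(raw_ehlo_reply):
    """Return the mechanisms listed after the AUTH keyword, upper-cased."""
    code, texts = parse_reply(raw_ehlo_reply)
    if code != "250":
        return []
    for text in texts[1:]:  # texts[0] is the server's greeting line
        keyword, _, params = text.partition(" ")
        if keyword.upper() == "AUTH":
            return params.upper().split()
    return []

def choose_mechanism(offered, tls_active):
    """Pick by PREFERENCE; allow LOGIN/PLAIN only when tls_active (assumed gate)."""
    for mech in PREFERENCE:
        if mech in offered:
            # LOGIN and PLAIN send the password merely base64-encoded.
            return mech if mech == "CRAM-MD5" or tls_active else None
    return None
```

A reply whose last line still carries "-" raises `ValueError`, because the client cannot know the capability list is complete.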
