Version= hMailServer 3.2.3 2004-10-11 16
Issue 1
When unchecking the "allow authentication in plain text" check box in the hmailadmin, the following correct message is sent from the server:
"SENT: 250-hmailserver[nl]250 AUTH LOGIN"
But when checking the "allow authentication in plain text" check box in the hmailadmin, the following incorrect message is sent from the server:
"SENT: 250-hmailserver[nl]250 AUTH LOGIN PLAIN"
The correct message in this case should be:
"SENT: 250-hmailserver[nl]250 AUTH PLAIN"
Check RFC 2554 for the complete details.
Issue 2
One email client I use does seem to enforce the use of "250-AUTH XXXX" instead of "250 AUTH XXXX". What is the correct use in your opinion? At least according to RFC 2554 I would suggest that "250 AUTH XXXX" is correct.
Microsoft Outlook does seem to handle both options.
SMTP AUTH LOGIN and SMTP AUTH PLAIN
Issue 1:
The correct message in this case should be:
"SENT: 250-hmailserver[nl]250 AUTH PLAIN"

On what part in RFC 2554 do you base this? I've checked some other servers, qmail and sendmail, and they use the same syntax as hMailServer.

Issue 2:
One email client I use does seem to enforce the use of "250-AUTH XXXX" instead of "250 AUTH XXXX". What is the correct use in your opinion?

As far as I know, the "-" should be used when the message from the server to the client continues on the next line, regardless of what the command is. Sample from the SMTP RFC:
Code:
S: EXPN Example-People
R: 250-Jon Postel <Postel@USC-ISIF.ARPA>
R: 250-Fred Fonebone <Fonebone@USC-ISIQ.ARPA>
R: 250-Sam Q. Smith <SQSmith@USC-ISIQ.ARPA>
R: 250-Quincy Smith <@USC-ISIF.ARPA:Q-Smith@ISI-VAXA.ARPA>
R: 250-<joe@foo-unix.ARPA>
R: 250 <xyz@bar-unix.ARPA>
Maybe I jumped the gun a bit on Issue 1:
Here is the example from RFC 2554 I talked about.
Unfortunately it went missing in my previous post. Sorry about that.
Code:
S: 220 smtp.example.com ESMTP server ready
C: EHLO jgm.example.com
S: 250-smtp.example.com
S: 250 AUTH CRAM-MD5 DIGEST-MD5
C: AUTH FOOBAR
S: 504 Unrecognized authentication type.
C: AUTH CRAM-MD5
S: 334 PENCeUxFREJoU0NnbmhNWitOMjNGNndAZWx3b29kLmlubm9zb2Z0LmNvbT4=
C: ZnJlZCA5ZTk1YWVlMDljNDBhZjJiODRhMGMyYjNiYmFlNzg2ZQ==
S: 235 Authentication successful.

I looked at the code a bit more carefully and I think I understand your point now.
The server sends ALL auth_types it supports to the client (separated by a SPACE), after the AUTH command, right?
The code I based my assumption on was the following:
Code:
auth_command = "AUTH" SPACE auth_type [SPACE (base64 / "=")]
               *(CRLF [base64]) CRLF

Maybe I was wrong about how to interpret this line.

Issue 2:
Thank you for that explanation.
The server sends ALL auth_types it supports to the client (separated by a SPACE), after the AUTH command, right?

Right. I agree that you seem to be right according to the auth_command specification (that the server should only issue one authentication type after it). But if you check the example from the SMTP RFC (250 AUTH CRAM-MD5 DIGEST-MD5), it uses the same syntax as hMailServer... I don't have very much faith in the SMTP RFC. Some relevant things are poorly documented or not documented at all.
I just read the spec one more time. I think the description of the auth_command is for the client-to-server message. Before that in the spec the server-to-client AUTH message is described in general words. I think it is unfortunate that the RFC does not describe the server-to-client and client-to-server messages in the same syntax.
Another question:
An SMTP mail client supports PLAIN, LOGIN and CRAM-MD5.
The client should prefer to use CRAM-MD5 if the server supports it.
If CRAM-MD5 is not supported by the server, the client should look for LOGIN in the AUTH message from the server.
And as a last resort the PLAIN auth should be used.
Is this correct in your opinion?
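As an added illustration (not code from this thread or from hMailServer), the Python below parses a multi-line EHLO reply the way the replies above describe it, "250-" for a continuation line and "250 " for the final line, collects the space-separated mechanisms after the AUTH keyword on whichever line it appears, and applies the preference order asked about in the last post (CRAM-MD5, then LOGIN, then PLAIN). The sample replies are constructed to mirror the hMailServer output from Issue 1 and the RFC 2554 example.

```python
# Preference order the last post asks about: challenge-response first, then
# LOGIN, then PLAIN. LOGIN and PLAIN only base64-encode the password, so they
# are cleartext on the wire unless the session is already protected by TLS.
PREFERENCE = ("CRAM-MD5", "LOGIN", "PLAIN")

def parse_ehlo_response(lines):
    """Split a multi-line EHLO reply into (code, [text of each line]).
    '-' after the three-digit code marks a continuation line, a space marks
    the final line, and every line of one reply carries the same code."""
    code, texts = None, []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if len(line) < 4 or not line[:3].isdigit() or line[3] not in "- ":
            raise ValueError(f"malformed reply line: {line!r}")
        if code is None:
            code = line[:3]
        elif line[:3] != code:
            raise ValueError("reply code changed within one response")
        texts.append(line[4:])
        if line[3] == " ":
            return code, texts  # final line reached
    raise ValueError("reply ended without a final '<code><SP>' line")

def advertised_auth_mechanisms(texts):
    """Collect the space-separated mechanisms after the AUTH keyword, whether
    it sits on a continuation line ('250-AUTH ...') or the final line
    ('250 AUTH ...'), the two forms compared in Issue 2."""
    mechs = []
    for text in texts:
        parts = text.split()
        if parts and parts[0].upper() == "AUTH":
            mechs.extend(p.upper() for p in parts[1:])
    return mechs

def choose_mechanism(texts):
    """Return the most preferred mechanism the server offers, or None."""
    offered = set(advertised_auth_mechanisms(texts))
    return next((m for m in PREFERENCE if m in offered), None)

# Constructed samples: the hMailServer reply from Issue 1 with plain-text
# authentication enabled, and the EHLO reply from the RFC 2554 example.
EHLO_HMAIL = ["250-hmailserver\r\n", "250 AUTH LOGIN PLAIN\r\n"]
EHLO_RFC2554 = ["250-smtp.example.com\r\n", "250 AUTH CRAM-MD5 DIGEST-MD5\r\n"]

if __name__ == "__main__":
    for reply in (EHLO_HMAIL, EHLO_RFC2554):
        _, texts = parse_ehlo_response(reply)
        print(advertised_auth_mechanisms(texts), "->", choose_mechanism(texts))
```

A reply that never reaches a "250 " line, or that changes its code part way through, is rejected rather than guessed at, so a truncated or mixed-up advertisement cannot silently downgrade the client to a cleartext mechanism.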