On Sun, 5 Dec 1999, Mark Morley wrote:
> I have that all working, but there is one problem that I can see. It
> seems that some email clients see AUTH in the ESMTP options list and
> try to authenticate regardless of whether it's required or not.
> It seems to me it would make more sense
> to only do authentication of the server demands it.
The only way the server can demand it is to refuse to accept a message
without it, by giving a 530 response to a MAIL command, or in the case
of relaying by refusing to relay. I can quite see that for a client to
try to test whether it needs to authenticate or not by doing experiments
is going to be very messy.
> For example, if the client's IP is listed in host_accept_relay then
> don't present the AUTH option after EHLO at all. I think that would
> do it and shouldn't break anything.
The check of host_accept_relay currently happens only when the host
actually tries to relay, that is, when it sends a RCPT command for a
non-local domain. However, it could do a check at EHLO time, I suppose,
when deciding whether to advertise AUTH or not. However, the check would
have to be
if in host_accept_relay and not in auth_hosts
then don't advertise AUTH. However, I'm not really happy about this.
Authenticating allows the passing of an "authenticated sender", which
might be something that can usefully happen optionally, i.e. even if the
client doesn't *have* to authenticate, it might want to try, so the
server should advertise the availability of AUTH.
--
Philip Hazel University of Cambridge Computing Service,
ph10@??? Cambridge, England. Phone: +44 1223 334714.
