Re: [Exim] AUTH PLAIN

Author: Mike Richardson
Date:  
To: Philip Hazel
CC: exim-users
Subject: Re: [Exim] AUTH PLAIN
> > C: a003 AUTHENTICATE "PLAIN" (21+)
> > C: <null>tim<null>something
> > S: a003 OK
>
> So it does. Though it's {21+} not (21+). The actual lines are

Sorry, yes... I wasn't able to C&P between machines and read it wrong.

> C: a003 AUTHENTICATE "PLAIN" {21+}
> C: <NUL>tim<NUL>tanstaaftanstaaf
>
> My guess is that the {21+} means "21 data characters follow". Otherwise,
> if the input comes on multiple lines like this, the server won't know
> when it ends.
>
> But of course, *that isn't SMTP*.

True. The RFC mixes SMTP/IMAP/POP and it was difficult to separate out the
relevant bits.

> I don't believe this is relevant to SMTP, which is a lock-step protocol.
> After the client has sent an AUTH command, it must wait for a response.
> You can't send additional data just like that. That's the way SMTP works
> for *all* commands. Therefore, I and other implementors of PLAIN have
> taken the "obvious" interpretation for SMTP, which is that the data
> follows immediately on the same line as "AUTH PLAIN".

Can you give examples of 'other implementors'? It might help me convince
Steltor that they are wrong...

> The RFC to read is 2554 "SMTP Service Extension for Authentication", but
> unfortunately, it doesn't show a PLAIN example. What it does say is

Might be an idea to put that RFC reference in the Exim docs near the
reference to RFC2595 in the authenticators section. I wasn't too sure
where to look for this stuff. Not much on Google either...

> this:
>          The optional initial-response argument to the AUTH command is
>          used to save a round trip when using authentication mechanisms
>          that are defined to send no data in the initial challenge.
>          When the initial-response argument is used with such a
>          mechanism, the initial empty challenge is not sent to the
>          client and the server uses the data in the initial-response
>          argument as if it were sent in response to the empty challenge.

>
> after having defined the syntax of AUTH as
>
> AUTH mechanism [initial-response]
>
> I rest my case.

I hope that'll be enough to convince them. I take it that you don't mind
if I forward your reply to them? Given that they charge 10 quid plus per
user licence, it'd be nice if the software worked properly with ours (and
other MTAs). Btw, do you have any comment about the relative security
implications of using PLAIN over LOGIN? (I know that SSL should be used
in either case, that's the next step to test :-)

Thanks

Mike
-- 
-----Plain text only please - attachments stripped on arrival.------
Copyright 2001       Mike Richardson, Room G98, Manchester Computing
University of Manchester, M13 9PL     doctor@???    Int: 56009
Left through main doors.         Right then left at end of corridor.
First door on left.   URL http://kira.mcc.ac.uk/  Ext: 0161 275 6009 
--------------------------------------------------------------------
"If I want your opinion, I'll beat it out of you!" - Chuck Norris
"If anything happens to my daughter I have a 45 and shovel" Clueless
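As an added illustration of the point argued in the thread (not code from the thread or from Exim): the PLAIN message is just NUL authcid NUL password, base64-encoded so it can ride on the AUTH line itself as the RFC 2554 initial-response, or be sent alone after a 334 challenge. It uses the RFC's own example credentials quoted above ("tim" / "tanstaaftanstaaf"), and shows why the IMAP literal said {21+}; the function names are mine.

```python
import base64

# Constructed sample: the RFC example credentials quoted in the thread.
AUTHCID = "tim"
PASSWD = "tanstaaftanstaaf"


def plain_message(authcid, passwd, authzid=""):
    """Raw SASL PLAIN message: [authzid] NUL authcid NUL passwd (no encoding)."""
    for part in (authzid, authcid, passwd):
        if "\0" in part:
            raise ValueError("NUL is the field separator and may not appear in a field")
    return b"\0".join(p.encode("utf-8") for p in (authzid, authcid, passwd))


def plain_initial_response(authcid, passwd, authzid=""):
    """Base64 form: what goes after 'AUTH PLAIN ' as the initial-response argument."""
    return base64.b64encode(plain_message(authcid, passwd, authzid)).decode("ascii")


def decode_plain_response(b64):
    """Server side: decode one base64 PLAIN message into its three fields."""
    raw = base64.b64decode(b64, validate=True)
    fields = raw.split(b"\0")
    if len(fields) != 3:
        raise ValueError("PLAIN message must contain exactly two NUL separators")
    authzid, authcid, passwd = (f.decode("utf-8") for f in fields)
    return {"needs_challenge": False, "authzid": authzid,
            "authcid": authcid, "passwd": passwd, "length": len(raw)}


def parse_auth_plain(line):
    """Server side view of one SMTP command line (lock-step: one line, one reply).
    With no initial-response the server must answer '334 ' and wait for the data."""
    parts = line.strip().split(" ")
    if len(parts) < 2 or parts[0].upper() != "AUTH" or parts[1].upper() != "PLAIN":
        raise ValueError("not an AUTH PLAIN command")
    if len(parts) == 2:
        return {"needs_challenge": True}
    return decode_plain_response(parts[2])


def lock_step_exchange(use_initial_response):
    """The two legal SMTP shapes as (side, line) pairs; 334/235 are RFC 2554 codes."""
    resp = plain_initial_response(AUTHCID, PASSWD)
    if use_initial_response:
        return [("C", "AUTH PLAIN " + resp), ("S", "235 Authentication succeeded")]
    return [("C", "AUTH PLAIN"), ("S", "334 "), ("C", resp),
            ("S", "235 Authentication succeeded")]
```

Either way the server receives the same 21 bytes; base64 is an encoding, not protection, which is why both PLAIN and LOGIN need the TLS layer the message mentions.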