On Thu, 6 Jun 2002, Marc Langer wrote:
> Someone wrote (last year, I think) this was a bug in old Outlook
> versions, and Philip refused to add a hack to Exim, announcing both
> "AUTH LOGIN" und "AUTH=LOGIN". Instead he wanted Microsoft to deliver
> patches...
Well, I wanted them to implement the standard. Heck, it's a small enough
change... Might even be just a single byte...
> Today I read an interesting article in a German newsgroup, showing
> that Netscape/Mozilla also depends on AUTH=LOGIN and it was best common
> practice before standardized by RFC 2222 and 2554: Netscape used it
> since the mid of the 90th, and the author auf RFC 2222 and 2554
> was a Netscape employee.
The date of RFC 2222 is October 1997, almost 5 years ago; 2554 is newer,
March 1999, but even that is now 3 years old. RFCs get discussed for a
long time before they are published, so people would have known about
the standard even longer.
> Joern Weber <listen@???> knows a lot about the SMTP AUTH
> history, I think, and he wrote, to be downward compatible, AUTH=LOGIN
> should also be announced in the EHLO greeting.
I have seen no documentation stating this.
<GRUMBLE>
Too much of the Internet works on hearsay and things that "people just
know". If you arrive from outside, however much your read the standards,
you are unable to implement software that actually interworks. This is,
IMHO, Very Bad.
</GRUMBLE>
<RANT>
Anyway, how can you do this compatibly? Any client that is following the
standard may well *complain* about a broken server if you do that. How
do you advertise several mechanisms? Do you say
250-AUTH=LOGIN PLAIN CRAM-MD5
or do you have to do
250-AUTH=LOGIN
250-AUTH LOGIN PLAIN CRAM-MD5
? Has anybody documented that? Will a picky client complain at that
because AUTH is mentioned twice? (RFC 2821 doesn't seem to say anything
about multiple appearances of EHLO keywords.) The point is that one
needs a *detailed* specification of this kind of thing.
</RANT>
> Philip, it would be great if you changed your mind and include this
> hack in Exim 4.x.
I sympathise, but I don't think I'm going to change my mind. Microsoft
are making a lot of money out of OutLook. They should fix it.
> As some Outlook and Netscape still need it, that
I tested Exim with Netscape; it didn't seem to need a hack.
--
Philip Hazel University of Cambridge Computing Service,
ph10@??? Cambridge, England. Phone: +44 1223 334714.