[Exim] SMTP AUTH PLAIN - error in documentation and config f…

Author: CaLViN
Date:  
To: exim-users
Subject: [Exim] SMTP AUTH PLAIN - error in documentation and config files
Hi all,

I think there are some errors in the documentation and in the
standard config files of exim (both version 3 and 4). Please correct
me if I am wrong here or have overlooked some RFCs...

First, the RFC referenced in the documentation is RFC 2595. This RFC
talks about "Using TLS with IMAP, POP3 and ACAP". The correct RFC
should be 2554 "SMTP Service Extension for Authentication".

In addition to that, the recommended configuration (and the
configuration contained in the config files) for the AUTH PLAIN
section is not compliant with this RFC. This causes some problems with
mail clients like TheBat! and Eudora.

This is the recommended config:

fixed_plain:
driver = plaintext
public_name = PLAIN
server_condition = ${if and {{eq{$2}{ph10}}{eq{$3}{secret}}}{yes}{no}}
server_set_id = $2

The documentation (Part 36) even says: "Because no prompt strings are
set, if no data is given with the AUTH command, authentication fails."
RFC 2554 clearly states that transmitting the authentication data with
the AUTH PLAIN command is _optional_, and if not provided the server
should issue a ready response (334) to prompt for that data. Since this
is not happening, some mail clients (those that don't send the
optional parameter) can't authenticate against exim using AUTH PLAIN.
This is what exim does with the default config:

> AUTH PLAIN

< 535 Incorrect authentication data

Instead, it should do this:

> AUTH PLAIN

< 334
> base64string

< 235 Authentication succeeded

By changing the config to this (inserted the server_prompts line):

fixed_plain:
driver = plaintext
public_name = PLAIN
server_prompts = :
server_condition = ${if and {{eq{$2}{ph10}}{eq{$3}{secret}}}{yes}{no}}
server_set_id = $2

exim will conform to the RFC. Please change this in the documentation
and in the default config files when possible.

Thanks,

CaLViN
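
The two exchanges described in the message above, modelled as an added example (not part of the original post and not Exim's code). The function names and the `empty_prompt` flag are hypothetical; the credentials are the constructed `ph10`/`secret` values from the config, and the three NUL-separated fields are what that config reads as `$1`, `$2` and `$3`.

```python
import base64
import hmac

# Constructed sample credentials: the fixed values from the config above.
USER, PASSWORD = b"ph10", b"secret"

def encode_plain(user: bytes, password: bytes, authzid: bytes = b"") -> str:
    """Client side: base64 of authzid NUL authcid NUL passwd."""
    return base64.b64encode(authzid + b"\0" + user + b"\0" + password).decode()

def check_plain(b64: str) -> bool:
    """Server side: split into the three fields the config reads as $1, $2, $3."""
    try:
        fields = base64.b64decode(b64, validate=True).split(b"\0")
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    if len(fields) != 3:
        return False
    _authzid, authcid, passwd = fields
    # Evaluate both comparisons, in constant time, before combining.
    user_ok = hmac.compare_digest(authcid, USER)
    pass_ok = hmac.compare_digest(passwd, PASSWORD)
    return user_ok and pass_ok

def auth_plain(client_lines, empty_prompt: bool) -> list:
    """Server replies for one AUTH PLAIN attempt (simplified model).

    empty_prompt=True models 'server_prompts = :'; False models no prompts.
    """
    lines = iter(client_lines)
    parts = next(lines).split()
    if [p.upper() for p in parts[:2]] != ["AUTH", "PLAIN"]:
        raise ValueError("not an AUTH PLAIN command")
    replies = []
    if len(parts) >= 3:
        data = parts[2]                 # initial response on the AUTH line
    elif empty_prompt:
        replies.append("334 ")          # empty challenge: ask for the data
        data = next(lines, "")
    else:
        data = ""                       # nothing sent, nothing requested
    ok = check_plain(data)
    replies.append("235 Authentication succeeded" if ok
                   else "535 Incorrect authentication data")
    return replies
```

The base64 layer is only an encoding, so the decoded fields are the clear-text user name and password that the server compares.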