On Wed, 21 Apr 2004, Fred Viles wrote:
> Chad isn't talking about the EHLO response, he's talking about the
> optional AUTH=addr-spec parameter the sending server can (and I guess
> exim does) include on the MAIL FROM: command when sending to a server
> with which it has authenticated. See Section 5 of RFC 2554.
>
> It's an interesting question. The parameter is described as
> optional, but the language includes some MUSTs that require a relay
> server to pass along AUTH=<> in some cases.

My reading is that, although the parameter need not be supplied by the
client (it's optional), if supplied, it has to be recognized by the
server.

My belief is that a server that advertises support for authentication
must support both the AUTH command and the AUTH= parameter on MAIL. Does
the RFC support this view? Hmm... let's see ... I find these paragraphs
in RFC 2554:

   If an AUTH=<> parameter was supplied, either explicitly or due to
   the requirement in the previous paragraph, then the server MUST
   supply the AUTH=<> parameter when relaying the message to any
   server which it has authenticated to using the AUTH extension.

which implies that the server MUST support "AUTH=".

   It is conforming for an implementation to be hard-coded to treat
   all clients as being insufficiently trusted. In that case, the
   implementation does nothing more than parse and discard
   syntactically valid AUTH parameters to the MAIL FROM command and
   supply AUTH=<> parameters to any servers to which it
   authenticates using the AUTH extension.

Likewise.

> In any case, FWIW I certainly wouldn't call the lack of an exim
> option to suppress AUTH= on MAIL FROM a bug.

Absolutely!

--
Philip Hazel University of Cambridge Computing Service,
ph10@??? Cambridge, England. Phone: +44 1223 334714.
Get the Exim 4 book: http://www.uit.co.uk/exim-book
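
The "parse and discard, then supply AUTH=<>" behaviour from the second RFC 2554 paragraph quoted above, as an added example that is not part of the original message and is not Exim's code. The function names and the sample command are constructed for illustration; the xtext grammar is the one from RFC 1891.

```python
import re

# xtext (RFC 1891): printable ASCII except "+" and "=", or "+" plus two
# uppercase hex digits. RFC 2554 encodes the AUTH= addr-spec this way.
_XTEXT = re.compile(r'(?:[!-*,-<>-~]|\+[0-9A-F]{2})+\Z')
_MAIL = re.compile(r'MAIL FROM:\s*<([^>]*)>((?:\s+\S+)*)\s*\Z', re.IGNORECASE)


def decode_xtext(value):
    """Decode an xtext string, rejecting anything syntactically invalid."""
    if not _XTEXT.match(value):
        raise ValueError(f"invalid xtext: {value!r}")
    return re.sub(r'\+([0-9A-F]{2})', lambda m: chr(int(m.group(1), 16)), value)


def parse_mail_from(line):
    """Return (reverse_path, auth_value_or_None, other_params)."""
    m = _MAIL.match(line)
    if not m:
        raise ValueError(f"not a MAIL FROM command: {line!r}")
    auth, others = None, []
    for param in m.group(2).split():
        key, _, val = param.partition('=')
        if key.upper() != 'AUTH':
            others.append(param)          # e.g. SIZE=, passed through untouched
        elif auth is not None:
            raise ValueError("duplicate AUTH parameter")
        else:
            auth = decode_xtext(val)      # "<>" is valid xtext and decodes to itself
    return m.group(1), auth, others


def relay_mail_from(line, authenticated_to_next_hop):
    """Untrusting relay: validate the client's AUTH=, discard its value,
    and send AUTH=<> only to a next hop we authenticated to."""
    path, _discarded, others = parse_mail_from(line)
    out = " ".join([f"MAIL FROM:<{path}>"] + others)
    if authenticated_to_next_hop:
        out += " AUTH=<>"
    return out


if __name__ == "__main__":
    # Constructed sample command; the addresses are placeholders.
    sample = "MAIL FROM:<user@example.org> SIZE=1024 AUTH=e+3Dmc2@example.com"
    print(parse_mail_from(sample))
    print(relay_mail_from(sample, authenticated_to_next_hop=True))
    print(relay_mail_from(sample, authenticated_to_next_hop=False))
```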