Re: [exim] Client Authentication

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Fred Viles
Date:  
À: exim-users
Sujet: Re: [exim] Client Authentication
On 2 Jun 2005 at 18:12, Matt Mashyna wrote about
    "[exim] Client Authentication":


| I'm working on a mail client and I'm having some trouble with PLAIN
| authentication and Exim. With other servers, like Postfix for
| example, the client says EHLO and gets a list of authentication
| schemes, among other useful info. With Postfix my client can send
| AUTH LOGIN PLAIN\n


Your client is broken. The AUTH command consists of the keyword
AUTH, followed by a keyword matching *one* of the advertised
authentication methods (LOGIN *or* PLAIN, in this case), optionally
followed by data depending on the authentication method.

| client sends the b64 user name, gets a request for a password, it
| sends the b64 password and then the authentication is either excepted
| or rejected.


If the server also prompted for the username, not just the password,
that's the standard AUTH LOGIN method. It sounds like Postfix just
ignored the invalid data at the end of your "AUTH LOGIN" command.

| When I try to do this with an Exim server it immediately says
| "Invalid base64 data"


Right, that's because the plaintext authenticator accepts AUTH PLAIN
syntax, where the credentials are supplied on the AUTH command so
there's no prompting. If anything follows the method name, it is
assumed to be the b64-encoded credentials.

|...
| Any help would be greatly appreciated.


Fix your client to either follow the LOGIN method:

- Send "AUTH LOGIN"
- Receive b64 encoded "User Name" prompt
- Send b64 encoded username
- Receive b64 encoded "Password" prompt
- Send b64 encoded password

OR the PLAIN method:

- Send "AUTH PLAIN auth-text"
where auth-text is the string "\0username\0password", without the
quotes but *with* the two NUL characters, b64 encoded.

AUTH PLAIN would be preferable, since unlike AUTH LOGIN it is an RFC
standard. Even more preferable would be implementing CRAM-MD5, so
you're not sending the credentials in plain text.

- Fred