[exim] Exim4 sends SMTP MAIL after failed AUTH

Author: James Phillips
Date:  
To: exim-users
Subject: [exim] Exim4 sends SMTP MAIL after failed AUTH
Hello,

While troubleshooting my mail configuration, I found what I believe to be bugs
at the link, session and application layers. Relevant to this list is the
application layer. I am trying to use Exim4 in SMTP client mode.

After receiving "535 authentication failed (#5.7.1)" from the server, my
computer responds with: "MAIL FROM: <nephill#X#icrossroads.com> SIZE=1633\r\n"

(Because Email addresses are supposed to be kept confidential, I will replace
'@' with #X#)

From my notes:
Exim4 (my computer) asks for "AUTH CRAM-MD5", which ultimately fails (code
535). Seemingly disregarding the result, Exim goes ahead with:
MAIL FROM:<nephill#X#icrossroads.com> SIZE=1636\r\n
RCPT TO:<ljphillips#X#myrealbox.com>\r\n
DATA\r\n
(As an aside, Wireshark was not able to parse this properly)
SMTP server responds with
250 OK\r\n
My computer, for some unknown reason, sends out an empty TCP packet
acknowledging a future TCP packet. Wireshark's SEQ/ACK analysis says it is a
response to the previous packet, but my interpretation is borne out by what
happens next:
Exim4 sends: QUIT\r\n
My computer sends another empty TCP packet (FIN, ACK)
SMTP sends the previously acknowledged packet:
221 pteradon.tera-byte.com\r\n
My computer now bails by sending another TCP (RST) packet.
SMTP server acknowledges the RST with a TCP (FIN, ACK)
My computer resends the (RST) packet.

The packets (Frames) appear to be out of order (time-wise)!
Screenshot: http://www.icrossroads.com/~nephill/wireshard_email.png
Frame 76 appears to acknowledge frame 79

10 seconds later, my computer tries again with the CRAM-MD5.
This time, after the authentication failure, it sends:
MAIL FROM:<> SIZE=2665\r\n

Then proceeds to send the failure message to the SMTP server.
---
I later determined that the out-of-order frames were localized to my setup on
the one computer (could be a driver conflict or something; it did not happen
with a live CD on the same hardware).

I was able to reproduce the problem on a second computer with the same
software, but different hardware.
The packets/frames in question have been saved to a file:
http://www.icrossroads.com/~nephill/test_exim4_stmp.libpcap
(I used Wireshark, but gather any libpcap-based packet sniffer may be able to
read it.) (I deliberately used the wrong password for the capture in case one
of you can crack CRAM-MD5)

Software:
Debian Etch system (x86, 32bit)
exim4        4.63-17
exim4-config 4.63-17 (debian specific)
mutt         1.5.13-1.1e
wireshark    0.99.4-5.et


I am using the Maildir option, in case that affects things.

Regards,

James Phillips
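
A check for the sequence reported in this message, as an added example that is not part of the original post or of Exim: it walks an SMTP transcript and flags any MAIL FROM sent after an AUTH attempt ended in a 4xx/5xx reply. The `(side, line)` transcript format, the function name and the sample hosts, addresses and base64 strings are constructed for illustration.

```python
import re

# Reply code, then '-' (more lines follow) or ' ' / end of line (final line).
REPLY = re.compile(r"^(\d{3})([ -]|$)")

def mail_after_failed_auth(transcript):
    """Return (index, line) for each MAIL FROM sent after a failed AUTH.

    transcript: list of (side, line), side 'C' = client, 'S' = server
    (hypothetical format; CRLF already stripped).
    """
    findings = []
    auth_pending = in_challenge = auth_failed = in_data = False
    for i, (side, line) in enumerate(transcript):
        if side == "S":
            m = REPLY.match(line)
            if not m or m.group(2) == "-":
                continue                       # skip continuation lines
            code = m.group(1)
            if code == "354":
                in_data = True                 # client lines are message body now
            elif auth_pending and code == "334":
                in_challenge = True            # next client line is a SASL response
            elif auth_pending:
                auth_pending = False
                auth_failed = code[0] in "45"  # e.g. 535 sets it, 235 clears it
            continue
        if in_data:
            in_data = line != "."              # body ends at a lone dot
            continue
        if in_challenge:
            in_challenge = False               # base64 response, not a command
            continue
        cmd = line.upper()
        if cmd.startswith("AUTH"):
            auth_pending = True
        elif cmd.startswith("MAIL FROM:") and auth_failed:
            findings.append((i, line))
    return findings

# Constructed transcript in the order described in the message above.
SAMPLE = [
    ("C", "EHLO client.example"), ("S", "250-mail.example.net"),
    ("S", "250-PIPELINING"), ("S", "250 AUTH CRAM-MD5"),
    ("C", "AUTH CRAM-MD5"), ("S", "334 PDEyMzQ1QG1haWwuZXhhbXBsZS5uZXQ+"),
    ("C", "dXNlciBkZWFkYmVlZg=="), ("S", "535 authentication failed (#5.7.1)"),
    ("C", "MAIL FROM:<sender@example.org> SIZE=1636"),
    ("C", "RCPT TO:<rcpt@example.net>"), ("C", "DATA"),
    ("S", "250 OK"), ("C", "QUIT"), ("S", "221 mail.example.net"),
]

if __name__ == "__main__":
    for idx, line in mail_after_failed_auth(SAMPLE):
        print(f"line {idx}: MAIL sent after failed AUTH: {line}")
```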