Re: [exim] AUTH advertised incorrectly - and STARTTLS comman…

Author: Edward Harvey
Date:  
To: exim-users
Subject: Re: [exim] AUTH advertised incorrectly - and STARTTLS command used when not advertised
> From: Edward Harvey [mailto:eharvey@lyricsemiconductors.com]
> Sent: Wednesday, August 11, 2010 2:29 PM
>
> Here's the symptom:
> My client connects, and EHLO's.
> The response includes "STARTTLS" which is good.
> The response includes "AUTH PLAIN" which is bad.


So here's what I learned: No, it's not bad for AUTH PLAIN to be displayed
at this point. I was wrong in my understanding of how this flow would go.
I mistakenly thought that TLS didn't begin until the STARTTLS command was
given. But upon closer inspection, I telnet'd to the mail server, and saw
in the logs that TLS had already begun before I even typed a single
character. So naturally, when I ran my first EHLO, the advertisement of
AUTH PLAIN was present.

However, if I typed in AUTH PLAIN, and tried to submit a username/password
unencrypted in plain text, the server was expecting something base64
(which obviously I didn't type) and if I typed in AUTH LOGIN (after I
enabled auth login) then the server sent me some encrypted characters.

So the conclusion is: The server starts TLS in its own brain, before the
client even requests it. However, the client cannot encrypt/decrypt any
of that, until the client does the STARTTLS. And while TLS is running,
only some specific fields are encrypted. Username/password, and even the
username/password prompt are all encrypted. But not the "rcpt" and "from"
and "data" commands and so forth.

And finally:

AUTH PLAIN is not sufficient to support Outlook. I managed to solve all
of the above, by enabling AUTH LOGIN as well as AUTH PLAIN. Now
everything works fine.
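An added example, not from this thread or from Exim itself: a small Python check for the two things discussed above, which AUTH mechanisms a server lists in its EHLO response before STARTTLS, and what the `334` prompts that AUTH LOGIN sends actually contain (they are base64 of "Username:" and "Password:"). The EHLO transcripts, host and port are constructed for the offline demo; `probe()` is for running against a server you administer.

```python
import base64
import smtplib

# Constructed EHLO responses for the offline demo (not captured from any real server).
EHLO_AUTH_IN_CLEAR = (
    "250-mail.example.test\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH PLAIN LOGIN\r\n"   # offered before TLS: credentials could go out in cleartext
    "250 8BITMIME\r\n"
)
EHLO_AUTH_ONLY_AFTER_TLS = "250-mail.example.test\r\n250-STARTTLS\r\n250 8BITMIME\r\n"


def parse_ehlo(response: str) -> dict:
    """Map each EHLO keyword to its parameters; the first line is the greeting."""
    features = {}
    for line in response.splitlines()[1:]:
        body = line[4:].strip().replace("AUTH=", "AUTH ", 1)  # legacy "AUTH=" form
        if body:
            keyword, _, params = body.partition(" ")
            features[keyword.upper()] = params.strip()
    return features


def auth_before_tls(pre_tls_ehlo: str) -> list:
    """Mechanisms a client may use without STARTTLS; an empty list is the safe result."""
    return parse_ehlo(pre_tls_ehlo).get("AUTH", "").split()


def decode_sasl_prompt(server_line: str) -> str:
    """A '334 VXNlcm5hbWU6' line is base64 for 'Username:', not ciphertext."""
    code, _, challenge = server_line.partition(" ")
    if code != "334":
        raise ValueError("not a SASL continuation line")
    return base64.b64decode(challenge).decode()


def plain_credential(user: str, password: str) -> str:
    """SASL PLAIN payload: base64 of NUL user NUL password; anyone on the path can decode it."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


def probe(host: str, port: int = 587) -> dict:
    """Live check against your own server: AUTH offered before vs. after STARTTLS.
    In Exim, limiting the advertisement to TLS sessions is the documented
    auth_advertise_hosts = ${if eq{$tls_in_cipher}{}{}{*}} idiom."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        before = smtp.esmtp_features.get("auth", "").split()
        smtp.starttls()
        smtp.ehlo()
        after = smtp.esmtp_features.get("auth", "").split()
    return {"before_starttls": before, "after_starttls": after}
```

A non-empty `before_starttls` list means a client that skips STARTTLS can still send its base64-encoded password in the clear, which is the reason to gate AUTH on TLS rather than to rely on the client.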