> From: Edward Harvey [mailto:eharvey@lyricsemiconductors.com]
> Sent: Wednesday, August 11, 2010 2:29 PM
>
> Here's the symptom:
> My client connects, and EHLO's.
> The response includes "STARTTLS" which is good.
> The response includes "AUTH PLAIN" which is bad.
So here's what I learned: No, it's not bad for AUTH PLAIN to be displayed
at this point. I was wrong in my understanding of how this flow would go.
I mistakenly thought that TLS didn't begin until the STARTTLS command was
given. But upon closer inspection, I telnetted to the mail server and saw
in the logs that TLS had already begun before I even typed a single
character. So naturally, when I ran my first EHLO, the advertisement of
AUTH PLAIN was present.

However, if I typed in AUTH PLAIN and tried to submit a username/password
unencrypted in plain text, the server was expecting something base64
(which obviously I didn't type), and if I typed in AUTH LOGIN (after I
enabled AUTH LOGIN) then the server sent me some encrypted characters.

So the conclusion is: The server starts TLS in its own brain, before the
client even requests it. However, the client cannot encrypt/decrypt any
of that until the client does the STARTTLS. And while TLS is running,
only some specific fields are encrypted. Username/password, and even the
username/password prompt, are all encrypted. But not the "rcpt" and "from"
and "data" commands and so forth.

And finally:

AUTH PLAIN is not sufficient to support Outlook. I managed to solve all
of the above by enabling AUTH LOGIN as well as AUTH PLAIN. Now
everything works fine.
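The mechanics behind the exchange described above, as an added example that is not part of the original thread or of any mail server's code: parsing the multi-line EHLO reply into its advertised extensions, building the base64 argument the server expects on AUTH PLAIN (RFC 4616: authzid NUL authcid NUL passwd), decoding the 334 challenges the server sends on AUTH LOGIN (they are base64 of the prompts "Username:" and "Password:"), and a client-side check that refuses to send either mechanism until STARTTLS has completed and the server has been re-EHLO'd. The EHLO reply, hostname and credentials are constructed sample data; `may_send_auth` expresses a hypothetical client policy, not the behaviour of the server in the thread.

```python
"""SMTP AUTH PLAIN / AUTH LOGIN encoding and a STARTTLS-before-AUTH check.

Added example, not code from the original thread.  All sample data
(EHLO reply, hostname, credentials) is constructed inline.
"""
import base64
from typing import Dict, List, Tuple

# Constructed EHLO reply modelled on the one described in the thread: both
# STARTTLS and AUTH are advertised.  "250-" marks continuation lines and
# "250 " (with a space) marks the final line of the reply.
SAMPLE_EHLO_RESPONSE = [
    "250-mail.example.com",
    "250-PIPELINING",
    "250-SIZE 10240000",
    "250-STARTTLS",
    "250-AUTH PLAIN LOGIN",
    "250 8BITMIME",
]


def parse_ehlo(lines: List[str]) -> Dict[str, List[str]]:
    """Turn a multi-line 250 EHLO reply into {EXTENSION: [params]}.

    The first line is the server's greeting and carries no extension.
    """
    extensions: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line.startswith("250"):
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        body = line[4:].strip()  # drop the "250-" / "250 " prefix
        if not body:
            continue
        keyword, *params = body.split()
        extensions[keyword.upper()] = [p.upper() for p in params]
    return extensions


def auth_plain_initial_response(authcid: str, passwd: str, authzid: str = "") -> str:
    """Build the client's AUTH PLAIN argument (RFC 4616).

    The SASL PLAIN message is authzid NUL authcid NUL passwd, then base64.
    Base64 is an encoding, not encryption: anyone who can read the TCP
    stream can decode it, which is why it belongs inside TLS.
    """
    raw = f"{authzid}\0{authcid}\0{passwd}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(b64: str) -> Tuple[str, str, str]:
    """Decode an AUTH PLAIN argument back into (authzid, authcid, passwd)."""
    parts = base64.b64decode(b64).decode("utf-8").split("\0")
    if len(parts) != 3:
        raise ValueError("SASL PLAIN message must contain exactly two NULs")
    return parts[0], parts[1], parts[2]


# AUTH LOGIN (the de-facto mechanism Outlook uses): the server sends
# "334 <base64>" challenges and the client answers each with base64 text.
AUTH_LOGIN_USERNAME_PROMPT = base64.b64encode(b"Username:").decode("ascii")  # VXNlcm5hbWU6
AUTH_LOGIN_PASSWORD_PROMPT = base64.b64encode(b"Password:").decode("ascii")  # UGFzc3dvcmQ6


def decode_auth_login_prompt(b64: str) -> str:
    """Decode a 334 AUTH LOGIN challenge; it is base64 text, not ciphertext."""
    return base64.b64decode(b64).decode("utf-8")


def auth_login_responses(user: str, passwd: str) -> Tuple[str, str]:
    """Client answers to the Username:/Password: prompts, each base64 encoded."""
    return (
        base64.b64encode(user.encode("utf-8")).decode("ascii"),
        base64.b64encode(passwd.encode("utf-8")).decode("ascii"),
    )


def may_send_auth(extensions: Dict[str, List[str]], tls_active: bool, mech: str) -> Tuple[bool, str]:
    """Decide whether the client should issue AUTH <mech> right now.

    Hypothetical client policy (not from the thread): PLAIN and LOGIN expose
    the password to anyone reading the stream, so send them only after
    STARTTLS has completed and the post-TLS EHLO reply has been parsed.
    """
    mechs = extensions.get("AUTH", [])
    if mech.upper() not in mechs:
        return False, f"server does not advertise AUTH {mech.upper()}"
    if not tls_active:
        if "STARTTLS" in extensions:
            return False, "issue STARTTLS first, then re-EHLO, then AUTH"
        return False, "no TLS available; refusing to send credentials in the clear"
    return True, "ok"


if __name__ == "__main__":
    ext = parse_ehlo(SAMPLE_EHLO_RESPONSE)
    print("advertised:", ext)
    print("AUTH PLAIN arg:", auth_plain_initial_response("alice", "s3cret"))
    print("334 prompt decodes to:", decode_auth_login_prompt(AUTH_LOGIN_USERNAME_PROMPT))
    print("before STARTTLS:", may_send_auth(ext, tls_active=False, mech="PLAIN"))
    print("after STARTTLS:", may_send_auth(ext, tls_active=True, mech="LOGIN"))
```

The check in `may_send_auth` is the one a hardened client performs: seeing AUTH advertised in the pre-TLS EHLO reply is not itself a problem, but sending the AUTH command before STARTTLS is, since both PLAIN and LOGIN carry the password in reversible base64.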