Re: [exim] AUTH advertised incorrectly - and STARTTLS comman…

Pàgina inicial
Aquest missatge és part del següent fil:
Ml'arbre de fils complet ordenat per data
M\Peter Bowyer en <-
MM 
Delete this message
Reply to this message
Autor: Phil Pennock
Data:  
A: Edward Harvey
CC: exim-users
Assumpte: Re: [exim] AUTH advertised incorrectly - and STARTTLS command used when not advertised
On 2010-08-12 at 09:20 -0400, Edward Harvey wrote:
> So here's what I learned: No, it's not bad for AUTH PLAIN to be displayed
> at this point. I was wrong in my understanding of how this flow would go.
> I mistakenly thought that TLS didn't begin until the STARTTLS command was
> given. But upon closer inspection, I telnet'd to the mail server, and saw
> in the logs that TLS had already begun before I even typed a single
> character. So naturally, when I run my first EHLO, the advertisement of
> AUTH PLAIN was present.

tls_on_connect_ports should only list the ports where you want immediate
SSL rather than STARTTLS. For compatibility with Outlook that will be
port 465 in most corporate setups.

> However, if I typed in AUTH PLAIN, and tried to submit a username/password
> unencrypted in plain text, the server was expecting something base64
> (which obviously I didn't type) and if I typed in AUTH LOGIN (after I
> enabled auth login) then the server sent me some encrypted characters.

AUTH PLAIN is three NUL-separated sections, which for the SMTP profile
is wrapped in Base 64. In practice the first will be empty, so it's
base64(<NUL>usercode<NUL>password).

> So the conclusion is: The server starts TLS in its own brain, before the
> client even requests it. However, the client cannot encrypt/decrypt any
> of that, until the client does the STARTTLS. And while TLS is running,

If the client is not expecting to be speaking TLS but the server is,
then you'll have a mismatch.

> only some specific fields are encrypted. Username/password, and even the
> username/password prompt are all encrypted. But not the "rcpt" and "from"
> and "data" commands and so forth.

Uhm, I think you have yourself thoroughly confused. SSL/TLS provide
stream protection and are agnostic when it comes to the protected
content.

> AUTH PLAIN is not sufficient to support Outlook. I managed to solve all
> of the above, by enabling AUTH LOGIN as well as AUTH PLAIN. Now
> everything works fine.

Outlook, unlike your testing with Telnet, will be using SSL to port 465,
and yes it requires AUTH LOGIN, which is just base64-wrapping of
Usercode/Password interactive login, rather than AUTH PLAIN. I believe
it also can support NTLM, which Exim supports with the SPA
authenticator. Pass-thru with this will not work though; if you can get
access to the mail password via LDAP then you could still support it.

-Phil

Aquest missatge es va enviar a les següents llistes de correu:
Exim-users
Informació sobre la llista de correu | Missatges propers		<-Re: [exim] AUTH advertised incorrectly - and STARTTLS command used when not advertisedRe: [exim] SMTP connection lost->
Tahini and Hummus and Cumin Development Archives administrat per cumin AdminsLurker (versió 2.3)