Author: Phil Pennock
Date:
To: Edward Harvey
CC: exim-users
Subject: Re: [exim] AUTH advertised incorrectly - and STARTTLS command used when not advertised
On 2010-08-12 at 09:20 -0400, Edward Harvey wrote:
> So here's what I learned: No, it's not bad for AUTH PLAIN to be displayed
> at this point. I was wrong in my understanding of how this flow would go.
> I mistakenly thought that TLS didn't begin until the STARTTLS command was
> given. But upon closer inspection, I telnet'd to the mail server, and saw
> in the logs that TLS had already begun before I even typed a single
> character. So naturally, when I run my first EHLO, the advertisement of
> AUTH PLAIN was present.
tls_on_connect_ports should only list the ports where you want immediate
SSL rather than STARTTLS. For compatibility with Outlook that will be
port 465 in most corporate setups.
> However, if I typed in AUTH PLAIN, and tried to submit a username/password
> unencrypted in plain text, the server was expecting something base64
> (which obviously I didn't type) and if I typed in AUTH LOGIN (after I
> enabled auth login) then the server sent me some encrypted characters.
AUTH PLAIN is three NUL-separated sections, which for the SMTP profile
is wrapped in Base 64. In practice the first will be empty, so it's
base64(<NUL>usercode<NUL>password).
> So the conclusion is: The server starts TLS in its own brain, before the
> client even requests it. However, the client cannot encrypt/decrypt any
> of that, until the client does the STARTTLS. And while TLS is running,
If the client is not expecting to be speaking TLS but the server is,
then you'll have a mismatch.
> only some specific fields are encrypted. Username/password, and even the
> username/password prompt are all encrypted. But not the "rcpt" and "from"
> and "data" commands and so forth.
Uhm, I think you have yourself thoroughly confused. SSL/TLS provide
stream protection and are agnostic when it comes to the protected
content.
> AUTH PLAIN is not sufficient to support Outlook. I managed to solve all
> of the above, by enabling AUTH LOGIN as well as AUTH PLAIN. Now
> everything works fine.
Outlook, unlike your testing with Telnet, will be using SSL to port 465,
and yes it requires AUTH LOGIN, which is just base64-wrapping of
Usercode/Password interactive login, rather than AUTH PLAIN. I believe
it also can support NTLM, which Exim supports with the SPA
authenticator. Pass-thru with this will not work though; if you can get
access to the mail password via LDAP then you could still support it.
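The following is an added example, not code from this thread or from Exim, that models the two mechanisms discussed above: AUTH PLAIN as base64(<NUL>usercode<NUL>password) and AUTH LOGIN as a base64-wrapped interactive Username:/Password: dialogue. It also shows why a plain-text line typed into AUTH PLAIN is rejected, and gates AUTH on TLS being active, as the EHLO discussion above describes. The credential store, the hostname mail.example.test and the exact reply wordings are constructed for the example and are not Exim's.

```python
import base64
import binascii

# Constructed credential store for this example only (not real accounts).
USERS = {"alice": "correct horse battery staple"}
NUL = "\x00"


def _b64(text: str) -> str:
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def _unb64(line: str) -> str:
    # validate=True makes a non-Base64 line (e.g. a password typed in the
    # clear into telnet) raise binascii.Error instead of being half-decoded.
    return base64.b64decode(line.strip(), validate=True).decode("utf-8")


def encode_auth_plain(username: str, password: str, authzid: str = "") -> str:
    """Client side: AUTH PLAIN initial response, authzid usually empty."""
    return _b64(f"{authzid}{NUL}{username}{NUL}{password}")


def decode_auth_plain(response: str) -> tuple:
    """Server side: split the decoded response into its three NUL-separated fields."""
    parts = _unb64(response).split(NUL)
    if len(parts) != 3:
        raise ValueError("AUTH PLAIN needs exactly three NUL-separated fields")
    return tuple(parts)  # (authzid, authcid, password)


def auth_login_client_replies(username: str, password: str) -> list:
    """Client side: the two lines a client sends in answer to the AUTH LOGIN prompts."""
    return [_b64(username), _b64(password)]


class SmtpAuthServer:
    """Minimal model of the post-EHLO AUTH dialogue (illustrative, not Exim)."""

    def __init__(self, tls_active: bool):
        self.tls_active = tls_active
        self.authenticated = None

    def ehlo(self) -> list:
        # Advertise AUTH only once the stream is protected; otherwise offer STARTTLS.
        lines = ["250-mail.example.test"]
        lines.append("250 AUTH PLAIN LOGIN" if self.tls_active else "250 STARTTLS")
        return lines

    def auth(self, command: str, client_lines: list) -> list:
        """Run one AUTH command plus the client's follow-up lines; return server replies."""
        if not self.tls_active:
            return ["503 5.5.1 AUTH not available before STARTTLS"]
        words = command.split()
        mech = words[1].upper() if len(words) > 1 else ""
        pending = list(client_lines)
        replies = []
        try:
            if mech == "PLAIN":
                if len(words) > 2:
                    initial = words[2]           # initial response on the AUTH line
                else:
                    replies.append("334 ")       # empty challenge, client sends it next
                    initial = pending.pop(0)
                _, user, passwd = decode_auth_plain(initial)
            elif mech == "LOGIN":
                # These "334" challenges are the base64 of "Username:" and "Password:";
                # they look like gibberish in telnet but are not encryption.
                replies.append("334 " + _b64("Username:"))
                user = _unb64(pending.pop(0))
                replies.append("334 " + _b64("Password:"))
                passwd = _unb64(pending.pop(0))
            else:
                return ["504 5.5.4 Unrecognized authentication type"]
        except (binascii.Error, UnicodeDecodeError, ValueError):
            replies.append("501 5.5.2 Invalid base64 data")
            return replies
        except IndexError:
            replies.append("501 5.5.2 Missing client response")
            return replies

        if USERS.get(user) == passwd:
            self.authenticated = user
            replies.append("235 2.7.0 Authentication succeeded")
        else:
            replies.append("535 5.7.8 Authentication credentials invalid")
        return replies


if __name__ == "__main__":
    srv = SmtpAuthServer(tls_active=True)
    print(srv.ehlo())
    print(srv.auth("AUTH PLAIN " + encode_auth_plain("alice", USERS["alice"]), []))
    print(SmtpAuthServer(True).auth("AUTH LOGIN", auth_login_client_replies("alice", USERS["alice"])))
    print(SmtpAuthServer(True).auth("AUTH PLAIN", ["alice password"]))  # typed in the clear
```

Running it shows the three outcomes from the discussion: a correctly wrapped AUTH PLAIN succeeds in one step, AUTH LOGIN produces the two base64 prompts before succeeding, and a clear-text line typed into AUTH PLAIN is refused because it is not valid Base64, which is exactly what a telnet session against a server expecting the encoded form will hit.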