A BUGNOTE has been added to this bug.
======================================================================
http://www.dbmail.org/mantis/bug_view_advanced_page.php?bug_id=0000237
======================================================================
Reported By: jnorell
Assigned To:
======================================================================
Project: DBMail
Bug ID: 237
Category: POP3 daemon
Reproducibility: always
Severity: minor
Priority: normal
Status: new
======================================================================
Date Submitted: 03-Aug-05 16:52 CEST
Last Modified: 16-Aug-05 00:38 CEST
======================================================================
Summary: pop3 AUTH should return -ERR
Description:
I ran across exactly the same issue mentioned in
http://twister.fastxs.net/pipermail/dbmail-dev/2004-May/003852.html
recently, while setting up an openwebmail installation,
so I did a bit of looking into it.
From rfc 1734:
    If the requested authentication mechanism is not supported, the
    server should reject the AUTH command by sending a negative
    response.
dbmail-pop3d doesn't support any AUTH mechanisms, so any requested
should return some -ERR (which 2.0.x and 2.1.x do, but not 1.2.x).
Nowhere does it allow an "AUTH" command without naming a mechanism,
so doing so should also return an -ERR. So in pop3.c, this section:
    case POP3_AUTH:
        {
            if (session->state != POP3_AUTHORIZATION_STATE)
                return pop3_error(session, stream,
                                  "-ERR wrong command mode, sir\r\n");
            /* if we get anything but the naked "auth" command,
             * we return an error */
            if (value != NULL)
                return pop3_error(session, stream,
                                  "-ERR unknown authorization mechanism\r\n");
            fprintf((FILE *) stream,
                    "+OK List of supported mechanisms\r\n"
                    "X-NONE-SO-USE-APOP\r\n.\r\n");
            return 1;
        }
should change to something more like:
    case POP3_AUTH:
        {
            if (session->state != POP3_AUTHORIZATION_STATE)
                return pop3_error(session, stream,
                                  "-ERR wrong command mode, sir\r\n");
            fprintf((FILE *) stream,
                    "-ERR AUTH command not supported.\r\n");
            return 1;
        }
1.2.x source is almost that already, just need to change the
+OK message to the above -ERR message. That should fix
openwebmail and probably some others.
======================================================================
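Added example (not part of the bug report or of the DBMail source): a small C model of why the multi-line +OK reply to a bare AUTH can leave a client out of step with the server, while the single-line -ERR cannot. The one-line-per-command client and the USER/PASS reply texts are assumptions made for the illustration; only the two AUTH replies come from the report.

```c
#include <stdio.h>
#include <string.h>

/* Constructed transcripts: the lines the server sends after the greeting when
 * the client issues bare AUTH, then USER, then PASS. The AUTH reply text is
 * from the report; the USER/PASS replies are invented for this example. */
static const char *old_server[] = {
    "+OK List of supported mechanisms", "X-NONE-SO-USE-APOP", ".",
    "+OK password required", "+OK logged in", NULL };
static const char *new_server[] = {
    "-ERR AUTH command not supported.",
    "+OK password required", "+OK logged in", NULL };

enum status { ST_OK, ST_ERR, ST_GARBAGE };

/* Classify a reply line by its status indicator only (RFC 1939). */
static enum status classify(const char *line)
{
    if (strncmp(line, "+OK", 3) == 0) return ST_OK;
    if (strncmp(line, "-ERR", 4) == 0) return ST_ERR;
    return ST_GARBAGE;
}

/* Hypothetical client: consumes exactly one line per command and falls back
 * to USER/PASS whatever AUTH answered. Returns the index (0=AUTH, 1=USER,
 * 2=PASS) of the first command whose "reply" is not a status line, or -1
 * if every command was answered with +OK or -ERR. */
int first_desync(const char **server)
{
    for (int cmd = 0; cmd < 3; cmd++) {
        if (server[cmd] == NULL || classify(server[cmd]) == ST_GARBAGE)
            return cmd;
    }
    return -1;
}

/* Status the client believes PASS returned, i.e. its view of login success. */
int pass_status(const char **server) { return classify(server[2]); }

int main(void)
{
    printf("old reply: first desync at command %d\n", first_desync(old_server));
    printf("new reply: first desync at command %d\n", first_desync(new_server));
    return 0;
}
```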
----------------------------------------------------------------------
ilja - 15-Aug-05 13:24 CEST
----------------------------------------------------------------------
The RFC does indeed state that a bare AUTH command without any parameters
isn't valid and should return a -ERR response. However, from looking
around for some info, I've found that MS Outlook does use AUTH to get a
list of authentication mechanisms that the server supports.
What is the problem with keeping the code as it is?
Ilja
----------------------------------------------------------------------
jnorell - 16-Aug-05 00:38 CEST
----------------------------------------------------------------------
The problem is dbmail's non-compliant behavior breaks some
clients (not surprising). It's unusable for openwebmail
(which I would argue is almost as much openwebmail's fault
for its method of processing POP3 responses), and the
same issue came up in the past with netscape (where a
colleague just patched his source locally and didn't file
a bug .. was in 2.0 series).
dbmail returning -ERR there is the right thing to do,
which itself is enough to fix it in my opinion, and
should not cause a problem with Outlook's non-compliant
behavior.
Bug History
Date Modified    Username  Field  Change
======================================================================
03-Aug-05 16:52  jnorell   New Bug
15-Aug-05 13:24  ilja      Bugnote Added: 0000824
16-Aug-05 00:38  jnorell   Bugnote Added: 0000825
======================================================================