Hello Davide

For security reasons, we would force all of our customers to use AUTH during
outgoing smtp transactions to enable relay on our xmail server. Actually any
Outlook/OutlookExpress/Thunderbird/... client works fine using AUTH method.

On customers' sites using servers we use the client ip as the 'auth' to relay
or not. Doing so is a problem as any computer beside this ip (generally
natted) has 'relay' allowed !
It is BAD :( so we want to force auth on any client so only the 'good' auth
senders will be allowed (and optionally resolve the variable ip problem on
client side, in case of unmanaged change ...).

Seems there is a problem when the client side is an Exchange server 2003
configured to 'auth' when connecting to the smarthost/gateway (our xmail
server). Configuration is ok in both cases, BUT Exchange smtp 'client' AND
xmail smtp server report 'AUTH FAIL'.

Searching the web and reading the rfc, xmail seems to have a problem with
the 'optional initial client parameter' as part of the 'AUTH LOGIN' command.

In fact, Exchange uses this 'optional parameter' to give the login name to
use when doing AUTH LOGIN (values and parameters in braces are 'base64', not
shown here. C = exchange client, S = xmail server). The resulting transcript
of the dialog between the exchange 'client' and xmail 'server' is:

 C1 : AUTH LOGIN {the_user_email}
 S2 : 334 {Username:}
 C3 : {the_user_password}
 S4 : 334 {Password:}
 C5 : {the_user_password}
 S6 : 503 Authentication failed

As you see Exchange puts the login directly as part of the AUTH LOGIN
command, as permitted by RFC.
As per RFC (if correctly read ;-) ) the correct complete sequence when the
smtp client adds the 'optional initial client parameter' should be:

 C1 : AUTH LOGIN {the_user_email}
 S4 : 334 {Password:}
 C5 : {the_user_password}
 S6 : 235 Hey :) I'M HAPPY :)

Exchange-Xmail session explanation: the Exchange server, using the 'initial
client parameter', assumes that the S2 "334" response from xmail is in fact
the S4 response, because the server side must go to the S4 response assuming
the S2/C3 sequence is implied by the provision of the C3 response in the C1
command. Outch ! Ouf :)

Part of the RFC 2554 explaining this 'optional arg usage' in the auth
command :
" The optional initial-response argument to the AUTH command is used to save
a round trip when using authentication mechanisms that are defined to send
no data in the initial challenge. When the initial-response argument is used
with such a mechanism, the initial empty challenge is not sent to the client
and the server uses the data in the initial-response argument as if it were
sent in response to the empty challenge. "

Davide, could you help ?
Am I right or not ? xmail bug or exchange bug ?

Francis
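To make the two dialogs above concrete, here is an added Python model of the server-side AUTH LOGIN state machine, written for this page and not taken from XMail or Exchange. A server built with honor_initial_response=True follows the RFC 2554 text quoted in the mail (the AUTH argument answers the skipped Username: challenge); honor_initial_response=False models a server that ignores the argument, and driving it with an Exchange-style client reproduces the failing six-line transcript. The credentials, the function names (AuthLoginServer, exchange_style_client, run_dialog) and the use of the RFC's 535 reply instead of the 503 the real xmail returned are all assumptions of this example.

```python
import base64

# Constructed demo credential for the example, not a real account.
USERS = {"user@example.com": "s3cret-pw"}


def b64(text):
    return base64.b64encode(text.encode()).decode()


def unb64(text):
    return base64.b64decode(text.encode()).decode()


class AuthLoginServer:
    """Server side of SMTP AUTH LOGIN (hypothetical model for this example).

    honor_initial_response=True follows RFC 2554: an argument on the AUTH
    line is taken as the answer to the (skipped) Username: challenge.
    honor_initial_response=False models a server that ignores the argument
    and always issues the Username: challenge first.
    """

    def __init__(self, users, honor_initial_response=True):
        self.users = users
        self.honor_initial_response = honor_initial_response
        self.state = "idle"
        self.username = None

    def handle(self, line):
        if self.state == "idle":
            parts = line.split()
            if len(parts) < 2 or [p.upper() for p in parts[:2]] != ["AUTH", "LOGIN"]:
                return "504 Unrecognized authentication type"
            if len(parts) == 3 and self.honor_initial_response:
                # Initial response present: use it as the username and go
                # straight to the Password: challenge (saves one round trip).
                self.username = unb64(parts[2])
                self.state = "want_password"
                return "334 " + b64("Password:")
            # No initial response, or a server that ignores it: ask for the username.
            self.state = "want_username"
            return "334 " + b64("Username:")
        if self.state == "want_username":
            self.username = unb64(line)
            self.state = "want_password"
            return "334 " + b64("Password:")
        if self.state == "want_password":
            password = unb64(line)
            ok = self.users.get(self.username) == password
            self.state, self.username = "idle", None
            # RFC 2554 uses 535 for bad credentials; the xmail in the mail replied 503.
            return "235 Authentication successful" if ok else "535 Authentication failed"
        return "503 Bad sequence of commands"


def exchange_style_client(server, user, password):
    """Client that sends the username as the initial response and then
    answers every following 334 challenge with the password, as the
    Exchange behaviour described in the mail does."""
    transcript = []

    def send(line):
        reply = server.handle(line)
        transcript.append(("C", line))
        transcript.append(("S", reply))
        return reply

    reply = send("AUTH LOGIN " + b64(user))
    while reply.startswith("334"):
        reply = send(b64(password))
    return reply, transcript


def run_dialog(honor_initial_response):
    """Run one AUTH LOGIN exchange; returns (final server reply, transcript)."""
    server = AuthLoginServer(USERS, honor_initial_response)
    return exchange_style_client(server, "user@example.com", "s3cret-pw")


if __name__ == "__main__":
    for honor in (True, False):
        reply, transcript = run_dialog(honor)
        print(f"server honors initial response: {honor}")
        for who, line in transcript:
            print(f"  {who}: {line}")
        print("  result:", reply)
```

Running it prints the four-line dialog ending in 235 for the RFC-conformant server and, for the server that ignores the argument, the six-line dialog from the mail: the password is consumed as the username at C3 and the check fails at S6.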