The following bug has been SUBMITTED.
======================================================================
http://www.dbmail.org/mantis/bug_view_advanced_page.php?bug_id=0000237
======================================================================
Reported By:                jnorell
Assigned To:                
======================================================================
Project:                    DBMail
Bug ID:                     237
Category:                   POP3 daemon
Reproducibility:            always
Severity:                   minor
Priority:                   normal
Status:                     new
======================================================================
Date Submitted:             03-Aug-05 16:52 CEST
Last Modified:              03-Aug-05 16:52 CEST
======================================================================
Summary:                    pop3 AUTH should return -ERR
Description: 
I ran across exactly the same issue mentioned in
http://twister.fastxs.net/pipermail/dbmail-dev/2004-May/003852.html
recently, while setting up an openwebmail installation,
so I did a bit of looking into it.

From RFC 1734:

             If the requested 
             authentication mechanism is not supported, the server
             should reject the AUTH command by sending a negative
             response.

dbmail-pop3d doesn't support any AUTH mechanisms, so any requested
should return some -ERR (which 2.0.x and 2.1.x do, but not 1.2.x).
Nowhere does it allow an "AUTH" command without naming a mechanism,
so doing so should also return an -ERR.  So in pop3.c, this section:

        case POP3_AUTH:
                {
                        if (session->state != POP3_AUTHORIZATION_STATE)
                                return pop3_error(session, stream,
                                                  "-ERR wrong command mode, sir\r\n");
                        /* if we get anything but the naked "auth" command,
                         * we return an error */
                        if (value != NULL)
                                return pop3_error(session, stream,
                                                  "-ERR unknown authorization mechanism\r\n");
                        
                        fprintf((FILE *) stream,
                                "+OK List of supported mechanisms\r\n"
                                "X-NONE-SO-USE-APOP\r\n.\r\n");
                        return 1;
                }

should change to something more like:

        case POP3_AUTH:
                {
                        if (session->state != POP3_AUTHORIZATION_STATE)
                                return pop3_error(session, stream,
                                                  "-ERR wrong command mode, sir\r\n");
                        fprintf((FILE *) stream,
                                "-ERR AUTH command not supported.\r\n");
                        return 1;
                }


1.2.x source is almost that already, just need to change the
+OK message to the above -ERR message.  That should fix
openwebmail and probably some others.
======================================================================

Bug History
Date Modified  Username       Field                    Change              
======================================================================
03-Aug-05 16:52 jnorell       New Bug                                      
======================================================================
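
Added example (not DBMail or openwebmail code): how a client that probes with a bare AUTH might parse the two replies quoted in the report. The helper `parse_auth_reply` and its size limits are hypothetical, and the assumption is a client that reads a "+OK" multi-line reply as a list of mechanism names; the reply strings are the ones in the pop3.c snippets above.

```c
#include <stdio.h>
#include <string.h>

#define MAX_MECHS 8
#define MECH_LEN  32

/* Hypothetical client-side helper: parse the reply to an AUTH probe.
 * Returns -1 for -ERR or a malformed reply, else the number of
 * mechanism names in a "+OK" multi-line reply terminated by ".". */
int parse_auth_reply(const char *reply, char mechs[MAX_MECHS][MECH_LEN])
{
    int count = 0, first = 1;
    const char *p = reply;

    while (*p) {
        const char *eol = strstr(p, "\r\n");
        size_t len;
        if (eol == NULL)
            return -1;              /* line is not CRLF-terminated */
        len = (size_t)(eol - p);
        if (first) {
            if (strncmp(p, "+OK", 3) != 0)
                return -1;          /* negative response: use USER/PASS or APOP */
            first = 0;
        } else if (len == 1 && p[0] == '.') {
            return count;           /* end of the multi-line reply */
        } else if (len > 0 && len < MECH_LEN && count < MAX_MECHS) {
            memcpy(mechs[count], p, len);
            mechs[count][len] = '\0';
            count++;
        }
        p = eol + 2;
    }
    return -1;                      /* terminating "." never arrived */
}

int main(void)
{
    /* Reply strings as they appear in the two pop3.c snippets. */
    const char *old_reply = "+OK List of supported mechanisms\r\n"
                            "X-NONE-SO-USE-APOP\r\n.\r\n";
    const char *new_reply = "-ERR AUTH command not supported.\r\n";
    char mechs[MAX_MECHS][MECH_LEN];

    printf("old reply: %d mechanism(s)\n", parse_auth_reply(old_reply, mechs));
    printf("new reply: %d\n", parse_auth_reply(new_reply, mechs));
    return 0;
}
```

With the first reply the helper reports one advertised mechanism, X-NONE-SO-USE-APOP; with the proposed -ERR reply it reports a negative response.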
