A BUGNOTE has been added to this bug.
======================================================================
http://www.dbmail.org/mantis/bug_view_advanced_page.php?bug_id=0000237
======================================================================
Reported By:                jnorell
Assigned To:
======================================================================
Project:                    DBMail
Bug ID:                     237
Category:                   POP3 daemon
Reproducibility:            always
Severity:                   minor
Priority:                   normal
Status:                     new
======================================================================
Date Submitted:             03-Aug-05 16:52 CEST
Last Modified:              16-Aug-05 16:43 CEST
======================================================================
Summary:                    pop3 AUTH should return -ERR
Description:
I ran across exactly the same issue mentioned in
http://twister.fastxs.net/pipermail/dbmail-dev/2004-May/003852.html
recently, while setting up an openwebmail installation, so I did a bit of
looking into it.

From RFC 1734:

    If the requested authentication mechanism is not supported, the
    server should reject the AUTH command by sending a negative response.

dbmail-pop3d doesn't support any AUTH mechanisms, so any requested should
return some -ERR (which 2.0.x and 2.1.x do, but not 1.2.x). Nowhere does it
allow an "AUTH" command without naming a mechanism, so doing so should also
return an -ERR.

So in pop3.c, this section:

    case POP3_AUTH:
        {
            if (session->state != POP3_AUTHORIZATION_STATE)
                return pop3_error(session, stream,
                                  "-ERR wrong command mode, sir\r\n");
            /* if we get anything but the naked "auth" command,
             * we return an error */
            if (value != NULL)
                return pop3_error(session, stream,
                                  "-ERR unknown authorization mechanism\r\n");
            fprintf((FILE *) stream,
                    "+OK List of supported mechanisms\r\n"
                    "X-NONE-SO-USE-APOP\r\n.\r\n");
            return 1;
        }

should change to something more like:

    case POP3_AUTH:
        {
            if (session->state != POP3_AUTHORIZATION_STATE)
                return pop3_error(session, stream,
                                  "-ERR wrong command mode, sir\r\n");
            fprintf((FILE *) stream,
                    "-ERR AUTH command not supported.\r\n");
            return 1;
        }

1.2.x source is almost that already, just need to change the +OK message to
the above -ERR message.

That should fix openwebmail and probably some others.
======================================================================

----------------------------------------------------------------------
 ilja - 15-Aug-05 13:24 CEST
----------------------------------------------------------------------
The RFC does indeed state that a bare AUTH command without any parameters
isn't valid and should return a -ERR response. However, from looking around
for some info, I've found that MS Outlook does use AUTH to get a list of
authentication mechanisms that the server supports.

What is the problem with keeping the code as it is?

Ilja

----------------------------------------------------------------------
 jnorell - 16-Aug-05 00:38 CEST
----------------------------------------------------------------------
The problem is dbmail's non-compliant behavior breaks some clients (not
surprising). It's unusable for openwebmail (which I would argue is almost as
much openwebmail's fault for its method of processing POP3 responses), and
the same issue came up in the past with netscape (where a colleague just
patched his source locally and didn't file a bug .. was in 2.0 series).

dbmail returning -ERR there is the right thing to do, which itself is enough
to fix it in my opinion, and should not cause a problem with Outlook's
non-compliant behavior.

----------------------------------------------------------------------
 ilja - 16-Aug-05 10:14 CEST
----------------------------------------------------------------------
Before changing this behaviour, we should test if it still works for Outlook
then. Although Outlook's behaviour isn't right according to the RFC, we
shouldn't break it. If it doesn't break Outlook, I see no reason to keep the
code as it is.

Anyway, I don't have Outlook here, can anybody test this?

----------------------------------------------------------------------
 ilja - 16-Aug-05 10:54 CEST
----------------------------------------------------------------------
I've attached a file (pop3.diff) with the diff that should be applied to
change this behaviour

----------------------------------------------------------------------
 jnorell - 16-Aug-05 16:43 CEST
----------------------------------------------------------------------
I patched our pop3 daemons about 2 weeks back, when I filed this bug, and our
userbase is probably 85+% Outlook Express, and I'd guess maybe 5-10% Outlook,
and I've heard no complaints. This is how ours reports:

    $ telnet mail.kci.net 110
    Trying 64.187.64.9...
    Connected to mail1.kci.net.
    Escape character is '^]'.
    +OK DBMAIL pop3 server ready to rock <[EMAIL PROTECTED]>
    AUTH
    -ERR AUTH not supported, use USER or APOP
    quit
    +OK see ya later
    Connection closed by foreign host.

Bug History
Date Modified   Username       Field                    Change
======================================================================
03-Aug-05 16:52 jnorell        New Bug
15-Aug-05 13:24 ilja           Bugnote Added: 0000824
16-Aug-05 00:38 jnorell        Bugnote Added: 0000825
16-Aug-05 10:14 ilja           Bugnote Added: 0000826
16-Aug-05 10:53 ilja           File Added: pop3.diff
16-Aug-05 10:54 ilja           Bugnote Added: 0000827
16-Aug-05 16:43 jnorell        Bugnote Added: 0000829
======================================================================
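
An added example, not part of the bug report or the DBMail source: a C check that classifies a server's raw reply to AUTH as the single-line negative response RFC 1734 asks for, or as the multi-line +OK listing the report objects to. The enum and function names are hypothetical; the two sample replies are the strings quoted in the thread, with CRLF line endings.

```c
#include <stdio.h>
#include <string.h>

/* Shape of a raw reply to AUTH (enum and function names are hypothetical). */
enum auth_reply {
    AUTH_REPLY_NEGATIVE, /* exactly one "-ERR ...\r\n" line */
    AUTH_REPLY_LISTING,  /* "+OK ..." plus a list terminated by ".\r\n" */
    AUTH_REPLY_OTHER     /* anything else, including truncated input */
};

/* Replies quoted in the thread, written with CRLF line endings. */
static const char OLD_REPLY[] =
    "+OK List of supported mechanisms\r\nX-NONE-SO-USE-APOP\r\n.\r\n";
static const char PROPOSED_REPLY[] = "-ERR AUTH command not supported.\r\n";

/* True when line one starts with keyword kw followed by a space or nothing. */
static int has_status(const char *buf, size_t line_len, const char *kw)
{
    size_t n = strlen(kw);
    return line_len >= n && memcmp(buf, kw, n) == 0 &&
           (line_len == n || buf[n] == ' ');
}

enum auth_reply classify_auth_reply(const char *buf, size_t len)
{
    size_t i, first = 0; /* first = length of line one including its CRLF */
    for (i = 0; i + 1 < len && first == 0; i++)
        if (buf[i] == '\r' && buf[i + 1] == '\n')
            first = i + 2;
    if (first == 0)
        return AUTH_REPLY_OTHER; /* no complete line received */

    /* A negative response is a single line with nothing after it. */
    if (has_status(buf, first - 2, "-ERR"))
        return first == len ? AUTH_REPLY_NEGATIVE : AUTH_REPLY_OTHER;
    /* A listing continues past line one and ends with CRLF "." CRLF. */
    if (has_status(buf, first - 2, "+OK") && len > first &&
        memcmp(buf + len - 5, "\r\n.\r\n", 5) == 0)
        return AUTH_REPLY_LISTING;
    return AUTH_REPLY_OTHER;
}

int main(void)
{
    printf("old=%d proposed=%d\n",
           classify_auth_reply(OLD_REPLY, sizeof OLD_REPLY - 1),
           classify_auth_reply(PROPOSED_REPLY, sizeof PROPOSED_REPLY - 1));
    return 0;
}
```

A regression test for the daemon can feed the bytes captured after sending AUTH to classify_auth_reply and fail on anything other than AUTH_REPLY_NEGATIVE.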