> From: Edward Harvey [mailto:[email protected]]
> Sent: Wednesday, August 11, 2010 2:29 PM
>
> Here's the symptom:
> My client connects, and EHLO's.
> The response includes "STARTTLS" which is good.
> The response includes "AUTH PLAIN" which is bad.
So here's what I learned: No, it's not bad for AUTH PLAIN to be displayed at this point. I was wrong in my understanding of how this flow would go. I mistakenly thought that TLS didn't begin until the STARTTLS command was given.

But upon closer inspection, I telnet'd to the mail server, and saw in the logs that TLS had already begun before I even typed a single character. So naturally, when I ran my first EHLO, the advertisement of AUTH PLAIN was present. However, if I typed in AUTH PLAIN and tried to submit a username/password unencrypted in plain text, the server was expecting something base64 (which obviously I didn't type), and if I typed in AUTH LOGIN (after I enabled AUTH LOGIN) then the server sent me some encrypted characters.

So the conclusion is: The server starts TLS in its own brain, before the client even requests it. However, the client cannot encrypt/decrypt any of that until the client does the STARTTLS. And while TLS is running, only some specific fields are encrypted. Username/password, and even the username/password prompt, are all encrypted. But not the "rcpt" and "from" and "data" commands and so forth.

And finally: AUTH PLAIN is not sufficient to support Outlook. I managed to solve all of the above by enabling AUTH LOGIN as well as AUTH PLAIN. Now everything works fine.

-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
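The exchange discussed in this thread, as an added example that is not part of the original message or of Exim: a toy ESMTP state machine that either advertises AUTH on the cleartext EHLO (the symptom in the quoted post) or only once STARTTLS has completed, together with the encodings AUTH PLAIN and AUTH LOGIN actually use. The "encrypted characters" a server sends after AUTH LOGIN are the 334 challenges from RFC 4954, which are plain base64 of "Username:" and "Password:", and AUTH PLAIN expects base64 of "authzid NUL authcid NUL password" (RFC 4616); a telnet session typing a literal username therefore fails as malformed base64, not because TLS is in effect. The hostnames, the "go ahead" banner text and the credentials are constructed for the example; no real network connection or TLS handshake takes place.

```python
"""Simulated ESMTP STARTTLS/AUTH exchange (constructed example, not a real
Exim session). Shows how AUTH PLAIN and AUTH LOGIN encode credentials and
why AUTH should be advertised only after STARTTLS has completed."""
import base64


def auth_plain_payload(username: str, password: str, authzid: str = "") -> str:
    """RFC 4616 PLAIN: authzid NUL authcid NUL password, base64-encoded."""
    raw = f"{authzid}\0{username}\0{password}".encode()
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(payload: str) -> tuple:
    """Inverse of auth_plain_payload; raises ValueError on malformed input."""
    authzid, authcid, password = base64.b64decode(payload).decode().split("\0")
    return authzid, authcid, password


def auth_login_challenge(prompt: str) -> str:
    """AUTH LOGIN sends '334 ' + base64(prompt). The prompt is 'Username:' or
    'Password:'; the base64 is what looks like ciphertext on a telnet session."""
    return base64.b64encode(prompt.encode()).decode("ascii")


class ToyServer:
    """Minimal ESMTP capability/auth state machine (constructed, not Exim)."""

    def __init__(self, advertise_auth_before_tls: bool):
        self.tls = False
        self.weak = advertise_auth_before_tls  # True reproduces the symptom
        self.creds = None

    def ehlo(self) -> list:
        caps = ["250-mail.example.test", "250-SIZE 52428800"]
        if not self.tls:
            caps.append("250-STARTTLS")  # offered only on the cleartext channel
        if self.tls or self.weak:
            caps.append("250-AUTH PLAIN LOGIN")
        caps.append("250 HELP")
        return caps

    def starttls(self) -> str:
        if self.tls:
            return "503 TLS already active"
        self.tls = True  # in a real session the TLS handshake happens here
        return "220 TLS go ahead"

    def auth_plain(self, payload: str) -> str:
        if not self.tls and not self.weak:
            return "503 AUTH command used when not advertised"
        try:
            _, user, password = decode_auth_plain(payload)
        except (ValueError, UnicodeDecodeError):
            return "501 Invalid base64 data"  # e.g. a literal username typed in
        self.creds = (user, password)
        return "235 Authentication succeeded"


def client_session(server: ToyServer, user: str, password: str) -> list:
    """Client that sends credentials only after STARTTLS succeeded, even if the
    server advertised AUTH on the cleartext channel. Returns the transcript."""
    transcript = ["C: EHLO client.example.test"]
    caps = server.ehlo()
    transcript += [f"S: {c}" for c in caps]
    if any("AUTH" in c for c in caps) and not server.tls:
        transcript.append("C: (AUTH offered before TLS; refusing to use it)")
    if "250-STARTTLS" in caps:
        transcript.append("C: STARTTLS")
        transcript.append(f"S: {server.starttls()}")
        transcript.append("C: EHLO client.example.test")  # EHLO again after TLS
        transcript += [f"S: {c}" for c in server.ehlo()]
    if server.tls:
        payload = auth_plain_payload(user, password)
        transcript.append(f"C: AUTH PLAIN {payload}")
        transcript.append(f"S: {server.auth_plain(payload)}")
    return transcript


if __name__ == "__main__":
    print("\n".join(client_session(ToyServer(advertise_auth_before_tls=False),
                                   "alice", "s3cret")))
```

Running the module prints the full two-EHLO transcript: STARTTLS is the only extension that disappears after the handshake, and AUTH appears only in the second EHLO response. Constructing `ToyServer(advertise_auth_before_tls=True)` reproduces the quoted symptom, an EHLO that lists both STARTTLS and AUTH PLAIN on the cleartext channel, which is what a server-side rule of "advertise AUTH only when a cipher is in use" prevents.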
