Hi postfix users, I'm trying to understand how postfix compiles the SASL AUTH mechanism list order, in its AUTH response to EHLO.
I have some MTAs which are configured identically, but which give different responses to EHLO, as follows:

    Connected to: MTA1:25
    220 MTA1 ESMTP
    EHLO smtp-auth-test
    250-PIPELINING
    250-SIZE 52428800
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250 8BITMIME
    AUTH PLAIN AMadeUpBase64String=
    235 2.0.0 Authentication successful
    QUIT
    221 2.0.0 Bye

    Connected to: MTA2:25
    220 MTA2 ESMTP
    EHLO smtp-auth-test
    250-PIPELINING
    250-SIZE 52428800
    250-ETRN
    250-STARTTLS
    250-AUTH LOGIN PLAIN
    250-AUTH=LOGIN PLAIN
    250-ENHANCEDSTATUSCODES
    250 8BITMIME
    AUTH PLAIN AMadeUpBase64String=
    235 2.0.0 Authentication successful
    QUIT
    221 2.0.0 Bye

I used "diff" to confirm that the output of "postconf -n" on both MTAs is identical. The mech_list setting in smtpd.conf reads "mech_list: PLAIN LOGIN" on all of the MTAs, but my example MTAs order the AUTH mechanisms differently in the EHLO response, like so (note that this appears random across our MTA infrastructure - it's not just the odd one):

    MTA1 lists "AUTH PLAIN LOGIN"
    MTA2 lists "AUTH LOGIN PLAIN"

Obviously, this shouldn't be a problem, because any decent email client would choose the mechanism which it supports from the provided list (much like my test script above (which prefers PLAIN to LOGIN)).
However, there are some users who are using decrepit email client software, which just uses the first mechanism presented in the list and which also has a problem with AUTH PLAIN, as it splits the AUTH command onto multiple lines, essentially breaking the username/password string, like this:

Good Client (most modern email clients):

    AUTH PLAIN AMadeUpBase64String=
    235 2.0.0 Authentication successful

Bad Client (most notably Turnpike):

    AUTH PLAIN AMadeUpBas
    e64String=
    535 5.7.0 Error: authentication failed: bad protocol / cancel

I feel that I can safely tell our Turnpike-using customer that our MTA systems are not at fault, but I'd really like to understand how the list is ordered by postfix, so that I can answer their inevitable questions with some authority.

Kind Regards,
--
Chris Phillips
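
Added example, not part of the original post and not Postfix or Turnpike code: a minimal sketch of the two client behaviours the message contrasts, run against EHLO replies constructed from the two transcripts quoted above. The function names and the preference list are assumptions made for illustration.

```python
# Constructed sample input: the EHLO reply lines quoted in the post for MTA1.
MTA1_EHLO = """\
250-PIPELINING
250-SIZE 52428800
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250 8BITMIME"""

# MTA2 differs only in the order of the two mechanisms.
MTA2_EHLO = MTA1_EHLO.replace("PLAIN LOGIN", "LOGIN PLAIN")


def advertised_mechanisms(ehlo_reply):
    """Return AUTH mechanisms in server order, merging 'AUTH ' and 'AUTH=' lines."""
    mechs = []
    for line in ehlo_reply.splitlines():
        # Accept only "250-" continuation lines and the final "250 " line.
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            continue
        keyword = line[4:].strip().upper()
        if keyword.startswith("AUTH ") or keyword.startswith("AUTH="):
            for mech in keyword[5:].split():
                if mech not in mechs:
                    mechs.append(mech)
    return mechs


def choose_mechanism(ehlo_reply, client_preference):
    """Pick by the client's own preference order, ignoring server order."""
    offered = set(advertised_mechanisms(ehlo_reply))
    for mech in client_preference:
        if mech in offered:
            return mech
    return None  # no mechanism in common


def first_listed(ehlo_reply):
    """The behaviour described for the old client: take whatever is listed first."""
    mechs = advertised_mechanisms(ehlo_reply)
    return mechs[0] if mechs else None


if __name__ == "__main__":
    for name, reply in (("MTA1", MTA1_EHLO), ("MTA2", MTA2_EHLO)):
        print(name, "preference-based:", choose_mechanism(reply, ["PLAIN", "LOGIN"]),
              "| first-listed:", first_listed(reply))
```

A client that selects by its own preference gets the same mechanism from both MTAs, while a client that takes the first entry gets a different one depending on which MTA it reaches.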
