Michael Holzt wrote:
AUTH LOGIN is not specified by any RFC. However it is used with two
parameters (also called responses in the nomenclature of SMTP AUTH):

AUTH PLAIN is also wrongly implemented. AUTH PLAIN is specified in
RFC2595. It takes only one response, and the response has the syntax
"Authorization ID\0Authentication ID\0Password". So the first token
is _not_ a password hash as suggested by the qpsmtpd code but the
userid to login as.

I found this site which discusses all of these issues:

        http://www.fehcom.de/qmail/smtpauth.html

(I wish I'd found this when I was working on auth in the first place). I think your patch is correct with regard to AUTH LOGIN in that ESMTP would normally allow the username (the first term) to be included with the initial command (AUTH LOGIN), but I cannot find an authoritative source for this. I seem to recall that AUTH LOGIN was originally written for some [now obscure] MTA, which is why it isn't documented in the RFCs, and hence everyone supports it in their own fashion.

I'm applying this (with a few tweaks because of a patch from Charlie Brady to validate the AUTH input, which I've abstracted further).

NOTE: In the future, please send patches relative to the project root dir (i.e. against lib/Qpsmtpd/Auth.pm in this case) since it is much easier to apply then test without figuring out where I should be patching.

Thanks

John
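Decoding both mechanisms as the thread describes them, as an added example in Python (not qpsmtpd's own Perl code): AUTH PLAIN takes one response with the RFC 2595 layout "authzid NUL authcid NUL password", so the first field is the user id to act as rather than a password hash; AUTH LOGIN optionally takes the username on the command line and the rest in later responses. The "Username:"/"Password:" challenge strings are the usual convention and are assumed here, since no RFC fixes them.

```python
import base64
import binascii
from typing import List, Optional, Tuple


def b64(text: str) -> str:
    """Base64-encode a UTF-8 string, as SMTP AUTH clients send it."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def _decode(line: str) -> bytes:
    try:
        return base64.b64decode(line, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("client line is not valid base64") from exc


def parse_auth_plain(response: str) -> Tuple[str, str, str]:
    """Decode the single AUTH PLAIN response (RFC 2595 layout):
    base64( authorization-id NUL authentication-id NUL password ).
    The first field is a user id to act as, never a password hash; when
    it is empty the client wants to act as the authenticated user."""
    parts = _decode(response).split(b"\0")
    if len(parts) != 3:
        raise ValueError("AUTH PLAIN needs exactly two NUL separators")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    if not authcid or not password:
        raise ValueError("authentication id and password must be non-empty")
    return (authzid or authcid, authcid, password)


def auth_login(initial: Optional[str], client_lines: List[str]) -> Tuple[str, str]:
    """Run the server side of AUTH LOGIN. `initial` is the optional base64
    username given on the AUTH LOGIN command line; `client_lines` are the
    later client responses, consumed as the server issues each challenge.
    The challenges themselves ("334 VXNlcm5hbWU6" = "Username:",
    "334 UGFzc3dvcmQ6" = "Password:") are convention, not RFC-specified."""
    pending = list(client_lines)

    def next_line() -> str:
        if not pending:
            raise ValueError("client ended AUTH LOGIN early")
        return _decode(pending.pop(0)).decode("utf-8")

    username = _decode(initial).decode("utf-8") if initial else next_line()
    password = next_line()
    if not username or not password:
        raise ValueError("empty username or password")
    return username, password
```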
