Summary: qpsmtpd tries to get authentication information for methods for which it has no registered hooks.

From section 4 of the SMTP AUTH RFC (http://www.faqs.org/rfcs/rfc2554.html): "If the requested authentication mechanism is not supported, the server rejects the AUTH command with a 504 reply." ...

This behavior is worsened by SMTP clients that do not read the "250 AUTH" string they get on EHLO and proceed to try their favorite login mechanism anyway (the version of Versamail my boss has exhibits this behavior, of course ;) ). So this isn't just a patch to make sure qpsmtpd adheres to the RFC; in the latter case this behavior can lead to misleading/wrong error messages for end users ("login failure" instead of "authentication method not supported").

How to reproduce: Comment out the calls to register_hook for your least favorite authentication method in any active authentication plugin(s)' register sub, then try to authenticate with it. You will see something like the below:

220 my.host.com ESMTP qpsmtpd 0.32 ready; send us your mail, but not your spam.
ehlo localhost
250-my.host.com Hi localhost [127.0.0.1]
250-PIPELINING
250-8BITMIME
250 AUTH CRAM-MD5
auth plain dXNlcgB1c2VyAHBhc3M=
535 Authentication failed for user

220 my.host.com ESMTP qpsmtpd 0.32 ready; send us your mail, but not your spam.
ehlo localhost
250-my.host.com Hi localhost [127.0.0.1]
250-PIPELINING
250-8BITMIME
250 AUTH PLAIN LOGIN
auth cram-md5
334 PDFiMTE1LjQ1MTBmYzk5QGNocm9uaWNsZS5hbGxhZnJpY2EuY29tPg==

220 my.host.com ESMTP qpsmtpd 0.32 ready; send us your mail, but not your spam.
ehlo localhost
250-my.host.com Hi localhost [127.0.0.1]
250-PIPELINING
250-8BITMIME
250 AUTH CRAM-MD5
auth login
334 VXNlcm5hbWU6

The fix: In ehlo(), when we determine the available auth mechanisms, save this bit of information in $self->{_auth_mechanisms}. Then, in auth(), instead of calling Qpsmtpd::Auth::SASL, respond 504 and return DENY if the authentication method requested is not in $self->{_auth_mechanisms}.

Patch: See attachment.

Regards,
Brian Szymanski
catch-unimplemented-auth-mechanism.patch
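Added example (not qpsmtpd's code and not the attached patch): a small Python model of the EHLO/AUTH handling the report describes, with the proposed 504 check behind a switch so the old and new server behaviour can be compared on the report's own first transcript. Session, USERS, the hook_* functions and the fixed CRAM-MD5 challenge are assumptions made for the illustration; the hook_* functions only stand in for the mechanisms a plugin has hooked, and the exchange for each mechanism follows RFC 2554 rather than qpsmtpd's internals.

```python
import base64
import hashlib
import hmac

USERS = {"user": "pass"}  # constructed account for the example

def b64(s):
    return base64.b64encode(s.encode()).decode()

def b64d(s):
    return base64.b64decode(s).decode()

# The hook_* functions stand in for what the auth plugins' register_hook calls
# provide: a mechanism counts as implemented, and is advertised in EHLO, only if
# a hook exists for it (hypothetical names, not qpsmtpd's plugin API).
def hook_password(user, password, _challenge=None):
    return USERS.get(user) == password  # serves PLAIN and LOGIN

def hook_cram_md5(user, digest, challenge):
    pw = USERS.get(user)
    return pw is not None and hmac.compare_digest(
        hmac.new(pw.encode(), challenge.encode(), hashlib.md5).hexdigest(), digest)

class Session:
    CHALLENGE = "<1.1@mail.example>"  # fixed CRAM-MD5 challenge, constructed

    def __init__(self, hooks, strict):
        self.hooks = hooks        # mechanism -> hook, i.e. what plugins registered
        self.strict = strict      # True: apply the 504 check the report proposes
        self.advertised = None    # set by ehlo(), like $self->{_auth_mechanisms}
        self.pending = None       # continuation for the next client line

    def ehlo(self, host):
        self.advertised = sorted(self.hooks)
        return ["250-mail.example Hi " + host, "250-PIPELINING", "250-8BITMIME",
                "250 AUTH " + " ".join(self.advertised)]

    def auth(self, mech, initial=None):
        mech = mech.upper()
        if self.strict and mech not in (self.advertised or []):
            return "504 Unrecognized authentication type"  # RFC 2554 section 4
        # Old behaviour: the generic SASL code knows every mechanism and starts
        # the exchange whether or not a registered hook can finish it.
        if mech == "PLAIN":
            self.pending = self._plain if initial is None else None
            return "334 " if initial is None else self._plain(initial)
        if mech == "LOGIN":
            self.pending = self._login_user
            return "334 " + b64("Username:")
        if mech == "CRAM-MD5":
            self.pending = self._cram
            return "334 " + b64(self.CHALLENGE)
        return "504 Unrecognized authentication type"

    def step(self, line):  # next client line of a multi-step mechanism
        cont, self.pending = self.pending, None
        return cont(line)

    def _plain(self, line):
        _authzid, user, password = b64d(line).split("\0")
        return self._finish("PLAIN", user, password)

    def _login_user(self, line):
        user = b64d(line)
        self.pending = lambda pw: self._finish("LOGIN", user, b64d(pw))
        return "334 " + b64("Password:")

    def _cram(self, line):
        user, digest = b64d(line).split(" ", 1)
        return self._finish("CRAM-MD5", user, digest, self.CHALLENGE)

    def _finish(self, mech, user, cred, challenge=None):
        hook = self.hooks.get(mech)
        if hook is None or not hook(user, cred, challenge):
            # No hook for the mechanism, or bad credentials: the old code
            # reports both as an ordinary login failure.
            return "535 Authentication failed for " + user
        return "235 Authentication succeeded"

def reproduce(strict):
    # The report's first transcript: only CRAM-MD5 is hooked and advertised,
    # and the client sends AUTH PLAIN with the report's own base64 blob anyway.
    s = Session({"CRAM-MD5": hook_cram_md5}, strict)
    s.ehlo("localhost")
    return s.auth("plain", "dXNlcgB1c2VyAHBhc3M=")

def cram_md5_login(strict):
    # A mechanism that is hooked and advertised still completes under the check.
    hooks = {"PLAIN": hook_password, "LOGIN": hook_password, "CRAM-MD5": hook_cram_md5}
    s = Session(hooks, strict)
    s.ehlo("localhost")
    challenge = b64d(s.auth("cram-md5")[4:])
    digest = hmac.new(b"pass", challenge.encode(), hashlib.md5).hexdigest()
    return s.step(b64("user " + digest))

if __name__ == "__main__":
    print("old:", reproduce(strict=False))
    print("new:", reproduce(strict=True))
    print("ok: ", cram_md5_login(strict=True))
```

With strict=False the model reproduces the report: AUTH PLAIN against a server that only advertised CRAM-MD5 ends in "535 Authentication failed for user", and AUTH LOGIN gets a "334 VXNlcm5hbWU6" challenge it can never complete. With strict=True the membership test runs before any 334 is sent, so the client sees 504 instead. Note that the check relies on ehlo() having filled in the advertised list; in this model an AUTH sent before EHLO is also rejected with 504, which is an assumption of the example rather than something the report specifies.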
