Incidentally, I should point out that this bug only happens when you
have a non-zero number of authentication mechanisms enabled (but not
the right ones), i.e., if you comment out all calls to register_hook,
you'll wind up with something like this:
[EMAIL PROTECTED]:~$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 mail.host.com ESMTP qpsmtpd 0.32 ready; send us your mail, but
not your spam.
ehlo localhost
250-mail.host.com Hi [127.0.0.1] [127.0.0.1]
250-PIPELINING
250-8BITMIME
250 STARTTLS
auth login
500 Unrecognized command
Which is expected behavior (arguably that should be a 502 instead of
a 500, but I haven't looked at the code to see how much bother it
would be to change this).
http://www.ietf.org/rfc/rfc0821.txt
500 Syntax error, command unrecognized
[This may include errors such as command line too long]
501 Syntax error in parameters or arguments
502 Command not implemented
Cheers,
B
On Sep 20, 2006, at 6:22 AM, Brian Szymanski wrote:
Summary:
qpsmtpd tries to get authentication information for methods for which
it has no registered hooks. From section 4 of the smtp auth RFC
(http://www.faqs.org/rfcs/rfc2554.html): "If the requested
authentication mechanism is not supported, the server rejects the
AUTH command with a 504 reply." ... This behavior is worsened by
SMTP clients that do not read the "250 AUTH" string they get on
ehlo and proceed to try their favorite login mechanism anyway (the
version of Versamail my boss has exhibits this behavior, of
course ;) ). So, this isn't just a patch to make sure qpsmtpd
adheres to the RFC - in the latter case this behavior can lead to
misleading/wrong error messages for end users ("login failure"
instead of "authentication method not supported").
How to reproduce:
Comment out calls to register_hook for your least favorite
authentication method in any active authentication plugin(s)'s
register sub, then try to authenticate with it. You will see
something like the below:
220 my.host.com ESMTP qpsmtpd 0.32 ready; send us your mail, but
not your spam.
ehlo localhost
250-my.host.com Hi localhost [127.0.0.1]
250-PIPELINING
250-8BITMIME
250 AUTH CRAM-MD5
auth plain dXNlcgB1c2VyAHBhc3M=
535 Authentication failed for user -
220 my.host.com ESMTP qpsmtpd 0.32 ready; send us your mail, but
not your spam.
ehlo localhost
250-my.host.com Hi localhost [127.0.0.1]
250-PIPELINING
250-8BITMIME
250 AUTH PLAIN LOGIN
auth cram-md5
334 PDFiMTE1LjQ1MTBmYzk5QGNocm9uaWNsZS5hbGxhZnJpY2EuY29tPg==
220 my.host.com ESMTP qpsmtpd 0.32 ready; send us your mail, but
not your spam.
ehlo localhost
250-my.host.com Hi localhost [127.0.0.1]
250-PIPELINING
250-8BITMIME
250 AUTH CRAM-MD5
auth login
334 VXNlcm5hbWU6
The fix:
In ehlo(), when we determine the available auth mechanisms, save
this bit of information in $self->{_auth_mechanisms}. Then, in
auth(), instead of calling Qsmtpd::Auth::SASL, respond 504 and return
DENY if the authentication method requested is not in
$self->{_auth_mechanisms}.
Patch:
See attachment.
Regards,
Brian Szymanski
[EMAIL PROTECTED]
<catch-unimplemented-auth-mechanism.patch>
---
Brian Szymanski
[EMAIL PROTECTED]
cell: 202.747.4019
work: 202.546.0777 ext. 114
skype: xbrianskix
aim: xbrianskix
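The following is an added illustration of the check the thread describes, written for this page and not taken from qpsmtpd or from the attached patch. It models one SMTP session's AUTH handling in Python: the mechanisms advertised on EHLO are remembered (the role of $self->{_auth_mechanisms} above), an AUTH for a mechanism outside that set is answered with 504 before any SASL processing, AUTH with nothing advertised stays a 500, and only advertised mechanisms proceed to the 334/235/535 exchange. The class and function names, the hostname in the CRAM-MD5 challenge and the one-entry credential store are assumptions made for the example; the PLAIN response string is the one from the thread, which decodes to user "user", password "pass".

```python
import base64
import hashlib
import hmac
import secrets


def b64(s):
    """Base64-encode a text string (SASL exchanges are base64 on the wire)."""
    return base64.b64encode(s.encode()).decode()


def unb64(s):
    """Decode a base64 SASL response; malformed input decodes to "" so the
    caller can reject it with a 501 instead of raising mid-session."""
    try:
        return base64.b64decode(s, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return ""


def cram_md5_response(challenge, user, password):
    """Client side of CRAM-MD5 (RFC 2195): base64("user" + " " + hex HMAC-MD5)."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return b64("%s %s" % (user, digest))


class AuthDispatcher:
    """AUTH handling for one SMTP session (assumed names, not qpsmtpd's API)."""

    # Constructed credential store for the example; a real server asks its plugins.
    USERS = {"user": "pass"}

    def __init__(self, advertised):
        # Mechanisms offered in the "250 AUTH ..." EHLO line, i.e. the ones
        # that actually have hooks registered.
        self.advertised = {m.upper() for m in advertised}
        self.state = None  # pending multi-step exchange, if any

    def command(self, line):
        """Handle one client line; returns the server's reply line."""
        if self.state is not None:
            return self._continue(line.strip())
        parts = line.split()
        if not parts or parts[0].upper() != "AUTH":
            return "500 Unrecognized command"
        if not self.advertised:
            # Nothing registered: AUTH is not a known verb in this session.
            return "500 Unrecognized command"
        if len(parts) < 2:
            return "501 Syntax error in parameters or arguments"
        mech = parts[1].upper()
        if mech not in self.advertised:
            # RFC 2554 section 4: unsupported mechanism is rejected with 504,
            # before any SASL code runs (this is the check the thread adds).
            return "504 Unrecognized authentication type"
        initial = parts[2] if len(parts) > 2 else None
        if mech == "PLAIN":
            if initial is None:
                self.state = ("PLAIN",)
                return "334 "  # empty challenge, client sends the response next
            return self._check_plain(initial)
        if mech == "LOGIN":
            self.state = ("LOGIN", None)
            return "334 " + b64("Username:")
        if mech == "CRAM-MD5":
            challenge = "<%s@my.host.com>" % secrets.token_hex(8)  # assumed host
            self.state = ("CRAM-MD5", challenge)
            return "334 " + b64(challenge)
        return "504 Unrecognized authentication type"

    def _continue(self, line):
        """Second and later client lines of a multi-step mechanism."""
        if line == "*":
            self.state = None
            return "501 Authentication aborted"
        mech = self.state[0]
        if mech == "PLAIN":
            self.state = None
            return self._check_plain(line)
        if mech == "LOGIN":
            if self.state[1] is None:
                self.state = ("LOGIN", unb64(line))
                return "334 " + b64("Password:")
            user = self.state[1]
            self.state = None
            return self._verdict(user, self.USERS.get(user) == unb64(line))
        challenge = self.state[1]  # CRAM-MD5
        self.state = None
        user, _, digest = unb64(line).partition(" ")
        password = self.USERS.get(user)
        expected = cram_md5_response(challenge, user, password) if password else ""
        return self._verdict(user, password is not None and hmac.compare_digest(expected, b64("%s %s" % (user, digest))))

    def _check_plain(self, resp):
        try:
            _authzid, authcid, passwd = unb64(resp).split("\0")
        except ValueError:
            return "501 Malformed AUTH PLAIN response"
        return self._verdict(authcid, self.USERS.get(authcid) == passwd)

    @staticmethod
    def _verdict(user, ok):
        return "235 Authentication successful" if ok else "535 Authentication failed for user %s" % user


def run_session(advertised, client_lines):
    """Feed client lines to a fresh session; returns the list of server replies."""
    session = AuthDispatcher(advertised)
    return [session.command(line) for line in client_lines]


if __name__ == "__main__":
    # The three situations from the thread, reduced to the AUTH exchange.
    print(run_session([], ["auth login"]))
    print(run_session(["CRAM-MD5"], ["auth plain dXNlcgB1c2VyAHBhc3M="]))
    print(run_session(["PLAIN", "LOGIN"], ["auth cram-md5"]))
```

With the mechanism check in place, the misconfigured-client case from the summary yields "504 Unrecognized authentication type" rather than a misleading 535, and a client that never asked for the EHLO list still gets an answer that names the real problem.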