Charlie Brady wrote:
[...]or should use a SASL challenge string in the context of AUTH PLAIN.
RFC4954 was more clear:
The AUTH command initiates a [SASL] authentication exchange between the
client and the server.
[...]
A server challenge is sent as a 334 reply with the text part containing
the [BASE64] encoded string supplied by the SASL mechanism. This
challenge MUST NOT contain any text other than the BASE64 encoded challenge.
[...]
The optional initial response argument to the AUTH command is used to
save a round-trip when using authentication mechanisms that support an
initial client response. If the initial response argument is omitted
and the chosen mechanism requires an initial client response, the server
MUST proceed as defined in Section 5.1 of [SASL]. In SMTP, a server
challenge that contains no data is defined as a 334 reply with no text
part. Note that there is still a space following the reply code, so the
complete response line is "334 ".
Also I noticed that Auth.pm does not respond to a client "*" command
during AUTH PLAIN. * is supposed to cancel the AUTH exchange regardless
of the mechanism. Here's what I get:
AUTH PLAIN
334
*
504 Invalid authentificat
*
500 Unrecognized command
According to RFC2554:
"If the client wishes to cancel an authentication exchange, it issues a
line with a single "*". If the server receives such an answer, it MUST
reject the AUTH command by sending a 501 reply."
Like this (from a Postfix session):
AUTH PLAIN
334
*
501 5.7.0 Authentication aborted
I promise I'm not making this up. It's easy to just blame it on the
mail client since most mainstream clients are less strict about the
protocol, but I think the RFCs, examples, and logs of sessions with
other servers back me up on this....
-Rick
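To illustrate the RFC 4954 behaviour described in this message, here is an added Python example (not from the original thread and not qpsmtpd's Auth.pm): a server-side AUTH PLAIN state machine that sends the empty "334 " challenge, answers a bare "*" with 501, and otherwise decodes and verifies the PLAIN response. The credential store and the user "alice" are constructed for the demo.

```python
import base64
import hmac

# Constructed credential store for the demo only (hypothetical user).
USERS = {"alice": "correct horse"}

class AuthPlainSession:
    """Server side of SMTP AUTH PLAIN (RFC 4954 sect. 4, RFC 4616); one reply per client line."""

    def __init__(self):
        self.waiting = False      # an empty "334 " challenge is outstanding
        self.authenticated = None

    def handle_line(self, line):
        if self.waiting:
            self.waiting = False
            if line == "*":
                # Client cancels the exchange: the server MUST answer 501.
                return "501 5.7.0 Authentication aborted"
            return self._verify(line)
        parts = line.split(" ")
        if len(parts) >= 2 and parts[0].upper() == "AUTH" and parts[1].upper() == "PLAIN":
            if len(parts) == 2:
                # No initial response: empty challenge, note the trailing space.
                self.waiting = True
                return "334 "
            if len(parts) == 3:
                # Initial response supplied on the AUTH line ("=" means empty).
                return self._verify("" if parts[2] == "=" else parts[2])
            return "501 5.5.4 Syntax error in arguments"
        return "500 5.5.2 Unrecognized command"

    def _verify(self, b64):
        try:
            raw = base64.b64decode(b64, validate=True)
        except ValueError:
            return "501 5.5.2 Cannot decode response"
        fields = raw.split(b"\x00")  # PLAIN is [authzid] NUL authcid NUL passwd
        if len(fields) != 3 or not fields[1]:
            return "501 5.5.2 Malformed PLAIN response"
        authzid, authcid, passwd = (f.decode("utf-8", "replace") for f in fields)
        expected = USERS.get(authcid, "")
        # compare_digest avoids leaking the password prefix through timing.
        if not expected or not hmac.compare_digest(passwd.encode(), expected.encode()):
            return "535 5.7.8 Authentication credentials invalid"
        if authzid and authzid != authcid:
            return "535 5.7.8 Authorization identity not permitted"
        self.authenticated = authcid
        return "235 2.7.0 Authentication successful"
```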