> With this in mind is it possible without having to patch qpsmtpd to
> influence the order that auth methods are presented in from "250 AUTH
> PLAIN LOGIN CRAM-MD5" such that LOGIN is the first available option?
> Apparently in turnpike you can't specify the method you use and it
> always picks the first one in the list.
>
> I appreciate this is a rather odd request and a much better option would
> be to not use turnpike, but can anyone help with fixing this at the
> server end without resorting to altering the core qpsmtpd code? Altering
> plugins is fine.

It looks like you would need to modify Qpsmtpd/SMTP.pm, at least with the way things are set up now; it creates the AUTH line outside of $txn->notes('capabilities'), and uses a hash so the sorting is random. This diff would probably work but is untested:

--- dc-smtpd/lib/Qpsmtpd/SMTP.pm (revision 13227) +++ dc-smtpd/lib/Qpsmtpd/SMTP.pm (working copy) @@ -243,7 +243,8 @@ # Check if we should only offer AUTH after TLS is completed my $tls_before_auth = ($self->config('tls_before_auth') ? ($self->config('tls_before_auth'))[0] && $self->transaction->notes('tls_enabled') : 0); if ( %auth_mechanisms && !$tls_before_auth) { - push @capabilities, 'AUTH '.join(" ",keys(%auth_mechanisms)); + push @capabilities, 'AUTH '.join(" ",grep { exists $auth_mechanisms{$_} } + qw( PLAIN LOGIN CRAM-MD5 )); $self->{_commands}->{'auth'} = ""; }

Seems like if at all possible it would be better to have the auth plugin figure this stuff out and then add to $txn->notes('capabilities') like everything else does. Then you could just do it in an extra plugin, like:

    sub hook_ehlo {
        my ( $self, $txn ) = @_;
        # Find the existing AUTH capability line, if any (list context, so we
        # get the line itself rather than a match count).
        my ($auth) = grep { /^AUTH / } @{ $txn->notes('capabilities') }
          or return DECLINED;
        my %methods = map { $_ => undef } split / /, $auth;
        # Rebuild the line in a fixed order, keeping only what was offered.
        $auth = join( ' ',
            grep { exists $methods{$_} } qw( AUTH PLAIN LOGIN CRAM-MD5 ) );
        $txn->notes( capabilities =>
            [ ( grep { !/^AUTH / } @{ $txn->notes('capabilities') } ), $auth ] );
        return DECLINED;
    }

Even though it amounts to more work, it would be nice to be able to use plugins for such things and not patch SMTP.pm according to one's desires. And most things you'd want to hack the AUTH line for would be simpler. Indeed, if you aren't worried about dealing with unpredictable states of the AUTH line, the plugin would probably be reduced to about two lines.

-Jared
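
Review bot: the hard-coded `qw( PLAIN LOGIN CRAM-MD5 )` list on the `+` lines becomes the only source of what is advertised, so any key in %auth_mechanisms that is not spelled exactly like one of those three is silently dropped from the AUTH line, and if none of them exist the server pushes a bare 'AUTH ' capability. The list also still puts PLAIN ahead of LOGIN, while the request quoted above asks for LOGIN to be first. Suggest listing the preferred names first, appending the remaining `sort keys(%auth_mechanisms)` that were not already emitted, and skipping the push when the resulting list is empty.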