Mailing List Archive

On Thu, 6 Jun 2002, Marc Langer wrote:

> Someone wrote (last year, I think) this was a bug in old Outlook
> versions, and Philip refused to add a hack to Exim, announcing both
> "AUTH LOGIN" und "AUTH=LOGIN". Instead he wanted Microsoft to deliver
> patches...

Well, I wanted them to implement the standard. Heck, it's a small enough
change... Might even be just a single byte...

> Today I read an interesting article in a German newsgroup, showing
> that Netscape/Mozilla also depends on AUTH=LOGIN and it was best common
> practice before standardized by RFC 2222 and 2554: Netscape used it
> since the mid of the 90th, and the author auf RFC 2222 and 2554
> was a Netscape employee.

The date of RFC 2222 is October 1997, almost 5 years ago; 2554 is newer,
March 1999, but even that is now 3 years old. RFCs get discussed for a
long time before they are published, so people would have known about
the standard even longer.

> Joern Weber <listen@joernweber.de> knows a lot about the SMTP AUTH
> history, I think, and he wrote, to be downward compatible, AUTH=LOGIN
> should also be announced in the EHLO greeting.

I have seen no documentation stating this.

<GRUMBLE>
Too much of the Internet works on hearsay and things that "people just
know". If you arrive from outside, however much your read the standards,
you are unable to implement software that actually interworks. This is,
IMHO, Very Bad.
</GRUMBLE>

<RANT>
Anyway, how can you do this compatibly? Any client that is following the
standard may well *complain* about a broken server if you do that. How
do you advertise several mechanisms? Do you say

250-AUTH=LOGIN PLAIN CRAM-MD5

or do you have to do

250-AUTH=LOGIN
250-AUTH LOGIN PLAIN CRAM-MD5

? Has anybody documented that? Will a picky client complain at that
because AUTH is mentioned twice? (RFC 2821 doesn't seem to say anything
about multiple appearances of EHLO keywords.) The point is that one
needs a *detailed* specification of this kind of thing.
</RANT>

> Philip, it would be great if you changed your mind and include this
> hack in Exim 4.x.

I sympathise, but I don't think I'm going to change my mind. Microsoft
are making a lot of money out of OutLook. They should fix it.

> As some Outlook and Netscape still need it, that

I tested Exim with Netscape; it didn't seem to need a hack.

--
Philip Hazel University of Cambridge Computing Service,
ph10@cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714.

On Fri, Jun 07, 2002 at 10:02:31 +0100, Philip Hazel wrote:
> Anyway, how can you do this compatibly? Any client that is following the
> standard may well *complain* about a broken server if you do that. How
> do you advertise several mechanisms? Do you say
>
> 250-AUTH=LOGIN PLAIN CRAM-MD5
>
> or do you have to do
>
> 250-AUTH=LOGIN
> 250-AUTH LOGIN PLAIN CRAM-MD5

The latter is correct, and working with Netscape, Mozilla and Outlook.

> I sympathise, but I don't think I'm going to change my mind. Microsoft
> are making a lot of money out of OutLook. They should fix it.

They have fixed it in newer versions. But too much support is needed
to get our customers updating their clients... Therefore I applied
the patch.

> > As some Outlook and Netscape still need it, that
>
> I tested Exim with Netscape; it didn't seem to need a hack.

Netscape 4.75 (not Exim, but Hamster):

| 2002.06.08 09:16:21 {780} < 220 SMTP-Server Classic Hamster Version 1.3 (Build
1.3.23.170) on laborratte.joernweber.de is ready.
| 2002.06.08 09:16:21 {780} > EHLO joernweber.de
| 2002.06.08 09:16:21 {780} < 250-laborratte.joernweber.de
| 2002.06.08 09:16:21 {780} < 250-8BITMIME
| 2002.06.08 09:16:21 {780} < 250-AUTH CRAM-SHA1 CRAM-MD5 LOGIN
| 2002.06.08 09:16:21 {780} < 250 HELP
| 2002.06.08 09:16:21 {780} > MAIL FROM:<email@joernweber.de>
| 2002.06.08 09:16:21 {780} < 250 OK
| 2002.06.08 09:16:21 {780} > RCPT TO:<admin@laborratte.joernweber.de>
| 2002.06.08 09:16:21 {780} < 550 Permission denied for relaying

With patch:

| 2002.06.08 09:34:33 {21c} < 220 SMTP-Server Classic Hamster Version 1.3 (Build
1.3.23.170) on laborratte.joernweber.de is ready.
| 2002.06.08 09:34:33 {21c} > EHLO joernweber.de
| 2002.06.08 09:34:33 {21c} < 250-laborratte.joernweber.de
| 2002.06.08 09:34:33 {21c} < 250-8BITMIME

| 2002.06.08 09:34:33 {21c} < 250-AUTH=LOGIN

| 2002.06.08 09:34:33 {21c} < 250-AUTH CRAM-SHA1 CRAM-MD5 LOGIN
| 2002.06.08 09:34:33 {21c} < 250 HELP
| 2002.06.08 09:34:33 {21c} > AUTH LOGIN Sm9lcm4tV2ViZXI=
| 2002.06.08 09:34:33 {21c} > [...]
| 2002.06.08 09:34:33 {21c} < 334 UGFzc3dvcmQ6
| 2002.06.08 09:34:33 {21c} > [...]
| 2002.06.08 09:34:33 {21c} < 235 Authentication successful.

Indeed this is not documented anywhere, but as you can see not only
Outlook has problems.

Marc

On Sat, 8 Jun 2002, Marc Langer wrote:

> They have fixed it in newer versions. But too much support is needed
> to get our customers updating their clients... Therefore I applied
> the patch.

That's the benefit of Open Source software. :-)

> > I tested Exim with Netscape; it didn't seem to need a hack.
>
> Netscape 4.75 (not Exim, but Hamster):

I think my tests were with 4.77.


--
Philip Hazel University of Cambridge Computing Service,
ph10@cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714.

On Mon, Jun 10, 2002 at 10:02:11 +0100, Philip Hazel wrote:
> > They have fixed it in newer versions. But too much support is needed
> > to get our customers updating their clients... Therefore I applied
> > the patch.
>
> That's the benefit of Open Source software. :-)

Yes, thank you for that. And not many commercial products are supported
as well as you do it :-)

Marc

On Mon, Jun 10, 2002 at 10:02:11 +0100, Philip Hazel wrote:
> > > I tested Exim with Netscape; it didn't seem to need a hack.
> >
> > Netscape 4.75 (not Exim, but Hamster):
>
> I think my tests were with 4.77.

okay, Netscape also supports AUTH PLAIN, so it recognizes

250-AUTH PLAIN LOGIN

and uses the PLAIN authenticator.

Marc