Thread: Disabling single line authentication for AUTH LOGIN TIdSmtp


This question is answered.


Replies: 4 - Last Post: Apr 18, 2018 10:22 AM Last Post By: Remy Lebeau (Te...
John May

Posts: 81
Registered: 6/25/10
Disabling single line authentication for AUTH LOGIN TIdSmtp  
  Posted: Apr 17, 2018 2:57 AM
TIdSmtp has a problem.

When AUTH LOGIN is sent with it, it looks like this:

AUTH LOGIN base64stringhere

then server replies with

334 username(base64encoded)

Indy sends password

server replies

334 password

Indy sends password

I tried with a few other email clients and they all send:

AUTH LOGIN (CRLF here)
334 username
username
334 password
password

So - is there a way to disable Indy authentication which sends username immediately after AUTH LOGIN?

I know that this works on SOME servers. But it doesn't work on all of them. Older versions of Indy worked just fine regarding this before this was introduced.
On the other hand AUTH LOGIN with CRLF works on ALL servers, older and newer.

Is there a way to disable this?
Remy Lebeau (Te...


Posts: 9,448
Registered: 12/23/01
Re: Disabling single line authentication for AUTH LOGIN TIdSmtp
Correct
  Posted: Apr 17, 2018 11:53 AM   in response to: John May
John May wrote:

> When AUTH LOGIN is sent with it, it looks like this:
>
> AUTH LOGIN base64stringhere

That base64 string is known as an "Initial Response", which was
formally introduced in SMTP in RFC 2554/4954 (the same RFC that defines
the AUTH command for SMTP). It allows the client to save a roundtrip
by sending the username immediately instead of waiting for the server
to prompt for the username.

Note: TIdSMTP only sends an Initial Response in the AUTH command when
the TIdSMTP.AuthType property is set to satSASL and not satDefault.

> then server replies with
>
> 334 username(base64encoded)

That is a prompt for a username. Which means the server did not accept
the username in the Initial Response and is prompting for the username.
Which means the server does not fully implement RFC 4954.

Indy does not currently handle the case where an SMTP server ignores
the Initial Response. I will fix that.

> I tried with a few other email clients and they all send:
>
> AUTH LOGIN (CRLF here)
> 334 username
> username
> 334 password
> password

Those other clients are not utilizing the Initial Response feature of
SASL.

> So - is there a way to disable Indy authentication which sends
> username immediately after AUTH LOGIN?

You can either:

- set the TIdSMTP.AuthType property to satDefault, but then you can't
use other SASL mechanisms besides LOGIN.

- alter the source code for TIdSMTP.Authenticate() to pass
ACanAttemptIR=False when calling SASLMechanisms.LoginSASL(), and then
recompile Indy.

--
Remy Lebeau (TeamB)
Remy Lebeau (Te...


Posts: 9,448
Registered: 12/23/01
Re: Disabling single line authentication for AUTH LOGIN TIdSmtp
Helpful
  Posted: Apr 17, 2018 7:48 PM   in response to: Remy Lebeau (Te...
Remy Lebeau (TeamB) wrote:
> Indy does not currently handle the case where an SMTP server ignores
> the Initial Response. I will fix that.

I added this to Indy's issue tracker so I won't forget about it:

Issue with SASL use of Initial-Response parameter
https://github.com/IndySockets/Indy/issues/208

--
Remy Lebeau (TeamB)
John May

Posts: 81
Registered: 6/25/10
Re: Disabling single line authentication for AUTH LOGIN TIdSmtp  
  Posted: Apr 18, 2018 5:38 AM   in response to: Remy Lebeau (Te...
Thank you for looking into the issue and letting me know about the workaround (satDefault).

Yes, examining if response string contains "username" or "password" would be good enough for TIdSmtp to know which one to send.
Remy Lebeau (Te...


Posts: 9,448
Registered: 12/23/01
Re: Disabling single line authentication for AUTH LOGIN TIdSmtp
  Posted: Apr 18, 2018 10:22 AM   in response to: John May
John May wrote:

> Yes, examining if response string contains "username" or "password"
> would be good enough for TIdSmtp to know which one to send.

For AUTH LOGIN, yes. But the issue is much broader and affects most of
Indy's other SASL mechanisms as well.

--
Remy Lebeau (TeamB)
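
The AUTH LOGIN exchange discussed in this thread, as an added example that is not part of the original posts and not Indy's code: a client that decodes each 334 prompt and answers by what it asks for, so the password is never sent in reply to a username prompt when a server ignores the Initial Response. The simulated server, the names `make_server` and `auth_login`, the "Username:"/"Password:" prompt text and the alice/s3cret account are assumptions constructed for illustration; as noted in the thread, this covers only the LOGIN mechanism.

```python
import base64

def b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()

def make_server(honors_ir: bool):
    """Constructed stand-in for a server's AUTH LOGIN handling (not a real SMTP server)."""
    state = {"user": None}
    def handle(line: str) -> str:
        if line.upper().startswith("AUTH LOGIN"):
            parts = line.split()
            if honors_ir and len(parts) == 3:   # Initial Response accepted
                state["user"] = parts[2]
                return "334 " + b64("Password:")
            return "334 " + b64("Username:")    # Initial Response ignored or absent
        if state["user"] is None:
            state["user"] = line
            return "334 " + b64("Password:")
        good = (state["user"], line) == (b64("alice"), b64("s3cret"))  # constructed account
        return "235 2.7.0 Authentication successful" if good else "535 5.7.8 Authentication failed"
    return handle

def auth_login(send, username: str, password: str, use_ir: bool = True):
    """Run AUTH LOGIN, answering each 334 by what it asks for rather than by position."""
    sent = []
    def exchange(line: str) -> str:
        sent.append(line)
        return send(line)
    reply = exchange("AUTH LOGIN " + b64(username) if use_ir else "AUTH LOGIN")
    for _ in range(3):                          # bound the number of prompts answered
        if not reply.startswith("334 "):
            break
        prompt = base64.b64decode(reply[4:]).decode("ascii", "replace").lower()
        if "username" in prompt:
            reply = exchange(b64(username))
        elif "password" in prompt:
            reply = exchange(b64(password))
        else:
            break                               # unknown prompt: send no credential
    return reply.startswith("235"), sent

if __name__ == "__main__":
    for honors_ir in (True, False):
        ok, sent = auth_login(make_server(honors_ir), "alice", "s3cret")
        print("server honors IR:", honors_ir, "authenticated:", ok, "client lines:", sent)
```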