
Re: [msmtp-users] Bug: external auth via certificate only doesn't work



Hi Thomas!

On Sat, 22 Dec 2012 11:22:10 +0000, Thomas Weißschuh wrote:
> while trying to set up certificate only authentication msmtp always
> died with the following error message:
> 
> msmtp: the server does not support authentication
> 
> This is because my server (postfix) doesn't announce authentication
> methods after completing the STARTTLS handshake.
> 
> If I read the docs correctly external auth is not meant to be used
> together with another, internal auth method.
> 
> The following patch removes the auth check if external auth is used:
> [...]

This seems strange to me, because the code in question has not been
changed for many years and there were no complaints.

Before touching this, I need to be absolutely sure that this is indeed
a bug in msmtp and the change does not break things for anyone.

Msmtp resends EHLO after STARTTLS, and in response to that the server
must announce its authentication methods. It is my understanding
that msmtp still needs to be able to send AUTH EXTERNAL to the server,
and therefore it needs AUTH EXTERNAL to be supported by the server
after STARTTLS. Otherwise, how can the client tell the server which
identity to authenticate, and how can it find out if authentication
succeeded? (Note that the client cannot assume that the server uses TLS
certificate credentials for EXTERNAL authentication.)

See also RFC 4422 Appendix A and the SMTP example given in RFC 4954.

Martin
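
Added example (not part of the original message and not msmtp's code): the check discussed above, in Python. It parses the EHLO reply received after STARTTLS, looks for EXTERNAL among the AUTH mechanisms, and builds the AUTH EXTERNAL command as RFC 4954 encodes it. The EHLO replies, the host name and the function names are constructed for illustration.

```python
import base64

# Constructed EHLO replies for illustration (not captured from a real server).
EHLO_AFTER_TLS_NO_AUTH = (
    "250-mail.example.org\r\n"
    "250-PIPELINING\r\n"
    "250 8BITMIME\r\n"
)
EHLO_AFTER_TLS_EXTERNAL = (
    "250-mail.example.org\r\n"
    "250-PIPELINING\r\n"
    "250-AUTH EXTERNAL PLAIN\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo(reply):
    """Map each EHLO keyword to its parameters, e.g. {"AUTH": ["EXTERNAL"]}."""
    caps = {}
    for i, line in enumerate(reply.splitlines()):
        if line[:3] != "250" or line[3:4] not in ("-", " ", ""):
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        if i == 0:
            continue  # first line carries the server's domain and greeting
        words = line[4:].split()
        if words:
            caps.setdefault(words[0].upper(), []).extend(w.upper() for w in words[1:])
    return caps


def auth_external_command(caps, authzid=""):
    """Return the AUTH EXTERNAL line to send, or None if it is not offered."""
    if "EXTERNAL" not in caps.get("AUTH", []):
        return None
    # RFC 4954: a zero-length initial response is transmitted as "=".
    if not authzid:
        return "AUTH EXTERNAL ="
    return "AUTH EXTERNAL " + base64.b64encode(authzid.encode("utf-8")).decode("ascii")


def auth_succeeded(reply):
    """RFC 4954 reports successful authentication with reply code 235."""
    return reply.startswith("235")
```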