
Issue with SASL use of Initial-Response parameter #208

Open
rlebeau opened this issue Apr 18, 2018 · 2 comments
Assignees
Labels
Element: SASL Issues related to SASL handling, TIdSASL and descendants, etc Element: SMTP Issues related to TIdSMTP and TIdSMTPServer Status: Review Needed Issue needs further review to decide next status Type: Bug Issue is a bug in existing code

Comments


rlebeau commented Apr 18, 2018

TIdDICT, TIdIMAP4, TIdPOP3 and TIdSMTP implement SASL authentication.

It is currently unknown how the following issue affects TIdDICT, if at all.

TIdIMAP4 uses SASL's Initial-Response only if the server advertises the IMAP SASL-IR capability. No issue there.

POP3 and SMTP are affected by the same issue. POP3 and SMTP servers have no way to advertise their support for Initial-Response. TIdPOP3 gets around this by simply disabling use of Initial-Response altogether. But TIdSMTP currently enables Initial-Response unconditionally, which causes a problem.

When TIdSMTP.AuthType is set to satSASL (the issue does not affect satDefault), and TIdSASLLogin is enabled in the TIdSMTP.SASLMechanisms collection, TIdSMTP sends an AUTH LOGIN command where the username is passed in Initial-Response, like this:

AUTH LOGIN usernameInBase64

Not all SMTP servers support Initial-Response, though. If such a server replies with a username prompt instead of a password prompt, e.g.:

334 VXNlcm5hbWU6 ("Username:" in base64)

TIdSMTP then sends the password instead of the username, and then the server replies with a password prompt (if not a failure due to an unknown username):

334 UGFzc3dvcmQ6 ("Password:" in base64)

TIdSMTP then sends the password again, and authentication usually fails.

Many 3rd party SMTP clients do not use Initial-Response, mainly because there is currently no defined way for an SMTP server to advertise its support for Initial-Response. However, Initial-Response is formally defined as part of RFCs 2554 and 4954, "SMTP Service Extension for Authentication", and many SMTP servers do support Initial-Response.

Indy SASL components that currently implement Initial-Response, and thus are potentially affected by this issue, are:

TIdSASLAnonymous
TIdSASLExternal
TIdSASLLogin
TIdSASLNTLM
TIdSASLOTP
TIdSASLPlain
TIdSASLSKey
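The exchange described above, as an added example that is not part of the issue or of Indy's code: a toy AUTH LOGIN server (`LoginServer`) that either honours or ignores the Initial-Response, a client that mirrors the behaviour reported for TIdSMTP (after sending the username as Initial-Response it answers every 334 challenge with the password), and the same client with a check that decodes the 334 challenge and answers a "Username:" prompt with the username. Credentials, function names and the 235/535 reply texts are constructed for the demonstration; only the base64 prompts come from the issue.

```python
import base64

# Constructed sample credentials (not from the issue).
USERNAME = "alice"
PASSWORD = "s3cret"


def b64(text: str) -> str:
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def unb64(text: str) -> str:
    return base64.b64decode(text).decode("utf-8")


class LoginServer:
    """Toy AUTH LOGIN state machine. supports_ir=False models a server that
    ignores the Initial-Response and always starts with the Username: prompt."""

    def __init__(self, supports_ir: bool, username: str, password: str):
        self.supports_ir = supports_ir
        self.username = username
        self.password = password
        self.received_username = None

    def handle_auth(self, line: str) -> str:
        parts = line.split(" ")
        if len(parts) == 3 and self.supports_ir:
            # Initial-Response carries the username (RFC 4954 style).
            self.received_username = unb64(parts[2])
            return "334 " + b64("Password:")
        return "334 " + b64("Username:")

    def handle_reply(self, line: str) -> str:
        if self.received_username is None:
            self.received_username = unb64(line)
            return "334 " + b64("Password:")
        if self.received_username == self.username and unb64(line) == self.password:
            return "235 2.7.0 Authentication successful"
        return "535 5.7.8 Authentication credentials invalid"


def prompt_asks_for_username(reply: str) -> bool:
    """Decode a 334 challenge and report whether the server is asking for the username."""
    try:
        return unb64(reply[4:]).strip().lower().startswith("username")
    except (ValueError, UnicodeDecodeError):
        return False


def auth_login(server, username, password, use_ir, check_prompt, max_rounds=4):
    """Run AUTH LOGIN against the toy server; return (succeeded, transcript).
    check_prompt=False reproduces the behaviour described in the issue: once the
    username has gone out as Initial-Response, every 334 gets the password."""
    transcript = []

    def exchange(command, handler):
        transcript.append("C: " + command)
        reply = handler(command)
        transcript.append("S: " + reply)
        return reply

    if use_ir:
        reply = exchange("AUTH LOGIN " + b64(username), server.handle_auth)
        sent_username = True
    else:
        reply = exchange("AUTH LOGIN", server.handle_auth)
        sent_username = False

    rounds = 0
    while reply.startswith("334") and rounds < max_rounds:
        rounds += 1
        if check_prompt:
            send_username = prompt_asks_for_username(reply)
        else:
            send_username = not sent_username
        payload = b64(username if send_username else password)
        sent_username = sent_username or send_username
        reply = exchange(payload, server.handle_reply)
    return reply.startswith("235"), transcript


def run_auth(server_supports_ir: bool, client_checks_prompt: bool):
    """Convenience wrapper: client always tries Initial-Response, as TIdSMTP does."""
    server = LoginServer(server_supports_ir, USERNAME, PASSWORD)
    return auth_login(server, USERNAME, PASSWORD, use_ir=True, check_prompt=client_checks_prompt)


if __name__ == "__main__":
    for supports_ir, checks in [(False, False), (False, True), (True, False)]:
        ok, lines = run_auth(supports_ir, checks)
        print(f"server IR={supports_ir} client checks prompt={checks} -> {'OK' if ok else 'FAIL'}")
        print("\n".join("  " + l for l in lines))
```

Against the server that ignores Initial-Response, the prompt-blind client produces exactly the transcript from the issue (334 VXNlcm5hbWU6, password, 334 UGFzc3dvcmQ6, password, failure), while the prompt-checking client recovers by resending the username; against a server that honours Initial-Response both clients succeed.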
@rlebeau rlebeau added Type: Bug Issue is a bug in existing code Element: SMTP Issues related to TIdSMTP and TIdSMTPServer labels Apr 18, 2018
@rlebeau rlebeau self-assigned this Apr 18, 2018
rlebeau added a commit that referenced this issue Aug 26, 2022
…de when to send a username and when to send a password.
rlebeau added a commit that referenced this issue Aug 27, 2022
…bal unit in the implementation 'uses' clause.
@rlebeau rlebeau added the Element: SASL Issues related to SASL handling, TIdSASL and descendants, etc label Aug 27, 2022
@rlebeau rlebeau added the Status: Review Needed Issue needs further review to decide next status label Apr 23, 2023
jaenicke added a commit to jaenicke/IndyBugfix that referenced this issue Apr 11, 2024
…r the request for the username correctly and continue. In addition I added a property CanAttemptIR to TIdSMTP, so one can switch off the try with IR in case the server cannot handle this.
@jaenicke

I added pull request #530 to handle this bug.


jaenicke commented Apr 11, 2024

I did not check anything else, because I do not have a server to test for anything other than SMTP. So I only tested with SMTP. That's why I only checked for a specific response instead of trying to integrate it in the following code, which should be possible too.
