Sasl client SMTP AUTH PLAIN syntax

Ken Murchison murch at fastmail.com
Mon Jan 6 07:24:17 EST 2020


On 1/6/20 2:37 AM, Tom Hans wrote:
> Hello there,
>
> I have a tricky issue and cannot find any solution for it.
> The issue looks like the following:
> I have a postfix server which relays all emails to another mail server.
> The postfix server has to use AUTH PLAIN for authorization, TLS is 
> enforced for security.
> Therefore I configured postfix with cyrus sasl.
>
> I can see that my configuration is working and cyrus generates the 
> correct base64 string for authorization and postfix uses this too by 
> sending the following line:
>
> AUTH PLAIN AG5zc0RTaFRYL2krc25jdjA=
>
> The receiving server responds with: 500 syntax error
> Because of this I tested the communication manually using openssl and 
> I was able to find the main issue, the receiving server needs to have 
> the following dialog: (C: Postfix, S: receiving instance):
> C: AUTH PLAIN
> S: 334
> C: AG5zc0RTaFRYL2krc25jdjA=


First off, the receiving SMTP server is buggy if it doesn't support the 
initial response after the SASL mechanism name, per RFC 4954.


>
> Is it possible to use this longer syntax by doing some changes in cyrus?


It is up to the client application (Postfix) to determine whether 
the protocol (SMTP) and/or the SASL mechanism (PLAIN) supports an 
initial client response and call sasl_client_start() with the 
appropriate clientout parameter.  For this buggy SMTP server, Postfix 
should either use a NULL value for clientout, or NOT send the generated 
value with the AUTH command and wait for an empty server challenge.

The bottom line is that Cyrus SASL knows nothing about the application 
protocol and simply does what the application asks it to do.


-- 

Ken Murchison
Cyrus Development Team
Fastmail US LLC
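
The two AUTH PLAIN dialog forms discussed in this thread (initial response on the AUTH line, or a bare AUTH followed by an empty 334 challenge, both defined by RFC 4954), as an added Python example that is not part of the original message and is not Cyrus SASL or Postfix code. `ToyServer`, `authenticate` and the credentials are constructed for illustration; `accepts_ir=False` models the receiving server described in the post.

```python
import base64

def plain_message(authcid, passwd, authzid=""):
    # RFC 4616 PLAIN: [authzid] NUL authcid NUL passwd, UTF-8, then base64 for SMTP.
    raw = "\0".join((authzid, authcid, passwd)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

class ToyServer:
    """Hypothetical AUTH PLAIN endpoint; accepts_ir=False rejects an initial response."""
    def __init__(self, user, passwd, accepts_ir=True):
        self.creds, self.accepts_ir, self.waiting = [user, passwd], accepts_ir, False

    def _check(self, b64):
        try:
            parts = base64.b64decode(b64, validate=True).decode("utf-8").split("\0")
        except ValueError:  # covers bad base64 and bad UTF-8
            return "501 5.5.2 Cannot decode response"
        if len(parts) == 3 and parts[1:] == self.creds:
            return "235 2.7.0 Authentication successful"
        return "535 5.7.8 Authentication credentials invalid"

    def handle(self, line):
        if self.waiting:                  # this line answers our 334 challenge
            self.waiting = False
            return self._check(line)
        words = line.split(" ")
        if words[:2] != ["AUTH", "PLAIN"] or len(words) > 3:
            return "500 syntax error"
        if len(words) == 2:               # bare AUTH PLAIN: send an empty challenge
            self.waiting = True
            return "334 "
        return self._check(words[2]) if self.accepts_ir else "500 syntax error"

def authenticate(server, user, passwd, initial_response=True):
    """Return the [(client line, server reply), ...] transcript of one AUTH attempt."""
    token = plain_message(user, passwd)
    first = f"AUTH PLAIN {token}" if initial_response else "AUTH PLAIN"
    transcript = [(first, server.handle(first))]
    if transcript[-1][1].startswith("334"):   # server asked for the response separately
        transcript.append((token, server.handle(token)))
    return transcript

if __name__ == "__main__":
    # Constructed credentials; compare both client forms against the strict server.
    for ir in (True, False):
        for c, s in authenticate(ToyServer("user", "pass", accepts_ir=False), "user", "pass", ir):
            print("C:", c, "\nS:", s)
```
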


