
List:       pine-info
Subject:    re: smth authentication
From:       Mark Crispin <MRC () CAC ! Washington ! EDU>
Date:       2002-03-19 18:45:40

I have analyzed the SMTP authentication problem between Pine and Yahoo.

The problem is a bug in Yahoo's SMTP server.  In its implementation of the
PLAIN authentication mechanism, it sends a bogus "334 ok, go on" response
to the AUTH PLAIN command:

S:	220 smtp016.mail.yahoo.com ESMTP
C:	ehlo tomobiki-cho.cac.washington.edu
S:	250-smtp016.mail.yahoo.com
S:	250-AUTH=LOGIN PLAIN
S:	250-PIPELINING
S:	250 8BITMIME
C:	auth plain
S:	334 ok, go on			<== this is bogus!!!

The correct response is "334 ".  What follows after the 334 and a space is
a server challenge, represented in BASE64 according to the SASL
specification (RFC 2222) and the SMTP service specification for
authentication (RFC 2554).  Pine is unable to interpret "ok, go on" as any
sort of valid SASL challenge, and aborts the authentication.

The "security problem" warning is a separate issue.  It is merely a
diagnostic, and is neither the cause nor a symptom of your inability to
authenticate.  RFC 2595, the specification for the PLAIN SASL mechanism,
requires that PLAIN may only be offered in an SSL or TLS-secured session.
Yahoo's SMTP server does not offer SSL/TLS security, therefore it should
not offer PLAIN.  Nor should it offer LOGIN, for that matter; however,
LOGIN is a non-standard SASL mechanism and thus is not under the same
restriction.

The important thing though is that that "security problem" message is just
a warning message, and isn't actually a cause of the problem.

Yahoo appears to be running a qmail-based SMTP server.  Someone should
report these bugs to the maintainers of qmail:
 1) bogus "ok, go on" in the 334 challenge.
 2) offering PLAIN without TLS support
It won't be me.

-- Mark --

http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
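Added example, not part of Mark's message or of Pine: a small Python check that applies the two rules he cites, RFC 2554 (a 334 continuation carries only BASE64 text after the space, so "ok, go on" must abort the exchange) and RFC 2595 (PLAIN may only be offered under SSL/TLS). The EHLO lines are reconstructed from the transcript above; the function names are my own.

```python
import base64
import binascii
import re

# Constructed from the transcript quoted in the message (not a live capture).
YAHOO_EHLO = [
    "250-smtp016.mail.yahoo.com",
    "250-AUTH=LOGIN PLAIN",
    "250-PIPELINING",
    "250 8BITMIME",
]

def parse_334_challenge(line: str) -> bytes:
    """Decode an SMTP AUTH continuation as RFC 2554 describes it.

    The server challenge is the line '334 ' followed by BASE64 text.  An empty
    challenge ('334 ' alone) is what PLAIN normally gets.  Text that is not
    BASE64 is a protocol violation and the client should abort, which is
    exactly what Pine does with Yahoo's 'ok, go on'.
    """
    if not line.startswith("334 "):
        raise ValueError(f"not a 334 continuation: {line!r}")
    payload = line[4:].rstrip("\r\n")
    if payload == "":
        return b""
    # validate=True rejects any character outside the BASE64 alphabet
    try:
        return base64.b64decode(payload, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"334 text is not BASE64: {payload!r}") from exc

def advertised_mechanisms(ehlo_lines):
    """Collect SASL mechanisms from EHLO output ('AUTH ' and the older 'AUTH=' form)."""
    mechs = set()
    for ln in ehlo_lines:
        m = re.match(r"250[- ]AUTH[ =](.+)$", ln)
        if m:
            mechs.update(m.group(1).split())
    return mechs

def plain_security_problem(ehlo_lines, session_secured: bool) -> bool:
    """True when PLAIN is offered without SSL/TLS: the RFC 2595 violation behind Pine's warning."""
    return "PLAIN" in advertised_mechanisms(ehlo_lines) and not session_secured
```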
