ssmtp is broken


Post by Jonathan d » Fri, 03 Dec 2004 13:42:37


MC> After "AUTH LOGIN", your client sent "Y2dhOTk5OQ==" as a SASL initial
MC> response. It should not have sent any initial response for the LOGIN
MC> mechanism. Instead, it should have sent just AUTH LOGIN, and gotten
MC> an initial challenge (for the user name) from the SMTP server ("334
MC> VXNlciBOYW1lAA=="). It then would send the response, get the
MC> challenge for the password, and then send the password.

The "LOGIN" SASL mechanism isn't strictly specified, of course. But
this mechanism is widely understood. A sensible client implementation
strategy would be to respond with the user name to every "Username:"
(VXNlciBOYW1lAA) challenge and respond with the password to every
"Password:" (UGFzc3dvcmQA) challenge, akin to the operation of a "login
chat script" for the "uucico" command. In contrast, "ssmtp" doesn't
even check what the challenges _are_. It blindly sends the username and
password, once each, in a fixed order.

To be honest, having seen "ssmtp", I'd recommend using something else
instead for the task that it purports to do, such as "mini-qmail" with
"qmail-smtpc" replacing "qmail-queue"
(<URL: http://www.yqcomputer.com/ ./qmail/smtpc.html>), or an ordinary MTS
configured to send everything to a mailhub
(<URL: http://www.yqcomputer.com/ #null-client>,
<URL: http://www.yqcomputer.com/ ./postconf.5.html#relayhost>),
or "serialmail" (<URL: http://www.yqcomputer.com/ ;),
or "nullmailer" (<URL: http://www.yqcomputer.com/ ./nullmailer/>).
 
 
 


Post by Mark Crisp » Fri, 03 Dec 2004 14:32:31


Not necessarily. You don't seem to understand it fully.


Such a "sensible" client would be broken, because the correct user name
challenge (as defined by me when I created the LOGIN SASL mechanism) is
"User Name" and the password challenge is "Password".

Since Microsoft picked the wrong challenges in their implementation, I
agreed that clients should accept other challenges rather than try to get
Microsoft to fix their code. But that does not mean that implementations
should require the broken Microsoft challenges; rather, they should be
promiscuous on the challenge.

As such, ssmtp's behavior in this respect is correct.

-- Mark --

http://www.yqcomputer.com/
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.
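
The AUTH LOGIN exchange discussed in this thread, as an added example (not part of either post and not ssmtp's code): a client that sends a bare AUTH LOGIN with no initial response, then answers the first 334 challenge with the user name and the second with the password, whatever the challenge text says. The credentials, the 235/535 reply text and the function names are constructed for illustration.

```python
import base64

def b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()

def decode_challenge(reply: str) -> str:
    """Return the prompt carried by a '334 <base64>' server reply."""
    code, _, payload = reply.partition(" ")
    if code != "334":
        raise ValueError(f"expected a 334 challenge, got {reply!r}")
    # Some servers include a trailing NUL in the encoded prompt; strip it.
    return base64.b64decode(payload).rstrip(b"\0").decode("ascii", "replace")

def auth_login(server_replies, user, password):
    """Client side of AUTH LOGIN. Returns (lines sent, prompts seen, success)."""
    sent = ["AUTH LOGIN"]              # no initial response for LOGIN
    prompts = []
    answers = iter([user, password])   # fixed order, independent of prompt text
    for reply in server_replies:
        if not reply.startswith("334 "):
            return sent, prompts, reply.startswith("235")
        prompts.append(decode_challenge(reply))   # decoded for logging only
        answer = next(answers, None)
        if answer is None:             # unexpected third challenge: cancel AUTH
            sent.append("*")
            return sent, prompts, False
        sent.append(b64(answer))       # base64 is an encoding, not encryption
    return sent, prompts, False

# Constructed transcripts. The first uses the challenge strings quoted in the
# thread; the second encodes the "Username:" / "Password:" spelling.
QUOTED = ["334 VXNlciBOYW1lAA==", "334 UGFzc3dvcmQA", "235 2.7.0 ok"]
VARIANT = ["334 " + b64("Username:"), "334 " + b64("Password:"), "235 2.7.0 ok"]
REJECTED = QUOTED[:2] + ["535 5.7.8 authentication failed"]

if __name__ == "__main__":
    for name, replies in (("quoted", QUOTED), ("variant", VARIANT),
                          ("rejected", REJECTED)):
        sent, prompts, ok = auth_login(replies, "alice", "s3cret")
        print(name, prompts, sent, "OK" if ok else "FAILED")
```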