On 1/6/20 2:37 AM, Tom Hans wrote:
> Hello there,
> I have a tricky issue and cannot find any solution for it.
> The issue looks like the following:
> I have a postfix server which relays all emails to another mail server.
> The postfix server has to use AUTH PLAIN for authorization, TLS is
> enforced for security.
> Therefore I configured postfix with cyrus sasl.
> I can see that my configuration is working and cyrus generates the
> correct base64 string for authorization and postfix uses this too by
> sending the following line:
> AUTH PLAIN AG5zc0RTaFRYL2krc25jdjA=
> The receiving server responds with: 500 syntax error
> Because of this I tested the communication manually using openssl and
> I was able to find the main issue, the receiving server needs to have
> the following dialog (C: Postfix, S: receiving instance):
> C: AUTH PLAIN
> S: 334
> C: AG5zc0RTaFRYL2krc25jdjA=

First off, the receiving SMTP server is buggy if it doesn't support the
initial response after the SASL mechanism name, per RFC 4954.

> Is it possible to use this longer syntax by doing some changes in cyrus?

It is up to the client application (Postfix) to determine whether
the protocol (SMTP) and/or the SASL mechanism (PLAIN) supports an
initial client response and call sasl_client_start() with the
appropriate clientout parameter. For this buggy SMTP server, Postfix
should either use a NULL value for clientout, or NOT send the generated
value with the AUTH command and wait for an empty server challenge.
The bottom line is that Cyrus SASL knows nothing about the application
protocol and simply does what the application asks it to do.
--
Ken Murchison
Cyrus Development Team
Fastmail US LLC
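
The two AUTH PLAIN exchanges discussed in this thread, as an added example that is not part of either message and is not Postfix or Cyrus SASL code. `ToyServer`, the credentials and the 235/535 reply texts are constructed for illustration; the point is that the client decides whether the token travels with the AUTH command or after an empty 334 challenge.

```python
import base64, hmac

def plain_token(authcid, passwd, authzid=""):
    """RFC 4616 PLAIN message (authzid NUL authcid NUL passwd), base64 for SMTP."""
    raw = "\0".join((authzid, authcid, passwd)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

class ToyServer:
    """Constructed stand-in for the receiving server (hypothetical, not real server code)."""
    def __init__(self, accepts_initial_response, expected_token):
        self.accepts_ir = accepts_initial_response
        self.expected = expected_token
        self.awaiting_token = False

    def handle(self, line):
        if self.awaiting_token:  # this line answers our empty 334 challenge
            self.awaiting_token = False
            return self._check(line)
        parts = line.split(" ")
        if parts[:2] != ["AUTH", "PLAIN"] or len(parts) > 3:
            return "500 syntax error"
        if len(parts) == 3:  # initial response sent with the AUTH command
            return self._check(parts[2]) if self.accepts_ir else "500 syntax error"
        self.awaiting_token = True
        return "334 "  # empty server challenge

    def _check(self, token):
        ok = hmac.compare_digest(token.encode(), self.expected.encode())
        return "235 authentication successful" if ok else "535 authentication failed"

def authenticate(server, token, send_initial_response):
    """Client side: run one of the two dialogs and return the (who, line) transcript."""
    log = []
    def exchange(line):
        log.append(("C", line))
        log.append(("S", server.handle(line)))
        return log[-1][1]
    if send_initial_response:
        exchange("AUTH PLAIN " + token)
    elif exchange("AUTH PLAIN").startswith("334"):
        exchange(token)  # token sent only after the empty challenge
    return log

if __name__ == "__main__":
    tok = plain_token("relayuser", "example-password")  # constructed credentials
    for ir in (True, False):  # server without initial-response support, both client forms
        for who, line in authenticate(ToyServer(False, tok), tok, ir):
            print(f"{who}: {line}")
```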