Hi,
In RFC 2554 (SMTP Service Extension for Authentication), the AUTH command
section mentions that "the client should send EHLO command after successful SASL
negotiation which results in the negotiation of a security layer."
Questions:
1. The client should give EHLO if it wants extended SMTP service; then the server
gives "250-..." as a reply; after that the client will give one auth
mechanism and the conversation goes depending on the authentication method.
Why does the client need to give EHLO as the first command after SASL negotiation?
Two reasons:
(1) Because the available options may have changed as a result of entering
an authenticated state. A server may restrict access to some facilities
to users that have authenticated, and implement this by only displaying
the options when they are available.
(2) Because SASL negotiation can result in an integrity layer being
introduced. If someone is tampering with the connection they could have
removed something from the list prior to integrity checking but cannot
do so after it is in place, so getting the list of options again avoids
certain kinds of attacks.
2. If it is supposed to give EHLO after successful SASL negotiation,
how does the server differentiate whether that command is before SASL negotiation
or after negotiation?
Because the server retains state and knows whether SASL negotiation has
occurred and whether or not it has been successful.
3. In the authentication protocol exchange the server challenge, known as the ready
response, is a 334 reply with the text part containing a Base64 encoded
string; the client answer consists of a Base64 encoded string.
What is this string?
The response to the challenge.
How does the client validate that string?
How the string is validated is specific to the SASL mechanism being used
and to the implementation of that mechanism.
4. When exactly should CRAM or some other auth mechanism start?
I believe CRAM starts with the client AUTH command, which includes the
client nonce.
Ned
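The exchange the questions above ask about, worked through as an added Python example (not code from this thread, from Ned, or from the RFCs): a toy server that tracks whether SASL negotiation has succeeded, issues the base64 334 challenge for CRAM-MD5, verifies the client's base64 answer per RFC 2195, and advertises a different EHLO capability list once the session is authenticated, which is why the second EHLO matters. The hostnames, the "alice" credentials and the choice of SIZE as an authenticated-only facility are constructed for the example; the "tim"/"tanstaaftanstaaf" credentials and challenge text are RFC 2195's own worked example. CRAM-MD5 negotiates no integrity layer, so Ned's second reason (re-reading the list under integrity protection) is not modelled here, only the state-dependent capability list.

```python
import base64
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

# Constructed credential store for this example. "tim"/"tanstaaftanstaaf" are the
# worked-example credentials from RFC 2195; "alice" is made up here.
USERS = {"tim": "tanstaaftanstaaf", "alice": "example-pass"}


def cram_md5_response(username: str, password: str, challenge_b64: str) -> str:
    """Client side of CRAM-MD5 (RFC 2195). The text after '334 ' is the base64
    server challenge; the answer is base64("<user> <hex HMAC-MD5(secret, challenge)>")."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()


def verify_cram_md5(response_b64: str, challenge_b64: str) -> Optional[str]:
    """Server side: recompute the HMAC from the stored secret of the named user and
    compare in constant time. Returns the username on success, otherwise None."""
    try:
        user, digest = base64.b64decode(response_b64, validate=True).decode().split(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed answer: not base64, not text, or no "user digest" split
    password = USERS.get(user)
    if password is None:
        return None
    challenge = base64.b64decode(challenge_b64)
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return user if hmac.compare_digest(expected, digest) else None


class SmtpAuthServer:
    """Minimal SMTP AUTH state machine. The server, not the client, knows whether
    the EHLO it sees comes before or after a successful SASL negotiation."""

    HOST = "mail.example.invalid"  # constructed hostname

    def __init__(self) -> None:
        self.authenticated_as: Optional[str] = None
        self.pending_challenge: Optional[str] = None  # set while awaiting the 334 answer

    def capabilities(self) -> List[str]:
        if self.authenticated_as is None:
            return ["AUTH CRAM-MD5", "8BITMIME"]
        # Illustration of Ned's reason (1): a facility shown only to authenticated
        # users (SIZE chosen arbitrarily), and AUTH no longer offered.
        return ["8BITMIME", "SIZE 52428800"]

    def handle(self, line: str) -> str:
        if self.pending_challenge is not None:
            challenge, self.pending_challenge = self.pending_challenge, None
            if line == "*":
                return "501 Authentication cancelled"
            user = verify_cram_md5(line, challenge)
            if user is None:
                return "535 Authentication credentials invalid"
            self.authenticated_as = user
            return "235 Authentication successful"
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            lines = [f"250-{self.HOST}"] + [f"250-{c}" for c in self.capabilities()]
            lines[-1] = "250 " + lines[-1][4:]  # last line uses "250 " not "250-"
            return "\r\n".join(lines)
        if verb == "AUTH":
            if self.authenticated_as is not None:
                return "503 Already authenticated"
            if arg.upper() != "CRAM-MD5":
                return "504 Unrecognized authentication type"
            # Fresh unpredictable nonce per challenge, in the usual <random.host> form.
            nonce = f"<{secrets.token_hex(8)}.{self.HOST}>".encode()
            self.pending_challenge = base64.b64encode(nonce).decode()
            return "334 " + self.pending_challenge
        return "502 Command not implemented"


def run_exchange(username: str, password: str) -> List[Tuple[str, str]]:
    """Scripted client: EHLO, AUTH CRAM-MD5, answer the 334, then EHLO again.
    Returns the (command, reply) transcript."""
    server = SmtpAuthServer()
    transcript: List[Tuple[str, str]] = []

    def send(cmd: str) -> str:
        reply = server.handle(cmd)
        transcript.append((cmd, reply))
        return reply

    send("EHLO client.example.invalid")
    reply = send("AUTH CRAM-MD5")
    if reply.startswith("334 "):
        send(cram_md5_response(username, password, reply[4:]))
    send("EHLO client.example.invalid")
    return transcript


if __name__ == "__main__":
    for cmd, reply in run_exchange("alice", "example-pass"):
        print("C:", cmd)
        for part in reply.split("\r\n"):
            print("S:", part)
```

Running the block prints the four-step conversation; the first EHLO reply lists AUTH CRAM-MD5 and the second, issued after the 235, lists SIZE instead, so a client that skipped the second EHLO would be working from a stale capability list.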