ietf-smtp

Re: Need clarification in SMTP RFC 2554

2001-06-26 07:44:18

Hi,

In RFC 2554 (SMTP Service Extension for Authentication), the AUTH command
section says that "the client should send an EHLO command after a successful SASL
negotiation which results in the negotiation of a security layer."

Questions:
1. The client should give EHLO if it wants extended SMTP service; then the server
    gives "250-..." as a reply; after that the client gives one auth
    mechanism and the conversation goes on depending on the authentication method.
    Why does the client need to give EHLO as the first command after SASL negotiation?

Two reasons:

(1) Because the available options may have changed as a result of entering
    an authenticated state. A server may restrict access to some facilities
    to users that have authenticated, and implement this by only displaying
    the options when they are available.

(2) Because SASL negotiation can result in an integrity layer being
    introduced. If someone is tampering with the connection they could have
    removed something from the list prior to integrity checking but cannot
    do so after it is in place, so getting the list of options again avoids
    certain kinds of attacks.

2. If it is supposed to give EHLO after a successful SASL negotiation,
   how does the server differentiate whether that command is before the SASL negotiation
   or after the negotiation?

Because the server retains state and knows whether SASL negotiation has
occurred and whether or not it has been successful.

3. In the authentication protocol exchange, the server challenge, known as the ready
   response, is a 334 reply with the text part containing a Base64 encoded
   string. The client answer consists of a Base64 encoded string.
   What is this string?

The response to the challenge.

    How does the client validate that string?

How the string is validated is specific to the SASL mechanism being used
and to the implementation of that mechanism.

4. When exactly should CRAM or some other auth mechanism start?

I believe CRAM starts with the client AUTH command, which includes the
client nonce.

                                Ned
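The following is an added example, not code from the original thread or from any of its participants. It simulates the EHLO / AUTH part of an SMTP session with CRAM-MD5 (RFC 2195) as the SASL mechanism: the server keeps the state that answer 2 refers to, so the EHLO issued after authentication returns a different capability list (answer 1, reason 1), and the 334 challenge and the client's Base64 response of question 3 are built and validated the way RFC 2195 specifies, with the challenge originating in the server's 334 reply and the response being the username plus the hex HMAC-MD5 of the password over that challenge. The host name, client name, user and password are constructed for the demo; the integrity layer of reason 2 is not modelled.

```python
import base64
import hashlib
import hmac
import secrets
import time

HOST = "mail.example"          # hypothetical server name
# Constructed credential store for the demo (hypothetical user and password).
USERS = {"alice": b"correct horse battery staple"}


def cram_md5_challenge(host=HOST):
    """Server side: RFC 2195 challenge of the form '<random.timestamp@host>'."""
    return f"<{secrets.randbelow(10**9)}.{int(time.time())}@{host}>".encode()


def cram_md5_response(username, password, challenge):
    """Client side: 'username HEX(HMAC-MD5(password, challenge))', not yet Base64."""
    digest = hmac.new(password, challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}".encode()


class SmtpAuthServer:
    """Minimal server state for EHLO and AUTH; it remembers whether SASL succeeded."""

    def __init__(self):
        self.authenticated = None      # username after a successful AUTH
        self.pending_challenge = None  # outstanding CRAM-MD5 challenge, if any

    def ehlo(self, client_name):
        # The capability list depends on server state, which is why the client
        # must re-issue EHLO after authenticating to learn what is now available.
        caps = [f"250-{HOST} greets {client_name}", "250-8BITMIME"]
        if self.authenticated is None:
            caps.append("250-AUTH CRAM-MD5")
        else:
            caps.append("250-DSN")   # a facility restricted to authenticated users
        caps.append("250 ENHANCEDSTATUSCODES")
        return caps

    def auth(self, mechanism):
        if self.authenticated is not None:
            return ["503 Already authenticated"]
        if mechanism.upper() != "CRAM-MD5":
            return ["504 Unrecognized authentication type"]
        self.pending_challenge = cram_md5_challenge()
        return ["334 " + base64.b64encode(self.pending_challenge).decode()]

    def auth_response(self, line):
        challenge, self.pending_challenge = self.pending_challenge, None
        if challenge is None:
            return ["503 No AUTH exchange in progress"]
        if line == "*":                       # RFC 2554: client cancels the exchange
            return ["501 Authentication cancelled"]
        try:
            username, digest = base64.b64decode(line, validate=True).decode().split(" ", 1)
        except ValueError:                    # bad Base64, bad UTF-8, or no space
            return ["501 Invalid base64 data"]
        password = USERS.get(username)
        expected = hmac.new(password or b"", challenge, hashlib.md5).hexdigest()
        # Constant-time compare; an unknown user gets the same reply as a bad password.
        if password is None or not hmac.compare_digest(expected, digest):
            return ["535 Authentication credentials invalid"]
        self.authenticated = username
        return ["235 Authentication successful"]


def run_dialogue(username, password):
    """Drive one client/server exchange; return the transcript, the capability
    lists before and after AUTH (after is None on failure), and the AUTH outcome."""
    server = SmtpAuthServer()
    transcript = []

    def step(client_line, replies):
        transcript.append("C: " + client_line)
        transcript.extend("S: " + r for r in replies)
        return replies

    caps_before = step("EHLO client.example", server.ehlo("client.example"))
    challenge_reply = step("AUTH CRAM-MD5", server.auth("CRAM-MD5"))
    challenge = base64.b64decode(challenge_reply[0].split(" ", 1)[1])
    answer = base64.b64encode(cram_md5_response(username, password, challenge)).decode()
    outcome = step(answer, server.auth_response(answer))
    caps_after = None
    if outcome[0].startswith("235"):
        caps_after = step("EHLO client.example", server.ehlo("client.example"))
    return transcript, caps_before, caps_after, outcome[0]


if __name__ == "__main__":
    for line in run_dialogue("alice", USERS["alice"])[0]:
        print(line)
```

Running the block prints the full dialogue; the second EHLO shows AUTH gone and DSN advertised, which is the state-dependent capability change the reply above describes.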
