Open rlebeau opened 6 years ago
I added pull request #530 to handle this bug.
I did not check anything else, because I do not have a server to test for anything else than SMTP. So I only tested with SMTP. That's why I only checked for a specific response instead of trying to integrate it in the following code, which should be possible too.
`TIdDICT`, `TIdIMAP4`, `TIdPOP3` and `TIdSMTP` implement SASL authentication. It is currently unknown how the following issue affects `TIdDICT`, if at all. `TIdIMAP4` uses SASL's Initial-Response only if the server advertises the IMAP `SASL-IR` capability. No issue there. POP3 and SMTP are affected by the same issue. POP3 and SMTP servers have no way to advertise their support for Initial-Response. `TIdPOP3` gets around this by simply disabling use of Initial-Response altogether. But `TIdSMTP` currently enables Initial-Response unconditionally, which causes a problem.

When `TIdSMTP.AuthType` is set to `satSASL` (the issue does not affect `satDefault`), and `TIdSASLLogin` is enabled in the `TIdSMTP.SASLMechanisms` collection, `TIdSMTP` sends an `AUTH LOGIN` command where the username is passed in Initial-Response, like this:

`AUTH LOGIN usernameInBase64`

Not all SMTP servers support Initial-Response, though. If such a server replies with a username prompt instead of a password prompt, eg:

`334 VXNlcm5hbWU6`

(`"Username:"` in base64) `TIdSMTP` then sends the password instead of the username, and then the server replies with a password prompt (if not a failure due to an unknown username):

`334 UGFzc3dvcmQ6`

(`"Password:"` in base64) `TIdSMTP` then sends the password again, and authentication usually fails.

Many 3rd party SMTP clients do not use Initial-Response, mainly because there is currently no defined way for an SMTP server to advertise its support for Initial-Response. However, Initial-Response is formally defined as part of RFCs 2554 and 4954, "SMTP Service Extension for Authentication", and many SMTP servers do support Initial-Response.
Indy SASL components that currently implement Initial-Response, and thus are potentially affected by this issue, are:
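An added example, not part of this issue or of Indy's code, that models the `AUTH LOGIN` exchange described above in Python: a constructed server with and without Initial-Response support, and a client that always sends the username as Initial-Response, run with and without the check for the specific `Username:` prompt that the fix described above relies on. The server class, credentials and client logic are assumptions made for illustration.

```python
import base64

def b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()

USERNAME_PROMPT = "334 " + b64("Username:")  # 334 VXNlcm5hbWU6
PASSWORD_PROMPT = "334 " + b64("Password:")  # 334 UGFzc3dvcmQ6

class LoginServer:
    """Constructed model of an SMTP server's AUTH LOGIN state machine (not Indy code).
    With supports_ir=False the server ignores the initial response and prompts for
    the username first, which is the server behaviour the issue describes."""
    def __init__(self, user, password, supports_ir):
        self.user, self.password, self.supports_ir = user, password, supports_ir
        self.state, self.got_user = "start", None

    def handle(self, line):
        if self.state == "start":
            parts = line.split(" ")
            if len(parts) == 3 and self.supports_ir:  # AUTH LOGIN <initial-response>
                self.got_user, self.state = base64.b64decode(parts[2]).decode(), "pass"
                return PASSWORD_PROMPT
            self.state = "user"
            return USERNAME_PROMPT
        if self.state == "user":
            self.got_user, self.state = base64.b64decode(line).decode(), "pass"
            return PASSWORD_PROMPT
        self.state = "done"
        ok = (self.got_user, base64.b64decode(line).decode()) == (self.user, self.password)
        return "235 2.7.0 Authentication successful" if ok else "535 5.7.8 Authentication credentials invalid"

def auth_login_with_ir(server, user, password, check_username_prompt):
    """Client that always passes the username as Initial-Response.
    check_username_prompt=False reproduces the bug; True applies the fix of recognising
    the specific "Username:" prompt and answering it with the username."""
    transcript = []  # (client line, server reply) pairs, for inspection
    def send(line):
        reply = server.handle(line)
        transcript.append((line, reply))
        return reply
    reply = send("AUTH LOGIN " + b64(user))
    if check_username_prompt and reply == USERNAME_PROMPT:
        reply = send(b64(user))  # server ignored the IR: supply the username again
    while reply.startswith("334"):  # every remaining prompt is answered with the password
        reply = send(b64(password))
    return reply.startswith("235"), transcript
```

With `check_username_prompt=False` against a server lacking Initial-Response support, the transcript shows the password being sent twice and a `535` reply, exactly the sequence the issue describes.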