jetmore / swaks

Swaks - Swiss Army Knife for SMTP
http://jetmore.org/john/code/swaks/
GNU General Public License v2.0

Add support for the optional <initial-response> argument to the AUTH LOGIN command #94

Closed usonianhorizon closed 4 months ago

usonianhorizon commented 4 months ago

According to RFC-4954 (and RFC-2554 before that), the AUTH LOGIN command has an optional <initial-response> argument:

AUTH mechanism [initial-response]

      Arguments:
...
          initial-response: An optional initial client response.
...
          The optional initial response argument to the AUTH command is
          used to save a round-trip when using authentication mechanisms
          that support an initial client response.  

When supplied, the SMTP server need not reply with a 334 VXNlcm5hbWU6 but proceed directly with a request for password 334 UGFzc3dvcmQ6.

I'd like to request an option be added to SWAKS to use this form of AUTH LOGIN when interacting with SMTP servers.

I have used the recipes at SMTP 101: Manual SMTP Sessions Section 3: TLS to create an expect script to test this version of AUTH LOGIN:

#!/usr/bin/env expect

spawn openssl s_client -connect <smtp_server-fqdn>:587 -crlf -quiet -starttls smtp

expect "250 HELP\r"
send "EHLO <client-name>\r"
expect "250 HELP\r"
send "AUTH LOGIN <base64enc-username>\r"
expect "334 UGFzc3dvcmQ6\r"
send "<base64enc-passwd>\r"
expect "235 2.0.0 Authentication succeeded\r"

which is run after initiating the communications and issuing the STARTTLS command in order to get the SMTP server to switch to TLS:

$ telnet <smtp_server-fqdn> 587
Trying <smtp_server-IP>...
Connected to <smtp_server-fqdn>.
Escape character is '^]'.
220 <smtp_server-fqdn> ESMTP OpenSMTPD
EHLO <client-name>
250-<smtp_server-fqdn> Hello <client-name> [<client-IP>]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH LOGIN PLAIN
250-CHUNKING
250-STARTTLS
250 HELP
STARTTLS
220 TLS go ahead
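
The two AUTH LOGIN forms described in the request above, as an added example that is not part of the original issue and is not swaks code. `LoginServer`, `login` and the credential table passed to the server are hypothetical names and constructed data; the 334 prompts and the 235 reply are the ones quoted in the issue, and the 501 and 535 replies follow RFC 4954.

```python
import base64

def b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()

class LoginServer:
    """Server side of AUTH LOGIN for one connection, accepting both forms."""
    def __init__(self, users: dict):
        self.users = users            # constructed credential table
        self.state, self.user = "idle", None

    def handle(self, line: str) -> str:
        if self.state == "idle":
            parts = line.split()
            if not 2 <= len(parts) <= 3 or [p.upper() for p in parts[:2]] != ["AUTH", "LOGIN"]:
                return "501 5.5.4 Syntax error"
            self.state = "user"
            if len(parts) == 2:       # classic form: prompt for the username
                return "334 " + b64("Username:")
            line = parts[2]           # initial-response: username arrived with AUTH
        try:
            value = base64.b64decode(line, validate=True).decode()
        except ValueError:            # bad base64 or bad UTF-8; also the "*" cancel line
            self.state = "idle"
            return "501 5.5.2 Cannot decode response"
        if self.state == "user":
            self.user, self.state = value, "pass"
            return "334 " + b64("Password:")
        self.state = "idle"
        if self.users.get(self.user) == value:
            return "235 2.0.0 Authentication succeeded"
        return "535 5.7.8 Authentication credentials invalid"

def login(server, user, password, initial_response):
    """Run one AUTH LOGIN exchange; return the transcript as (side, line) pairs."""
    log = []
    def send(line):
        log.extend([("C", line), ("S", server.handle(line))])
        return log[-1][1]
    if initial_response:
        reply = send("AUTH LOGIN " + b64(user))
    else:
        reply = send("AUTH LOGIN")
        if reply.startswith("334"):
            reply = send(b64(user))
    if reply.startswith("334"):
        send(b64(password))
    return log
```

With the initial response the transcript has four lines instead of six, because the server skips the `334 VXNlcm5hbWU6` prompt.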

jetmore commented 4 months ago

@usonianhorizon try this version: https://raw.githubusercontent.com/jetmore/swaks/94-support-login-initial-response/swaks

You would use it the same as you have been, except you specify the auth type LOGIN-INITIAL (--auth LOGIN-INITIAL). Let me know if this works as expected and I'll merge it for the next release.

usonianhorizon commented 4 months ago

This version worked like a charm!

Transcript enclosed.

swaks-initial-response.log

Regards.

jetmore commented 4 months ago

Great, I'll merge it and it will be in the next release. In the meantime you can keep using that dev version.