AUTH method LOGIN for smtplib

[8a54bb72-6b25-473e-a449-295c9db8c6ab]

BPO	572031
Nosy	@loewis, @warsaw
Files	smtp_auth_login.dif smtp_auth_login2.dif: Updated patch to better cope with old-style auth advertisement smtp_auth_login3.dif: Corrected patch auth_login_py22backport.dif

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields: ```python assignee = 'https://github.com/warsaw' closed_at = created_at = labels = ['library'] title = 'AUTH method LOGIN for smtplib' updated_at = user = 'https://bugs.python.org/ghaering' ``` bugs.python.org fields: ```python activity = actor = 'ghaering' assignee = 'barry' closed = True closed_date = None closer = None components = ['Library (Lib)'] creation = creator = 'ghaering' dependencies = [] files = ['4361', '4362', '4363', '4364'] hgrepos = [] issue_num = 572031 keywords = ['patch'] message_count = 16.0 messages = ['40365', '40366', '40367', '40368', '40369', '40370', '40371', '40372', '40373', '40374', '40375', '40376', '40377', '40378', '40379', '40380'] nosy_count = 4.0 nosy_names = ['loewis', 'barry', 'ghaering', 'jasonrm'] pr_nums = [] priority = 'normal' resolution = 'accepted' stage = None status = 'closed' superseder = None type = None url = 'https://bugs.python.org/issue572031' versions = ['Python 2.3'] ```

[8a54bb72-6b25-473e-a449-295c9db8c6ab]

Unfortunately, my original SMTP auth patch doesn't work so well in real life. There are two methods to advertise the available auth methods for SMTP servers:

old-style: AUTH=method1 method2 ... RFC style: AUTH method1 method2

Microsoft's MUAs are b0rken in that they only understand the old-style method. That's why most SMTP servers are configured to advertise their authentication methods in old-style _and_ new style. There are also some especially broken SMTP servers like old M$ Exchange servers that only show their auth methods via the old style.

Also the (sadly but true) very widely used M$ Exchange server only supports the LOGIN auth method (I have to use that thing at work, that's why I came up with this patch). Exchange also supports some other proprietary auth methods (NTLM, ...), but we needn't care about these.

My argument is that the Python SMTP AUTH support will get a lot more useful to people if we also support

1) the old-style AUTH= advertisement 2) the LOGIN auth method, which, although not standardized via RFCs and originally invented by Netscape, is still in wide use, and for some servers the only method to use them, so we should support it

Please note that in the current implementation, if a server uses the old-style AUTH= method, our SMTP auth support simply breaks because of the esmtp_features parsing.

I'm randomly assigning this patch to Barry, because AFAIK he knows a lot about email handling. Assign around as you please :-)

[8a54bb72-6b25-473e-a449-295c9db8c6ab]

Logged In: YES user_id=163326

This also includes a slightly modified version of patch bpo-552605.

Even better would IMO be to add an additional parameter to base64.encode* and the corresponding binascii functions that avoids the insertion of newline characters.

[7ad5497c-9e14-4842-bc9b-09f77a99b855]

Logged In: YES user_id=85984

A comment on the old-style advertisement.

You say that Microsoft's MUAs only understand the old-style method. I haven't found this to be the case.

tmda-ofmipd is an outgoing SMTP proxy that supports SMTP authentication, and I only use the RFC style advertisement. This works perfectly well with MS clients like Outlook 2000, and Outlook Express 5. Below is an example of what the advertisement looks like.

BTW, no disagreement about supporting the old-style advertisement in smtplib, as I think it's prudent, just making a point.

# telnet aguirre 8025 Trying 172.18.3.5... Connected to aguirre.la.mastaler.com. Escape character is '^]'. 220 aguirre.la.mastaler.com ESMTP tmda-ofmipd EHLO aguirre.la.mastaler.com 250-aguirre.la.mastaler.com 250 AUTH LOGIN CRAM-MD5 PLAIN QUIT 221 Bye Connection closed by foreign host.

[61337411-43fc-4a9c-b8d5-4060aede66d0]

Logged In: YES user_id=21627

I cannot understand why the behaviour of MS MUAs is relevant here at all; smtplib only talks to MTAs (or MSAs).

If MTAs advertise the AUTH extension in the new syntax in addition to the old syntax, why is it not good to just ignore the old advertisement? Can you point to a specific software package (ideally even a specific host) which fails to interact with the current smtplib correctly?

[warsaw]

Logged In: YES user_id=12800

Martin, (some? most?) MUAs post messages by talking directly to their outgoing SMTPd, so that's probably why Gerhard mentions it.

On the issue of base64 issue, see the comment in bug bpo-552605, which I just took assignment of. I'll deal with both these bug reports soon.

[61337411-43fc-4a9c-b8d5-4060aede66d0]

Logged In: YES user_id=21627

I still cannot see why support for the old-style AUTH lines is necessary. If all SMTPds announce their supported mechanisms with both syntaxes, why is it then necessary to even look at the old syntax?

I'm all for adding support for the LOGIN method.

[8a54bb72-6b25-473e-a449-295c9db8c6ab]

Logged In: YES user_id=163326

Martin, the reason why we need to take into account both old and RFC-style auth advertisement is that there are some smtp servers, which advertise different auth mechanisms in the old vs. RFC-style line. In particular, the MS Exchange server that I have to use at work and I think that this is even the default configuration of Exchange 2000. In my case, it advertises its LOGIN method only in the AUTH= line.

I'll shortly upload a patch that takes this into account.

[8a54bb72-6b25-473e-a449-295c9db8c6ab]

Logged In: YES user_id=163326

Updated patch. Changes to the previous patch:

• Use email.base64MIME.encode to get rid of the added newlines.
• Merge old and RFC-style auth methods in self.smtp_features instead of parsing old-style auth lines seperately.
• Removed example line for changing auth method priorities (we won't list all permutations of auth methods ;-)
• Removed superfluous logging call of chosen auth method.
• Moved comment about SMTP features syntax into the right place again.

[61337411-43fc-4a9c-b8d5-4060aede66d0]

Logged In: YES user_id=21627

That existing SMTP servers announce LOGIN only in the old-style header is a good reason to support those as well; I hence recommend that this patch is applied.

Microsoft is, strictly speaking, conforming to the RFC by *not* reporting LOGIN in the AUTH header: only registered SASL mechanism can be announced there, and LOGIN is not registered; see

http://www.iana.org/assignments/sasl-mechanisms

[61337411-43fc-4a9c-b8d5-4060aede66d0]

Logged In: YES user_id=21627

In

http://sourceforge.net/tracker/?func=detail&atid=105470&aid=581165&group_id=5470

pierslauder reports success with this patch; see his detailed report for remaining problems.

[8a54bb72-6b25-473e-a449-295c9db8c6ab]

Logged In: YES user_id=163326

Uh-oh. I made a stupid error in the code, sending the username twice. One more lesson I learnt: never use username == password for testing :-/

[8a54bb72-6b25-473e-a449-295c9db8c6ab]

Logged In: YES user_id=163326

Here's a backport for Python 2.2. I did the diff against Python 2.2.1 and hope it still applies to the maintenance line.

Arguments for backporting:

• missing handling of old-style advertisement is a bug because it makes SMTP auth unusable for a wide range of servers
• backporting support for AUTH LOGIN is safe

[61337411-43fc-4a9c-b8d5-4060aede66d0]

Logged In: YES user_id=21627

There is another such patch as bpo-613708.

It would be good to make progress on this patch. Barry, what is stopping this from being integrated?

[warsaw]

Logged In: YES user_id=12800

I've simply not had time to devote to this patch. If you feel so inclined, please take it from me, otherwise I will try to find some time for it soon.

[61337411-43fc-4a9c-b8d5-4060aede66d0]

Logged In: YES user_id=21627

Committed for 2.2 as 1.46.4.5

It appears that Piers Lauder already committed version 2 of the patch as 1.59; I've committed the missing change as 1.63. Please review both committs for correctness.

[8a54bb72-6b25-473e-a449-295c9db8c6ab]

Logged In: YES user_id=163326

They both seem to be ok.