What kind of mail-send authentication: Win-Outlook ?

My dial-up ISP suddenly requires mail-send authentication,
which he expects all Win-Outlook users to set up.

Since I nearly had a nervous breakdown trying to use Outsp00k,
I want to rather patch my mailer [under the Oberon OS].

RFC 2554 & RFC 2595 relate to SMTP Authentication, but
there are apparently several other types.

If I can just know what authentication type Win-Outlook uses,
I'll copy that.

Thanks for any info.


== Chris Glur.

> My dial-up ISP suddenly requires mail-send authentication,

Thank god. I can't believe you were operating with an ISP that did not
require it before.

As for this whole Win bashing kick you're on, this has nothing to do with
Windows. Period.

-Frank

The authentication mechanism is "LOGIN". It appears to be basically the
same as "PLAIN", but the realm seems to be important. If you're using a
CNAME to which to deliver mail, Outlook isn't very happy, or so I'm
guessing.

Firefox/PLAIN works and Outlook/LOGIN does not work in my case. I've
anothre request here for some assistance.



(E-Mail Removed) wrote:
> My dial-up ISP suddenly requires mail-send authentication,
> which he expects all Win-Outlook users to set up.
>
> Since I nearly had a nervous breakdown trying to use Outsp00k,
> I want to rather patch my mailer [under the Oberon OS].
>
> RFC 2554 & RFC 2595 relate to SMTP Authentication, but
> there are apparently several other types.
>
> If I can just know what authentication type Win-Outlook uses,
> I'll copy that.
>
> Thanks for any info.
>
>
> == Chris Glur.
>

On Wed, 15 Mar 2006, Dale J. Chatham wrote:
> The authentication mechanism is "LOGIN". It appears to be basically the same
> as "PLAIN", but the realm seems to be important. If you're using a CNAME to
> which to deliver mail, Outlook isn't very happy, or so I'm guessing.

There is no such thing as a "realm" in the LOGIN SASL authentication
mechanism.

The differences between LOGIN and PLAIN are summarized as:

LOGIN has separate, mandatory, challenges for userid (authorization only)
and password which are sent in separate responses. PLAIN has an optional
challenge; and the authentication userid, authorization userid, and
password are sent in a single response.

As implied above, there is no way to send a separate authentication userid
from the authorization userid in the LOGIN mechanism.

I invented the LOGIN mechanism. The LOGIN mechanism is completely
obsolete and should not be used, except when faced with broken POP3 and
SMTP servers (such as Yahoo's authenticated SMTP server) which do not
implement the PLAIN mechanism correctly.

-- Mark --

http://panda.com/mrc
Democracy is two wolves and a sheep deciding what to eat for lunch.
Liberty is a well-armed sheep contesting the vote.

Mark Crispin wrote:
> On Wed, 15 Mar 2006, Dale J. Chatham wrote:
>
>> The authentication mechanism is "LOGIN". It appears to be basically
>> the same as "PLAIN", but the realm seems to be important. If you're
>> using a CNAME to which to deliver mail, Outlook isn't very happy, or
>> so I'm guessing.
>
>
> There is no such thing as a "realm" in the LOGIN SASL authentication
> mechanism.

I find it odd, since sendmail.org clearly says there are:

http://www.sendmail.org/~ca/email/authrealms.html

Realms and PLAIN/LOGIN
As it can see from the list of possible pwcheck_methods, some of them
support realms for PLAIN/LOGIN while others don't. This requires either
a patch for lib/checkpw.c (applies to 1.5.15, at least integrated since
1.5.20) or the client to add @HOST.DOMAIN to the authid.



>
> The differences between LOGIN and PLAIN are summarized as:
>
> LOGIN has separate, mandatory, challenges for userid (authorization
> only) and password which are sent in separate responses. PLAIN has an
> optional challenge; and the authentication userid, authorization userid,
> and password are sent in a single response.
>
> As implied above, there is no way to send a separate authentication
> userid from the authorization userid in the LOGIN mechanism.
>
> I invented the LOGIN mechanism. The LOGIN mechanism is completely
> obsolete and should not be used, except when faced with broken POP3 and
> SMTP servers (such as Yahoo's authenticated SMTP server) which do not
> implement the PLAIN mechanism correctly.

You may have invented it, but Microsoft has implemented it. *THAT* is
the point, and I've read in a number of places that it has problems with
realms, but I've never found the solution.

Here is what I see in the maillog:

Mar 14 21:31:14 michael sendmail[23074]: k2F3USDT023074: assigned id
Mar 14 21:31:14 michael sendmail[23074]: k2F3USDT023074: ---
250-michael.stxcadware.com Hello elmo.chatham.org [68.187.34.66] (may be
forged), pleased to meet you
Mar 14 21:31:14 michael sendmail[23074]: k2F3USDT023074: ---
250-ENHANCEDSTATUSCODES
Mar 14 21:31:14 michael sendmail[23074]: k2F3USDT023074: --- 250-PIPELINING
Mar 14 21:31:14 michael sendmail[23074]: k2F3USDT023074: --- 250-8BITMIME
Mar 14 21:31:14 michael sendmail[23074]: k2F3USDT023074: --- 250-SIZE
Mar 14 21:31:14 michael sendmail[23074]: k2F3USDT023074: --- 250-DSN
Mar 14 21:31:14 michael sendmail[23074]: k2F3USDT023074: --- 250-ETRN
Mar 14 21:31:14 michael sendmail[23074]: k2F3USDT023074: --- 250-AUTH
DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
Mar 14 21:31:14 michael sendmail[23074]: k2F3USDT023074: --- 250-DELIVERBY
Mar 14 21:31:14 michael sendmail[23074]: k2F3USDT023074: --- 250 HELP
Mar 14 21:31:14 michael sendmail[23074]: k2F3USDT023074: <-- AUTH LOGIN
Mar 14 21:31:14 michael sendmail[23074]: k2F3USDT023074: --- 334 jumble1
Mar 14 21:31:14 michael sendmail[23074]: k2F3USDT023074: --- 334 jumble2
Mar 14 21:31:17 michael sendmail[23074]: k2F3USDT023074: --- 535 5.7.0
authentication failed
Mar 14 21:31:17 michael sendmail[23074]: k2F3USDT023074: AUTH failure
(LOGIN): authentication failure (-13) SASL(-13): authentication failure:
checkpass failed
Mar 14 21:31:17 michael sendmail[23074]: k2F3USDT023074: disconnect level 1

Note that it works fine in pine, mozilla, thunderbird, ... Not outlook.


>
> -- Mark --
>
> http://panda.com/mrc
> Democracy is two wolves and a sheep deciding what to eat for lunch.
> Liberty is a well-armed sheep contesting the vote.

On Thu, 16 Mar 2006, Dale J. Chatham wrote:
>> There is no such thing as a "realm" in the LOGIN SASL authentication
>> mechanism.
>
> I find it odd, since sendmail.org clearly says there are:
> http://www.sendmail.org/~ca/email/authrealms.html
> Realms and PLAIN/LOGIN
> As it can see from the list of possible pwcheck_methods, some of them support
> realms for PLAIN/LOGIN while others don't. This requires either a patch for
> lib/checkpw.c (applies to 1.5.15, at least integrated since 1.5.20) or the
> client to add @HOST.DOMAIN to the authid.

What you missed is that "realm" has as much meaning in the PLAIN and LOGIN
authentication mechanisms as "blurdybloop".

A "@HOST.DOMAIN" in an authorization or authentication identity has
absolutely no semantic meaning to either PLAIN or LOGIN. The "@"
character is just an ordinary character as far as these SASL mechanisms
are concerned.

Now, it may be that some server interprets "@" in an authorization or
authentication id as meaning "delimiter for something that I call a
`realm' that has additional meaning to me." But that doesn't mean that
either LOGIN or PLAIN define such an interpretation.

A server could just as well treat "@" in an authorization or
authentication id as meaning "launch nuclear missiles", "donate $1000 to
the Fund For Homeless Banshees", etc. Or it could be an ordinary
character in the userid just like "a".

> You may have invented it, but Microsoft has implemented it.

Microsoft, being a human enterprise, is not perfect; nor do they define
Internet standards. You may have encountered a bug in their software.

> Note that it works fine in pine, mozilla, thunderbird, ... Not outlook.

Many people consider "breaking Outlook" to be a feature, not a bug. :-)

Levity aside, since Outlook is commercial software, for which Microsoft
was paid a license fee, perhaps it would be better to pose the question to
Microsoft. Microsoft does eventually fix bugs, but sometimes it is
necessary to nag them a bit.

-- Mark --

http://panda.com/mrc
Democracy is two wolves and a sheep deciding what to eat for lunch.
Liberty is a well-armed sheep contesting the vote.