Package home | Report new bug | New search | Development Roadmap Status: Open | Feedback | All | Closed Since Version 1.12.1

Bug #12206 Missing third step of DIGEST-MD5 results in authentication failure
Submitted: 2007-10-09 00:20 UTC
From: petern Assigned: jon
Status: Closed Package: Net_SMTP (version 1.2.10)
PHP Version: 4.3.10 OS: Debian 3.1
Roadmaps: 1.2.11    
Subscription  
Comments Add Comment Add patch


Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know! Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem : 3 + 42 = ?

 
 [2007-10-09 00:20 UTC] petern (Peter Nelson)
Description: ------------ /* We don't use the protocol's third step because SMTP doesn't * allow subsequent authentication, so we just silently ignore * it. */ if (PEAR::isError($error = $this->_put(' '))) { return $error; } This causes problems for servers that expect DIGEST-MD5 authentication to be completed fully. As the relevant RFC 2831 does not state either way whether partial authentication is allowed or if all three steps must be completed, one would (well, I would) assume that all steps should be performed. Actual result: -------------- < 220 localhost ESMTP Postfix > EHLO localhost < 250-localhost < 250-PIPELINING < 250-SIZE 50000000 < 250-ETRN < 250-STARTTLS < 250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5 < 250-AUTH=LOGIN PLAIN DIGEST-MD5 CRAM-MD5 < 250-ENHANCEDSTATUSCODES < 250-8BITMIME < 250 DSN > AUTH DIGEST-MD5 < 334 bm9u....3M= > dXNl....Ng== < 334 cnNw....MA== > < 535 5.7.0 Error: authentication failed: another step is needed in authentication > RSET < 250 2.0.0 Ok > QUIT < 221 2.0.0 Bye

Comments

 [2007-12-10 00:08 UTC] jon (Jon Parise)
Can you suggest a patch that would implement the third step?
 [2008-01-08 22:46 UTC] djbloc (Dj Bloc)
Have a related problem using the Fasthosts SMTP servers in the UK. Regardless of using either: $params["auth"] = TRUE; or $params["auth"] = 'DIGEST-MD5'; Output report from $params["debug"] = "True"; =================================== DEBUG: Recv: 250-smtp-out-68.livemail.co.uk DEBUG: Recv: 250-PIPELINING DEBUG: Recv: 250-SIZE 31457280 DEBUG: Recv: 250-VRFY DEBUG: Recv: 250-ETRN DEBUG: Recv: 250-AUTH LOGIN CRAM-MD5 DIGEST-MD5 PLAIN DEBUG: Recv: 250 8BITMIME DEBUG: Send: AUTH DIGEST-MD5 DEBUG: Recv: 334 bm9uY2U9Ik.....xhb9bWQ1LXNlc3M= DEBUG: Send: dXNlcm5hbWU9.......hidWY9NjU1MzY= DEBUG: Recv: 334 cnNwY........aDlhM2I5MzcyZg== DEBUG: Send: DEBUG: Recv: 501 Error: malformed authentication response DEBUG: Send: RSET DEBUG: Recv: 250 Ok Note: Using $params["auth"] = 'CRAM-MD5'; works as expected.
 [2008-02-11 03:05 UTC] jon (Jon Parise)
I just committed a small change to CVS which may fix the problems detailed here. In short, we were responding to the 334 response using a ' ' (space) instead of '' (empty string). I don't have convenient access to an SMTP server which performs DIGEST-MD5 authentication right now so I would be grateful to anyone who could verify that my change fixes this issue.
 [2008-02-15 05:51 UTC] jon (Jon Parise)
Thank you for your bug report. This issue has been fixed in the latest released version of the package, which you can download at http://pear.php.net/get/Net_SMTP