Opened 2 years ago

Last modified 2 years ago

#5803 enhancement new

Allow fallback from CRAM-MD5 in t.m.smtp

Reported by: philmayers
Owned by:
Priority: normal
Milestone:
Component: mail
Keywords: smtp authentication md5
Cc:
Branch:
Author:
Launchpad Bug:

Description

As documented in this Thunderbird ticket:

https://bugzilla.mozilla.org/show_bug.cgi?id=311657

...some SMTP servers present CRAM-MD5 in the EHLO banner, but cannot successfully complete a CRAM-MD5 authentication for some/all users (perhaps because the relevant secrets are absent server-side).

Twisted will currently fail with these servers; it always tries CRAM-MD5 first, and does not fall back. See:

http://twistedmatrix.com/pipermail/twisted-python/2012-July/025876.html

There are obviously security considerations here - it might be a man-in-the-middle attack.

More generally, there is no way to influence the set and behaviour of auth methods used by the Twisted SMTP code; the ESMTPSender class uses a private method, _registerAuthenticators, to initialise the list from __init__.
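One way to allow the fallback while respecting the man-in-the-middle concern, as an added example that is not part of the ticket or of Twisted's code: fall back from CRAM-MD5 to a cleartext mechanism only when the connection is already protected by TLS. All function names are hypothetical, the EHLO reply is constructed, and `attempt` stands in for the real AUTH exchange.

```python
# Added example: hypothetical helper names, not twisted.mail.smtp API.
CHALLENGE_RESPONSE = ("CRAM-MD5",)  # password never crosses the wire
CLEARTEXT = ("PLAIN", "LOGIN")      # password is sent (base64-encoded) to the peer


def parse_auth(ehlo_lines):
    """Return the set of AUTH mechanisms advertised in EHLO reply lines."""
    mechs = set()
    for line in ehlo_lines:
        # Drop the "250-" / "250 " prefix; also accept the legacy "AUTH=LOGIN" form.
        words = line[4:].replace("=", " ").split()
        if words and words[0].upper() == "AUTH":
            mechs.update(w.upper() for w in words[1:])
    return mechs


def candidates(advertised, tls_active):
    """Mechanisms to try, in order. Cleartext ones are eligible only over TLS.

    tls_active must reflect the real state of the socket, not anything the
    server said in its banner: an attacker on the path can rewrite the banner.
    """
    order = [m for m in CHALLENGE_RESPONSE if m in advertised]
    if tls_active:
        order += [m for m in CLEARTEXT if m in advertised]
    return order


def authenticate(ehlo_lines, tls_active, attempt):
    """Try each permitted mechanism until one succeeds.

    attempt(mech) performs the exchange and returns the final reply code.
    Returns (mechanism_used_or_None, mechanisms_tried) so that a caller can
    log every fallback that took place.
    """
    tried = []
    for mech in candidates(parse_auth(ehlo_lines), tls_active):
        tried.append(mech)
        if attempt(mech) == 235:  # 235 = authentication succeeded
            return mech, tried
    return None, tried


# Constructed EHLO reply from a server that advertises CRAM-MD5 but rejects it.
EHLO = ["250-mail.example.org", "250-AUTH CRAM-MD5 PLAIN LOGIN", "250 8BITMIME"]


def broken_cram(mech):
    """Stand-in server: 535 (credentials rejected) for CRAM-MD5, 235 otherwise."""
    return 535 if mech == "CRAM-MD5" else 235
```

With TLS active the client falls back to PLAIN after CRAM-MD5 fails; without TLS it stops after CRAM-MD5 and reports failure rather than sending the password in the clear.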

Change History (1)

comment:1 Changed 2 years ago by philmayers

  • Component changed from core to mail
  • Keywords smtp authentication md5 added