[Twisted-Python] SMTP authentication

Phil Mayers p.mayers at imperial.ac.uk
Tue Jul 24 08:07:26 MDT 2012


On 24/07/12 14:31, Itamar Turner-Trauring wrote:
>
>
> On Tue, Jul 24, 2012 at 6:54 AM, Phil Mayers <p.mayers at imperial.ac.uk>
> wrote:
>
>     IIRC the Twisted SMTP stuff has support for handling auth errors and
>     trying other methods; it should "just work".
>
>
> The code is a bit convoluted, so I can't be sure without more time than
> I want to spend on it, but I wouldn't expect it to try more than one
> auth method. If you send your username and password with CRAM-MD5 and
> got an error, why would you expect it to work with some other
> authentication method? It's still the same credentials.

Normally I'd agree. Unfortunately, SMTP, like many other SASL-like
protocols, presents the list of auth methods BEFORE the username is supplied.

The server may have different secret formats for different users; maybe 
older accounts, whose passwords haven't changed in a while, only have a 
unix-style crypt whereas newer ones have the MD5 secret as well.

I still think it's bad/buggy server behaviour to present an auth method 
unless it can DEFINITELY service it for all clients. But if I understand 
the issue correctly, that behaviour exists in the wild.
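
The situation described in this message, as an added example that is not part of the original post and is not Twisted's code: a simulated server advertises CRAM-MD5 and PLAIN before it knows the user, but can only service CRAM-MD5 for accounts that have a stored shared secret. The account names, passwords, `one_way` hash (a stand-in for unix-style crypt) and the `tls_active` flag are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os

SALT = b"constructed-salt"

def one_way(password):
    # Stand-in for a unix-style crypt hash: the password cannot be recovered from it.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)

# Constructed account store: the older account has only the one-way hash,
# the newer one also has the shared secret that CRAM-MD5 needs.
ACCOUNTS = {
    "old_user": {"hash": one_way("hunter2")},
    "new_user": {"hash": one_way("s3cret"), "secret": "s3cret"},
}
ADVERTISED = ["CRAM-MD5", "PLAIN"]  # sent before any username is known

def server_verify(mech, user, password=None, challenge=None, digest=None):
    acct = ACCOUNTS.get(user)
    if acct is None:
        return False
    if mech == "PLAIN":
        return hmac.compare_digest(one_way(password), acct["hash"])
    if mech == "CRAM-MD5":
        secret = acct.get("secret")
        if secret is None:
            return False  # the HMAC cannot be computed from a one-way hash
        expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
        return hmac.compare_digest(expected, digest)
    return False

def client_login(user, password, tls_active):
    """Try each advertised mechanism in order; return the one that worked, or None."""
    for mech in ADVERTISED:
        if mech == "CRAM-MD5":
            challenge = b"<" + os.urandom(8).hex().encode() + b"@example.test>"
            digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
            if server_verify(mech, user, challenge=challenge, digest=digest):
                return mech
        elif mech == "PLAIN":
            if not tls_active:
                continue  # assumption: no cleartext-password fallback on an unencrypted link
            if server_verify(mech, user, password=password):
                return mech
    return None
```

With the same correct credentials, `new_user` authenticates with CRAM-MD5 while `old_user` fails CRAM-MD5 and only succeeds on the PLAIN fallback.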