Re: [go-nuts] net/smtp: Why does PlainAuth only work over SSL?


Maxim Khitrov

Mar 31, 2013, 6:20:43 PM3/31/13
to snore...@gmail.com, golan...@googlegroups.com
On Sun, Mar 31, 2013 at 2:15 PM, <snore...@gmail.com> wrote:
> Hello,
>
> Can somebody tell me why net/smtp forces an SSL encrypted connection when
> using PlainAuth (error "unencrypted connection")?
>
> It's not the task of an SMTP library to decide what's good for me, it should
> just let me use the protocol however I want. For debugging I need an
> unencrypted connection to an SMTP server that does not support CRAM-MD5 and I
> have to find a way around this now...

I suggest you file an issue for this.

RFC 4954 requires the client and server to only use PLAIN
authentication after establishing TLS. At the same time, it says
"Server sites SHOULD NOT use any configuration which permits a
plaintext password mechanism without such a protection mechanism
against password snooping."

I think the proper way to handle this in the client is to check
whether the PLAIN authentication mechanism was advertised. In other
words, replace the simple "!server.TLS" check at
src/pkg/net/smtp/auth.go:56 (go 1.0.3) with something that looks
through server.Auth entries. This way, the server decides what is
allowed. I do the same thing in my IMAP library, permitting the LOGIN
command only when LOGINDISABLED capability is not advertised.

- Max
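The advertised-mechanism check Max proposes, as an added example that is not part of this thread or of Go's net/smtp: a hypothetical smtp.Auth implementation (NewPlainIfAdvertised, plainIfAdvertised and advertised are names chosen here) that sends PLAIN only when the server listed it in server.Auth, so the server decides what is allowed. It keeps plaintext use an explicit opt-in, because on an unencrypted session the capability list itself can be rewritten by anyone on the path.

```go
package main

import (
	"errors"
	"net/smtp"
)

// plainIfAdvertised is a hypothetical smtp.Auth (not part of net/smtp) that
// proceeds only if the server listed PLAIN in its AUTH capability. Without
// TLS that list is not trustworthy either, so plaintext use is an opt-in.
type plainIfAdvertised struct {
	identity, username, password, host string
	allowPlaintext                     bool // set only for loopback/debug use
}

// NewPlainIfAdvertised mirrors smtp.PlainAuth's parameters plus the opt-in flag.
func NewPlainIfAdvertised(identity, username, password, host string, allowPlaintext bool) smtp.Auth {
	return &plainIfAdvertised{identity, username, password, host, allowPlaintext}
}

// advertised reports whether the EHLO response listed the given AUTH mechanism.
func advertised(server *smtp.ServerInfo, mech string) bool {
	for _, m := range server.Auth {
		if m == mech {
			return true
		}
	}
	return false
}

func (a *plainIfAdvertised) Start(server *smtp.ServerInfo) (string, []byte, error) {
	if server.Name != a.host {
		return "", nil, errors.New("wrong host name")
	}
	if !advertised(server, "PLAIN") {
		return "", nil, errors.New("server did not advertise PLAIN")
	}
	if !server.TLS && !a.allowPlaintext {
		return "", nil, errors.New("unencrypted connection")
	}
	// RFC 4616 initial response: authzid NUL authcid NUL password.
	return "PLAIN", []byte(a.identity + "\x00" + a.username + "\x00" + a.password), nil
}

// Next rejects any further challenge: PLAIN is a single-step mechanism.
func (a *plainIfAdvertised) Next(fromServer []byte, more bool) ([]byte, error) {
	if more {
		return nil, errors.New("unexpected server challenge")
	}
	return nil, nil
}
```

Pass the value to smtp.SendMail or Client.Auth exactly as you would smtp.PlainAuth; the library still fills ServerInfo from the EHLO response and the TLS state of the connection.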

Brad Fitzpatrick

Apr 2, 2013, 2:47:14 AM4/2/13
to Maxim Khitrov, snore...@gmail.com, golang-nuts
I agree. Please file a bug.

snore...@gmail.com

Apr 2, 2013, 10:54:34 AM4/2/13
to golan...@googlegroups.com, Maxim Khitrov, snore...@gmail.com

Kevin Gillette

Apr 2, 2013, 12:12:33 PM4/2/13
to golan...@googlegroups.com
Indeed. I have some planned deployments based on Brad's go-smtpd that'll only listen on the lo device. If those packets get snooped, I would have already had much bigger problems than stolen passwords.

Brad Fitzpatrick

Apr 2, 2013, 3:25:13 PM4/2/13
to Kevin Gillette, golang-nuts


On Tue, Apr 2, 2013 at 9:12 AM, Kevin Gillette <extempor...@gmail.com> wrote:
> Indeed. I have some planned deployments based on Brad's go-smtpd that'll only listen on the lo device. If those packets get snooped, I would have already had much bigger problems than stolen passwords.