SMTP Authentication from IIS Relay causes the user name ignore and pa…

[ErtugrulKra]

…ss trough password all parameters. Fixed with a method.

[zabszk]

Hi,

Can you tell how to reproduce the issue?

[ErtugrulKra]

Hi,

I was created an SMTP server for tracing the mails from IIS SMTP Server. I saw that, when IIS SMTP send's mail trough that server, the user name which I set on IIS was ignored, and password placed all parameters, such as authenticatedEntity, authorizationEntity and ofc password.

I saw that IIS sends LOGIN AUTH "base64CodedUserName" with capture value "2" and It was ignored because it's not contains "PLAIN" or something else.
so, I debug it with IIS and placed a method that's makes decode base64 user name. When "LOGIN" command executed in AuthenticatedCommands class That's handles TempUserName with "LOGIN AUTH base64UserName". So after that SMTP waits password and It's came after Capture Data = 2 and If I set TempUserName before, I ignored that username, and just take Password. If did not set before It's works old behaviour.

I tested that on IIS and other relay and MailKit SMTP Client. All works.

btw. Thank for library. I try to give much more contribution on this package I think.

[zabszk]

It's very interesting that IIS uses AUTH LOGIN. It's an obsolete method (that shouldn't be used) and as far as I'm aware it doesn't define passing username as an argument. However if IIS does it this way, it will be implemented in this library of course.

SmtpClient is just a test app that you used to reproduce the issue with IIS, right?

[ErtugrulKra]

I’m sorry, I should not commit the tester app, If you give me some time I can revert sample app changes :)

[zabszk]

I'm trying to understand how it works. So IIS sends username as argument, it's saved as TempUsername, but then we still set CaptureData to 2, so IIS needs to send something before password anyway?

The code works and correct password is received?

[ErtugrulKra]

I mean, IIS sends username with AUTH LOGIN that means, It’s must capture with command not with data, after that IIS sends password with another package so, when I set capture data set 2, process data method can capture password from that second pack. T

[zabszk]

So if password is present as an argument of "AUTH LOGIN" shouldn't the library go to captureData = 3 (capturing the password)?

Are you sure the code in PR works with IIS (both user password and email content is properly captured)? If it does then it's even more weird how IIS handles that.

[zabszk]

I recently closed a similar issue and PR (#12 and #13), because as far as I know "AUTH LOGIN" doesn't allow that. However if I'm wrong or IIS just ignores the standard and passes username as argument, then it will get implemented.

The implementation in #13 is how I imagine it works - when argument is present we set TempUsername and skip directly to stage 3 (capturing password). That's why I'm asking if you are sure your implementation works.

[ErtugrulKra]

Actually, I want to be ensured this behaviour, I'll write some unit test that's mock the IIS and standart MailKit SMTP Client. I'll recommit with that tests and behaviours so we can ensure about It. I know the AUTH LOGIN obsolete but also Python Mail Client works like this.

I recently try the System.Net.Mail.SmtpClient that's also not works both version of library, because that client set username and password as NetworkCredential and It's not handled by IAuthFilter and also not placed in ParsedMessage.

[zabszk]

Can you send me simple apps using Python Mail Client and System.Net.Mail.SmtpClient? It will be really helpful.

I assume in both cases it will be an easy fix, because entire authentication is quite simple.

[ErtugrulKra]

Hi,

I try to make some changes and also add Tested SMTP Clients in Readme file. And Improved IAuthFilter, thats can checks now username and password as user and password