curl-library
RE: CURL SMTP - Bypass Authentication
Date: Fri, 28 Mar 2014 18:35:29 +0000
On Wed, 26 Mar 2014, Steve Holme wrote:
> A) AUTH is sent by the server and no credentials supplied then
> curl sends the email
> B) AUTH is sent by the server and credentials supplied then curl
> authenticates user and sends the email
> C) AUTH not sent by the server and no credentials supplied then
> curl sends the email
> D) AUTH not sent by the server and credentials supplied then curl
> returns login denied and doesn't send the email
>
> Tom's bug report was that scenario D should work as per scenario C.
I still wasn't 100% convinced by this but what swung me to commit my fix was
if the user was to pass login credentials to curl, which was connecting to
an SMTP server (rather than an ESMTP server), so a server that doesn't
support login at all, it would just work.
As such commit fe260b75e7 now provides a consistent user experience between
a SMTP server that can't support authentication, as it doesn't support the
EHLO command, and an ESMTP server that doesn't respond with the AUTH
capability (like any public facing SMTP servers on port 25 should. Note, an
ESMTP server that is listening on port 25, is public facing with MX records
and supports authentication is leaving themselves open to user/password
cracking and being used for spam relay).
Tom: If you have time could you please test this fix, and I'll submit a test
case over the weekend with some others that I have pending.
Kind Regards
Steve
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-03-28