sending email with secure authorization

Status
Not open for further replies.

jhall251

Programmer
Dec 7, 2000
84
US
I need to send a form email to a list of customers. Our mail server requires a logon before sending to addresses that are not in our domain. I have experimented with blat, WS2_32.DLL, cdo and mapi routines as found in FAQ here and on foxwiki.

The SMTP routines work fine within the domain but I don't see how to send a logon to allow sending to addresses outside the domain. Is there a way?

The MAPI routine will send to outside addresses via Outlook Express but displays a warning with each send that requires a user ok. Is there a way around that warning? Or a way to queue the messages so that the warning only has to be clicked once?

(Thanks to M Gagnon for the MAPI form in the FAQ)

Thanks as always for any help...

Joe Halloran
 
Take a look at faq184-1768 and faq184-1769.

Mike Gagnon

If you want to get the best response to a question, please check out FAQ184-2483 first.
 
The normal way is to only use an SMTP server that is on "your" side of the internet gateway: that is, one that authenticates you based on your ip address.

If you're a comcast customer, for example, the smtp server mail.comcast.net knows that you can use it, because it sees you are in the comcast subnet.
 
Check here for the details on what it would take to get our winsock VFP SendMail functions to work with SMTP-Auth:


I'd love to do it, but
1) I don't have the time
2) I don't have an SMTP server that requires SMTP-Auth to test on.

( ">>" means uploaded from client, "<<" means received from server )

It seems, basically, that all you have to do is:
1) Parse the response from the EHLO command to determine what AUTH methods are available
>> EHLO smtp.servername.com
<< 250 AUTH CRAM-MD5 DIGEST-MD5
2) Implement either or both: CRAM-MD5 DIGEST-MD5 (which I think has been done and available on the fox wiki)
3) Determine which of the AUTH methods the server says it likes you have; tell the server which you're going to use:
>> AUTH CRAM-MD5
<< 334 PENCeUxFREJoU0NnbmhNWitOMjNGNndAZWx3b29kLmlubm9zb2Z0LmNvbT4=
4) Retrieve the challenge the server responded with, decode it through Base64, use it to generate the appropriate response, encode in Base64, then upload it:
>> ZnJlZCA5ZTk1YWVlMDljNDBhZjJiODRhMGMyYjNiYmFlNzg2ZQ==
<< 235 Authentication successful.

That's all!


(It looks like there is a "PLAIN" auth mechanism that skips the Challenge part of the Chal-Resp, and can be done like this (still requires Base64):

>> EHLO smtp.servername.com
<< 250 AUTH CRAM-MD5 DIGEST-MD5 PLAIN
>> AUTH PLAIN
<< 334
>> AHdlbGRvbgB3M2xkMG4=
<< 235 2.0.0 OK Authenticated

The client's response is Base64Encode( CHR(0)+cUserName+CHR(0)+cPwd )

This is not very secure because anyone packet snooping could filter looking for "AUTH PLAIN" then capture your user & pwd, and simply Base64 decode it.

I hope someone picks this up and runs with it!
 
Of course, at it says:
Since the vast majority of e-mail clients support only PLAIN or LOGIN, mail server administrators will probably want to consider using STARTTLS to provide an encryption "tunnel" between the client and server, to protect the user name and password.

so maybe AUTH PLAIN is enough... )

Here's a good discussion of the subject:
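
Added example (not part of the original thread and not any poster's code): the client-side steps outlined above, written in Python rather than VFP so the values can be checked. It parses the EHLO AUTH line, computes the CRAM-MD5 reply with HMAC-MD5, builds the PLAIN payload, and shows that the PLAIN payload quoted in the thread decodes straight back to its credentials. All function names are hypothetical, and the CRAM-MD5 user, secret and challenge are the sample values from RFC 2195.

```python
import base64
import hashlib
import hmac

def parse_auth_mechanisms(ehlo_lines):
    """Return the AUTH mechanisms advertised in an EHLO reply."""
    for line in ehlo_lines:
        words = line[4:].split()              # drop the '250 ' / '250-' prefix
        if words and words[0].upper() == "AUTH":
            return [w.upper() for w in words[1:]]
    return []

def choose_mechanism(offered, tls_active):
    """Prefer challenge-response; allow PLAIN only inside a TLS session."""
    if "CRAM-MD5" in offered:
        return "CRAM-MD5"
    if "PLAIN" in offered and tls_active:
        return "PLAIN"
    return None

def cram_md5_response(user, password, challenge_b64):
    """Reply to '334 <challenge>': Base64(user + ' ' + hex HMAC-MD5 keyed with the password)."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()

def plain_response(user, password):
    """AUTH PLAIN payload as given in the thread: Base64(NUL + user + NUL + password)."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()

def decode_plain(payload_b64):
    """What a reader of the unencrypted session recovers from an AUTH PLAIN payload."""
    _authzid, user, password = base64.b64decode(payload_b64).split(b"\0", 2)
    return user.decode(), password.decode()

if __name__ == "__main__":
    offered = parse_auth_mechanisms(["250 AUTH CRAM-MD5 DIGEST-MD5 PLAIN"])
    print(offered, "->", choose_mechanism(offered, tls_active=False))
    # RFC 2195 sample values: user 'tim', shared secret 'tanstaaftanstaaf'
    rfc_challenge = "PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+"
    print(cram_md5_response("tim", "tanstaaftanstaaf", rfc_challenge))
    # The AUTH PLAIN line quoted in the thread, decoded without any key
    print(decode_plain("AHdlbGRvbgB3M2xkMG4="))
```

With CRAM-MD5 the password itself never crosses the wire; with PLAIN it does, which is why `choose_mechanism` refuses PLAIN unless the session is already under STARTTLS.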
 
Thank you all for your responses -- I will try to digest and apply them...

Joe Halloran
 