Opened 16 years ago
Closed 16 years ago
#7670 closed defect (wontfix)
notifications don't work with certain smtp servers
Reported by: | | Owned by: | Emmanuel Blot
---|---|---|---
Priority: | normal | Milestone: |
Component: | notification | Version: | 0.11
Severity: | normal | Keywords: | needinfo
Cc: | gabriel.rossetti@… | Branch: |
Release Notes: | | |
API Changes: | | |
Internal Changes: | | |
Description
The notifications don't work with certain SMTP servers because smtplib chooses MD5 Hash by default and the server fails. I submitted a patch to 0.11 (notification.py) that fixes this by falling back to sending AUTH LOGIN and using a base64-encoded username & password. I tested this and it works.
Attachments (1)
Change History (6)
by , 16 years ago
Attachment: notification.py.patch added
follow-up: 2 comment:1 by , 16 years ago
This patch cannot be applied as-is, as the password is sent in clear text and this fact may remain unnoticed.
Worse: if the authentication fails for any reason, a password that should not have been disclosed is transmitted in plain text, even if the server does not support plain text authentication…
At least, there should be an option in the smtp settings to explicitly allow plain text passwords.
But first, smtplib needs to be studied carefully: there are very badly configured SMTP servers out there that report MD5 authentication support and actually do not support it. This can lead to some kind of security hole.
follow-up: 3 comment:2 by , 16 years ago
Replying to eblot:
> This patch cannot be applied as-is, as the password is sent in clear text and this fact may remain unnoticed.
> Worse: if the authentication fails for any reason, a password that should not have been disclosed is transmitted in plain text, even if the server does not support plain text authentication…
> At least, there should be an option in the smtp settings to explicitly allow plain text passwords.
Ok, so add something somewhere in the config allowing plaintext fallback, and when reverting to it make sure the server supports it?
> But first, smtplib needs to be studied carefully: there are very badly configured SMTP servers out there that report MD5 authentication support and actually do not support it. This can lead to some kind of security hole.
Ok, I see. I tried using telnet and I think this is the case: EHLO gives me CRAM-MD5, but when I try it, it gives me a "535 authorization failed (#5.7.0)". This is what prompted me to make this change. Either smtplib does something wrong or, like you said, the SMTP server is misconfigured. It's probably the SMTP server. I'll look into smtplib first though, since I can just have a look at its source; it's easier than calling my provider :-). I'll keep everyone up to date.
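The fallback policy that the two comments above converge on (an explicit setting that permits a cleartext mechanism, plus a check that the server actually advertises that mechanism before any credential is sent), worked through as an added Python example. This is not the attached patch and not Trac's notification.py; the names FakeSmtpServer, allowed_mechanisms, authenticate and try_authenticate are hypothetical, and the server is a constructed in-memory stand-in that reproduces the symptom reported in the ticket (CRAM-MD5 advertised by EHLO, "535 authorization failed" on every CRAM-MD5 attempt). The server records every password it can read directly, which is also what an on-path observer of a non-TLS session would see.

```python
import base64
import hmac
from typing import Dict, List, Optional

CHALLENGE = b"<1234.5678@example.invalid>"      # constructed CRAM-MD5 challenge
PREFERENCE = ("CRAM-MD5", "PLAIN", "LOGIN")     # the preference order smtplib uses
CLEARTEXT = {"PLAIN", "LOGIN"}                  # mechanisms that reveal the password


class AuthError(Exception):
    """Server rejected an AUTH exchange (the 535 from the ticket)."""


class FakeSmtpServer:
    """Constructed, offline stand-in for one SMTP server (hypothetical class).

    cram_broken=True reproduces the misconfigured server from the ticket:
    EHLO advertises CRAM-MD5, yet every CRAM-MD5 attempt is answered with 535.
    cleartext_seen collects each password the server could read directly.
    """

    def __init__(self, auth_line: str, user: str, password: str,
                 cram_broken: bool = True) -> None:
        # smtplib keeps EHLO keywords lowercased in SMTP.esmtp_features
        self.esmtp_features: Dict[str, str] = {"auth": auth_line}
        self._user, self._password = user, password
        self._cram_broken = cram_broken
        self.cleartext_seen: List[str] = []

    def auth_cram_md5(self, user: str, digest: str) -> None:
        # Only user + HMAC-MD5(password, challenge) crossed the wire, never the password.
        expected = hmac.new(self._password.encode("ascii"), CHALLENGE, "md5").hexdigest()
        if self._cram_broken or (user, digest) != (self._user, expected):
            raise AuthError("535 authorization failed (#5.7.0)")

    def auth_login(self, b64_user: str, b64_password: str) -> None:
        # AUTH LOGIN: base64 is an encoding, not encryption; the server just decodes it.
        user = base64.b64decode(b64_user).decode("ascii")
        password = base64.b64decode(b64_password).decode("ascii")
        self.cleartext_seen.append(password)
        if (user, password) != (self._user, self._password):
            raise AuthError("535 authorization failed (#5.7.0)")

    def auth_plain(self, b64_blob: str) -> None:
        # AUTH PLAIN: a single base64 line carrying "\0user\0password" (RFC 4616 form).
        _, user, password = base64.b64decode(b64_blob).decode("ascii").split("\0")
        self.cleartext_seen.append(password)
        if (user, password) != (self._user, self._password):
            raise AuthError("535 authorization failed (#5.7.0)")


def allowed_mechanisms(esmtp_features: Dict[str, str], tls_active: bool,
                       allow_cleartext: bool) -> List[str]:
    """Mechanisms the client may try: only those EHLO advertised, and the
    cleartext ones only on a TLS session or with an explicit operator opt-in."""
    advertised = {m.upper() for m in esmtp_features.get("auth", "").split()}
    return [m for m in PREFERENCE
            if m in advertised and (m not in CLEARTEXT or tls_active or allow_cleartext)]


def authenticate(server: FakeSmtpServer, user: str, password: str,
                 tls_active: bool = False, allow_cleartext: bool = False) -> str:
    """Try each permitted mechanism in order and return the one that succeeded.
    A 535 moves on to the next permitted mechanism (the ticket's case) but the
    policy is never bypassed; raises AuthError when nothing permitted works."""
    last: AuthError = AuthError("no permitted AUTH mechanism advertised by server")
    for mech in allowed_mechanisms(server.esmtp_features, tls_active, allow_cleartext):
        try:
            if mech == "CRAM-MD5":
                digest = hmac.new(password.encode("ascii"), CHALLENGE, "md5").hexdigest()
                server.auth_cram_md5(user, digest)
            elif mech == "PLAIN":
                blob = b"\0" + user.encode("ascii") + b"\0" + password.encode("ascii")
                server.auth_plain(base64.b64encode(blob).decode("ascii"))
            else:  # LOGIN: username and password each sent as one base64 line
                server.auth_login(base64.b64encode(user.encode("ascii")).decode("ascii"),
                                  base64.b64encode(password.encode("ascii")).decode("ascii"))
            return mech
        except AuthError as exc:
            last = exc
    raise last


def try_authenticate(server: FakeSmtpServer, user: str, password: str,
                     tls_active: bool = False, allow_cleartext: bool = False) -> Optional[str]:
    """Same as authenticate() but returns None instead of raising."""
    try:
        return authenticate(server, user, password, tls_active, allow_cleartext)
    except AuthError:
        return None


if __name__ == "__main__":
    # The ticket's server: CRAM-MD5 advertised but broken, LOGIN available.
    for tls, opt_in in ((False, False), (False, True), (True, False)):
        srv = FakeSmtpServer("CRAM-MD5 LOGIN", "alice", "s3cret")
        used = try_authenticate(srv, "alice", "s3cret", tls, opt_in)
        print(f"tls={tls} allow_cleartext={opt_in}: mechanism={used} "
              f"password exposed={bool(srv.cleartext_seen)}")
```

Because EHLO lists the mechanisms before AUTH starts, the policy is evaluated before any credential leaves the client, so a server that advertises only CRAM-MD5 never receives a LOGIN attempt even when the operator has opted in. For comparison, the `login()` method of Python 3.5 and later smtplib already tries each advertised mechanism in turn, but it does not refuse PLAIN or LOGIN on an unencrypted connection; that check is the part an application (or a setting like the one requested above) has to supply.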
comment:3 by , 16 years ago
Keywords: needinfo added
Replying to anonymous:
> Either smtplib does something wrong or, like you said, the SMTP server is misconfigured. It's probably the SMTP server. I'll look into smtplib first though, since I can just have a look at its source; it's easier than calling my provider :-). I'll keep everyone up to date.
Any news on this issue?
comment:4 by , 16 years ago
Nope, I haven't had a chance to look into it; I've had lots of work lately. It's on my TODO list though.
comment:5 by , 16 years ago
Resolution: → wontfix
Status: new → closed
No feedback, closing (please reopen if needed and if you have the requested information).
patch to notification.py for trac 0.11