SMTP Service Extension for Authentication (foreign-language translation, Word document, .docx)
2. Conventions Used in this Document

In examples, "C:" and "S:" indicate lines sent by the client and server respectively.

The keywords "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY" in this document are to be interpreted as defined in "Key words for use in RFCs to Indicate Requirement Levels" [KEYWORDS].
3. The Authentication service extension

(1) the name of the SMTP service extension is "Authentication"

(2) the EHLO keyword value associated with this extension is "AUTH"

(3) The AUTH EHLO keyword contains as a parameter a space separated list of the names of supported SASL mechanisms.

(4) a new SMTP verb "AUTH" is defined

(5) an optional parameter using the keyword "AUTH" is added to the MAIL FROM command, and extends the maximum line length of the MAIL FROM command by 500 characters.

(6) this extension is appropriate for the submission protocol [SUBMIT].
4. The AUTH command

AUTH mechanism [initial-response]

Arguments:
    a string identifying a SASL authentication mechanism.
    an optional base64-encoded response

Restrictions:
    After an AUTH command has successfully completed, no more AUTH commands may be issued in the same session. After a successful AUTH command completes, a server MUST reject any further AUTH commands with a 503 reply. The AUTH command is not permitted during a mail transaction.

Discussion:
    The AUTH command indicates an authentication mechanism to the server. If the server supports the requested authentication mechanism, it performs an authentication protocol exchange to authenticate and identify the user. Optionally, it also negotiates a security layer for subsequent protocol interactions. If the requested authentication mechanism is not supported, the server rejects the AUTH command with a 504 reply.

    The authentication protocol exchange consists of a series of server challenges and client answers that are specific to the authentication mechanism. A server challenge, otherwise known as a ready response, is a 334 reply with the text part containing a BASE64 encoded string. The client answer consists of a line containing a BASE64 encoded string. If the client wishes to cancel an authentication exchange, it issues a line with a single "*". If the server receives such an answer, it MUST reject the AUTH command by sending a 501 reply.

    The optional initial-response argument to the AUTH command is used to save a round trip when using authentication mechanisms that are defined to send no data in the initial challenge. When the initial-response argument is used with such a mechanism, the initial empty challenge is not sent to the client and the server uses the data in the initial-response argument as if it were sent in response to the empty challenge. Unlike a zero-length client answer to a 334 reply, a zero-length initial response is sent as a single equals sign ("="). If the client uses an initial-response argument to the AUTH command with a mechanism that sends data in the initial challenge, the server rejects the AUTH command with a 535 reply.

    If the server cannot BASE64 decode the argument, it rejects the AUTH command with a 501 reply. If the server rejects the authentication data, it SHOULD reject the AUTH command with a 535 reply unless a more specific error code, such as one listed in section 6, is appropriate. Should the client successfully complete the authentication exchange, the SMTP server issues a 235 reply.

    The service name specified by this protocol's profile of SASL is "smtp".

    If a security layer is negotiated through the SASL authentication exchange, it takes effect immediately following the CRLF that concludes the authentication exchange for the client, and the CRLF of the success reply for the server. Upon a security layer's taking effect, the SMTP protocol is reset to the initial state (the state in SMTP after a server issues a 220 service ready greeting). The server MUST discard any knowledge obtained from the client, such as the argument to the EHLO command, which was not obtained from the SASL negotiation itself. The client MUST discard any knowledge obtained from the server, such as the list of SMTP service extensions, which was not obtained from the SASL negotiation itself (with the exception that a client MAY compare the list of advertised SASL mechanisms before and after authentication in order to detect an active down-negotiation attack). The client SHOULD send an EHLO command as the first command after a successful SASL negotiation which results in the enabling of a security layer.

    The server is not required to support any particular authentication mechanism, nor are authentication mechanisms required to support any security layers. If an AUTH command fails, the client may try another authentication mechanism by issuing another AUTH command.

    If an AUTH command fails, the server MUST behave the same as if the client had not issued the AUTH command.

    The BASE64 string may in general be arbitrarily long. Clients and servers MUST be able to support challenges and responses that are as long as are generated by the authentication mechanisms they support, independent of any line length limitations the client or server may have in other parts of its protocol implementation.
Examples:
    S: 220 ESMTP server ready
    C: EHLO
    S: 250-
    S: 250 AUTH CRAM-MD5 DIGEST-MD5
    C: AUTH FOOBAR
    S: 504 Unrecognized authentication type.
    C: AUTH CRAM-MD5
    S: 235 Authentication successful.
5. The AUTH parameter to the MAIL FROM command

AUTH=addr-spec

    An addr-spec containing the identity which submitted the message to the delivery system, or the two character sequence "<>" indicating such an identity is unknown or insufficiently authenticated.

The optional AUTH parameter to the MAIL FROM command allows cooperating agents in a trusted environment to communicate the authentication of individual messages.

If the server trusts the authenticated identity of the client to assert that the message was originally submitted by the supplied addr-spec, then the server SHOULD supply the same addr-spec in an AUTH parameter when relaying the message to any server which supports the AUTH extension.

A MAIL FROM parameter of AUTH=<> indicates that the original submitter of the message is not known. The server MUST NOT treat the message as having been originally submitted by the client.

If the AUTH parameter to the MAIL FROM is not supplied, the client has authenticated, and the server believes the message is an original submission by the client, the server MAY supply the client's identity in the addr-spec in an AUTH parameter when relaying the message to any server which supports the AUTH extension.

If the server does not sufficiently trust the authenticated identity of the client, or if the client is not authenticated, then the server MUST behave as if the AUTH=<> parameter was supplied. The server MAY, however, write the value of the AUTH parameter to a log file.

If an AUTH=<> parameter was supplied, either explicitly or due to the requirement in the previous paragraph, then the server MUST supply the AUTH=<> parameter when relaying the message to any server which it has authenticated to using the AUTH extension.

A server MAY treat expansion of a mailing list as a new submission, setting the AUTH parameter to the mailing list address or mailing list administration address when relaying the message to list subscribers.

It is conforming for an implementation to be hard-coded to treat all clients as being insufficiently trusted. In that case, the implementation does nothing more than parse and discard syntactically valid AUTH parameters to the MAIL FROM command and supply AUTH=<> parameters to any servers to which it authenticates using the AUTH extension.

    C: MAIL FROM:<e=mc2@> AUTH=e+3Dmc2@
    S: 250 OK
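The relay rules in this section, together with the xtext escaping visible in the example (the "=" in e=mc2 travels as "+3D"), can be checked with a small parser and policy function. The following is an added example, not part of the original document or of any real MTA: the trusted-client list, the identity strings and the decision to send AUTH=<> when a trusted client supplies no AUTH parameter for a non-original message are assumptions made here, labelled in the comments.

```python
import re

# Constructed policy data (hypothetical, not from the document): authenticated
# client identities this server trusts to assert who originally submitted a message.
TRUSTED_CLIENTS = {"relay@partner.example"}

MAIL_FROM = re.compile(r"^MAIL FROM:<([^>]*)>\s*(.*)$", re.IGNORECASE)


def xtext_encode(text: str) -> str:
    """xtext as used by the AUTH parameter: '+', '=' and anything outside
    printable ASCII (33..126) become '+HH' with two uppercase hex digits."""
    return "".join(c if 33 <= ord(c) <= 126 and c not in "+=" else f"+{ord(c):02X}"
                   for c in text)


def xtext_decode(text: str) -> str:
    """Inverse of xtext_encode; a '+' that is not followed by two hex digits is malformed."""
    if re.search(r"\+(?![0-9A-F]{2})", text):
        raise ValueError("malformed xtext escape")
    return re.sub(r"\+([0-9A-F]{2})", lambda m: chr(int(m.group(1), 16)), text)


def parse_mail_from(line: str):
    """Return (reverse-path, auth) for a MAIL FROM line. auth is the decoded
    addr-spec, the string '<>' for an explicit AUTH=<>, or None when absent."""
    m = MAIL_FROM.match(line)
    if not m:
        raise ValueError("not a MAIL FROM command")
    auth = None
    for param in m.group(2).split():          # other ESMTP parameters (e.g. SIZE) are ignored
        key, _, value = param.partition("=")
        if key.upper() == "AUTH":
            auth = "<>" if value == "<>" else xtext_decode(value)
    return m.group(1), auth


def auth_param_for_relay(supplied, client_identity, original_submission):
    """AUTH= value to forward to a next hop that supports the extension.

    supplied          -- parsed AUTH value from the client's MAIL FROM (None if absent)
    client_identity   -- SASL-authenticated identity of the client, or None
    original_submission -- whether this server believes the client originated the message
    """
    if supplied is None:
        if client_identity is not None and original_submission:
            return client_identity            # MAY supply the authenticated client's own identity
        return "<>"                           # nothing is known (conservative choice, assumed here)
    if client_identity is None or client_identity not in TRUSTED_CLIENTS:
        return "<>"                           # MUST behave as if AUTH=<> had been supplied
    return supplied                           # trusted client: SHOULD relay the same addr-spec


def build_mail_from(reverse_path: str, auth: str) -> str:
    """Compose the outgoing MAIL FROM line, re-applying xtext to the addr-spec."""
    value = auth if auth == "<>" else xtext_encode(auth)
    return f"MAIL FROM:<{reverse_path}> AUTH={value}"
```

Whatever the policy decides, the untrusted value is discarded rather than forwarded, which is the behaviour the section requires; a deployment that logs the discarded value (permitted by the text) would do so in `auth_param_for_relay` before returning "<>".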
6. Error Codes

The following error codes may be used to indicate various conditions as described.

432 A password transition is needed

    This response to the AUTH command indicates that the user needs to transition to the selected authentication mechanism. This is typically done by authenticating once using the PLAIN authentication mechanism.

534 Authentication mechanism is too weak

    This response to the AUTH command indicates that the selected authentication mechanism is weaker than server policy permits for that user.

538 Encryption required for requested authentication mechanism

    This response to the AUTH command indicates that the selected authentication mechanism may only be used when the underlying SMTP connection is encrypted.

454 Temporary authentication failure

    This response to the AUTH command indicates that the authentication failed due to a temporary server failure.

530 Authentication required

    This response may be returned by any command other than AUTH, EHLO, HELO, NOOP, RSET, or QUIT. It indicates that server policy requires authentication in order to perform the requested action.
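The reply codes of section 4 (334, 235, 501, 503, 504, 535) and the policy codes of section 6 (530, 534, 538) are easiest to see as one server-side state machine. The following is an added example written for this page, not code from the document or from any real SMTP server: the user database, the two mechanisms (PLAIN as a client-first mechanism, CRAM-MD5 as one whose initial challenge carries data), the strength ranking behind 534 and the "PLAIN only over TLS" rule behind 538 are all constructed assumptions, and the strength policy is server-wide rather than per user as the text allows.

```python
import base64
import binascii
import hashlib
import hmac
import secrets

# Constructed sample data (hypothetical, not from the document): one user and shared
# secret, the advertised mechanisms and a relative strength ranking used for policy.
USERS = {"fred": b"secret"}
ADVERTISED = ["CRAM-MD5", "PLAIN"]
STRENGTH = {"PLAIN": 0, "CRAM-MD5": 1}
SERVER_FIRST = {"CRAM-MD5"}       # mechanisms whose initial challenge carries data
NEEDS_ENCRYPTION = {"PLAIN"}      # policy: clear-text passwords only over TLS (538)


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def b64_or_none(text: str):
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None                   # caller answers with 501


class AuthSession:
    """Server-side model of one session's AUTH state (sections 4 and 6 above)."""

    def __init__(self, tls=False, min_strength=0):
        self.tls = tls                # is the underlying connection encrypted?
        self.min_strength = min_strength
        self.authenticated = None     # identity once an AUTH command succeeds
        self.in_transaction = False   # True from MAIL FROM until RSET
        self.pending = None           # (mechanism, challenge) while an exchange is open

    def handle(self, line: str) -> str:
        if self.pending is not None:  # the line answers an outstanding 334 challenge
            return self._answer(line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return "250-AUTH " + " ".join(ADVERTISED) + "\r\n250 OK"
        if verb == "AUTH":
            return self._auth(arg)
        if verb == "RSET":
            self.in_transaction = False
        if verb in ("HELO", "NOOP", "RSET"):
            return "250 OK"
        if self.authenticated is None:  # section 6: policy requires authentication
            return "530 Authentication required"
        if verb == "MAIL":
            self.in_transaction = True
        return "250 OK"

    def _auth(self, arg: str) -> str:
        if self.authenticated is not None or self.in_transaction:
            return "503 Bad sequence of commands"   # no second AUTH, none mid-transaction
        mech, _, initial = arg.partition(" ")
        mech = mech.upper()
        if mech not in ADVERTISED:
            return "504 Unrecognized authentication type."
        if STRENGTH[mech] < self.min_strength:
            return "534 Authentication mechanism is too weak"
        if mech in NEEDS_ENCRYPTION and not self.tls:
            return "538 Encryption required for requested authentication mechanism"
        if initial:                   # initial-response replaces the empty first challenge
            if mech in SERVER_FIRST:
                return "535 Initial response not allowed with this mechanism"
            data = b"" if initial == "=" else b64_or_none(initial)  # "=" means empty
            return "501 Cannot decode response" if data is None else self._verify(mech, b"", data)
        challenge = secrets.token_bytes(16) if mech in SERVER_FIRST else b""
        self.pending = (mech, challenge)
        return "334 " + b64(challenge)

    def _answer(self, line: str) -> str:
        mech, challenge = self.pending
        self.pending = None
        if line == "*":               # client cancelled the exchange
            return "501 Authentication cancelled"
        data = b64_or_none(line)
        return "501 Cannot decode response" if data is None else self._verify(mech, challenge, data)

    def _verify(self, mech: str, challenge: bytes, data: bytes) -> str:
        # PLAIN: authzid NUL authcid NUL password; CRAM-MD5: "user hex(HMAC-MD5(secret, challenge))"
        parts = data.split(b"\0" if mech == "PLAIN" else b" ")
        if len(parts) != (3 if mech == "PLAIN" else 2):
            return "535 Authentication credentials invalid"
        user, proof = parts[-2].decode("ascii", "replace"), parts[-1]
        expect = USERS.get(user, b"")
        if mech == "CRAM-MD5":
            expect = hmac.new(expect, challenge, hashlib.md5).hexdigest().encode()
        if user not in USERS or not hmac.compare_digest(expect, proof):
            return "535 Authentication credentials invalid"
        self.authenticated = user
        return "235 Authentication successful."


def cram_md5_response(user: str, secret: bytes, challenge_b64: str) -> str:
    """Client side of CRAM-MD5: answer the server's 334 challenge (base64 text)."""
    digest = hmac.new(secret, base64.b64decode(challenge_b64), hashlib.md5).hexdigest()
    return b64(f"{user} {digest}".encode())
```

Two details matter for a server implementer: a failed or cancelled exchange clears `pending` and leaves the session exactly as if no AUTH had been issued, so the client may try another mechanism, and the policy checks (534, 538) run before any credential is accepted, so a clear-text password is never examined on an unencrypted connection.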
7. Formal Syntax

The following syntax specification uses the augmented Backus-Naur Form (BNF) notation as speci