4.1 Server Successfully Authenticating Client

In this example a server successfully authenticates a client by using the SMTP AUTH Extension for SPNEGO. The following sequence diagram shows the flow of command requests and responses in a successful authentication negotiation.

Figure 2: Server successfully authenticates client

  1. When the client connects to the SMTP port on the server, the server responds with a greeting.

     220 server.contoso.com Authenticated Receive Connector
    
  2. The client sends an EHLO command as described in [RFC5321].

     EHLO client.contoso.com
    
  3. The server sends a response that includes an AUTH keyword containing a list of SASL mechanism names that it supports, including "GSSAPI".

     250-server.contoso.com Hello [203.0.113.1]
     250-AUTH GSSAPI NTLM
     250 OK
    
  4. The client examines the SASL mechanism names after the AUTH keyword and selects one that it supports. In this example, the client selects "GSSAPI" and begins to use the SPNEGO Extension. The SMTP AUTH Extension for SPNEGO then uses GSS-API to ask the SPNEGO Extension for an initial response. As specified in [MS-SPNG], this is a NegTokenInit message that contains the client's list of requested GSS-API mechanisms. The SMTP AUTH Extension specified in [RFC2554] base64-encodes that message and sends it as the initial response on the AUTH command line, so no extra round trip is needed to deliver it.

     AUTH GSSAPI <base64-encoded NegTokenInit>
    
  5. The server determines that the client is requesting "GSSAPI" and begins to use the SPNEGO Extension. The SMTP AUTH Extension for SPNEGO then base64-decodes the initial response and uses GSS-API to supply the NegTokenInit message and to request a reply from the SPNEGO Extension. As specified in [MS-SPNG], this will be a NegTokenResp message, which in this example includes a server challenge for the selected GSS-API mechanism. The SMTP AUTH Extension base64-encodes the message and returns it in a 334 reply.

     334 <base64-encoded NegTokenResp>
    
  6. The client base64-decodes the text of the 334 reply and passes the result to the SPNEGO Extension. Depending on the GSS-API mechanism used by the SPNEGO Extension, there might or might not be another response to send to the server. In this example, the SPNEGO Extension returns another response to send, which the SMTP AUTH Extension again base64-encodes and sends as a bare line, with no command verb in front of it.

      <base64-encoded client answer>
    
  7. The server base64-decodes the response and passes the result to the SPNEGO Extension. Depending on the GSS-API mechanism used by the SPNEGO Extension, there might or might not be another challenge reply to send to the client. In this example, the SPNEGO Extension determines that the authentication succeeded, so the SMTP AUTH Extension reports success back to the client.

     235 2.7.0 Authentication successful
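The following is an added example, not code from [MS-SPNG], [RFC2554] or this specification. It models the seven-step exchange above end to end in Python: the client reads the mechanism list from the EHLO reply, selects GSSAPI, carries its initial token on the AUTH command line, and then both sides run the 334 challenge loop until the server answers 235. The NegTokenInit and NegTokenResp contents are constructed placeholder byte strings standing in for the real SPNEGO tokens (no ASN.1 is produced), and the mechanism names "KRB5" and "NTLM" inside them are likewise constructed. The SMTP-level handling of a client cancel ("*") and of an undecodable base64 line follows the 501 replies required by [RFC4954], which obsoletes [RFC2554]; the enhanced status codes attached to those replies are assumptions.

```python
import base64
import binascii


def b64(data: bytes) -> str:
    """Encode a raw GSS-API token for the wire, as the SMTP AUTH extension requires."""
    return base64.b64encode(data).decode("ascii")


class StubGssClient:
    """Constructed stand-in for the client's SPNEGO Extension (not real ASN.1
    tokens): emits a placeholder NegTokenInit, then answers one challenge."""

    def __init__(self, mechs=("KRB5", "NTLM")):   # constructed mechanism names
        self.mechs = mechs

    def initial_token(self) -> bytes:
        return b"NegTokenInit:" + b",".join(m.encode() for m in self.mechs)

    def step(self, server_token: bytes) -> bytes:
        prefix = b"NegTokenResp:challenge:"
        if not server_token.startswith(prefix):
            raise ValueError("unexpected server token")
        return b"NegTokenResp:answer:" + server_token[len(prefix):][::-1]


class StubGssServer:
    """Constructed stand-in for the server's SPNEGO Extension."""

    def __init__(self, nonce: bytes = b"a1b2c3"):  # constructed challenge value
        self.nonce = nonce
        self.selected = None

    def accept(self, client_token: bytes):
        """Return (token_to_send, complete); (None, False) means failure."""
        if self.selected is None:
            prefix = b"NegTokenInit:"
            if not client_token.startswith(prefix):
                return None, False
            self.selected = client_token[len(prefix):].split(b",")[0]
            return b"NegTokenResp:challenge:" + self.nonce, False
        if client_token == b"NegTokenResp:answer:" + self.nonce[::-1]:
            return None, True
        return None, False


class SmtpAuthServer:
    """SMTP side of AUTH GSSAPI: decodes client lines, drives the mechanism,
    and frames its tokens in 334 replies. Reply codes follow [RFC4954]."""

    def __init__(self, gss: StubGssServer):
        self.gss = gss
        self.in_auth = False
        self.authenticated = False

    def handle(self, line: str) -> str:
        if self.in_auth:                    # bare base64 line (or "*") from the client
            return self._step(line)
        parts = line.split()
        if not parts or parts[0].upper() != "AUTH":
            return "502 5.5.1 Command not implemented"
        if len(parts) < 2 or parts[1].upper() != "GSSAPI":
            return "504 5.5.4 Unrecognized authentication type"
        self.in_auth = True
        if len(parts) == 2:
            return "334 "                   # no initial response: empty challenge
        return self._step(parts[2])         # initial response carried on the AUTH line

    def _step(self, b64_text: str) -> str:
        if b64_text == "*":                 # client cancelled; RFC 4954 requires 501
            self.in_auth = False
            return "501 5.7.0 Authentication aborted"
        try:
            token = base64.b64decode(b64_text, validate=True)
        except (binascii.Error, ValueError):
            self.in_auth = False            # undecodable input is rejected, never guessed
            return "501 5.5.2 Cannot decode response"
        reply, done = self.gss.accept(token)
        if done:
            self.in_auth = False
            self.authenticated = True
            return "235 2.7.0 Authentication successful"
        if reply is None:
            self.in_auth = False
            return "535 5.7.8 Authentication credentials invalid"
        return "334 " + b64(reply)


def parse_auth_mechanisms(ehlo_reply):
    """Pull the SASL mechanism names from the 250-AUTH line of an EHLO reply."""
    for line in ehlo_reply:
        words = line[4:].split()            # drop the "250-" / "250 " prefix
        if words and words[0].upper() == "AUTH":
            return [w.upper() for w in words[1:]]
    return []


def authenticate(server: SmtpAuthServer, gss: StubGssClient, ehlo_reply):
    """Client side: select GSSAPI and run the 334 loop. Returns the transcript."""
    if "GSSAPI" not in parse_auth_mechanisms(ehlo_reply):
        raise RuntimeError("server does not offer GSSAPI")
    transcript = []

    def send(line):
        transcript.append("C: " + line)
        reply = server.handle(line)
        transcript.append("S: " + reply)
        return reply

    reply = send("AUTH GSSAPI " + b64(gss.initial_token()))
    while reply.startswith("334"):
        try:
            answer = gss.step(base64.b64decode(reply[4:], validate=True))
        except (binascii.Error, ValueError):
            reply = send("*")               # cannot process the challenge: cancel
            break
        reply = send(b64(answer))
    return transcript


# Constructed EHLO reply mirroring step 3 of the exchange.
EHLO_REPLY = ["250-server.contoso.com Hello [203.0.113.1]",
              "250-AUTH GSSAPI NTLM",
              "250 OK"]

if __name__ == "__main__":
    for entry in authenticate(SmtpAuthServer(StubGssServer()), StubGssClient(), EHLO_REPLY):
        print(entry)
```

The transcript produced by the successful run has exactly the four AUTH-phase lines of the figure: the AUTH command with the initial response, a 334 challenge, the bare client answer, and 235. The checks a real receiver must keep are the ones `_step` makes before touching the mechanism: base64 is decoded with `validate=True` and a failure is answered with 501 and the AUTH state cleared, and a lone "*" ends the exchange with 501 rather than being fed to the SPNEGO layer as a token.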