Thread: what have i found?

auth=login
501 garbled Base64 data

it was expecting a base64 encoded response (in this case the '=' is an illegal character).

it came out only to say, ' Username:' what is the purpose of having this encrypted in the first place

it's just a prompt, there really not a big security issue with it being encoded instead of encrypted - as far as why even bother...? without researching it, my guess would be it's either a standard for this method of authentication or just another microsoft quirk/perk (take your pick).

is there a possible hole here?

considering you have the ability to login - sure. considering it's microsoft and you'll be creating a luid with a successful login - you bet. but it's actually intended as a preventative mechanism against anonymous usage (typically where relaying and spam comes from).

What exactly are you trying to do? Log into an SMTP server? I didn't think you could "log" into an SMTP server -- per se. SMTP servers are for sending email. The only commands that the service should require are the HELO, MAIL TO, RCPT, and DATA. The server you're connecting to (websvr.txxx.org) probably is simply not configured to block email relay requests. Most mail servers are configured to block any attempts to send mail (and possibly other commands) unless you are connected to the same subnet as the mail server. This prevents malicious individuals from using your mail server for spam, or for anonymizing.
At least, that's how I understand it.

with esmtp you can restrict the ability to send with a valid login.

all i used was one of the commands given to me at the beginning.

in your original dialog you issued the auth login command, the response to that was:
334 VXNLcm5hbWU6
which is the username prompt. it was expecting a response rather than another command.

how do i have the ability to login? all i have is something that says username: is that like a backdoor?

not a backdoor - just an authentication mechanism. it's no different in purpose than say BASIC authentication on a web server. it simply identifies you as a user on the system.

all you would need would be a username/password to shutdown the mail sending completly? that seems like a hazard

as far as i know there are not any official management commands available through esmtp. although, i'm sure someone has implemented it somewhere. the reason for requiring a username and password are not to manage the service but to be able to send mail through it. in this way unauthorized user's can't use the service for spam or relaying purposes.

as far as i know there are not any official management commands available through esmtp.

Try typing HELP at the prompt after you connect. If ESMTP is anything like standard unix SMTP, then it will list all the available commands for you.

In fact, one of the RED HAT machines that I connect to occasionally uses ESTMP....here's what I got when I typed HELP:

214-2.0.0 This is sendmail version 8.11.2
214-2.0.0 Topics:
214-2.0.0 HELO EHLO MAIL RCPT DATA
214-2.0.0 RSET NOOP QUIT HELP VRFY
214-2.0.0 EXPN VERB ETRN DSN AUTH
214-2.0.0 STARTTLS
214-2.0.0 For more info use "HELP <topic>".
214-2.0.0 To report bugs in the implementation send email to
214-2.0.0 [email protected].
214-2.0.0 For local information send email to Postmaster at your site.
214 2.0.0 End of HELP info

Everything In caps are commands.