Hi, I'm one of the maintainers of aio-libs/aiosmtpd.

This issue also bit me when trying to write unit tests for aio-libs/aiosmtpd AUTH implementation

But I partially disagree with Dario D'Amico's changes, specifically the suggested change in the auth_login() method.

According to draft-murchison-sasl-login-00.txt [1], the two challenges sent by the server SHOULD be ignored. The example in that document uses b"VXNlciBOYW1lAA==" and b"UGFzc3dvcmQA" (b64 of b"User Name\x00" and b"Password\x00", respectively), and this is what we have implemented in aio-libs/aiosmtpd.

Furthermore, the same document never indicated that username may be sent along with "AUTH LOGIN", so we haven't implemented that in aio-libs/aiosmtpd.

So rather than hardcoding the challenges to b"Username:" and b"Password:", a compliant SMTP client must instead _count_ the number of challenges it received.

I propose the following changes instead:

    def auth(self, mechanism, authobject, *, initial_response_ok=True):
        ... snip ...
        if initial_response is not None:
            response = encode_base64(initial_response.encode('ascii'), eol='')
            (code, resp) = self.docmd("AUTH", mechanism + " " + response)
            self._challenge_count = 1
        else:
            (code, resp) = self.docmd("AUTH", mechanism)
            self._challenge_count = 0
        # If server responds with a challenge, send the response.
        while code == 334:
            self._challenge_count += 1
            challenge = base64.decodebytes(resp)
        ... snip ...

    ... snip ...

    def auth_login(self, challenge=None):
        """ Authobject to use with LOGIN authentication. Requires self.user and
        self.password to be set."""
        if challenge is None or self._challenge_count < 2:
            return self.user
        else:
            return self.password


[1] https://www.ietf.org/archive/id/draft-murchison-sasl-login-00.txt