【正文】 This extension is appropriate for the submission protocol [SUBMIT].4. The AUTH mand AUTH mechanism [initialresponse]Arguments:A string identifies a SASL authentication mechanism. An optional base64encoded responseRestrictions:After an AUTH mand has successfully pleted, no more AUTH mands may be issued in the same session. After a successful AUTH mand pletes, a server MUST reject any further AUTH mands with a 503 reply. The AUTH mand is not permitted during a mail transaction.Discussion:The AUTH mand indicates an authentication mechanism to the server. If the server supports the requested authentication mechanism, it performs an authentication protocol exchange to authenticate and identify the user. Optionally, it also negotiates a security layer for subsequent protocol interactions. If the requested authentication mechanism is not supported, the server rejects the AUTH mand with a 504 reply.The authentication protocol exchange consists of a series of server challenges and client answers that are specific to the authentication mechanism. A server challenge, otherwise known as a ready response, is a 334 reply with the text part containing a BASE64 encoded string. The client answer consists of a line containing a BASE64 encoded string. If the client wishes to cancel an authentication exchange, it issues a line with a single *. If the server receives such an answer, it MUST reject the AUTH mand by sending a 501 reply. The optional initialresponse argument to the AUTH mand is used to save a round trip when using authentication mechanisms that are defined to send no data in the initial challenge.When the initialresponse argument is used with such a mechanism, the initial empty challenge is not sent to the client and the server uses the data in the initialresponse argument as if it were sent in response to the empty challenge. Unlike a zerolength client answer to a 334 reply, a zero length initial response is sent as a single equals sign (=). If the client uses an initialresponse argument to the AUTH mand with a mechanism that sends data in the initial challenge, the server rejects the AUTH mand with a 535 reply.If the server cannot BASE64 decode the argument, it rejects the AUTH mand with a 501 reply. If the server rejects the authentication data, it SHOULD reject the AUTH mand with a 535 reply unless a more specific error code, such as one listed in section 6, is appropriate. Should the client successfully plete the authentication exchange, the SMTP server issues a 235 reply.The service name specified by this protocol39。s profile of SASL is SMTP.If a security layer is negotiated through the SASL authentication exchange, it takes effect immediately following the CRLF that concludes the authentication exchange for the client, and the CRLF of the success reply for the server. Upon a security layer39。s taking effect, the SMTP protocol is reset to the initial state (the state in SMTP after a server issues a 220 service ready greeting). The server MUST discard any knowledge obtained from the client, such as the argument to the EHLO mand, which was not obtained from the SASL negotiation itself. The client MUST discard any knowledge obtained from the server, such as the list of SMTP service extensions, which was not obtained from the SASL negotiation itself (with the exception that a client MAY pare the list of advertised SASL mechanisms before and after authentication in order to detect an active downnegotiation attack). The client SHOULD send an EHLO mand as the first mand after a successful SASL negotiation which results in the enabling of a security layer.The server is not required to support any particular authentication mechanism, nor are authentication mechanisms required to support any security layers. If an AUTH mand fails, the client may try another authentication mechanism by issuing another AUTH mand.If an AUTH mand fails, the server MUST behave the same as if the client had not issued the AUTH mand.The BASE64 string may in general be arbitrarily long. Clients and servers MUST be able to support challenges and responses that are as long as are generated by the authentication mechanisms they support, independent of any line length limitations the client or server may have in other parts of its protocol implementation.Examples:S: 220 ESMTP server readyC: EHLO S: S: 250 AUTH CRAMMD5 DIGESTMD5C: AUTH FOOBARS: 504 unrecognized authentication types.C: AUTH CRAMMD5S: 235 Authentication successful.5. The AUTH parameter to the MAIL FROM mandAUTH=addrspecArguments:An addrspec containing the identity which submitted the message to the delivery system, or the two character sequence , indicating such an identity is unknown or insufficiently authenticated.Discussion