From: Xiyue Deng <manphiz@gmail.com>
Date: Fri, 16 May 2025 09:48:52 +0000 (-0700)
Subject: Make xoauth2 auth fail when a smtp server replies 334 (Bug#78366)
X-Git-Tag: archive/raspbian/1%30.2+1-2+rpi1^2~2^2~24^2~60
X-Git-Url: https://dgit.raspbian.org/%22http:/www.example.com/cgi/%22https://%22Program/%22http:/www.example.com/cgi/%22https:/%22Program?a=commitdiff_plain;h=41f8dc18dfdb003dbcd27f619960f2533a02fde2;p=emacs.git

Make xoauth2 auth fail when a smtp server replies 334 (Bug#78366)

* lisp/mail/smtpmail.el (smtpmail-try-auth-method): Throw error 535
when receiving a "334 server challenge" reply.

(cherry picked from commit 53371c959462a677a29ee869b3b6627facf3ed79)
---

diff --git a/lisp/mail/smtpmail.el b/lisp/mail/smtpmail.el
index dcec0b1d9e9..dc3293fb2f4 100644
--- a/lisp/mail/smtpmail.el
+++ b/lisp/mail/smtpmail.el
@@ -639,11 +639,21 @@ USER and PASSWORD should be non-nil."
 
 (cl-defmethod smtpmail-try-auth-method
   (process (_mech (eql 'xoauth2)) user password)
-  (smtpmail-command-or-throw
-   process
-   (concat "AUTH XOAUTH2 "
-           (base64-encode-string
-            (concat "user=" user "\1auth=Bearer " password "\1\1") t))))
+  (let ((ret (smtpmail-command-or-throw
+              process
+              (concat "AUTH XOAUTH2 "
+                      (base64-encode-string
+                       (concat "user=" user "\1auth=Bearer " password "\1\1")
+                       t)))))
+    (if (eq (car ret) 334)
+        ;; When a server returns 334 server challenge, it usually means
+        ;; the credentials it received were wrong (e.g. was an actual
+        ;; password instead of an access token).  In such a case, we
+        ;; should return a string with 535 to indicate a failure so that
+        ;; smtpmail will try other authentication mechanisms.  See also
+        ;; https://debbugs.gnu.org/78366.
+        (throw 'done "535 5.7.8 Authentication credentials invalid")
+      ret)))
 
 (defun smtpmail-response-code (string)
   (when string