[Vmail-discuss] smtp auth

Paul Warren pdw@xxxxxxxxxxxxx
Mon, 12 Nov 2001 23:16:47 +0000


On Sun, Nov 11, 2001 at 04:51:42PM -0600, Eric Renfro wrote:
> A BIG problem could be the password hash. In my case, a crypt-md5 has
> a leading {crypt-md5} to it, which disrupts anything that doesn't
> know about that.
> 
> Paul if you read this, take a note, please. :)
> 
> Proper MD5 hashed passwords /always/ start with $1, to signify that
> it's MD5, and hashed.
> DES hashed passwords don't have that. I forget its identifier, if it
> even has one.

The reason for this is so that we can support multiple hashing formats,
beyond just MD5 and DES.  In particular, APOP requires a plaintext copy
of the password.

With hindsight, it might have been more sensible to put the hash method
into a separate column.

<defence strength="weak">
We didn't invent the {crypt-md5} syntax - we copied it off another
project although I forget which one.
</defence>

> I personally dare not ever use plaintext passwords as much as I
> possibly can.

I'd prefer to have plaintext passwords in a database that I can secure,
rather than passwords being sent in the clear over a network that I
can't, hence support for plaintext passwords so that we can do APOP, and
CRAM-MD5 SMTP AUTH.

Paul
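The scheme-prefixed storage discussed above, as an added example (not vmail's own code): a small verifier that dispatches on the {crypt-md5} prefix (checking Eric's $1$ marker and recomputing md5-crypt) and on an assumed {plain} prefix, and shows why CRAM-MD5 can only be served from a plaintext entry. The {plain} scheme name and the sample challenge are constructed for this example.

```python
import hashlib, hmac
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def md5crypt(password: bytes, salt: bytes) -> bytes:  # FreeBSD-style md5-crypt
    salt = salt[:8]
    ctx = hashlib.md5(password + b"$1$" + salt)
    alt = hashlib.md5(password + salt + password).digest()
    for i in range(len(password), 0, -16):
        ctx.update(alt[:min(16, i)])
    for bit in bin(len(password))[2:][::-1]:  # one byte per bit of len(password), LSB first
        ctx.update(b"\0" if bit == "1" else password[:1])
    final = ctx.digest()
    for i in range(1000):  # fixed-cost stretching loop
        h = hashlib.md5(password if i & 1 else final)
        h.update(salt if i % 3 else b"")
        h.update(password if i % 7 else b"")
        h.update(final if i & 1 else password)
        final = h.digest()
    out = ""  # crypt's own base64 alphabet, with its peculiar byte order
    for a, b, c in [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]:
        v = (final[a] << 16) | (final[b] << 8) | final[c]
        for _ in range(4):
            out, v = out + ITOA64[v & 0x3F], v >> 6
    out += ITOA64[final[11] & 0x3F] + ITOA64[final[11] >> 6]
    return b"$1$" + salt + b"$" + out.encode()  # the $1$ marker Eric mentions

def split_scheme(stored: str):  # '{crypt-md5}$1$...' -> ('crypt-md5', '$1$...')
    scheme, sep, value = stored[1:].partition("}")
    if not (stored.startswith("{") and sep):
        raise ValueError("stored password has no {scheme} prefix")
    return scheme.lower(), value

def verify_plain(stored: str, password: str) -> bool:  # client sent the password itself
    scheme, value = split_scheme(stored)
    if scheme == "crypt-md5" and value.startswith("$1$"):  # $1$ marker is mandatory
        digest = md5crypt(password.encode(), value.split("$")[2].encode())
        return hmac.compare_digest(digest, value.encode())
    if scheme == "plain":  # assumed prefix name for the plaintext entries
        return hmac.compare_digest(value.encode(), password.encode())
    raise ValueError(f"unsupported or malformed scheme: {scheme!r}")

def cram_md5_digest(password: str, challenge: bytes) -> str:  # client side, RFC 2195
    return hmac.new(password.encode(), challenge, "md5").hexdigest()

def verify_cram_md5(stored: str, challenge: bytes, digest: str):
    scheme, value = split_scheme(stored)
    if scheme != "plain":  # a hash cannot serve as the HMAC key: mechanism unavailable
        return None
    return hmac.compare_digest(cram_md5_digest(value, challenge).encode(), digest.encode())
```

APOP has the same dependency: its digest is MD5 over the server's timestamp banner concatenated with the plaintext password, so a {crypt-md5} entry cannot verify it either.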