[Vmail-discuss] smtp auth
Paul Warren
pdw@xxxxxxxxxxxxx
Mon, 12 Nov 2001 23:16:47 +0000
On Sun, Nov 11, 2001 at 04:51:42PM -0600, Eric Renfro wrote:
> A BIG problem could be the password hash. In my case, a crypt-md5 has
> a preleading {crypt-md5} to it, which disrupts anything that doesn't
> know about that.
>
> Paul if you read this, take a note, please. :)
>
> Proper MD5 hashed passwords /always/ start with $1, to signify that
> it's MD5, and hashed.
> DES hashed passwords don't have that. I forget its identifier, if it
> even has one.
The reason for this is so that we can support multiple hashing formats,
beyond just MD5 and DES. In particular, APOP requires a plaintext copy
of the password.
With hindsight, it might have been more sensible to put the hash method
into a separate column.
<defence strength="weak">
We didn't invent the {crypt-md5} syntax - we copied it off another
project although I forget which one.
</defence>
> I personally dare not ever use plaintext passwords as much as I
> possibly can.
I'd prefer to have plaintext passwords in a database that I can secure,
rather than passwords being sent in the clear over a network that I
can't, hence support for plaintext passwords so that we can do APOP, and
CRAM-MD5 SMTP AUTH.
Paul
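As an added illustration of the two points above (it is not vmail's own code), here is how a server could parse a password column that may carry a `{scheme}` prefix, fall back to the `$1$` / 13-character heuristics Eric mentions, and why only a plaintext entry can answer a CRAM-MD5 challenge. The scheme names and the column layout are assumptions.

```python
"""Hypothetical parser for a {scheme}-prefixed password column plus a
CRAM-MD5 (RFC 2195) check. Constructed example, not vmail's own code."""
import hashlib
import hmac
import re

# Scheme labels assumed for this example; vmail's real set may differ.
KNOWN_SCHEMES = {"crypt-md5", "crypt", "plain"}


def parse_stored(field: str):
    """Split a stored credential into (scheme, value).

    An explicit "{scheme}" prefix wins. Otherwise infer the scheme from
    the hash itself: "$1$" marks an MD5 crypt, and 13 characters of the
    crypt alphabet is a traditional DES crypt.
    """
    m = re.match(r"^\{([A-Za-z0-9-]+)\}(.*)$", field, re.S)
    if m:
        scheme, value = m.group(1).lower(), m.group(2)
        if scheme not in KNOWN_SCHEMES:
            raise ValueError(f"unknown scheme {scheme!r}")
        return scheme, value
    if field.startswith("$1$"):
        return "crypt-md5", field
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "crypt", field
    raise ValueError("cannot determine hash scheme")


def cram_md5_response(username: str, secret: str, challenge: bytes) -> str:
    """Client side of CRAM-MD5: HMAC-MD5 over the challenge, keyed by the secret."""
    digest = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def verify_cram_md5(field: str, username: str, challenge: bytes, response: str) -> bool:
    """Server side. Only a plaintext entry lets the server recompute the HMAC;
    a crypt-md5 or DES hash cannot be turned back into the keying secret."""
    scheme, secret = parse_stored(field)
    if scheme != "plain":
        return False
    expected = cram_md5_response(username, secret, challenge)
    return hmac.compare_digest(expected, response)
```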