[Vmail-discuss] smtp auth

Paul Warren pdw@xxxxxxxxxxxxx
Tue, 13 Nov 2001 09:28:24 +0000


On Mon, Nov 12, 2001 at 11:42:49PM -0600, Eric Renfro wrote:
> |The reason for this is so that we can support multiple hashing 
> |formats, beyond just MD5 and DES.  In particular, APOP 
> |requires a plaintext copy of the password.
> |
> |With hindsight, it might have been more sensible to put the 
> |hash method into a separate column.
> 
> Oh yes. That would definitely be a better plan, so that you could
> actually make use of those hashes in other things, such as an
> example: Courier-IMAP's authdaemon.mysql, which can either use
> plaintext, or automagically test against several crypt() methods,
> including DES and Crypt-MD5.

OK.  I'll consider it for the next release.

> |I'd prefer to have plaintext passwords in a database that I 
> |can secure, rather than passwords being sent in the clear over 
> |a network that I can't, hence support for plaintext passwords 
> |so that we can do APOP, and CRAM-MD5 SMTP AUTH.
> |
> |Paul
> 
> I don't quite understand this concept, myself. What's different about
> APOP, and CRAM-MD5 SMTP AUTH? I'm unfamiliar with this. I use SSL
> tunneled encryption, when security is an issue, still testing a
> plaintext password from the client, to a hashed password from the
> server.

The difference with APOP (and I believe CRAM-MD5) is that it works using a
shared secret.  Both the server and client know what the password is,
the server then issues a challenge to the client - a random string -
which the client hashes with the password an returns.  The server then
performs the same hash and checks the result.  The advantage is that the
password never gets sent, this disadvantage is that the server needs a
plaintext copy of the password.

Paul