[Vmail-discuss] Re: vmail smtp auth

Jakob Hirsch jh at plonk.de
Fri, 25 Jul 2003 12:02:59 +0200


Donovan Craig wrote:

> I understand that it is not possible to retrieve the original text
> from an md5 string. However, what I am wanting to find out is if it is
> possible to hash the string that comes from the client then compare
> this to the stored md5 string.

No, since what comes from the client is already hashed (together with the
challenge from the server).

According to RFC 2195, it is possible to store the password in a db _and_
use cram-md5 (though I do not completely understand how this works), but
this has to be supported by the application (Exim), which I think it is not. To
make sure, ask on the exim-users list.
But for sure it is not possible to simply have the password md5-hashed and
use cram-md5.
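
Added example, not part of the original message and not Exim or vmail code: a Python sketch of the CRAM-MD5 check discussed above, showing why a stored md5(password) cannot verify the client's response while the precomputed HMAC contexts that RFC 2195 mentions can. The function names are hypothetical, the sample password and challenge are the ones from the RFC 2195 example exchange, and in-memory `hashlib` objects stand in for the serialized MD5 state a real server would keep in its database.

```python
import hashlib
import hmac

BLOCK = 64  # MD5 block size in bytes

# Sample values from the RFC 2195 example exchange.
SAMPLE_PASSWORD = b"tanstaaftanstaaf"
SAMPLE_CHALLENGE = b"<1896.697170952@postoffice.reston.mci.net>"
# What a server would hold if it stored only md5(password).
STORED_MD5 = hashlib.md5(SAMPLE_PASSWORD).hexdigest()


def cram_md5_response(password: bytes, challenge: bytes) -> str:
    """Client side: HMAC-MD5 keyed with the password, over the challenge."""
    return hmac.new(password, challenge, hashlib.md5).hexdigest()


def verify_with_md5_of_password(stored_md5_hex, challenge, response) -> bool:
    """Server holding only md5(password): the digest is not the HMAC key,
    so the closest thing it can compute never matches the client's value."""
    key = bytes.fromhex(stored_md5_hex)
    guess = hmac.new(key, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(guess, response)


def precompute_contexts(password: bytes):
    """RFC 2195 storage option: MD5 states after absorbing key^ipad, key^opad."""
    key = hashlib.md5(password).digest() if len(password) > BLOCK else password
    key = key.ljust(BLOCK, b"\0")
    inner = hashlib.md5(bytes(b ^ 0x36 for b in key))
    outer = hashlib.md5(bytes(b ^ 0x5C for b in key))
    return inner, outer


def verify_with_contexts(contexts, challenge: bytes, response: str) -> bool:
    """Finish the HMAC from the saved states; the password is not needed."""
    inner, outer = contexts[0].copy(), contexts[1].copy()
    inner.update(challenge)
    outer.update(inner.digest())
    return hmac.compare_digest(outer.hexdigest(), response)


if __name__ == "__main__":
    resp = cram_md5_response(SAMPLE_PASSWORD, SAMPLE_CHALLENGE)
    print("client response:       ", resp)
    print("md5(password) verifies:", verify_with_md5_of_password(STORED_MD5, SAMPLE_CHALLENGE, resp))
    ctx = precompute_contexts(SAMPLE_PASSWORD)
    print("contexts verify:       ", verify_with_contexts(ctx, SAMPLE_CHALLENGE, resp))
```

The saved contexts are enough to compute a valid response to any challenge, so they need the same protection in the database as a cleartext password would.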