On Thu, 2011-06-09 at 13:48 +0530, kenja heramba wrote:
> Hi,
>
> I am writing a Pop3Client. I use dovecot server as POP3 server in linux and
> hMailServer in windows.
>
> I was just testing digest-md5 auth with dovecot server.
>
> I had an observation.
>
> After server side verification, server sends a verification code to client.
> If this fails, how can client send the negative response or does it not
> exist?

It doesn't exist. What could the client do anyway? Tell the server that "I see you're doing a man-in-the-middle attack, no thanks"?

> When I see packet capture, dovecot server sends +OK Logged in for anything
> client sends.

The last thing a client sends is the verification checksum, which finishes the DIGEST-MD5 authentication. After that the login is complete. So I'm not sure what you mean by "anything client sends". If you send a wrong checksum, it should fail the authentication.
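The server's "verification code" discussed in this thread is the `rspauth` value of DIGEST-MD5 (RFC 2831). The following Python is an added example, not part of the original thread and not Dovecot's code: it shows how a client can compute the expected `rspauth` and check the server's final continuation line, with a mismatch leaving the client nothing to do but close the connection. It assumes `qop=auth` with no authzid; the function names are illustrative and the sample input is constructed from the RFC 2831 example exchange.

```python
import base64
import hashlib
import hmac

def digest_value(user, realm, password, nonce, cnonce, nc, digest_uri,
                 a2_prefix, qop="auth"):
    """RFC 2831 response-value for qop=auth without authzid.
    a2_prefix is "AUTHENTICATE" for the client's response and "" for the
    server's rspauth; that prefix is the only difference between the two."""
    secret = hashlib.md5(f"{user}:{realm}:{password}".encode()).digest()
    ha1 = hashlib.md5(secret + f":{nonce}:{cnonce}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{a2_prefix}:{digest_uri}".encode()).hexdigest()
    kd = f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}"
    return hashlib.md5(kd.encode()).hexdigest()

def parse_final_challenge(line):
    """Extract rspauth from a '+ <base64>' continuation line, or None."""
    if not line.startswith("+ "):
        return None
    try:
        decoded = base64.b64decode(line[2:].strip(), validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    key, sep, value = decoded.partition("=")
    return value if sep and key == "rspauth" else None

def server_proved_password(line, **params):
    """True only if the server's rspauth matches what we compute locally.
    On False the client's only option is to drop the connection."""
    got = parse_final_challenge(line)
    if got is None:
        return False
    expected = digest_value(a2_prefix="", **params)
    return hmac.compare_digest(got, expected)

# Constructed sample: the test values from the RFC 2831 example exchange.
PARAMS = dict(user="chris", realm="elwood.innosoft.com", password="secret",
              nonce="OA6MG9tEQGm2hh", cnonce="OA6MHXh6VqTrRk", nc="00000001",
              digest_uri="imap/elwood.innosoft.com")

def final_line(rspauth):
    """Build the server's last continuation line for a given rspauth."""
    return "+ " + base64.b64encode(f"rspauth={rspauth}".encode()).decode()

if __name__ == "__main__":
    print("response:", digest_value(a2_prefix="AUTHENTICATE", **PARAMS))
    good = final_line(digest_value(a2_prefix="", **PARAMS))
    print("genuine server accepted:", server_proved_password(good, **PARAMS))
    print("forged rspauth accepted:", server_proved_password(final_line("0" * 32), **PARAMS))
```

For a POP3 session the `digest_uri` would name the POP service and host instead of the IMAP value used in the RFC sample.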
