On Sunday 03 September 2006 15:23, Achim Grolms wrote:
> On Friday 01 September 2006 16:47, Jürgen Herz wrote:
> > And client response (here decoded)
> > authzid="juergen",charset=utf-8,cnonce="7c1c927e756c9067dbf412c964a823c1",
> > digest-uri="pop/pico",nc=00000001,nonce="S5hbmt7qeaQYOS/OLKOsYg==",
> > qop=auth,realm="",response=fed55b47609e097fdf7d145635e845ff,
> > username="juergen"
>
> After being in contact with Jürgen by private mail
> we now know the 'authzid' is the problem because the pop3-serverside does
> not support it.
> From my point of view (and RFC-2831) authzid is optional.
> authzid is needed in case the Authentication ID (username) differs
> from the Authorization ID (authzid).
> In case both are equal there is no need to send authzid.
> Worse, authzid should not be sent because that breaks authentication
> (for example in Jürgen's case, Dovecot on the server side not supporting
> authzid).
>
> From my point of view Authen::SASL::Perl::DIGEST_MD5 should be changed to
> send authzid only in case of authzid ne username.


I was wrong: Authen::SASL::Perl::DIGEST_MD5 is not the problem,
Net::POP3 caused the problem.

The code in Net::POP3 is this:


$sasl = Authen::SASL->new(mechanism => $mechanisms,
                          callback  => { user     => $username,
                                         pass     => $password,
                                         authname => $username,
                                       });


and should be:

$sasl = Authen::SASL->new(mechanism => $mechanisms,
                          callback  => { user => $username,
                                         pass => $password,
                                       });


because it is not useful to set authzid to the same value as username.

What do you think?

Achim
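
Added example, not part of the original message and not code from Net::POP3 or Authen::SASL: it computes the RFC 2831 response for qop=auth to show why a redundant authzid fails against a server that leaves authzid out of A1. The password is constructed, the helper names are hypothetical, and the "server ignores authzid" model is an assumption about the server side; the other values come from the decoded response quoted above.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5 qw(md5 md5_hex);

# RFC 2831 section 2.1.2.1, qop=auth. authzid is appended to A1 only
# when it is supplied, so both sides must agree on whether it is present.
sub digest_response {
    my (%p) = @_;
    my $a1 = join ':',
        md5("$p{username}:$p{realm}:$p{password}"),    # raw 16-byte digest
        $p{nonce}, $p{cnonce},
        (defined $p{authzid} ? $p{authzid} : ());
    my $a2 = "AUTHENTICATE:$p{digest_uri}";
    return md5_hex(join ':', md5_hex($a1),
        $p{nonce}, $p{nc}, $p{cnonce}, 'auth', md5_hex($a2));
}

# Rule proposed in the thread: send authzid only if it differs from username.
# Returns undef (always one scalar) when authzid should be omitted.
sub effective_authzid {
    my ($username, $authzid) = @_;
    return undef unless defined $authzid && length $authzid;
    return $authzid eq $username ? undef : $authzid;
}

my %session = (
    username   => 'juergen',
    realm      => '',
    password   => 'example-password',                  # constructed
    nonce      => 'S5hbmt7qeaQYOS/OLKOsYg==',
    cnonce     => '7c1c927e756c9067dbf412c964a823c1',
    nc         => '00000001',
    digest_uri => 'pop/pico',
);

# Assumption: the server computes A1 without authzid.
my $server_expects = digest_response(%session);

# Client that always passes authname => $username.
my $redundant = digest_response(%session, authzid => 'juergen');

# Client that filters authzid first.
my $filtered = digest_response(%session,
    authzid => scalar effective_authzid('juergen', 'juergen'));

printf "authzid always sent: %s\n",
    $redundant eq $server_expects ? 'accepted' : 'rejected';
printf "authzid filtered:    %s\n",
    $filtered eq $server_expects ? 'accepted' : 'rejected';
```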
