On 09/10/2013 02:34 AM, Johannes Weberhofer wrote:
Dear all!

For security reasons I have disabled the storage of vpopmail's
plain-text passwords. Upon connection the qmail-server still responds with

250-server.test.com - Welcome to Qmail Toaster Ver. 1.03.5 SMTP Server
250-STARTTLS
250-PIPELINING
250-8BITMIME
250-SIZE 20971520
250 AUTH LOGIN PLAIN CRAM-MD5

Qmail's implementation of cram-md5 is implemented in a way that the
plain-text password is required [1] for CRAM-MD5 authentication. My
problem is that some clients are sending the CRAM-MD5 response, but
Qmail is not able to process it correctly. Unfortunately I have not
found a way to turn this feature off. Does someone know how to?

Best regards,
Johannes

[1] http://en.wikipedia.org/wiki/CRAM-MD5


You're one step ahead of me, Johannes. :)

I had planned to do so by having spamdyke handle authentication. The current version doesn't implement this quite rightly though, but it'll be fixed in the soon-to-be-released version.

In the meantime, check for qmail config options in the .spec file. There might be a ./configure option for turning cram-md5 off. I don't know offhand, but I would expect so. Either that or vpopmail. I don't recall offhand how qmail makes the determination of which auth methods are available.

Please let me know how you make out with this.
Thanks!

P.S. Just to be clear, plain-text passwords are required for any implementation of cram-md5, not just qmail's. That's a weakness which is inherent in the protocol.

--
-Eric 'shubes'
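
The mismatch discussed in this thread, as an added example that is not part of either message or of qmail/vpopmail: the server has to key HMAC-MD5 with the shared secret to check a CRAM-MD5 response (RFC 2195), so a store holding only a one-way hash cannot complete a mechanism it still advertises. The password, challenge, SHA-256 stand-in for the stored hash and the helper names are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed EHLO reply, modelled on the one quoted in the thread.
EHLO_REPLY = (
    "250-server.test.com - Welcome to Qmail Toaster Ver. 1.03.5 SMTP Server\r\n"
    "250-STARTTLS\r\n"
    "250-PIPELINING\r\n"
    "250 AUTH LOGIN PLAIN CRAM-MD5\r\n"
)

def advertised_auth(ehlo_reply: str) -> set:
    """Return the SASL mechanisms listed on the AUTH line of an EHLO reply."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        words = line[4:].split()  # skip the "250-" / "250 " prefix
        if words and words[0].upper() == "AUTH":
            mechs.update(w.upper() for w in words[1:])
    return mechs

def cram_md5_digest(secret: bytes, challenge: bytes) -> str:
    """RFC 2195 digest: hex HMAC-MD5 over the challenge, keyed with the secret."""
    return hmac.new(secret, challenge, hashlib.md5).hexdigest()

def server_verify(stored: bytes, challenge: bytes, client_digest: str) -> bool:
    """Recompute the digest from whatever the server has stored and compare."""
    return hmac.compare_digest(cram_md5_digest(stored, challenge), client_digest)

def completable(mechs: set, has_cleartext: bool) -> set:
    """Mechanisms the server can actually finish with its credential store."""
    return set(mechs) if has_cleartext else set(mechs) - {"CRAM-MD5"}

# Constructed sample values (not from the thread).
PASSWORD = b"correct horse"
CHALLENGE = b"<1234.1378780440@server.test.com>"
# Stand-in for a one-way stored hash; the real vpopmail format is not modelled.
STORED_HASH = hashlib.sha256(PASSWORD).hexdigest().encode()

if __name__ == "__main__":
    digest = cram_md5_digest(PASSWORD, CHALLENGE)  # what the client sends
    print("advertised:", sorted(advertised_auth(EHLO_REPLY)))
    print("verify with clear-text secret:", server_verify(PASSWORD, CHALLENGE, digest))
    print("verify with hash only:", server_verify(STORED_HASH, CHALLENGE, digest))
    print("completable:", sorted(completable(advertised_auth(EHLO_REPLY), False)))
```

Running `advertised_auth` against a live server's EHLO reply and comparing it with `completable` gives a quick check that the AUTH line matches what the credential store can support.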

