Re: [vchkpw] vchkpw fails and then succeeds!

2004-12-15 Thread Pedro Pais
On Wed, 15 Dec 2004 03:24:07 -0300, Eduardo M. Bragatto
[EMAIL PROTECTED] wrote:
 Charles Sprickman wrote:
 I don't really care if some user has his mail sniffed (if he thinks
 it's confidential, he should be responsible for encrypting it, so even
 when it's written to the storage system the message would still be
 encrypted). But I do care if some spammer sniffs him and starts getting
 relay to do spam through my smtpd (smtp-auth).
I'm not sure, but I think that the only thing that's encrypted is the
login data. Or am I wrong?

-- 
Pedro Pais
Skype name: pedro.pais
MSN: [EMAIL PROTECTED]
Get Firefox! 
http://www.spreadfirefox.com/community/?q=affiliates&id=3759&t=1


Re: [vchkpw] vchkpw fails and then succeeds!

2004-12-15 Thread Eduardo M. Bragatto
Pedro Pais wrote:
I'm not sure, but I think that the only thing that's encrypted is the
login data. Or am I wrong?
	Yes, it's true. That's exactly what I want: protect the login data (it 
means that I want it encrypted via CRAM-MD5 on smtp-auth as well as on my DB).

--
Best regards,
Eduardo M. Bragatto.


Re: [vchkpw] vchkpw fails and then succeeds!

2004-12-15 Thread Rob Sutton
unsubscribe
- Original Message - 
From: Eduardo M. Bragatto [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, December 15, 2004 10:03 AM
Subject: Re: [vchkpw] vchkpw fails and then succeeds!


Pedro Pais wrote:
I'm not sure, but I think that the only thing that's encrypted is the
login data. Or am I wrong?
Yes, it's true. That's exactly what I want: protect the login data (it 
means that I want it encrypted via CRAM-MD5 on smtp-auth as well as on my 
DB).

--
Best regards,
Eduardo M. Bragatto.




Re: [vchkpw] vchkpw fails and then succeeds!

2004-12-15 Thread Jeremy Kitchen
On Wednesday 15 December 2004 12:24 am, Eduardo M. Bragatto wrote:
 Charles Sprickman wrote:
  So I have to choose: using a cryptography authentication method
   that's not safe or having the password being saved as plain (which is
  not safe either)?
 
  No...

    You did not point out how to do what I'm asking: is it possible to use
 CRAM-MD5 without clear passwords?

cram-md5 requires the clear text password on both ends, however, the 
transmission of the password is secure.

  There's a simple workaround; use standard auth and in your setup guides
  show your users how to click the Use SSL/TLS option in their mail
  program.  Then your login (and the contents of the message they are
  sending/receiving) is encrypted, and you can use an auth mechanism that
  does not require clear-text passwords.

    It's not a workaround for me. I do not use the TLS patch and I don't really
  want to encrypt messages. I just want to be sure that my users' password
  will not be accessible for anyone but themselves.

setting up SSL is very easy to do.  
http://superscript.com/ucspi-ssl/intro.html

it's about 3 changes to your run script, and generating your SSL certificates, 
which takes about 5-10 minutes to do.

-Jeremy

-- 
Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc.
  [EMAIL PROTECTED] ++ www.inter7.com ++ 866.528.3530 ++ 815.776.9465 int'l
  kitchen @ #qmail #gentoo on EFnet IRC ++ scriptkitchen.com/qmail
 GnuPG Key ID: 481BF7E2 ++ jabber:[EMAIL PROTECTED]




Re: [vchkpw] vchkpw fails and then succeeds!

2004-12-14 Thread Pedro Pais
On Mon, 13 Dec 2004 21:26:10 -0500 (EST), Charles Sprickman
[EMAIL PROTECTED] wrote:
 On Tue, 14 Dec 2004, Pedro Pais wrote:
 
  Yes, does Outlook Express support TLS? I can't make it use it, which
  is not very nice :(
 
 Oops.  Sorry about that.  It indeed does not work.
 
 This run script is interesting, it will put up a stunnel SSL connection
 that should make Outhouse Express happy:
 
 http://www.jms1.net/qmail/run.smtp
 
 Charles

Will I be able to run two concurrent qmail processes, on different
ports? One listening on 25 and the other listening on 465?
 
  --
  Pedro Pais
  Skype name: pedro.pais
  MSN: [EMAIL PROTECTED]
  Get Firefox! 
  http://www.spreadfirefox.com/community/?q=affiliates&id=3759&t=1
 
 


-- 
Pedro Pais
Skype name: pedro.pais
MSN: [EMAIL PROTECTED]
Get Firefox! 
http://www.spreadfirefox.com/community/?q=affiliates&id=3759&t=1


Re: [vchkpw] vchkpw fails and then succeeds!

2004-12-14 Thread Eduardo M. Bragatto
Charles Sprickman wrote:
So I have to choose: using a cryptography authentication method 
that's not safe or having the password being saved as plain (which is 
not safe either)?
No...
	You did not point out how to do what I'm asking: is it possible to use 
CRAM-MD5 without clear passwords?

They don't have to sniff your LAN, they can sniff at the end-users side. 
You're probably using smtp-auth to provide roaming to travelling users, 
and there's a decent chance some of those are on unfriendly networks 
like wireless...
Exactly.
There's a simple workaround; use standard auth and in your setup guides 
show your users how to click the Use SSL/TLS option in their mail 
program.  Then your login (and the contents of the message they are 
sending/receiving) is encrypted, and you can use an auth mechanism that 
does not require clear-text passwords.
	It's not a workaround for me. I do not use the TLS patch and I don't really 
want to encrypt messages. I just want to be sure that my users' password 
will not be accessible for anyone but themselves.
	I don't really care if some user has his mail sniffed (if he thinks 
it's confidential, he should be responsible for encrypting it, so even 
when it's written to the storage system the message would still be 
encrypted). But I do care if some spammer sniffs him and starts getting 
relay to do spam through my smtpd (smtp-auth).

--
Best regards,
Eduardo M. Bragatto.


Re: [vchkpw] vchkpw fails and then succeeds!

2004-12-13 Thread Charles Sprickman
On Fri, 10 Dec 2004, Eduardo M. Bragatto wrote:
Tom Collins wrote:
If you stored a single encoded password, anyone sniffing the line could 
learn the encoded version and just re-use it.
	So I have to choose: using a cryptography authentication method 
that's not safe or having the password being saved as plain (which is not safe 
either)?
No...
	Sure I can guarantee that getting access to my DB is more difficult 
than getting access to my LAN (in case of sniffing), so I would choose having 
the plain password stored, but it's still a hole on the system (if some 
guy gains access to DB, he'll have access to ALL passwords, while sniffing 
would just compromise some users).
They don't have to sniff your LAN, they can sniff at the end-users side. 
You're probably using smtp-auth to provide roaming to travelling users, 
and there's a decent chance some of those are on unfriendly networks 
like wireless...

	Are there any plans to work around this problem? Is there a way to do 
it? How does other software that uses CRAM-MD5 behave? Does it always keep 
the plain password?
There's a simple workaround; use standard auth and in your setup guides 
show your users how to click the Use SSL/TLS option in their mail 
program.  Then your login (and the contents of the message they are 
sending/receiving) is encrypted, and you can use an auth mechanism that 
does not require clear-text passwords.

Another auth mechanism that works like this is CHAP.  We used to have a 
roaming dial provider that had a handful of POPs that only supported CHAP 
and had to ditch them since it required us to store cleartext passwords. 
Since we auth dialup users out of our vpopmail db, we just decided not to 
mess with them.  I've never been worried about the attack CHAP tries to 
protect against, which involves tapping the modem line to grab user/pass 
info - it's just not a realistic threat for most people.

Charles
--
Best regards,
Eduardo M. Bragatto.


Re: [vchkpw] vchkpw fails and then succeeds!

2004-12-13 Thread Pedro Pais
On Mon, 13 Dec 2004 17:37:00 -0500 (EST), Charles Sprickman
[EMAIL PROTECTED] wrote:
 On Fri, 10 Dec 2004, Eduardo M. Bragatto wrote:
 
  Tom Collins wrote:
 
  If you stored a single encoded password, anyone sniffing the line could
  learn the encoded version and just re-use it.
 
So I have to choose: using a cryptography authentication method
  that's not safe or having the password being saved as plain (which is not safe
  either)?
 
 No...
 
Sure I can guarantee that getting access to my DB is more difficult
  than getting access to my LAN (in case of sniffing), so I would choose 
  having
  the plain password stored, but it's still a hole on the system (if 
  some
  guy gains access to DB, he'll have access to ALL passwords, while sniffing
  would just compromise some users).
 
 They don't have to sniff your LAN, they can sniff at the end-users side.
 You're probably using smtp-auth to provide roaming to travelling users,
 and there's a decent chance some of those are on unfriendly networks
 like wireless...
 
Are there any plans to work around this problem? Is there a way to do
  it? How does other software that uses CRAM-MD5 behave? Does it always keep
  the plain password?
 
 There's a simple workaround; use standard auth and in your setup guides
 show your users how to click the Use SSL/TLS option in their mail
 program.  Then your login (and the contents of the message they are
 sending/receiving) is encrypted, and you can use an auth mechanism that
 does not require clear-text passwords.

Yes, does Outlook Express support TLS? I can't make it use it, which
is not very nice :(

 
 Another auth mechanism that works like this is CHAP.  We used to have a
 roaming dial provider that had a handful of POPs that only supported CHAP
 and had to ditch them since it required us to store cleartext passwords.
 Since we auth dialup users out of our vpopmail db, we just decided not to
 mess with them.  I've never been worried about the attack CHAP tries to
 protect against, which involves tapping the modem line to grab user/pass
 info - it's just not a realistic threat for most people.
 
 Charles
 
 
 
  --
Best regards,
Eduardo M. Bragatto.
 
 


-- 
Pedro Pais
Skype name: pedro.pais
MSN: [EMAIL PROTECTED]
Get Firefox! 
http://www.spreadfirefox.com/community/?q=affiliates&id=3759&t=1


Re: [vchkpw] vchkpw fails and then succeeds!

2004-12-13 Thread Pedro Pais
On Mon, 13 Dec 2004 21:26:10 -0500 (EST), Charles Sprickman
[EMAIL PROTECTED] wrote:
 On Tue, 14 Dec 2004, Pedro Pais wrote:
 
  Yes, does Outlook Express support TLS? I can't make it use it, which
  is not very nice :(
 
 Oops.  Sorry about that.  It indeed does not work.
 
 This run script is interesting, it will put up a stunnel SSL connection
 that should make Outhouse Express happy:
 
 http://www.jms1.net/qmail/run.smtp

thanks.
 
 Charles
 
  --
  Pedro Pais
  Skype name: pedro.pais
  MSN: [EMAIL PROTECTED]
  Get Firefox! 
  http://www.spreadfirefox.com/community/?q=affiliates&id=3759&t=1
 
 


-- 
Pedro Pais
Skype name: pedro.pais
MSN: [EMAIL PROTECTED]
Get Firefox! 
http://www.spreadfirefox.com/community/?q=affiliates&id=3759&t=1


Re: [vchkpw] vchkpw fails and then succeeds!

2004-12-13 Thread Charles Sprickman
On Thu, 9 Dec 2004, Tom Collins wrote:
On Dec 9, 2004, at 1:53 PM, Charles Sprickman wrote:
Also, I'm fairly certain that CRAM-MD5 requires that you have clear-text 
passwords enabled.  I still need to look at my pop and smtp servers to see 
how I can make them not advertise something that's not available on my 
system...
Good point (clear-text).
The change is pretty easy -- just modify qmail-smtpd.c.  Search for a line 
like 250-AUTH LOGIN CRAM-MD5 PLAIN and remove the CRAM-MD5 part.
Cool.  I really like Bill's patch.  That plus all the work Antonio's been 
doing on chkuser and we're one step closer to having a vpopmail patch for 
netqmail.  Now if one day that were bundled in with vpopmail in a way 
where we ended up with an integrated mail system...  m...  One of 
the things having an official patchset would do would be to alter our 
patching of qmail to take into account all the vpopmail configure options 
(ie: patch qmail intelligently so that CRAM-MD5 isn't offered if 
clear-text passwords are not enabled in vpopmail).

Just thinking out loud, but it seems like something that might be worth 
looking at down the line - it would probably reduce some common questions 
on this list and make supporting the casual user a bit easier...

Charles
--
Tom Collins  -  [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
Info on the Sniffter hand-held Network Tester: http://sniffter.com/



Re: [vchkpw] vchkpw fails and then succeeds!

2004-12-13 Thread Charles Sprickman
On Tue, 14 Dec 2004, Pedro Pais wrote:
Yes, does Outlook Express support TLS? I can't make it use it, which
is not very nice :(
Very much so.  Let me fire up VPC and see what they call that...
Go to tools - accounts - then click the mail tab.
Highlight the mail account in question and hit properties.
Go to the servers tab, check off my server requires authentication,
Then click the advanced tab.  There's a checkbox under smtp that says 
this server requires a secure connection (SSL).  Check it.

All set in a dozen easy steps. :)
Charles
--
Pedro Pais
Skype name: pedro.pais
MSN: [EMAIL PROTECTED]
Get Firefox! 
http://www.spreadfirefox.com/community/?q=affiliates&id=3759&t=1


Re: [vchkpw] vchkpw fails and then succeeds!

2004-12-13 Thread Charles Sprickman
On Tue, 14 Dec 2004, Pedro Pais wrote:
Yes, does Outlook Express support TLS? I can't make it use it, which
is not very nice :(
Oops.  Sorry about that.  It indeed does not work.
This run script is interesting, it will put up a stunnel SSL connection 
that should make Outhouse Express happy:

http://www.jms1.net/qmail/run.smtp
Charles
--
Pedro Pais
Skype name: pedro.pais
MSN: [EMAIL PROTECTED]
Get Firefox! 
http://www.spreadfirefox.com/community/?q=affiliates&id=3759&t=1


Re: [vchkpw] vchkpw fails and then succeeds!

2004-12-10 Thread Pedro Pais
On Fri, 10 Dec 2004 19:28:32 +, Pedro Pais [EMAIL PROTECTED] wrote:
 On Thu, 9 Dec 2004 21:39:22 -0800, Tom Collins [EMAIL PROTECTED] wrote:
 
 
  On Dec 9, 2004, at 3:20 PM, Pedro Pais wrote:
   Also, I'm fairly certain that CRAM-MD5 requires that you have
   clear-text
   passwords enabled.  I still need to look at my pop and smtp servers
   to see
   how I can make them not advertise something that's not available on my
   system...
  
   Really? That doesn't sound too secure, or even ethical.
 
  CRAM-MD5 is more secure because someone sniffing the network can't
  derive the sender's password.  With all other SMTP AUTH methods, you
  can easily decode sniffed packets to get the email address and
  password.  The only way for CRAM-MD5 to work is for the server to know
  the user's cleartext password.
 
  Granted, you need to make sure the cleartext password is stored
  securely...
 But why isn't the password stored in the passwd/mysql using CRAM-MD5
 format? That way you could always check it. It wouldn't matter if the
 client authenticated using plain or using CRAM-MD5. You could even
 double cypher the password using mysql PASSWORD().
 a) Client authenticates using plain username/password. Create CRAM-MD5
 from those tokens and check with the password stored.
 b) Client authenticates using CRAM-MD5 username/password. Directly
 compare with the stored password.
 
 Am I missing something important in here?

Maybe I'm over-simplifying things a bit, right? I'm skimming the RFC
and the process of creation of the CRAM-MD5 authentication token
doesn't seem to be very straight-forward...
 
 
  --
 
 
 
 
  Tom Collins  -  [EMAIL PROTECTED]
  QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
  Info on the Sniffter hand-held Network Tester: http://sniffter.com/
 
 
 
 --
 Pedro Pais
 Skype name: pedro.pais
 MSN: [EMAIL PROTECTED]
 Get Firefox! 
 http://www.spreadfirefox.com/community/?q=affiliates&id=3759&t=1
 


-- 
Pedro Pais
Skype name: pedro.pais
MSN: [EMAIL PROTECTED]
Get Firefox! 
http://www.spreadfirefox.com/community/?q=affiliates&id=3759&t=1


Re: [vchkpw] vchkpw fails and then succeeds!

2004-12-10 Thread Eduardo M. Bragatto
Tom Collins wrote:
If you stored a single encoded password, anyone sniffing the line could 
learn the encoded version and just re-use it.
	So I have to choose: using a cryptography authentication method that's 
not safe or having the password being saved as plain (which is not safe 
either)?
	Sure I can guarantee that getting access to my DB is more difficult 
than getting access to my LAN (in case of sniffing), so I would choose 
having the plain password stored, but it's still a hole on the 
system (if some guy gains access to DB, he'll have access to ALL 
passwords, while sniffing would just compromise some users).
	Are there any plans to work around this problem? Is there a way to do 
it? How does other software that uses CRAM-MD5 behave? Does it always 
keep the plain password?

--
Best regards,
Eduardo M. Bragatto.


Re: [vchkpw] vchkpw fails and then succeeds!

2004-12-10 Thread Pedro Pais
On Thu, 9 Dec 2004 21:39:22 -0800, Tom Collins [EMAIL PROTECTED] wrote:
 On Dec 9, 2004, at 3:20 PM, Pedro Pais wrote:
  Also, I'm fairly certain that CRAM-MD5 requires that you have
  clear-text
  passwords enabled.  I still need to look at my pop and smtp servers
  to see
  how I can make them not advertise something that's not available on my
  system...
 
  Really? That doesn't sound too secure, or even ethical.
 
 CRAM-MD5 is more secure because someone sniffing the network can't
 derive the sender's password.  With all other SMTP AUTH methods, you
 can easily decode sniffed packets to get the email address and
 password.  The only way for CRAM-MD5 to work is for the server to know
 the user's cleartext password.
 
 Granted, you need to make sure the cleartext password is stored
 securely...
But why isn't the password stored in the passwd/mysql using CRAM-MD5
format? That way you could always check it. It wouldn't matter if the
client authenticated using plain or using CRAM-MD5. You could even
double cypher the password using mysql PASSWORD().
a) Client authenticates using plain username/password. Create CRAM-MD5
from those tokens and check with the password stored.
b) Client authenticates using CRAM-MD5 username/password. Directly
compare with the stored password.

Am I missing something important in here?


 
 --
 
 
 Tom Collins  -  [EMAIL PROTECTED]
 QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
 Info on the Sniffter hand-held Network Tester: http://sniffter.com/
 
 


-- 
Pedro Pais
Skype name: pedro.pais
MSN: [EMAIL PROTECTED]
Get Firefox! 
http://www.spreadfirefox.com/community/?q=affiliates&id=3759&t=1


Re: [vchkpw] vchkpw fails and then succeeds!

2004-12-10 Thread Tom Collins
On Dec 10, 2004, at 11:28 AM, Pedro Pais wrote:
But why isn't the password stored in the passwd/mysql using CRAM-MD5
format? That way you could always check it. It wouldn't matter if the
client authenticated using plain or using CRAM-MD5. You could even
double cypher the password using mysql PASSWORD().
a) Client authenticates using plain username/password. Create CRAM-MD5
from those tokens and check with the password stored.
b) Client authenticates using CRAM-MD5 username/password. Directly
compare with the stored password.
Am I missing something important in here?
Every time the client authenticates, it uses a different challenge 
(issued by the server) to encode the response.  CRAM-MD5 works in a way 
that if you and I both know the cleartext password (secret), we can 
both generate the same response to the common challenge.  You can tell 
me the response, and I can verify whether you know the password, but 
someone overhearing our conversation can't determine the actual 
password.

If you stored a single encoded password, anyone sniffing the line could 
learn the encoded version and just re-use it.

--
Tom Collins  -  [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
Info on the Sniffter hand-held Network Tester: http://sniffter.com/
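Tom's explanation above (and Pedro's proposal it answers, and Jeremy's later remark that CRAM-MD5 needs the cleartext on both ends while protecting it in transit), worked through as an added example. This is not code from vpopmail or qmail; it follows RFC 2195, where the response is hex(HMAC-MD5(password, challenge)). The account name, password, host name, salt and the PBKDF2 storage hash are constructed assumptions for illustration.

```python
"""Added example (not vpopmail or qmail code): why CRAM-MD5 verification
needs the cleartext secret on the server, and what a sniffer does and
does not learn. Follows RFC 2195: response = hex(HMAC-MD5(password,
challenge)). Account, host name and salt below are constructed values."""
import hashlib
import hmac
import secrets
import time

USER = "alice@example.invalid"        # constructed sample account
PASSWORD = "correct horse battery"    # constructed sample secret


def make_challenge(hostname="mail.example.invalid"):
    """Server side: a fresh, unpredictable challenge for every login attempt."""
    return f"<{secrets.randbelow(10**9)}.{int(time.time())}@{hostname}>"


def cram_md5_response(username, password, challenge):
    """Client side: 'user hex(HMAC-MD5(password, challenge))' (RFC 2195)."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{username} {digest}"


def verify_cram_md5(cleartext_secret, challenge, response):
    """Server side: recompute the HMAC for *this* challenge with the stored
    cleartext secret and compare in constant time. A one-way hash of the
    password (crypt(), MySQL PASSWORD(), ...) cannot stand in for the key."""
    _, _, digest = response.partition(" ")
    expected = hmac.new(cleartext_secret.encode(), challenge.encode(),
                        hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def verify_against_fixed_digest(stored_digest, response):
    """The scheme proposed in the thread: keep one CRAM-MD5 digest in the
    database and compare it with whatever the client sends. It only matches
    when the client answered the very challenge that digest was made for."""
    _, _, digest = response.partition(" ")
    return hmac.compare_digest(stored_digest, digest)


def hash_for_storage(password, salt):
    """What the server needs for PLAIN/LOGIN (over TLS): a one-way hash,
    illustrated with PBKDF2-HMAC-SHA256. Assumption for illustration only;
    vpopmail's own non-clear-text storage format is not modelled here."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def verify_plain(stored_hash, salt, password):
    """PLAIN verification against the one-way hash: no cleartext kept."""
    return hmac.compare_digest(stored_hash, hash_for_storage(password, salt))


def demo():
    """Returns (normal login ok, replayed response ok, fixed-digest scheme ok)."""
    c1 = make_challenge()
    r1 = cram_md5_response(USER, PASSWORD, c1)
    login_ok = verify_cram_md5(PASSWORD, c1, r1)

    c2 = make_challenge()
    while c2 == c1:                    # guard against a same-second collision
        c2 = make_challenge()
    # Someone who captured (c1, r1) on the wire cannot replay r1: the server
    # keyed its check to a new challenge.
    replay_ok = verify_cram_md5(PASSWORD, c2, r1)

    # Storing only HMAC-MD5(PASSWORD, c1) instead of the cleartext: even the
    # real user, answering c2 correctly, fails, and the server has no way to
    # derive HMAC-MD5(PASSWORD, c2) from the stored value.
    stored_digest = r1.partition(" ")[2]
    r2 = cram_md5_response(USER, PASSWORD, c2)
    fixed_ok = verify_against_fixed_digest(stored_digest, r2)
    return login_ok, replay_ok, fixed_ok


if __name__ == "__main__":
    print("normal login, replay, fixed-digest scheme:", demo())
    salt = b"constructed-salt"
    print("PLAIN against hashed storage:",
          verify_plain(hash_for_storage(PASSWORD, salt), salt, PASSWORD))
```

Running `demo()` gives `(True, False, False)`: the genuine login passes, the replayed response fails, and the "store one digest" scheme fails even for the legitimate user. Two caveats a defender should keep in mind: a captured challenge/response pair, while not revealing the password directly, can still be tested offline against password guesses, so weak passwords stay at risk with CRAM-MD5 too; and anything the server stores that suffices to answer arbitrary challenges (the cleartext, or the HMAC's precomputed inner/outer pad states, which some servers keep instead) is password-equivalent for this mechanism, so it must be protected like a cleartext password.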


Re: [vchkpw] vchkpw fails and then succeeds!

2004-12-09 Thread Charles Sprickman
On Wed, 8 Dec 2004, Tom Collins wrote:
On Dec 8, 2004, at 8:04 AM, Pedro Pais wrote:
When a user tries to authenticate itself, the first time vchkpw fails with:
Dec  6 21:50:08 [vpopmail] vchkpw-smtp: password fail
but then it succeeds immediately after:
Dec  6 21:50:13 [vpopmail] vchkpw-smtp: (PLAIN) login success
This is very annoying, besides the fact that this only happens with
Thunderbird, with other e-mail clients they give an error message and
the connection is terminated. Is there any way to solve this thing?
It looks like the client is trying CRAM-MD5, failing, and then using PLAIN 
authentication.

You probably have an older patch, or a version problem between the smtp-auth 
patch and vpopmail.  The older patch sent the information in the incorrect 
order, and vpopmail was written to accept it in that order.  We fixed 
vpopmail for the 5.4.0 release, but it required updating to the correct SMTP 
AUTH patch.
Also, I'm fairly certain that CRAM-MD5 requires that you have clear-text 
passwords enabled.  I still need to look at my pop and smtp servers to see 
how I can make them not advertise something that's not available on my 
system...

Charles
If you're using vpopmail 5.4.0 and later, make sure you're using an 
up-to-date patch that passes the MD5 challenge and response in the correct 
order.  The patch in vpopmail's contrib directory works properly.

--
Tom Collins  -  [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
Info on the Sniffter hand-held Network Tester: http://sniffter.com/



Re: [vchkpw] vchkpw fails and then succeeds!

2004-12-09 Thread Pedro Pais
On Thu, 9 Dec 2004 16:53:30 -0500 (EST), Charles Sprickman
[EMAIL PROTECTED] wrote:
 On Wed, 8 Dec 2004, Tom Collins wrote:
 
 
 
  On Dec 8, 2004, at 8:04 AM, Pedro Pais wrote:
  When a user tries to authenticate itself, the first time vchkpw fails with:
 
  Dec  6 21:50:08 [vpopmail] vchkpw-smtp: password fail
 
  but then it succeeds immediately after:
 
  Dec  6 21:50:13 [vpopmail] vchkpw-smtp: (PLAIN) login success
 
  This is very annoying, besides the fact that this only happens with
  Thunderbird, with other e-mail clients they give an error message and
  the connection is terminated. Is there any way to solve this thing?
 
  It looks like the client is trying CRAM-MD5, failing, and then using PLAIN
  authentication.
 
  You probably have an older patch, or a version problem between the smtp-auth
  patch and vpopmail.  The older patch sent the information in the incorrect
  order, and vpopmail was written to accept it in that order.  We fixed
  vpopmail for the 5.4.0 release, but it required updating to the correct SMTP
  AUTH patch.
 
 Also, I'm fairly certain that CRAM-MD5 requires that you have clear-text
 passwords enabled.  I still need to look at my pop and smtp servers to see
 how I can make them not advertise something that's not available on my
 system...
 
 Charles
Really? That doesn't sound too secure, or even ethical.
Well, I've found a way to disable the announcement of CRAM-MD5:
edit qmail-smtpd.c, and delete (or comment out) the line that says
#define AUTHCRAM. Then compile, install qmail and CRAM-MD5 support is
gone.

 
 
 
  If you're using vpopmail 5.4.0 and later, make sure you're using an
  up-to-date patch that passes the MD5 challenge and response in the correct
  order.  The patch in vpopmail's contrib directory works properly.
 
  --
  Tom Collins  -  [EMAIL PROTECTED]
  QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
  Info on the Sniffter hand-held Network Tester: http://sniffter.com/
 
 
 


-- 
Pedro Pais
Skype name: pedro.pais
MSN: [EMAIL PROTECTED]
Get Firefox! 
http://www.spreadfirefox.com/community/?q=affiliates&id=3759&t=1


Re: [vchkpw] vchkpw fails and then succeeds!

2004-12-09 Thread Tom Collins
On Dec 9, 2004, at 1:53 PM, Charles Sprickman wrote:
Also, I'm fairly certain that CRAM-MD5 requires that you have 
clear-text passwords enabled.  I still need to look at my pop and smtp 
servers to see how I can make them not advertise something that's not 
available on my system...
Good point (clear-text).
The change is pretty easy -- just modify qmail-smtpd.c.  Search for a 
line like 250-AUTH LOGIN CRAM-MD5 PLAIN and remove the CRAM-MD5 
part.

--
Tom Collins  -  [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
Info on the Sniffter hand-held Network Tester: http://sniffter.com/


Re: [vchkpw] vchkpw fails and then succeeds!

2004-12-09 Thread Jeremy Kitchen
On Thursday 09 December 2004 06:16 pm, Tom Collins wrote:
 On Dec 9, 2004, at 1:53 PM, Charles Sprickman wrote:
  Also, I'm fairly certain that CRAM-MD5 requires that you have
  clear-text passwords enabled.  I still need to look at my pop and smtp
  servers to see how I can make them not advertise something that's not
  available on my system...

 Good point (clear-text).

 The change is pretty easy -- just modify qmail-smtpd.c.  Search for a
 line like 250-AUTH LOGIN CRAM-MD5 PLAIN and remove the CRAM-MD5
 part.

most of them also have an ifdef around that, so simply undefine CRAM_MD5 (near 
the top of the file) and you're set.

-Jeremy

-- 
Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc.
  [EMAIL PROTECTED] ++ www.inter7.com ++ 866.528.3530 ++ 815.776.9465 int'l
  kitchen @ #qmail #gentoo on EFnet IRC ++ scriptkitchen.com/qmail
 GnuPG Key ID: 481BF7E2 ++ jabber:[EMAIL PROTECTED]




Re: [vchkpw] vchkpw fails and then succeeds!

2004-12-09 Thread Tom Collins
On Dec 9, 2004, at 3:20 PM, Pedro Pais wrote:
Also, I'm fairly certain that CRAM-MD5 requires that you have 
clear-text
passwords enabled.  I still need to look at my pop and smtp servers 
to see
how I can make them not advertise something that's not available on my
system...
Really? That doesn't sound too secure, or even ethical.
CRAM-MD5 is more secure because someone sniffing the network can't 
derive the sender's password.  With all other SMTP AUTH methods, you 
can easily decode sniffed packets to get the email address and 
password.  The only way for CRAM-MD5 to work is for the server to know 
the user's cleartext password.

Granted, you need to make sure the cleartext password is stored 
securely...

--
Tom Collins  -  [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
Info on the Sniffter hand-held Network Tester: http://sniffter.com/


Re: [vchkpw] vchkpw fails and then succeeds!

2004-12-08 Thread Tom Collins
On Dec 8, 2004, at 8:04 AM, Pedro Pais wrote:
When a user tries to authenticate itself, the first time vchkpw fails 
with:

Dec  6 21:50:08 [vpopmail] vchkpw-smtp: password fail
but then it succeeds immediately after:
Dec  6 21:50:13 [vpopmail] vchkpw-smtp: (PLAIN) login success
This is very annoying, besides the fact that this only happens with
Thunderbird, with other e-mail clients they give an error message and
the connection is terminated. Is there any way to solve this thing?
It looks like the client is trying CRAM-MD5, failing, and then using 
PLAIN authentication.

You probably have an older patch, or a version problem between the 
smtp-auth patch and vpopmail.  The older patch sent the information in 
the incorrect order, and vpopmail was written to accept it in that 
order.  We fixed vpopmail for the 5.4.0 release, but it required 
updating to the correct SMTP AUTH patch.

If you're using vpopmail 5.4.0 and later, make sure you're using an 
up-to-date patch that passes the MD5 challenge and response in the 
correct order.  The patch in vpopmail's contrib directory works 
properly.

--
Tom Collins  -  [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
Info on the Sniffter hand-held Network Tester: http://sniffter.com/
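The log pattern Pedro reports and Tom diagnoses above (a "password fail" followed a few seconds later by a "(PLAIN) login success", i.e. a client that offered CRAM-MD5, was refused, and retried with PLAIN), as an added detection example that is not part of the original thread or of vpopmail. The sample log is constructed in the shape the thread shows; the 10-second window and the year are assumptions, and real vchkpw lines carry more fields than this shape.

```python
"""Added example (not vpopmail code): tell the thread's 'fail, then PLAIN
success seconds later' fallback pattern apart from bare repeated failures
in vchkpw syslog output. Log lines are constructed in the shape the thread
shows; the 10-second window and the year 2004 are assumptions."""
import re
from datetime import datetime

# Constructed sample log: the two lines from the thread (one client falling
# back from CRAM-MD5 to PLAIN), then three failures with no success after them.
SAMPLE_LOG = """\
Dec  6 21:50:08 [vpopmail] vchkpw-smtp: password fail
Dec  6 21:50:13 [vpopmail] vchkpw-smtp: (PLAIN) login success
Dec  6 22:10:01 [vpopmail] vchkpw-smtp: password fail
Dec  6 22:10:02 [vpopmail] vchkpw-smtp: password fail
Dec  6 22:10:03 [vpopmail] vchkpw-smtp: password fail
Dec  6 23:00:00 [vpopmail] vchkpw-smtp: (PLAIN) login success
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"\[vpopmail\] (?P<svc>vchkpw-\w+): (?P<msg>.*)$"
)


def parse_line(line, year=2004):
    """Return (timestamp, service, message), or None for lines of another shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())  # collapse syslog's day-padding double space
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, m["svc"], m["msg"]


def find_fallbacks(lines, window_seconds=10):
    """(fail time, success time, mechanism) for every failure that is followed
    by a login success within the window. Given the thread's diagnosis, such a
    pair is one client retrying with another mechanism, not a wrong password."""
    events = [e for e in map(parse_line, lines) if e]
    found = []
    for (t_fail, _, m_fail), (t_ok, _, m_ok) in zip(events, events[1:]):
        gap = (t_ok - t_fail).total_seconds()
        if (m_fail == "password fail" and m_ok.endswith("login success")
                and 0 <= gap <= window_seconds):
            mechanism = m_ok.split(" ")[0].strip("()")
            found.append((t_fail, t_ok, mechanism))
    return found


def count_bare_failures(lines, window_seconds=10):
    """Failures with no success inside the window: the ones worth alerting on."""
    paired = {t_fail for t_fail, _, _ in find_fallbacks(lines, window_seconds)}
    events = [e for e in map(parse_line, lines) if e]
    return sum(1 for t, _, m in events if m == "password fail" and t not in paired)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for t_fail, t_ok, mech in find_fallbacks(lines):
        delay = int((t_ok - t_fail).total_seconds())
        print(f"{t_fail:%b %d %H:%M:%S}: fail, then {mech} success {delay}s later")
    print("bare failures:", count_bare_failures(lines))
```

On the sample log this reports one fallback pair (the thread's own two lines, five seconds apart) and three bare failures. In production the pairing should additionally key on the client address or account, which the line shape shown in the thread does not carry.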


Re: [vchkpw] vchkpw fails and then succeeds!

2004-12-08 Thread Pedro Pais
On Wed, 8 Dec 2004 10:39:35 -0800, Tom Collins [EMAIL PROTECTED] wrote:
 On Dec 8, 2004, at 8:04 AM, Pedro Pais wrote:
 
 
  When a user tries to authenticate itself, the first time vchkpw fails
  with:
 
  Dec  6 21:50:08 [vpopmail] vchkpw-smtp: password fail
 
   but then it succeeds immediately after:
 
  Dec  6 21:50:13 [vpopmail] vchkpw-smtp: (PLAIN) login success
 
  This is very annoying, besides the fact that this only happens with
  Thunderbird, with other e-mail clients they give an error message and
  the connection is terminated. Is there any way to solve this thing?
 
 It looks like the client is trying CRAM-MD5, failing, and then using
 PLAIN authentication.
 
 You probably have an older patch, or a version problem between the
 smtp-auth patch and vpopmail.  The older patch sent the information in
 the incorrect order, and vpopmail was written to accept it in that
 order.  We fixed vpopmail for the 5.4.0 release, but it required
 updating to the correct SMTP AUTH patch.
 
 If you're using vpopmail 5.4.0 and later, make sure you're using an
 up-to-date patch that passes the MD5 challenge and response in the
 correct order.  The patch in vpopmail's contrib directory works
 properly.
 
 --
 Tom Collins  -  [EMAIL PROTECTED]
 QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
 Info on the Sniffter hand-held Network Tester: http://sniffter.com/
 
 
Thanks a lot for your tips, but it still doesn't work. :( I'm using
gentoo, that already has qmail way patches. I tried to compile it with
the patch in the contrib dir, and it worked out. But the result is
just the same.
But I guess you're totally right. I've tried more extensively and with
Outlook Express it doesn't give any error (I suppose OE doesn't use
CRAM-MD5).
I'm using vpopmail 5.4.6, and qmail is already patched with smtp auth,
but still nothing. Anything else you can remember?

-- 
Pedro Pais
Skype name: pedro.pais
MSN: [EMAIL PROTECTED]
Get Firefox! 
http://www.spreadfirefox.com/community/?q=affiliates&id=3759&t=1