It's JUST login/plain and not CRAM-MD5. As proof, I used a test client script:
# Simple SMTP client with STARTTLS and AUTH support.
# Michal Ludvig <[EMAIL PROTECTED]>, 2003
# See for details.

# ./ --host=<IP> --hello-host=breaded --disable-starttls --auth-plain --user=webmaster --pass=webmaster --from="[EMAIL PROTECTED]" --to="[EMAIL PROTECTED]" --data="txt"

-- works with password of 'webmaster' when the password if vpopmail is either webmaste, webmaster. As soon as I change it to webmast, it stops working. CRAM-MD5 will only work if the password is 100% acurate.

So --auth-cram-md5 won't work unless the password is right. --auth-login and --auth-plain will work if the password is webmaste, webmaster, webmaster0, webmaster00.

Very strange.  Anything I can do to help.

From: Tom Collins <[EMAIL PROTECTED]>
To: vpopmail list <[EMAIL PROTECTED]>
Subject: Re: [vchkpw] SMTP-Auth bug in passwords?
Date: Tue, 9 Sep 2003 22:23:27 -0700

On Tuesday, September 9, 2003, at 10:06 PM, Anthony Baratta wrote:
Doesn't the AUTH LOGIN state that he's going to use Base64 encoding?? If he put in AUTH CRAM-MD5 then it would be expecting MD5 encoding.

So this appears to be a problem with LOGIN, either in the patch or with vPopmail.

When vpopmail stores passwords (at least in cdb), it either uses crypt() with a two-character salt and DES encoding (where only the first 8 characters of the password matter), or it uses an 8-character salt and MD5 encoding.

It would be interesting to see whether the problem exists when using CRAM-MD5 as well. It could also be isolated by trying to authenticate with qmailadmin or courier-imap and using just the first 8 characters of the password.

Tom Collins
QmailAdmin:  Vpopmail:
Info on the Sniffter hand-held Network Tester:

Protect your PC - get VirusScan Online

Reply via email to