On Sep 22, 2005, at 1:27 PM, Erwin Hoffmann wrote:
If you use CRAM-MD5 for the AUTH method, it's impossible to sniff the cleartext password.

I don't bet on this. If you tape the SMTP dialoge, its easy to encrypt the password.

I think you're wrong. AUTH PLAIN and AUTH LOGIN are just base64 encoded cleartext and you can determine the password from them. CRAM-MD5 involves a one-way hash. It is impossible to reverse the hash and determine the cleartext password. Each time you connect, a different challenge results in a different response. The only way the server and client can generate the correct response is to have the same cleartext password available.

Given the challenge and response, it is not possible to generate the cleartext password.

Tom Collins  -  [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
You don't need a laptop to troubleshoot high-speed Internet: sniffter.com

Reply via email to