On Sep 22, 2005, at 2:10 PM, Erwin Hoffmann wrote:
C'm on. The generation of the "challenge" and the way its used in qmail is well documented on my web site http://www.fehcom.de/qmail/smtpauth.html.

Everyone can read that and download the code to do it.

The only free parameters are the timestamp and the pid of the current process.

And the code to generate the response is freely available in an RFC. I know -- I implemented SMTP AUTH client code to work with PLAIN, LOGIN and CRAM-MD5.

Even so, it's a one-way function. Given the challenge and the response, you cannot derive the cleartext password.

This is the reason vpopmail requires cleartext passwords if you want to use CRAM-MD5. There's no way for it to derive the cleartext password from CRAM-MD5 in order to run it through crypt() with the proper salt and compare it to the stored, encrypted version.

--
Tom Collins  -  [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
You don't need a laptop to troubleshoot high-speed Internet: sniffter.com

Reply via email to