On Sep 22, 2005, at 2:10 PM, Erwin Hoffmann wrote:
> C'mon. The generation of the "challenge" and the way it's used in
> qmail is well documented on my web site
> http://www.fehcom.de/qmail/smtpauth.html.
> Everyone can read that and download the code to do it.
> The only free parameters are the timestamp and the pid of the current
> process.

And the code to generate the response is freely available in an RFC. I
know -- I implemented SMTP AUTH client code to work with PLAIN, LOGIN
and CRAM-MD5.
Even so, it's a one-way function. Given the challenge and the
response, you cannot derive the cleartext password.
This is the reason vpopmail requires cleartext passwords if you want to
use CRAM-MD5. There's no way for it to derive the cleartext password
from CRAM-MD5 in order to run it through crypt() with the proper salt
and compare it to the stored, encrypted version.
--
Tom Collins - [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/
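
The CRAM-MD5 exchange discussed in this message, as an added example that is not part of the original thread and is not qmail or vpopmail code. It follows RFC 2195 (HMAC-MD5 keyed with the password); the `<pid.timestamp@host>` challenge layout, the function names, and the salted SHA-256 stand-in for `crypt()` are assumptions made for illustration.

```python
import base64, hashlib, hmac, os, time

def make_challenge(hostname, pid=None, now=None):
    """Server: build a challenge from pid and timestamp (layout assumed)."""
    pid = os.getpid() if pid is None else pid
    now = int(time.time()) if now is None else now
    return f"<{pid}.{now}@{hostname}>".encode()

def client_response(user, password, challenge):
    """Client: base64('user ' + hex(HMAC-MD5(key=password, msg=challenge)))."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())

def server_verify(response_b64, challenge, lookup_secret):
    """Server: recompute the HMAC from whatever secret it has stored."""
    decoded = base64.b64decode(response_b64).decode()
    user, _, digest = decoded.rpartition(" ")
    secret = lookup_secret(user)
    if secret is None:
        return False
    expected = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)

def hashed_record(password, salt=b"constructed-salt"):
    """Stand-in for crypt(): a salted one-way hash, all a hashed store keeps."""
    return hashlib.sha256(salt + password.encode()).hexdigest().encode()

def demo():
    # Values below are the sample exchange printed in RFC 2195.
    chal = make_challenge("postoffice.reston.mci.net", pid=1896, now=697170952)
    resp = client_response("tim", "tanstaaftanstaaf", chal)
    cleartext_store = {"tim": b"tanstaaftanstaaf"}
    hashed_store = {"tim": hashed_record("tanstaaftanstaaf")}
    # With the cleartext password the server can recompute the same HMAC.
    ok_clear = server_verify(resp, chal, cleartext_store.get)
    # With only a one-way hash it has nothing usable as the HMAC key, and the
    # response cannot be turned back into a password to feed through crypt().
    ok_hashed = server_verify(resp, chal, hashed_store.get)
    return resp, ok_clear, ok_hashed

if __name__ == "__main__":
    print(demo())
```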