
[fetchmail]possible bug: "auth cram-md5" over POP3 causes CRAM-MD5 to _not_ be used

2002-02-04 18:11:05
[Please cc: replies to me, as I am not subscribed to the list.]

When I force CRAM-MD5 for a POP3 connection, fetchmail is sending the
username and password unencrypted.  When I don't force it, though,
CRAM-MD5 is used.

Operating System: Debian GNU/Linux Unstable i386
Using official 'fetchmail' deb, version 5.9.6-2

fetchmail -V:
This is fetchmail release 5.9.6+NTLM+SDPS+NLS
Linux bok.har 2.4.16 #1 Sun Dec 2 19:30:37 PST 2001 i686 unknown
Taking options from command line and /home/daniel/.fetchmailrc
Idfile is /home/daniel/.fetchids
Fetchmail will forward misaddressed multidrop messages to daniel.
Options for retrieving from erat@dungeonfyre.com:
  True name of server is dungeonfyre.com.
  Protocol is POP3.
  CRAM-Md5 authentication will be forced.
  Server nonresponse timeout is 300 seconds (default).
  Default mailbox selected.
  Only new messages will be retrieved (--all off).
  Fetched messages will not be kept on the server (--keep off).
  Old messages will not be flushed before message retrieval (--flush off).
  Rewrite of server-local addresses is enabled (--norewrite off).
  Carriage-return stripping is disabled (stripcr off).
  Carriage-return forcing is disabled (forcecr off).
  Interpretation of Content-Transfer-Encoding is enabled (pass8bits off).
  MIME decoding is disabled (mimedecode off).
  Idle after poll is disabled (idle off).
  Nonempty Status lines will be kept (dropstatus off)
  Delivered-To lines will be kept (dropdelivered off)
  Messages will be SMTP-forwarded to: localhost (default)
  Recognized listener spam block responses are: 571 550 501 554
  Single-drop mode: 1 local name(s) recognized.
  No UIDs saved from this host.

When I run "fetchmail -v", I get the following output:

fetchmail: 5.9.6 querying dungeonfyre.com (protocol POP3) at Mon Feb 4 16:54:47 2002: poll started
fetchmail: POP3< +OK X1 NT-POP3 Server <476.1012870252785@dungeonfyre.com> (IMail 6.06 6252-1)
fetchmail: POP3> USER erat
fetchmail: POP3< +OK welcome
fetchmail: POP3> PASS *
...

Using a port sniffer confirms that the password is being sent
unencrypted.  Removing "auth cram-md5" from the entry in .fetchmailrc
results in the following output from "fetchmail -v":

fetchmail: 5.9.6 querying dungeonfyre.com (protocol POP3) at Mon Feb 4 16:56:17 2002: poll started
fetchmail: POP3< +OK X1 NT-POP3 Server <1508.1012870342784@dungeonfyre.com> (IMail 6.06 6256-1)
fetchmail: POP3> CAPA
fetchmail: POP3< +OK Capability list follows
fetchmail: POP3< TOP
fetchmail: POP3< USER
fetchmail: POP3< SASL LOGIN PLAIN CRAM-MD5
fetchmail: POP3< RESP-CODES
fetchmail: POP3< LOGIN-DELAY 120
fetchmail: POP3< PIPELINING
fetchmail: POP3< EXPIRE 30 USER
fetchmail: POP3< UIDL
fetchmail: POP3< IMPLEMENTATION Ipswitch_IMail_5.0
fetchmail: POP3< .
fetchmail: POP3> AUTH CRAM-MD5
fetchmail: POP3< + PDE5NjIxLjIzNDgwMDAxNEB3ZWJieT4=
fetchmail: POP3> [encrypted response]
fetchmail: POP3< +OK maildrop locked and ready
...

It seems odd that CRAM-MD5 is only used when I _don't_ force it.  When
I use IMAP instead of POP3, the "auth cram-md5" option functions as
expected -- CRAM-MD5 is used both when forced, and by default.

Thanks,

Daniel
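The two transcripts above show the same account authenticating two different ways. As an added example (not code from the post or from fetchmail), the following Python decodes the server's CRAM-MD5 challenge, builds the RFC 2195 client reply that "[encrypted response]" stands for, and audits a verbose transcript to report which mechanism was really used; the password it uses is a hypothetical placeholder.

```python
import base64
import hashlib
import hmac

# Server challenge copied from the "AUTH CRAM-MD5" exchange in the post above.
CHALLENGE_B64 = "PDE5NjIxLjIzNDgwMDAxNEB3ZWJieT4="

# Two short fetchmail -v transcripts, constructed from the post: the first with
# "auth cram-md5" forced, the second with it removed from .fetchmailrc.
FORCED_TRANSCRIPT = [
    "fetchmail: POP3> USER erat",
    "fetchmail: POP3< +OK welcome",
    "fetchmail: POP3> PASS *",
]
UNFORCED_TRANSCRIPT = [
    "fetchmail: POP3> CAPA",
    "fetchmail: POP3< SASL LOGIN PLAIN CRAM-MD5",
    "fetchmail: POP3> AUTH CRAM-MD5",
    "fetchmail: POP3< + " + CHALLENGE_B64,
    "fetchmail: POP3> [encrypted response]",
]

def decode_challenge(challenge_b64):
    """The challenge is a base64-encoded, msg-id-style nonce from the server."""
    return base64.b64decode(challenge_b64).decode("ascii")

def cram_md5_response(username, password, challenge_b64):
    """RFC 2195 client reply: base64(user SP hex(HMAC-MD5(password, challenge)))."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode("ascii")).decode("ascii")

def audit_pop3_auth(transcript):
    """Report the mechanism the client really used, whatever .fetchmailrc asked for.
    A PASS command means the password crossed the wire in the clear."""
    mechanism, cleartext = None, False
    for line in transcript:
        if line.startswith("fetchmail: POP3> PASS"):
            mechanism, cleartext = "USER/PASS", True
        elif line.startswith("fetchmail: POP3> AUTH "):
            mechanism = line.split("AUTH ", 1)[1].strip()
    return {"mechanism": mechanism, "cleartext_password": cleartext}

if __name__ == "__main__":
    print(decode_challenge(CHALLENGE_B64))
    # "hypothetical-password" is a placeholder, not the reporter's credential.
    print(cram_md5_response("erat", "hypothetical-password", CHALLENGE_B64))
    print(audit_pop3_auth(FORCED_TRANSCRIPT))
    print(audit_pop3_auth(UNFORCED_TRANSCRIPT))
```

Running the audit over a real `fetchmail -v` capture is the quickest way to confirm whether a configured `auth` setting is actually honoured before trusting it.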

