ietf-smtp

Re: CRAM-MD5 Authentication failure

2006-09-08 02:42:30
At 21:37 07/09/2006, [H]e8u[S] wrote:
Hello,


First of all, I'm using a MDaemon 9.0.4 server and I have to make a small SMTP client (linked to this server) for a website in PHP.

When I send the "EHLO" command, the server says:

250-he8us.XXXX.XXX Hello exponline, pleased to meet you
250-ETRN
250-AUTH=LOGIN
250-AUTH LOGIN CRAM-MD5
250-8BITMIME
250 SIZE 0

So, I choose to authenticate with CRAM-MD5 method. I send the command and the server says:

334 UGFzc3dvcmQ6 (the string is always the same)

I think the string is the thing you call "challenge" and I "base64 decode" it:

Password:

If the CRAM-MD5 challenge is always the same that is really bad! The whole point is that it should be different every time to prevent replay attacks. Are you sure you're sending the 'AUTH CRAM-MD5' command correctly? 'Password:' is the correct response to the second half of an 'AUTH LOGIN' authentication.

If you are sending the 'AUTH CRAM-MD5' command correctly, and the challenge is always the same it looks like MDaemon's authors need to read the standards a bit better again...

The first thing I do is to send my base64_encoded password but I had the "535 Authentication failed" response. So I base64_decode the string, I hash_hmac("md5", $challenge, $pass) (the manual of the function: http://be.php.net/manual/en/function.hash-hmac.php)
That gave me:

0e3f380dc0f4788203a3594089ae8d46

I made the CRAM-MD5 string:

Note that the CRAM-MD5 string isn't just the MD5 of the challenge & password put together. See RFC 2095

It's
MD5 ((password XOR opad), MD5 ((password XOR ipad), challenge))


exponline(_at_)he8us(_dot_)XXXX(_dot_)XXX 0e3f380dc0f4788203a3594089ae8d46

I base64_encode it

ZXhwb25saW5lQGhlOHVzLm5vLWlwLm9yZyAwZTNmMzgwZGMwZjQ3ODgyMDNhMzU5NDA4OWFlOGQ0Ng==

And I sent it to the server and I had the same error "535 Authentication failed"

I tried without base64_decode the challenge => error
Without base64_decode the challenge and base64_encode the CRAM-MD5 => error
Without the base64_encode the CRAM-MD5 => error...

Does somebody have an idea on why it doesn't work?
Which other authentication method can I use?

Have you tried using the CRAM-MD5 checker at http://www.net-track.ch/opensource/cmd5/ to make sure that you are doing your CRAM-MD5 encoding properly?

This utility will show the intermediate values as well for you.
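The two points raised in this thread, that a constant "Password:" challenge is an AUTH LOGIN prompt rather than a CRAM-MD5 challenge and that the reply is base64(user SP hex(HMAC-MD5(key=password, msg=challenge))), as an added example in Python (not PHP, and not code from anyone in the thread). The function names and the "login-prompt"/"cram-md5" labels are my own; the known-answer vector is the one printed in RFC 2195.

```python
import base64
import hashlib
import hmac
import re

# RFC 2195: a CRAM-MD5 challenge is a one-time string in msg-id form,
# e.g. "<1896.697170952@postoffice.reston.mci.net>".
MSG_ID_RE = re.compile(r"^<[^<>@\s]+@[^<>@\s]+>$")
# Fixed prompts an AUTH LOGIN exchange sends after "334 " instead of a challenge.
LOGIN_PROMPTS = {"Username:", "Password:"}


def decode_challenge(b64_challenge: str) -> str:
    """Decode the base64 payload that follows the server's '334 '."""
    return base64.b64decode(b64_challenge, validate=True).decode("utf-8")


def classify_challenge(b64_challenge: str) -> str:
    """Tell a real CRAM-MD5 challenge apart from an AUTH LOGIN prompt.

    "login-prompt": decoded text is a fixed AUTH LOGIN prompt (the constant
    '334 UGFzc3dvcmQ6' seen in the thread is exactly this case).
    "cram-md5":     decoded text is a msg-id style one-time challenge.
    "unknown":      anything else.
    """
    text = decode_challenge(b64_challenge)
    if text in LOGIN_PROMPTS:
        return "login-prompt"
    if MSG_ID_RE.match(text):
        return "cram-md5"
    return "unknown"


def cram_md5_response(username: str, password: str, b64_challenge: str) -> str:
    """Client reply: base64(username + " " + hex(HMAC-MD5(key=password, msg=challenge))).

    The HMAC is keyed with the password and taken over the *decoded* challenge
    bytes; the digest goes in as lowercase hex and the whole line is base64'd.
    """
    challenge = decode_challenge(b64_challenge).encode("utf-8")
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    # Known-answer vector from RFC 2195 (user "tim", password "tanstaaftanstaaf").
    rfc_challenge = base64.b64encode(b"<1896.697170952@postoffice.reston.mci.net>").decode()
    print(classify_challenge(rfc_challenge))
    print(cram_md5_response("tim", "tanstaaftanstaaf", rfc_challenge))
    print(classify_challenge("UGFzc3dvcmQ6"))  # the thread's constant challenge
```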
