At 21:37 07/09/2006, [H]e8u[S] wrote:
> First of all, I'm using an MDaemon 9.0.4 server and I have to make a
> small SMTP client (linked to this server) for a website in PHP.
> When I send the "EHLO" command, the server says:
> 250-he8us.XXXX.XXX Hello exponline, pleased to meet you
> 250-AUTH LOGIN CRAM-MD5
> 250 SIZE 0
> So, I choose to authenticate with the CRAM-MD5 method. I send the
> command and the server says:
> 334 UGFzc3dvcmQ6 (the string is always the same)
> I think the string is the thing you call "challenge" and I "base64 decode" it:

If the CRAM-MD5 challenge is always the same that is really bad! The
whole point is that it should be different every time to prevent
replay attacks. Are you sure you're sending the 'AUTH CRAM-MD5'
command correctly? 'Password:' is the correct response to the second
half of an 'AUTH LOGIN' authentication.

If you are sending the 'AUTH CRAM-MD5' command correctly, and the
challenge is always the same, it looks like MDaemon's authors need to
read the standards a bit better again...

> The first thing I do is to send my base64_encoded password but I had
> the "535 Authentication failed" response.
> So I base64_decode the string, I hash_hmac("md5", $challenge, $pass)
> (the manual of the function:
> That gave me:
> I made the CRAM-MD5 string:

Note that the CRAM-MD5 string isn't just the MD5 of the challenge &
password put together. See RFC 2095:

MD5 ((password XOR opad), MD5 ((password XOR ipad), challenge))

> I base64_encode it
> And I sent it to the server and I had the same error "535
> I tried without base64_decode the challenge => error
> Without base64_decode the challenge and base64_encode the CRAM-MD5 => error
> Without the base64_encode the CRAM-MD5 => error...
> Does somebody have an idea on why it doesn't work?
> Which other authentication method can I use?

Have you tried using the CRAM-MD5 checker at
http://www.net-track.ch/opensource/cmd5/ to make sure that you are
doing your CRAM-MD5 encoding properly?
This utility will show the intermediate values as well for you.
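The two points raised in this exchange, that a 334 line decoding to "Password:" is an AUTH LOGIN prompt rather than a CRAM-MD5 challenge, and that the client response is the keyed MD5 of the challenge and not a plain MD5 of password plus challenge, are easier to see with the intermediate values in front of you. The following is an added example written for this page in Python (not the poster's PHP client and not MDaemon code) so the numbers can be checked against the test vector from RFC 2195, the current revision of RFC 2095: user "tim", secret "tanstaaftanstaaf", challenge "<1896.697170952@postoffice.reston.mci.net>", digest b913a602c7eda7a495b4e6e7334d3890. The spelled-out `keyed_md5_manual` follows the formula quoted above; `keyed_md5_library` uses the standard `hmac` module, and the two must agree. The small `CramMd5Server` class and its hostname "mail.example.invalid" are assumptions added to show the server side of the replay argument: a fresh, single-use challenge per session.

```python
import base64
import hashlib
import hmac
import os
import re
import time

# CRAM-MD5 (RFC 2195, which obsoletes RFC 2095): the client proves it knows
# the shared secret by returning HMAC-MD5(secret, challenge); the secret
# itself never crosses the wire.

BLOCK_SIZE = 64  # MD5 block size in bytes, the width of the ipad/opad key


def keyed_md5_manual(secret: bytes, challenge: bytes) -> str:
    """MD5((secret XOR opad) || MD5((secret XOR ipad) || challenge)),
    written out step by step so each intermediate value can be inspected."""
    if len(secret) > BLOCK_SIZE:
        secret = hashlib.md5(secret).digest()  # long secrets are hashed first
    secret = secret.ljust(BLOCK_SIZE, b"\x00")
    ipad = bytes(b ^ 0x36 for b in secret)
    opad = bytes(b ^ 0x5C for b in secret)
    inner = hashlib.md5(ipad + challenge).digest()
    return hashlib.md5(opad + inner).hexdigest()


def keyed_md5_library(secret: bytes, challenge: bytes) -> str:
    """Same computation via the standard library; used as the reference."""
    return hmac.new(secret, challenge, hashlib.md5).hexdigest()


def cram_md5_response(username: str, secret: str, server_334_payload: str) -> str:
    """Build the base64 line the client sends after the server's 334 reply.
    The payload after '334 ' is base64; decode it, key the MD5, re-encode."""
    challenge = base64.b64decode(server_334_payload)
    digest = keyed_md5_library(secret.encode(), challenge)
    return base64.b64encode(f"{username} {digest}".encode()).decode()


# RFC 2195 challenges look like <unique-data@hostname>.
CHALLENGE_RE = re.compile(rb"^<[^@<>]+@[^@<>]+>$")


def classify_334(payload: str) -> str:
    """Tell a real CRAM-MD5 challenge from the AUTH LOGIN 'Password:' prompt."""
    decoded = base64.b64decode(payload)
    if decoded in (b"Username:", b"Password:"):
        return "auth-login-prompt"
    if CHALLENGE_RE.match(decoded):
        return "cram-md5-challenge"
    return "unknown"


class CramMd5Server:
    """Illustrative server side (an assumption, not any real MTA's code):
    every session gets a fresh challenge, and a challenge is accepted once."""

    def __init__(self, secrets: dict, hostname: str = "mail.example.invalid"):
        self.secrets = secrets          # username -> shared secret
        self.hostname = hostname
        self.outstanding = set()        # challenges issued but not yet used

    def issue_challenge(self) -> str:
        # Random material per session: a fixed challenge would let a captured
        # response be replayed, which is exactly the concern raised above.
        nonce = int.from_bytes(os.urandom(8), "big")
        challenge = f"<{nonce}.{int(time.time())}@{self.hostname}>".encode()
        self.outstanding.add(challenge)
        return base64.b64encode(challenge).decode()

    def verify(self, challenge_b64: str, response_b64: str) -> bool:
        challenge = base64.b64decode(challenge_b64)
        if challenge not in self.outstanding:
            return False                 # unknown or already-consumed challenge
        self.outstanding.discard(challenge)  # single use
        try:
            user, digest = base64.b64decode(response_b64).decode().split(" ", 1)
        except ValueError:
            return False
        secret = self.secrets.get(user)
        if secret is None:
            return False
        expected = keyed_md5_library(secret.encode(), challenge)
        return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    # The string from the thread decodes to an AUTH LOGIN prompt, not a challenge.
    print("334 UGFzc3dvcmQ6 is:", classify_334("UGFzc3dvcmQ6"))
    rfc_challenge = base64.b64encode(
        b"<1896.697170952@postoffice.reston.mci.net>").decode()
    print("RFC 2195 response:", cram_md5_response("tim", "tanstaaftanstaaf", rfc_challenge))
```

Running the file shows that "UGFzc3dvcmQ6" is classified as an AUTH LOGIN prompt, which is why a CRAM-MD5 response to it fails with 535: the server was never in a CRAM-MD5 exchange. The `CramMd5Server.verify` method returns False the second time the same challenge and response are presented, which is the property a server loses when it hands out the same challenge every time.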