[Top] [All Lists]

Re: CRAM-MD5 Authentication failure

2006-09-08 02:42:30
At 21:37 07/09/2006, [H]e8u[S] wrote:

First of all, I'm using a MDaemon 9.0.4 server and I have to make a small SMTP client (linked to this server) for a website in PHP.

When I send the "EHLO" command, the server says:

250-he8us.XXXX.XXX Hello exponline, pleased to meet you
250 SIZE 0

So, I choose to authenticate with CRAM-MD5 method. I send the command and the server says:

334 UGFzc3dvcmQ6 (the string is always the same)

I think the string is the thing you call "challenge" and I "base64 decode" it:


If the CRAM-MD5 challenge is always the same that is really bad! The whole point is that it should be different every time to prevent replay attacks. Are you sure you're sending the 'AUTH CRAM-MD5' command correctly? 'Password:' is the correct response to the second half of an 'AUTH LOGIN' authentication.

If you are sending the 'AUTH CRAM-MD5' command correctly, and the challenge is always the same it looks like MDaemon's authors need to read the standards a bit better again...

The first thing I do is to send my base64_encoded password but I had the "535 Authentication failed" response. So I base64_decode the string, I hash_hmac("md5", $challenge, $pass) (the manual of the function: <>
That gave me:


I made the CRAM-MD5 string:

Note that the CRAM-MD5 string isn't just the MD5 of the challenge & password put together. See RFC 2095

MD5 ((password XOR opad), MD5 ((password XOR ipad), challenge))

<mailto:exponline(_at_)he8us(_dot_)XXXX(_dot_)XXX>exponline(_at_)he8us(_dot_)XXXX(_dot_)XXX 0e3f380dc0f4788203a3594089ae8d46

I base64_encode it


And I sended it to the server and I had the same error "535 Authentication failed"

I tried without base64_decode the challenge => error
Without base64_decode the challenge and base64_encode the CRAM-MD5 => error
Without the base64_encode the CRAM-MD5 => error...

Does somebody have an idea on why it doesn't work?
Wich other authentication method can I use?

Have you tried using the CRAM-MD5 checker at to make sure that you are doing your CRAM-MD5 encoding properly.

This utility will show the intermediate values as well for you.

<Prev in Thread] Current Thread [Next in Thread>