The command in the MDaemon documentation is "AUTH LOGIN CRAM-MD5" (I always
get an error with it), but I tried "AUTH CRAM-MD5" and the server response
is "235 Authentication successful".
Thanks a lot for your response.
From: Paul Smith [mailto:paul(_at_)pscs(_dot_)co(_dot_)uk]
Sent: Friday 8 September 2006 11:13
To: [H]e8u[S]; ietf-smtp(_at_)imc(_dot_)org
Subject: Re: CRAM-MD5 Authentication failure
At 21:37 07/09/2006, [H]e8u[S] wrote:
First of all, I'm using an MDaemon 9.0.4 server and I have to write a small
SMTP client (talking to this server) for a website in PHP.
When I send the "EHLO" command, the server says:
250-he8us.XXXX.XXX Hello exponline, pleased to meet you
250-AUTH LOGIN CRAM-MD5
250 SIZE 0
So I chose to authenticate with the CRAM-MD5 method. I send the command and
the server says:
334 UGFzc3dvcmQ6 (the string is always the same)
I think the string is the thing you call "challenge" and I "base64 decode"
If the CRAM-MD5 challenge is always the same, that is really bad! The whole
point is that it should be different every time to prevent replay attacks.
Are you sure you're sending the 'AUTH CRAM-MD5' command correctly?
'Password:' is the correct response to the second half of an 'AUTH LOGIN'
If you are sending the 'AUTH CRAM-MD5' command correctly, and the challenge
is always the same it looks like MDaemon's authors need to read the
standards a bit better again...
The first thing I did was to send my base64-encoded password, but I got the
"535 Authentication failed" response.
So I base64_decode the string and hash_hmac("md5", $challenge, $pass) (the
manual for the function: http://be.php.net/manual/en/function.hash-hmac.php)
That gave me:
I made the CRAM-MD5 string:
Note that the CRAM-MD5 string isn't just the MD5 of the challenge and password
put together. See RFC 2095:
MD5 ((password XOR opad), MD5 ((password XOR ipad), challenge))
I base64_encode it.
And I sent it to the server and got the same error "535 Authentication
I tried without base64_decoding the challenge => error.
Without base64_decoding the challenge and base64_encoding the CRAM-MD5 => error.
Without base64_encoding the CRAM-MD5 => error...
Does somebody have an idea on why it doesn't work?
Which other authentication method can I use?
Have you tried using the CRAM-MD5 checker at
http://www.net-track.ch/opensource/cmd5/ to make sure that you are doing
your CRAM-MD5 encoding properly?
This utility will show the intermediate values as well for you.
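The full CRAM-MD5 client computation discussed in this thread, as an added worked example that is not part of the original messages and is not MDaemon's or Paul's code. It decodes the "334" challenge, checks whether the server is really in AUTH LOGIN (the "UGFzc3dvcmQ6" string above is base64 for "Password:", which is the AUTH LOGIN prompt, not a CRAM-MD5 challenge), computes the RFC 2195 response (HMAC-MD5, not md5(challenge+password)), and plays the exchange against a constructed mock server that issues a fresh challenge per attempt. The username "exponline", the password "s3cret", the hostname and the mock server are constructed for the demo; the test vector (user "tim", password "tanstaaftanstaaf") is the one published in RFC 2195, which obsoletes the RFC 2095 cited above.

```python
"""CRAM-MD5 (RFC 2195) client side, with the checks a client should make."""
import base64
import hashlib
import hmac
import os
import time


def decode_challenge(line):
    """Turn a '334 <base64>' server line into the raw challenge bytes."""
    code, _, payload = line.strip().partition(" ")
    if code != "334":
        raise ValueError("expected '334 <base64>' continuation, got: %r" % line)
    return base64.b64decode(payload)


def is_login_prompt(challenge):
    """True when the 'challenge' is really an AUTH LOGIN prompt ('Username:'/'Password:')."""
    return challenge.rstrip(b" ") in (b"Username:", b"Password:")


def cram_md5_digest(password, challenge):
    """RFC 2195: hex(HMAC-MD5(key=password, msg=challenge))."""
    return hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()


def naive_md5_digest(password, challenge):
    """The wrong construction (plain MD5 of challenge+password); shown only for contrast."""
    return hashlib.md5(challenge + password.encode("utf-8")).hexdigest()


def cram_md5_response(username, password, challenge):
    """Client response line: base64('<user> <hexdigest>')."""
    text = "%s %s" % (username, cram_md5_digest(password, challenge))
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def fresh_challenge(hostname):
    """Server side: a unique, unpredictable challenge for every AUTH attempt (random bytes here, an assumption)."""
    return ("<%s.%d@%s>" % (os.urandom(8).hex(), int(time.time()), hostname)).encode("ascii")


class MockCramServer:
    """Constructed stand-in for an SMTP server's AUTH CRAM-MD5 handling (not MDaemon)."""

    def __init__(self, hostname, users):
        self.hostname = hostname
        self.users = users          # username -> plaintext password (CRAM-MD5 needs it)
        self.challenge = None

    def auth(self, command):
        if command.strip().upper() != "AUTH CRAM-MD5":
            return "504 Unrecognized authentication type"
        self.challenge = fresh_challenge(self.hostname)
        return "334 " + base64.b64encode(self.challenge).decode("ascii")

    def verify(self, response_line):
        try:
            user, _, digest = base64.b64decode(response_line).decode("ascii").partition(" ")
        except Exception:
            return "501 Syntax error in parameters"
        password = self.users.get(user)
        expected = cram_md5_digest(password, self.challenge) if password is not None else ""
        # Constant-time compare so a timing side channel does not leak digest bytes.
        if password is None or not hmac.compare_digest(digest, expected):
            return "535 Authentication failed"
        return "235 Authentication successful"


def authenticate(server, username, password):
    """Play the client side of the exchange and return the server's final reply."""
    reply = server.auth("AUTH CRAM-MD5")
    challenge = decode_challenge(reply)
    if is_login_prompt(challenge):
        raise RuntimeError("server sent an AUTH LOGIN prompt, not a CRAM-MD5 challenge")
    return server.verify(cram_md5_response(username, password, challenge))


# Published RFC 2195 test vector (challenge, user, password, expected digest).
RFC2195_CHALLENGE = b"<1896.697170952@postoffice.reston.mci.net>"
RFC2195_DIGEST = "b913a602c7eda7a495b4e6e7334d3890"

if __name__ == "__main__":
    print("RFC 2195 vector ok:", cram_md5_digest("tanstaaftanstaaf", RFC2195_CHALLENGE) == RFC2195_DIGEST)
    print("UGFzc3dvcmQ6 decodes to:", decode_challenge("334 UGFzc3dvcmQ6"))
    srv = MockCramServer("he8us.example", {"exponline": "s3cret"})   # constructed credentials
    print(authenticate(srv, "exponline", "s3cret"))
    print(authenticate(srv, "exponline", "wrong"))
```

The order of arguments matters: the password is the HMAC key and the decoded challenge is the message, which is what hash_hmac("md5", $challenge, $pass) does in PHP. If the decoded challenge is "Password:", stop and send AUTH CRAM-MD5 (not "AUTH LOGIN CRAM-MD5"), as the top of this thread reports works.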