ietf-smtp

RE: CRAM-MD5 Authentication failure

2006-09-08 04:29:05
The command in the MDaemon documentation is "AUTH LOGIN CRAM-MD5" (I always
get an error with it), but I tried "AUTH CRAM-MD5" and the server response
is "235 Authentication successful".
 
Thanks a lot for your response
 
Cédric
 
 
 


From: Paul Smith [mailto:paul(_at_)pscs(_dot_)co(_dot_)uk]
Sent: Friday 8 September 2006 11:13
To: [H]e8u[S]; ietf-smtp(_at_)imc(_dot_)org
Subject: Re: CRAM-MD5 Authentication failure


At 21:37 07/09/2006, [H]e8u[S] wrote:


Hello,
 
 
First of all, I'm using an MDaemon 9.0.4 server and I have to make a small
SMTP client (linked to this server) for a website in PHP.
 
When I send the "EHLO" command, the server says:
 
250-he8us.XXXX.XXX Hello exponline, pleased to meet you
250-ETRN
250-AUTH=LOGIN
250-AUTH LOGIN CRAM-MD5
250-8BITMIME
250 SIZE 0
 
So I chose to authenticate with the CRAM-MD5 method. I send the command and
the server says:
 
334 UGFzc3dvcmQ6 (the string is always the same)
 
I think the string is the thing you call "challenge" and I "base64 decode"
it:
 
Password:


If the CRAM-MD5 challenge is always the same that is really bad! The whole
point is that it should be different every time to prevent replay attacks.
Are you sure you're sending the 'AUTH CRAM-MD5' command correctly?
'Password:' is the correct response to the second half of an 'AUTH LOGIN'
authentication.

If you are sending the 'AUTH CRAM-MD5' command correctly, and the challenge
is always the same it looks like MDaemon's authors need to read the
standards a bit better again...



The first thing I did was to send my base64_encoded password, but I got the
"535 Authentication failed" response.
So I base64_decode the string and hash_hmac("md5", $challenge, $pass) (the
manual of the function: http://be.php.net/manual/en/function.hash-hmac.php).
That gave me:
 
0e3f380dc0f4788203a3594089ae8d46
 
I made the CRAM-MD5 string:


Note that the CRAM-MD5 string isn't just the MD5 of the challenge & password
put together. See RFC 2095

It's 
MD5 ((password XOR opad), MD5 ((password XOR ipad), challenge))




exponline(_at_)he8us(_dot_)XXXX(_dot_)XXX 0e3f380dc0f4788203a3594089ae8d46
 
I base64_encode it
 
ZXhwb25saW5lQGhlOHVzLm5vLWlwLm9yZyAwZTNmMzgwZGMwZjQ3ODgyMDNhMzU5NDA4OWFlOGQ0
Ng==
 
And I sent it to the server and got the same error "535 Authentication
failed".
 
I tried without base64_decoding the challenge => error
Without base64_decoding the challenge and base64_encoding the CRAM-MD5 => error
Without base64_encoding the CRAM-MD5 => error...
 
Does somebody have an idea of why it doesn't work?
Which other authentication method can I use?


Have you tried using the CRAM-MD5 checker at
http://www.net-track.ch/opensource/cmd5/ to make sure that you are doing
your CRAM-MD5 encoding properly?

This utility will show the intermediate values as well for you.
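The CRAM-MD5 computation Paul describes, and his point that a challenge which decodes to "Password:" is an AUTH LOGIN prompt rather than a CRAM-MD5 challenge, worked through as an added Python example. This is not Cédric's PHP client and not MDaemon's code; it shows both the client side (building the response) and the server side (issuing a fresh challenge and verifying the response). The RFC 2195 test vector (user "tim", secret "tanstaaftanstaaf", challenge "<1896.697170952@postoffice.reston.mci.net>") is used to check the digest; the hostname mail.example.test and the other user names and passwords are constructed values.

```python
import base64
import hashlib
import hmac
import os
import time

# Prompts AUTH LOGIN sends, base64-encoded, in its two 334 lines.
# "334 UGFzc3dvcmQ6" from the thread decodes to "Password:", so the server
# was running AUTH LOGIN, not CRAM-MD5.
AUTH_LOGIN_PROMPTS = {"Username:", "Password:"}


def classify_challenge(challenge_b64: str) -> str:
    """Distinguish a real CRAM-MD5 challenge from an AUTH LOGIN prompt.

    RFC 2195 challenges are msg-id-like strings "<random.timestamp@host>" and
    must differ for every session; a fixed value defeats the replay protection.
    """
    text = base64.b64decode(challenge_b64).decode("ascii", errors="replace")
    if text in AUTH_LOGIN_PROMPTS:
        return "auth-login-prompt"
    if text.startswith("<") and text.endswith(">") and "@" in text:
        return "cram-md5-challenge"
    return "unknown"


def cram_md5_digest(password: str, challenge_b64: str) -> str:
    """HMAC-MD5 keyed with the password over the *decoded* challenge, as hex.

    This is the MD5((password XOR opad), MD5((password XOR ipad), challenge))
    construction quoted in the thread; hmac.new implements exactly that.
    """
    challenge = base64.b64decode(challenge_b64)
    return hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()


def cram_md5_response(username: str, password: str, challenge_b64: str) -> str:
    """Client side: base64("<username> <hexdigest>"), the one line sent after 334."""
    line = f"{username} {cram_md5_digest(password, challenge_b64)}"
    return base64.b64encode(line.encode("utf-8")).decode("ascii")


def make_challenge(hostname: str) -> str:
    """Server side: a fresh, unpredictable challenge for this session (constructed format)."""
    nonce = int.from_bytes(os.urandom(8), "big")
    raw = f"<{nonce}.{int(time.time())}@{hostname}>".encode("ascii")
    return base64.b64encode(raw).decode("ascii")


def verify_cram_md5(lookup_password, challenge_b64: str, response_b64: str) -> bool:
    """Server side: recompute the digest for the claimed user and compare in constant time.

    lookup_password(username) returns the stored secret or None. CRAM-MD5 needs
    the password itself (or an HMAC-MD5 context derived from it) on the server,
    which is one of the mechanism's known weaknesses.
    """
    try:
        decoded = base64.b64decode(response_b64, validate=True).decode("utf-8")
        username, sent_digest = decoded.rsplit(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return False  # malformed line, e.g. an AUTH LOGIN reply sent in the wrong slot
    password = lookup_password(username)
    if password is None:
        return False
    expected = cram_md5_digest(password, challenge_b64)
    return hmac.compare_digest(expected.encode("ascii"), sent_digest.encode("utf-8"))


if __name__ == "__main__":
    # Constructed end-to-end exchange between a client and a server.
    users = {"cedric": "s3cret-example"}
    challenge = make_challenge("mail.example.test")  # hostname is an assumption
    print("S: 334", challenge, "->", classify_challenge(challenge))
    response = cram_md5_response("cedric", users["cedric"], challenge)
    print("C:", response)
    ok = verify_cram_md5(users.get, challenge, response)
    print("S:", "235 Authentication successful" if ok else "535 Authentication failed")
    # The challenge seen in the thread is not a CRAM-MD5 challenge at all.
    print("334 UGFzc3dvcmQ6 ->", classify_challenge("UGFzc3dvcmQ6"))
```

PHP's hash_hmac("md5", $challenge, $pass) computes the same keyed digest as cram_md5_digest above (data first, key second), so the digest in the thread was built correctly; the failure came from the server having started AUTH LOGIN after "AUTH LOGIN CRAM-MD5", which is consistent with the fixed "Password:" challenge and with the follow-up reporting that plain "AUTH CRAM-MD5" succeeds. On the server side, a challenge that repeats across sessions lets a captured response be replayed, which is why make_challenge mixes a random nonce with the time.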

