> I'm not even sure that a general facility for handling CRAM-MD5
> authentication could be added to pwcheck (or saslauthd).  The problem
> is that many backend password stores (i.e. mysql, ldap, etc.) store the
> passwords as hashes that don't give the server enough information to
> generate the hash needed to compare with the client generated hash.
> 
Thanks Chris. See my earlier message to Rob S suggesting a way to get
pwcheck and CRAM to interoperate.

Your comment about storing passwords as hashes is right on the money. We
have had to start storing passwords as plain text in our DB to avoid this
problem, since we use challenge-response with a pwcheck-like daemon for
an address/contacts synchronization protocol that we've developed
in-house.

> Your root problem is that some of your subscribers are using IMAP
> clients that are so stupid, they don't bother checking the server
> CAPABILITY return before starting CRAM-MD5 authentication.  This is not
> terribly surprising.  Try and find out what client is causing this
> problem.  From there you can try two approaches:  find a way to
> configure the client so that it behaves and add it to your site's FAQ, or
> if its use is not too widespread, just put a list of MUAs that your
> service works with and don't include the offending software.

We'll look at this too. But I'd rather do whatever we can to make it easy
for our users, rather than making them switch tools or negotiate
configuration screens, wherever possible.

-- 
  Jeremy Howard
  [EMAIL PROTECTED]
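An added example, not part of this thread, showing why the hashed-store problem discussed above exists: in CRAM-MD5 the password itself is the HMAC key, so a server holding only a one-way hash has nothing to recompute the client's digest with, whereas PLAIN/LOGIN (where the server receives the password) works fine against a hashed store. The user names, password and salt are constructed sample values.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample credentials for this example (not real data).
PASSWORD = "correct-horse-battery"
PLAINTEXT_STORE = {"jeremy": PASSWORD}            # reversible secret: CRAM-MD5 can use it
_SALT = bytes.fromhex("0011223344556677")
HASHED_STORE = {"jeremy": (_SALT, hashlib.sha256(_SALT + PASSWORD.encode()).digest())}


def make_challenge(host="mail.example.test"):
    """RFC 2195-style challenge: <random.timestamp@host>, fresh for every session."""
    return f"<{secrets.randbits(64)}.{int(time.time())}@{host}>"


def client_response(username, password, challenge):
    """Client side of CRAM-MD5: HMAC-MD5 keyed with the password, over the challenge."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{username} {digest}"


def hashed_lookup(username):
    """A store holding only a salted one-way hash cannot return the password,
    so it has no key to hand the server for recomputing the HMAC."""
    return None


def cram_md5_verify(response, challenge, lookup):
    """Server side: recompute the HMAC with the key returned by lookup()."""
    username, _, digest = response.partition(" ")
    password = lookup(username)
    if password is None:          # unknown user, or the store cannot supply the key
        return False
    expected = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def plain_verify(username, password, store=HASHED_STORE):
    """PLAIN/LOGIN (over TLS): the server sees the password, so a one-way hash suffices."""
    entry = store.get(username)
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(hashlib.sha256(salt + password.encode()).digest(), stored)


if __name__ == "__main__":
    chal = make_challenge()
    resp = client_response("jeremy", PASSWORD, chal)
    print(cram_md5_verify(resp, chal, PLAINTEXT_STORE.get))  # True
    print(cram_md5_verify(resp, chal, hashed_lookup))        # False: nothing to key the HMAC with
    print(plain_verify("jeremy", PASSWORD))                   # True
```

A response is only valid for the challenge it was computed against, so a captured digest cannot be replayed against a later session's challenge.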
