On 10.09.2013 15:59, Eric Shubert wrote:
On 09/10/2013 02:34 AM, Johannes Weberhofer wrote:
Dear all!

For security reasons I have disabled the storage of vpopmail's
plain-text passwords. Upon connection the qmail-server still responds with

250-server.test.com - Welcome to Qmail Toaster Ver. 1.03.5 SMTP Server
250-STARTTLS
250-PIPELINING
250-8BITMIME
250-SIZE 20971520
250 AUTH LOGIN PLAIN CRAM-MD5

Qmail's implementation of cram-md5 is implemented in a way that the
plain-text password is required [1] for CRAM-MD5 authentication. My
problem is that some clients are sending the CRAM-MD5 response, but
Qmail is not able to process it correctly. Unfortunately I have not
found a way to turn this feature off. Does someone know how to?

Best regards,
Johannes

[1] http://en.wikipedia.org/wiki/CRAM-MD5


You're one step ahead of me, Johannes. :)

I had planned to do so by having spamdyke handle authentication. The current 
version doesn't implement this quite right though, but it'll be fixed in the 
soon-to-be-released version.

In the meantime, check for qmail config options in the .spec file. There might 
be a ./configure option for turning cram-md5 off. I don't know off hand, but I 
would expect so. Either that or vpopmail. I don't recall off hand how qmail 
makes the determination of which auth methods are available.

Please let me know how you make out with this.
Thanks!

I'll let you know (if). It's a matter of time...

P.S. Just to be clear, plain-text passwords are required for any implementation 
of cram-md5, not just qmail's. That's a weakness which is inherent in the 
protocol.

The wiki page says that some (dovecot) implementation stores an intermediate 
step of HMAC, so I guess there is another way to do that, too.

Best regards,
Johannes

--
Johannes Weberhofer
Weberhofer GmbH, Austria, Vienna
