Re: [vchkpw] vchkpw fails and then succeeds!
On Wed, 15 Dec 2004 03:24:07 -0300, Eduardo M. Bragatto [EMAIL PROTECTED] wrote:
> Charles Sprickman wrote:

> I don't really care if some user has his mail sniffed (if he thinks it's confidential, he should be responsible for encrypting it, so even when it's written to the storage system the message would still be encrypted). But I do care if some spammer sniffs him and starts getting relay to do spam through my smtpd (smtp-auth).

I'm not sure, but I think that the only thing that's encrypted is the login data. Or am I wrong?

-- Pedro Pais Skype name: pedro.pais MSN: [EMAIL PROTECTED] Get Firefox! http://www.spreadfirefox.com/community/?q=affiliates&id=3759&t=1
Re: [vchkpw] vchkpw fails and then succeeds!
unsubscribe

- Original Message -
From: Eduardo M. Bragatto [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, December 15, 2004 10:03 AM
Subject: Re: [vchkpw] vchkpw fails and then succeeds!

Pedro Pais wrote:
> I'm not sure, but I think that the only thing that's encrypted is the login data. Or am I wrong?

Yes, it's true. That's exactly what I want: protect the login data (it means that I want it encrypted via CRAM-MD5 on smtp-auth as well on my DB).

-- Best regards, Eduardo M. Bragatto.
Re: [vchkpw] vchkpw fails and then succeeds!
On Wednesday 15 December 2004 12:24 am, Eduardo M. Bragatto wrote:
> Charles Sprickman wrote:
>>> So I have to choose: using a cryptography authentication method that's not safe or having the password being saved as plain (which is not safe either)?
>> No...

> You did not point out how to do what I'm asking: is it possible to use CRAM-MD5 without clear passwords?

cram-md5 requires the clear text password on both ends, however, the transmission of the password is secure.

>> There's a simple workaround; use standard auth and in your setup guides show your users how to click the Use SSL/TLS option in their mail program. Then your login (and the contents of the message they are sending/receiving) is encrypted, and you can use an auth mechanism that does not require clear-text passwords.

> It's not a workaround for me. I do not use TLS patch and I don't really want to encrypt messages. I just want to be sure that my users' password will not be accessible for anyone but themselves.

setting up SSL is very easy to do. http://superscript.com/ucspi-ssl/intro.html it's about 3 changes to your run script, and generating your SSL certificates, which takes about 5-10 minutes to do.

-Jeremy

-- Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc. [EMAIL PROTECTED] ++ www.inter7.com ++ 866.528.3530 ++ 815.776.9465 int'l kitchen @ #qmail #gentoo on EFnet IRC ++ scriptkitchen.com/qmail GnuPG Key ID: 481BF7E2 ++ jabber:[EMAIL PROTECTED]
Re: [vchkpw] vchkpw fails and then succeeds!
On Mon, 13 Dec 2004 21:26:10 -0500 (EST), Charles Sprickman [EMAIL PROTECTED] wrote:
> On Tue, 14 Dec 2004, Pedro Pais wrote:
>> Yes, does Outlook Express support TLS? I can't make it use it, which is not very nice :(

> Oops. Sorry about that. It indeed does not work. This run script is interesting, it will put up an stunnel SSL connection that should make Outhouse Express happy: http://www.jms1.net/qmail/run.smtp

> Charles

Will I be able to run two concurrent qmail processes, on different ports? One listening on 25 and other listening on 465?

-- Pedro Pais Skype name: pedro.pais MSN: [EMAIL PROTECTED] Get Firefox! http://www.spreadfirefox.com/community/?q=affiliates&id=3759&t=1
Re: [vchkpw] vchkpw fails and then succeeds!
Charles Sprickman wrote:
>> So I have to choose: using a cryptography authentication method that's not safe or having the password being saved as plain (which is not safe either)?
> No...

You did not point out how to do what I'm asking: is it possible to use CRAM-MD5 without clear passwords?

> They don't have to sniff your LAN, they can sniff at the end-users side. You're probably using smtp-auth to provide roaming to travelling users, and there's a decent chance some of those are on unfriendly networks like wireless...

Exactly.

> There's a simple workaround; use standard auth and in your setup guides show your users how to click the Use SSL/TLS option in their mail program. Then your login (and the contents of the message they are sending/receiving) is encrypted, and you can use an auth mechanism that does not require clear-text passwords.

It's not a workaround for me. I do not use TLS patch and I don't really want to encrypt messages. I just want to be sure that my users' password will not be accessible for anyone but themselves.

I don't really care if some user has his mail sniffed (if he thinks it's confidential, he should be responsible for encrypting it, so even when it's written to the storage system the message would still be encrypted). But I do care if some spammer sniffs him and starts getting relay to do spam through my smtpd (smtp-auth).

-- Best regards, Eduardo M. Bragatto.
Re: [vchkpw] vchkpw fails and then succeeds!
On Fri, 10 Dec 2004, Eduardo M. Bragatto wrote:
> Tom Collins wrote:
>> If you stored a single encoded password, anyone sniffing the line could learn the encoded version and just re-use it.

> So I have to choose: using a cryptography authentication method that's not safe or having the password being saved as plain (which is not safe either)?

No...

> Sure I can guarantee that getting access to my DB is more difficult than getting access to my LAN (in case of sniffing), so I would choose having the plain password stored, but it's still being a hole on the system (if some guy gains access to DB, he'll have access to ALL passwords, while sniffing would just compromise some users).

They don't have to sniff your LAN, they can sniff at the end-users side. You're probably using smtp-auth to provide roaming to travelling users, and there's a decent chance some of those are on unfriendly networks like wireless...

> Is there any plans for workaround this problem? Is there a way to do it? How does behavior other softwares that uses CRAM-MD5? They always kept the plain password?

There's a simple workaround; use standard auth and in your setup guides show your users how to click the Use SSL/TLS option in their mail program. Then your login (and the contents of the message they are sending/receiving) is encrypted, and you can use an auth mechanism that does not require clear-text passwords.

Another auth mechanism that works like this is CHAP. We used to have a roaming dial provider that had a handful of POPs that only supported CHAP and had to ditch them since it required us to store cleartext passwords. Since we auth dialup users out of our vpopmail db, we just decided not to mess with them.

I've never been worried about the attack CHAP tries to protect against, which involves tapping the modem line to grab user/pass info - it's just not a realistic threat for most people.

Charles

> -- Best regards, Eduardo M. Bragatto.
Re: [vchkpw] vchkpw fails and then succeeds!
On Mon, 13 Dec 2004 17:37:00 -0500 (EST), Charles Sprickman [EMAIL PROTECTED] wrote:
> On Fri, 10 Dec 2004, Eduardo M. Bragatto wrote:
>> Tom Collins wrote:
>>> If you stored a single encoded password, anyone sniffing the line could learn the encoded version and just re-use it.

>> So I have to choose: using a cryptography authentication method that's not safe or having the password being saved as plain (which is not safe either)?

> No...

>> Sure I can guarantee that getting access to my DB is more difficult than getting access to my LAN (in case of sniffing), so I would choose having the plain password stored, but it's still being a hole on the system (if some guy gains access to DB, he'll have access to ALL passwords, while sniffing would just compromise some users).

> They don't have to sniff your LAN, they can sniff at the end-users side. You're probably using smtp-auth to provide roaming to travelling users, and there's a decent chance some of those are on unfriendly networks like wireless...

>> Is there any plans for workaround this problem? Is there a way to do it? How does behavior other softwares that uses CRAM-MD5? They always kept the plain password?

> There's a simple workaround; use standard auth and in your setup guides show your users how to click the Use SSL/TLS option in their mail program. Then your login (and the contents of the message they are sending/receiving) is encrypted, and you can use an auth mechanism that does not require clear-text passwords.

Yes, does Outlook Express support TLS? I can't make it use it, which is not very nice :(

> Another auth mechanism that works like this is CHAP. We used to have a roaming dial provider that had a handful of POPs that only supported CHAP and had to ditch them since it required us to store cleartext passwords. Since we auth dialup users out of our vpopmail db, we just decided not to mess with them.

> I've never been worried about the attack CHAP tries to protect against, which involves tapping the modem line to grab user/pass info - it's just not a realistic threat for most people.

> Charles

>> -- Best regards, Eduardo M. Bragatto.

-- Pedro Pais Skype name: pedro.pais MSN: [EMAIL PROTECTED] Get Firefox! http://www.spreadfirefox.com/community/?q=affiliates&id=3759&t=1
Re: [vchkpw] vchkpw fails and then succeeds!
On Mon, 13 Dec 2004 21:26:10 -0500 (EST), Charles Sprickman [EMAIL PROTECTED] wrote:
> On Tue, 14 Dec 2004, Pedro Pais wrote:
>> Yes, does Outlook Express support TLS? I can't make it use it, which is not very nice :(

> Oops. Sorry about that. It indeed does not work. This run script is interesting, it will put up an stunnel SSL connection that should make Outhouse Express happy: http://www.jms1.net/qmail/run.smtp

thanks.

> Charles

-- Pedro Pais Skype name: pedro.pais MSN: [EMAIL PROTECTED] Get Firefox! http://www.spreadfirefox.com/community/?q=affiliates&id=3759&t=1
Re: [vchkpw] vchkpw fails and then succeeds!
On Thu, 9 Dec 2004, Tom Collins wrote:
> On Dec 9, 2004, at 1:53 PM, Charles Sprickman wrote:
>> Also, I'm fairly certain that CRAM-MD5 requires that you have clear-text passwords enabled. I still need to look at my pop and smtp servers to see how I can make them not advertise something that's not available on my system...

> Good point (clear-text). The change is pretty easy -- just modify qmail-smtpd.c. Search for a line like 250-AUTH LOGIN CRAM-MD5 PLAIN and remove the CRAM-MD5 part.

Cool. I really like Bill's patch. That plus all the work Antonio's been doing on chkuser and we're one step closer to having a vpopmail patch for netqmail. Now if one day that were bundled in with vpopmail in a way where we ended up with an integrated mail system... m...

One of the things having an official patchset would do would be to alter our patching of qmail to take into account all the vpopmail configure options (ie: patch qmail intelligently so that CRAM-MD5 isn't offered if clear-text passwords are not enabled in vpopmail). Just thinking out loud, but it seems like something that might be worth looking at down the line - it would probably reduce some common questions on this list and make supporting the casual user a bit easier...

Charles

> -- Tom Collins - [EMAIL PROTECTED] QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/ Info on the Sniffter hand-held Network Tester: http://sniffter.com/
Re: [vchkpw] vchkpw fails and then succeeds!
On Tue, 14 Dec 2004, Pedro Pais wrote:
> Yes, does Outlook Express support TLS? I can't make it use it, which is not very nice :(

Oops. Sorry about that. It indeed does not work. This run script is interesting, it will put up an stunnel SSL connection that should make Outhouse Express happy: http://www.jms1.net/qmail/run.smtp

Charles

> -- Pedro Pais Skype name: pedro.pais MSN: [EMAIL PROTECTED] Get Firefox! http://www.spreadfirefox.com/community/?q=affiliates&id=3759&t=1
Re: [vchkpw] vchkpw fails and then succeeds!
On Fri, 10 Dec 2004 19:28:32 +, Pedro Pais [EMAIL PROTECTED] wrote:
> On Thu, 9 Dec 2004 21:39:22 -0800, Tom Collins [EMAIL PROTECTED] wrote:
>> On Dec 9, 2004, at 3:20 PM, Pedro Pais wrote:
>>>> Also, I'm fairly certain that CRAM-MD5 requires that you have clear-text passwords enabled. I still need to look at my pop and smtp servers to see how I can make them not advertise something that's not available on my system...
>>> Really? That doesn't sound too secure, or even ethical.

>> CRAM-MD5 is more secure because someone sniffing the network can't derive the sender's password. With all other SMTP AUTH methods, you can easily decode sniffed packets to get the email address and password. The only way for CRAM-MD5 to work is for the server to know the user's cleartext password. Granted, you need to make sure the cleartext password is stored securely...

> But why isn't the password stored in the passwd/mysql using CRAM-MD5 format? That way you could always check it. It wouldn't matter if the client authenticated using plain or using CRAM-MD5. You could even double cypher the password using mysql PASSWORD().
> a) Client authenticates using plain username/password. Create CRAM-MD5 from those tokens and check with the password stored.
> b) Client authenticates using CRAM-MD5 username/password. Directly compare with the stored password.
> Am I missing something important in here?

Maybe I'm over-simplifying things a bit, right? I'm skimming the RFC and the process of creation of the CRAM-MD5 authentication token doesn't seem to be very straight-forward...

>> -- Tom Collins - [EMAIL PROTECTED] QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/ Info on the Sniffter hand-held Network Tester: http://sniffter.com/

-- Pedro Pais Skype name: pedro.pais MSN: [EMAIL PROTECTED] Get Firefox! http://www.spreadfirefox.com/community/?q=affiliates&id=3759&t=1
Re: [vchkpw] vchkpw fails and then succeeds!
Tom Collins wrote:
> If you stored a single encoded password, anyone sniffing the line could learn the encoded version and just re-use it.

So I have to choose: using a cryptography authentication method that's not safe or having the password being saved as plain (which is not safe either)?

Sure I can guarantee that getting access to my DB is more difficult than getting access to my LAN (in case of sniffing), so I would choose having the plain password stored, but it's still being a hole on the system (if some guy gains access to DB, he'll have access to ALL passwords, while sniffing would just compromise some users).

Is there any plans for workaround this problem? Is there a way to do it? How does behavior other softwares that uses CRAM-MD5? They always kept the plain password?

-- Best regards, Eduardo M. Bragatto.
Re: [vchkpw] vchkpw fails and then succeeds!
On Thu, 9 Dec 2004 21:39:22 -0800, Tom Collins [EMAIL PROTECTED] wrote:
> On Dec 9, 2004, at 3:20 PM, Pedro Pais wrote:
>>> Also, I'm fairly certain that CRAM-MD5 requires that you have clear-text passwords enabled. I still need to look at my pop and smtp servers to see how I can make them not advertise something that's not available on my system...
>> Really? That doesn't sound too secure, or even ethical.

> CRAM-MD5 is more secure because someone sniffing the network can't derive the sender's password. With all other SMTP AUTH methods, you can easily decode sniffed packets to get the email address and password. The only way for CRAM-MD5 to work is for the server to know the user's cleartext password. Granted, you need to make sure the cleartext password is stored securely...

But why isn't the password stored in the passwd/mysql using CRAM-MD5 format? That way you could always check it. It wouldn't matter if the client authenticated using plain or using CRAM-MD5. You could even double cypher the password using mysql PASSWORD().
a) Client authenticates using plain username/password. Create CRAM-MD5 from those tokens and check with the password stored.
b) Client authenticates using CRAM-MD5 username/password. Directly compare with the stored password.
Am I missing something important in here?

> -- Tom Collins - [EMAIL PROTECTED] QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/ Info on the Sniffter hand-held Network Tester: http://sniffter.com/

-- Pedro Pais Skype name: pedro.pais MSN: [EMAIL PROTECTED] Get Firefox! http://www.spreadfirefox.com/community/?q=affiliates&id=3759&t=1
Re: [vchkpw] vchkpw fails and then succeeds!
On Dec 10, 2004, at 11:28 AM, Pedro Pais wrote:
> But why isn't the password stored in the passwd/mysql using CRAM-MD5 format? That way you could always check it. It wouldn't matter if the client authenticated using plain or using CRAM-MD5. You could even double cypher the password using mysql PASSWORD().
> a) Client authenticates using plain username/password. Create CRAM-MD5 from those tokens and check with the password stored.
> b) Client authenticates using CRAM-MD5 username/password. Directly compare with the stored password.
> Am I missing something important in here?

Every time the client authenticates, it uses a different challenge (issued by the server) to encode the response. CRAM-MD5 works in a way that if you and I both know the cleartext password (secret), we can both generate the same response to the common challenge. You can tell me the response, and I can verify whether you know the password, but someone overhearing our conversation can't determine the actual password.

If you stored a single encoded password, anyone sniffing the line could learn the encoded version and just re-use it.

-- Tom Collins - [EMAIL PROTECTED] QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/ Info on the Sniffter hand-held Network Tester: http://sniffter.com/
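
The challenge-response exchange described in the message above, written out for both sides as an added example that is not part of the thread and is not vpopmail or qmail code. The class and function names, the hostname, the sample account and the MD5-of-password "encoded" form are assumptions made for illustration; the HMAC-MD5 construction follows RFC 2195.

```python
"""CRAM-MD5 (RFC 2195) challenge-response, both sides, with a replay attempt."""
import base64
import hashlib
import hmac
import os
import time

USER, PASSWORD = "user@example.org", "constructed-secret"  # constructed sample account


def cram_md5_digest(password: bytes, challenge: bytes) -> str:
    # HMAC-MD5 keyed with the shared secret, computed over the server's challenge.
    return hmac.new(password, challenge, hashlib.md5).hexdigest()


def client_response(user: str, password: str, challenge_b64: bytes) -> bytes:
    challenge = base64.b64decode(challenge_b64)
    digest = cram_md5_digest(password.encode(), challenge)
    return base64.b64encode(f"{user} {digest}".encode())


class CramServer:
    """Hypothetical server side; it needs the cleartext password to key the HMAC."""

    def __init__(self, cleartext_passwords, hostname="mail.example.org"):
        self.passwords = cleartext_passwords
        self.hostname = hostname
        self.pending = None

    def issue_challenge(self) -> bytes:
        nonce = int.from_bytes(os.urandom(8), "big")
        self.pending = f"<{nonce}.{int(time.time())}@{self.hostname}>".encode()
        return base64.b64encode(self.pending)

    def verify(self, response_b64: bytes) -> bool:
        challenge, self.pending = self.pending, None  # each challenge is single-use
        if challenge is None:
            return False
        try:
            decoded = base64.b64decode(response_b64).decode()
        except ValueError:  # bad base64 or bad UTF-8
            return False
        user, _, digest = decoded.rpartition(" ")
        password = self.passwords.get(user)
        if password is None:
            return False
        expected = cram_md5_digest(password.encode(), challenge)
        return hmac.compare_digest(expected.encode(), digest.encode())


def static_token_login(stored_token: str, presented_token: str) -> bool:
    # The alternative raised in the thread: one stored encoded value, compared directly.
    return hmac.compare_digest(stored_token.encode(), presented_token.encode())


def demo():
    server = CramServer({USER: PASSWORD})
    captured = client_response(USER, PASSWORD, server.issue_challenge())
    legitimate = server.verify(captured)   # fresh challenge, correct secret
    server.issue_challenge()               # the next session gets a new challenge
    replayed = server.verify(captured)     # the captured response no longer matches
    token = hashlib.md5(PASSWORD.encode()).hexdigest()  # assumed "encoded" form
    static_replayed = static_token_login(token, token)  # same bytes work every time
    return legitimate, replayed, static_replayed


if __name__ == "__main__":
    print(demo())
```

`verify` cannot be written against a one-way password hash, because the HMAC has to be keyed with the same secret the client used; that is the clear-text requirement discussed in the thread.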
Re: [vchkpw] vchkpw fails and then succeeds!
On Wed, 8 Dec 2004, Tom Collins wrote:
> On Dec 8, 2004, at 8:04 AM, Pedro Pais wrote:
>> When a user tries to authenticate itself, the first time vchkpw fails with:
>> Dec 6 21:50:08 [vpopmail] vchkpw-smtp: password fail
>> but then it succeeds immediately after:
>> Dec 6 21:50:13 [vpopmail] vchkpw-smtp: (PLAIN) login success
>> This is very annoying, besides the fact that this only happens with Thunderbird, with other e-mail clients they give an error message and the connection is terminated. Is there any way to solve this thing?

> It looks like the client is trying CRAM-MD5, failing, and then using PLAIN authentication. You probably have an older patch, or a version problem between the smtp-auth patch and vpopmail. The older patch sent the information in the incorrect order, and vpopmail was written to accept it in that order. We fixed vpopmail for the 5.4.0 release, but it required updating to the correct SMTP AUTH patch.

Also, I'm fairly certain that CRAM-MD5 requires that you have clear-text passwords enabled. I still need to look at my pop and smtp servers to see how I can make them not advertise something that's not available on my system...

Charles

> If you're using vpopmail 5.4.0 and later, make sure you're using an up-to-date patch that passes the MD5 challenge and response in the correct order. The patch in vpopmail's contrib directory works properly.

> -- Tom Collins - [EMAIL PROTECTED] QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/ Info on the Sniffter hand-held Network Tester: http://sniffter.com/
Re: [vchkpw] vchkpw fails and then succeeds!
On Thu, 9 Dec 2004 16:53:30 -0500 (EST), Charles Sprickman [EMAIL PROTECTED] wrote:
> On Wed, 8 Dec 2004, Tom Collins wrote:
>> On Dec 8, 2004, at 8:04 AM, Pedro Pais wrote:
>>> When a user tries to authenticate itself, the first time vchkpw fails with:
>>> Dec 6 21:50:08 [vpopmail] vchkpw-smtp: password fail
>>> but then it succeeds immediately after:
>>> Dec 6 21:50:13 [vpopmail] vchkpw-smtp: (PLAIN) login success
>>> This is very annoying, besides the fact that this only happens with Thunderbird, with other e-mail clients they give an error message and the connection is terminated. Is there any way to solve this thing?

>> It looks like the client is trying CRAM-MD5, failing, and then using PLAIN authentication. You probably have an older patch, or a version problem between the smtp-auth patch and vpopmail. The older patch sent the information in the incorrect order, and vpopmail was written to accept it in that order. We fixed vpopmail for the 5.4.0 release, but it required updating to the correct SMTP AUTH patch.

> Also, I'm fairly certain that CRAM-MD5 requires that you have clear-text passwords enabled. I still need to look at my pop and smtp servers to see how I can make them not advertise something that's not available on my system...

> Charles

Really? That doesn't sound too secure, or even ethical.

Well, I've found a way to disable the announcement of CRAM-MD5: edit qmail-smtpd.c, and delete (or comment out) the line that says #define AUTHCRAM. Then compile, install qmail and CRAM-MD5 support is gone.

>> If you're using vpopmail 5.4.0 and later, make sure you're using an up-to-date patch that passes the MD5 challenge and response in the correct order. The patch in vpopmail's contrib directory works properly.

>> -- Tom Collins - [EMAIL PROTECTED] QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/ Info on the Sniffter hand-held Network Tester: http://sniffter.com/

-- Pedro Pais Skype name: pedro.pais MSN: [EMAIL PROTECTED] Get Firefox! http://www.spreadfirefox.com/community/?q=affiliates&id=3759&t=1
Re: [vchkpw] vchkpw fails and then succeeds!
On Dec 9, 2004, at 1:53 PM, Charles Sprickman wrote:
> Also, I'm fairly certain that CRAM-MD5 requires that you have clear-text passwords enabled. I still need to look at my pop and smtp servers to see how I can make them not advertise something that's not available on my system...

Good point (clear-text). The change is pretty easy -- just modify qmail-smtpd.c. Search for a line like 250-AUTH LOGIN CRAM-MD5 PLAIN and remove the CRAM-MD5 part.

-- Tom Collins - [EMAIL PROTECTED] QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/ Info on the Sniffter hand-held Network Tester: http://sniffter.com/
Re: [vchkpw] vchkpw fails and then succeeds!
On Thursday 09 December 2004 06:16 pm, Tom Collins wrote:
> On Dec 9, 2004, at 1:53 PM, Charles Sprickman wrote:
>> Also, I'm fairly certain that CRAM-MD5 requires that you have clear-text passwords enabled. I still need to look at my pop and smtp servers to see how I can make them not advertise something that's not available on my system...

> Good point (clear-text). The change is pretty easy -- just modify qmail-smtpd.c. Search for a line like 250-AUTH LOGIN CRAM-MD5 PLAIN and remove the CRAM-MD5 part.

most of them also have an ifdef around that, so simply undefine CRAM_MD5 (near the top of the file) and you're set.

-Jeremy

-- Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc. [EMAIL PROTECTED] ++ www.inter7.com ++ 866.528.3530 ++ 815.776.9465 int'l kitchen @ #qmail #gentoo on EFnet IRC ++ scriptkitchen.com/qmail GnuPG Key ID: 481BF7E2 ++ jabber:[EMAIL PROTECTED]
Re: [vchkpw] vchkpw fails and then succeeds!
On Dec 9, 2004, at 3:20 PM, Pedro Pais wrote:
>> Also, I'm fairly certain that CRAM-MD5 requires that you have clear-text passwords enabled. I still need to look at my pop and smtp servers to see how I can make them not advertise something that's not available on my system...
> Really? That doesn't sound too secure, or even ethical.

CRAM-MD5 is more secure because someone sniffing the network can't derive the sender's password. With all other SMTP AUTH methods, you can easily decode sniffed packets to get the email address and password.

The only way for CRAM-MD5 to work is for the server to know the user's cleartext password. Granted, you need to make sure the cleartext password is stored securely...

-- Tom Collins - [EMAIL PROTECTED] QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/ Info on the Sniffter hand-held Network Tester: http://sniffter.com/
[vchkpw] vchkpw fails and then succeeds!
When a user tries to authenticate itself, the first time vchkpw fails with:
Dec 6 21:50:08 [vpopmail] vchkpw-smtp: password fail
but then it succeeds immediately after:
Dec 6 21:50:13 [vpopmail] vchkpw-smtp: (PLAIN) login success

This is very annoying, besides the fact that this only happens with Thunderbird, with other e-mail clients they give an error message and the connection is terminated. Is there any way to solve this thing?

Oh.. and the greatest of all is that this only happens while authenticating for smtp relay, POP3 and IMAP work out perfectly.

-- Pedro Pais Skype name: pedro.pais MSN: [EMAIL PROTECTED] Get Firefox! http://www.spreadfirefox.com/community/?q=affiliates&id=3759&t=1
Re: [vchkpw] vchkpw fails and then succeeds!
On Dec 8, 2004, at 8:04 AM, Pedro Pais wrote:
> When a user tries to authenticate itself, the first time vchkpw fails with:
> Dec 6 21:50:08 [vpopmail] vchkpw-smtp: password fail
> but then it succeeds immediately after:
> Dec 6 21:50:13 [vpopmail] vchkpw-smtp: (PLAIN) login success
> This is very annoying, besides the fact that this only happens with Thunderbird, with other e-mail clients they give an error message and the connection is terminated. Is there any way to solve this thing?

It looks like the client is trying CRAM-MD5, failing, and then using PLAIN authentication. You probably have an older patch, or a version problem between the smtp-auth patch and vpopmail. The older patch sent the information in the incorrect order, and vpopmail was written to accept it in that order. We fixed vpopmail for the 5.4.0 release, but it required updating to the correct SMTP AUTH patch.

If you're using vpopmail 5.4.0 and later, make sure you're using an up-to-date patch that passes the MD5 challenge and response in the correct order. The patch in vpopmail's contrib directory works properly.

-- Tom Collins - [EMAIL PROTECTED] QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/ Info on the Sniffter hand-held Network Tester: http://sniffter.com/
Re: [vchkpw] vchkpw fails and then succeeds!
On Wed, 8 Dec 2004 10:39:35 -0800, Tom Collins [EMAIL PROTECTED] wrote:
> On Dec 8, 2004, at 8:04 AM, Pedro Pais wrote:
>> When a user tries to authenticate itself, the first time vchkpw fails with:
>> Dec 6 21:50:08 [vpopmail] vchkpw-smtp: password fail
>> but then it succeeds immediately after:
>> Dec 6 21:50:13 [vpopmail] vchkpw-smtp: (PLAIN) login success
>> This is very annoying, besides the fact that this only happens with Thunderbird, with other e-mail clients they give an error message and the connection is terminated. Is there any way to solve this thing?

> It looks like the client is trying CRAM-MD5, failing, and then using PLAIN authentication. You probably have an older patch, or a version problem between the smtp-auth patch and vpopmail. The older patch sent the information in the incorrect order, and vpopmail was written to accept it in that order. We fixed vpopmail for the 5.4.0 release, but it required updating to the correct SMTP AUTH patch.

> If you're using vpopmail 5.4.0 and later, make sure you're using an up-to-date patch that passes the MD5 challenge and response in the correct order. The patch in vpopmail's contrib directory works properly.

> -- Tom Collins - [EMAIL PROTECTED] QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/ Info on the Sniffter hand-held Network Tester: http://sniffter.com/

Thanks a lot for your tips, but it still doesn't work. :( I'm using gentoo, that already has qmail way patches. I tried to compile it with the patch in the contrib dir, and it worked out. But the result is just the same. But I guess you're totally right. I've tried more extensively and with Outlook Express it doesn't give any error (I suppose OE doesn't use CRAM-MD5). I'm using vpopmail 5.4.6, and qmail is already patched with smtp auth, but still nothing. Any thing else you can remember?

-- Pedro Pais Skype name: pedro.pais MSN: [EMAIL PROTECTED] Get Firefox! http://www.spreadfirefox.com/community/?q=affiliates&id=3759&t=1