On Sep 22, 2005, at 1:27 PM, Erwin Hoffmann wrote:
>> If you use CRAM-MD5 for the AUTH method, it's impossible to sniff
>> the cleartext password.
>
> I don't bet on this. If you tape the SMTP dialogue, it's easy to encrypt
> the password.

I think you're wrong. AUTH PLAIN and AUTH LOGIN are just base64
encoded cleartext and you can determine the password from them.
CRAM-MD5 involves a one-way hash. It is impossible to reverse the hash
and determine the cleartext password. Each time you connect, a
different challenge results in a different response. The only way the
server and client can generate the correct response is to have the same
cleartext password available.
Given the challenge and response, it is not possible to generate the
cleartext password.
--
Tom Collins - [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/
You don't need a laptop to troubleshoot high-speed Internet:
sniffter.com
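
Added example, not part of the original message: the difference between AUTH PLAIN and CRAM-MD5 described above, in Python, using the user `tim`, shared secret `tanstaaftanstaaf` and first challenge from the RFC 2195 example. The AUTH PLAIN blob and the second challenge are constructed for illustration.

```python
import base64
import hashlib
import hmac

USER, SECRET = "tim", "tanstaaftanstaaf"            # RFC 2195 example credentials
CHALLENGE_1 = base64.b64encode(b"<1896.697170952@postoffice.reston.mci.net>").decode()
CHALLENGE_2 = base64.b64encode(b"<1897.697170953@postoffice.reston.mci.net>").decode()  # constructed
PLAIN_BLOB = base64.b64encode(b"\0tim\0tanstaaftanstaaf").decode()  # constructed AUTH PLAIN argument


def decode_auth_plain(b64_blob):
    """AUTH PLAIN sends base64(authzid NUL authcid NUL password); decoding yields the password."""
    _authzid, authcid, password = base64.b64decode(b64_blob).split(b"\0")
    return authcid.decode(), password.decode()


def cram_md5_digest(password, challenge):
    """HMAC-MD5 over the raw challenge, keyed with the cleartext password (RFC 2195)."""
    return hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()


def cram_md5_response(user, password, b64_challenge):
    """Client side: what actually crosses the wire is base64('user hexdigest')."""
    digest = cram_md5_digest(password, base64.b64decode(b64_challenge))
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def server_verify(stored_password, b64_challenge, b64_response):
    """Server side: recompute the digest from its own copy of the password and compare."""
    _user, _, digest = base64.b64decode(b64_response).decode().partition(" ")
    expected = cram_md5_digest(stored_password, base64.b64decode(b64_challenge))
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    print("AUTH PLAIN decodes to:", decode_auth_plain(PLAIN_BLOB))
    r1 = cram_md5_response(USER, SECRET, CHALLENGE_1)
    r2 = cram_md5_response(USER, SECRET, CHALLENGE_2)
    print("CRAM-MD5 response 1:", base64.b64decode(r1).decode())
    print("CRAM-MD5 response 2:", base64.b64decode(r2).decode())
    print("old response against new challenge accepted?",
          server_verify(SECRET, CHALLENGE_2, r1))
```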