Mail module: auth cram-md5 does not work
Maxim Dounin
mdounin at mdounin.ru
Fri Feb 6 01:41:23 MSK 2009
Hello!

On Thu, Feb 05, 2009 at 10:55:42PM +0100, Miguel Beccari wrote:
> Hi list,
>
> I am using nginx as a mail proxy. It works well but I experienced some
> errors with cram-md5 smtp auth.
>
> This is my SMTP TCP log
>
> 20 my_host ESMTP ready
> EHLO macbook-pro-di-miguel-beccari.local
> 250-my_host
> 250-8BITMIME
> 250-PIPELINING

Unrelated note: nginx as of now doesn't support SMTP pipelining. You are
asking for trouble by advertising it.

> 250-AUTH PLAIN LOGIN CRAM-MD5
> 250 STARTTLS
> AUTH CRAM-MD5
> 334 PDc1Njk0NDk5MS4xMjMzODcwNTE3QG15c3FsPg==
> bXlfdGVzdEBjbGlra2EuY29tIDdjNzRkYjUxYTNhZGZjMTZhNjVhNDdhY2ExMzZkNTE4
> 535 5.7.0 Invalid login or password
>
> This is my HTTP auth log
>
> HTTP_AUTH_USER = my_test_user
> HTTP_AUTH_PASS = 7c74db51a3adfc16a65a47aca136d518
>
>
> NOTE: password should be "test" and not
> "7c74db51a3adfc16a65a47aca136d518"
>
> Am I wrong?

With CRAM-MD5 no password is transferred from client to server.
In your auth script you should use the Auth-Salt header and the user's
plaintext password to check whether the hash sent by the client (in the
Auth-Pass header) is correct.

Also, for pop3/imap (not for smtp) you should return the original user
password back to nginx if CRAM-MD5 is used (or nginx will be unable to
authenticate to the backend).

Maxim Dounin
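
The check described in the reply above, as an added example that is not part of the original message and is not nginx's own code. It assumes Auth-Salt carries the exact challenge string the client signed; the user store, the backend address and the function names are hypothetical, and the sample credentials are the RFC 2195 test vector.

```python
import hashlib
import hmac

# Constructed user store (assumption): the auth script must be able to read
# each user's plaintext password, because CRAM-MD5 keys the HMAC with it.
USERS = {"tim": "tanstaaftanstaaf"}  # RFC 2195 sample credentials
BACKEND = {"Auth-Server": "127.0.0.1", "Auth-Port": "110"}  # placeholder backend


def cram_md5_digest(password: str, salt: str) -> str:
    """HMAC-MD5 of the server challenge, keyed with the plaintext password."""
    return hmac.new(password.encode(), salt.encode(), hashlib.md5).hexdigest()


def check_auth(headers: dict) -> dict:
    """Return the response headers for one auth_http request (cram-md5 only)."""
    deny = {"Auth-Status": "Invalid login or password", "Auth-Wait": "3"}
    if headers.get("Auth-Method") != "cram-md5":
        return deny
    password = USERS.get(headers.get("Auth-User", ""))
    salt = headers.get("Auth-Salt", "")
    if password is None or not salt:
        return deny
    expected = cram_md5_digest(password, salt).encode()
    # Auth-Pass holds the client's hex digest here, not a password.
    supplied = headers.get("Auth-Pass", "").lower().encode()
    if not hmac.compare_digest(expected, supplied):
        return deny
    reply = {"Auth-Status": "OK", **BACKEND}
    if headers.get("Auth-Protocol") in ("pop3", "imap"):
        # nginx must log in to the backend itself, so it needs the real password.
        reply["Auth-Pass"] = password
    return reply


if __name__ == "__main__":
    request = {  # constructed request headers
        "Auth-Method": "cram-md5",
        "Auth-User": "tim",
        "Auth-Salt": "<1896.697170952@postoffice.reston.mci.net>",
        "Auth-Pass": "b913a602c7eda7a495b4e6e7334d3890",
        "Auth-Protocol": "imap",
    }
    print(check_auth(request))
```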