Mail module: auth cram-md5 does not work

Maxim Dounin mdounin at mdounin.ru
Fri Feb 6 15:01:11 MSK 2009


Hello!

On Fri, Feb 06, 2009 at 09:02:44AM +0100, Miguel Beccari wrote:

> > Unrelated note: nginx as of now doesn't support smtp pipelining.  You are
> > looking for trouble by advertising it.
> 
> Thank you very much for these notes. I am still testing nginx... Where can
> I find complete documentation about features?

The most complete one is available on the official site, but it's written 
mostly in the C language.  :)

Other possibilities include:

http://wiki.codemongers.com/NginxMailCoreModule (rather minimal)
http://citrin.ru/nginx:ngx_mail_core_module (in russian)

> > With CRAM-MD5 no password is transferred from client to server.  
> > In your auth script you should use Auth-Salt header and user's 
> > plaintext password to check if hash sent by client (in Auth-Pass header) 
> > is correct.
> 
> And thank you very much for this tip. Where can I find complete
> documentation about this feature?
> 
> I read mail modules documentation and I did not find anything about
> Auth-Salt header.
> 
> An example schema of an auth script with CRAM-MD5 will be appreciated.

For both plain and CRAM-MD5 something like this should work (note
that this tests Auth-Method header before doing actual checks):

    use strict;
    use warnings;
    use Digest::HMAC_MD5 qw/ hmac_md5_hex /;

    # nginx passes its Auth-* request headers to a CGI script as HTTP_AUTH_* variables
    my $method = $ENV{HTTP_AUTH_METHOD};  # Auth-Method: plain, cram-md5 or apop
    my $pass   = $ENV{HTTP_AUTH_PASS};    # Auth-Pass: the password, or the hex digest for cram-md5/apop
    my $salt   = $ENV{HTTP_AUTH_SALT};    # Auth-Salt: the challenge nginx sent to the client (cram-md5/apop only)
    my $realpass = ... # fetch user password based on Auth-Login here

    # CRAM-MD5: the client sends hex(HMAC-MD5(key = password, data = challenge)),
    # so recompute it from the stored plaintext password and compare
    if (($method eq 'plain' && $pass eq $realpass) or
        ($method eq 'cram-md5' && $pass eq hmac_md5_hex($salt, $realpass)))
    {
        # ... auth ok
    }

The same thing applies for APOP authentication for pop3 (with the 
exception that Auth-Method will be apop, and you should check MD5, 
not HMAC-MD5).

But actually I recommend avoiding both CRAM-MD5 and APOP since 
they require plaintext passwords to be stored on the server.  It's 
much better to use plain authentication with security added by the SSL 
layer.

Maxim Dounin
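
The checks described in the message above, as an added stand-alone example (not code from the original post or from nginx): a Python auth backend that verifies plain, CRAM-MD5 and APOP against a plaintext credential store, plus the client-side computations so the exchange can be exercised offline. The header names Auth-Method, Auth-Pass and Auth-Salt are the ones named in the message; Auth-User, the reply headers Auth-Status, Auth-Server, Auth-Port and Auth-Wait, the credential store, the challenge string and the backend address are assumptions made for this example.

```python
import hashlib
import hmac

# Constructed demo credential store: login -> plaintext password.
# CRAM-MD5 and APOP can only be verified against the plaintext password,
# which is exactly the storage cost the message above warns about.
USERS = {"miguel": "s3cret-pass"}

# Assumed backend mail server returned to nginx on success.
BACKEND = ("127.0.0.1", 143)


def cram_md5_response(challenge: str, password: str) -> str:
    """Client side of CRAM-MD5 (RFC 2195): HMAC-MD5 keyed with the password
    over the server's challenge, rendered as lowercase hex. This is what
    nginx hands the backend in Auth-Pass (challenge is in Auth-Salt)."""
    return hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()


def apop_response(banner: str, password: str) -> str:
    """Client side of APOP (RFC 1939): plain MD5 over banner timestamp + password,
    hex encoded. Note: MD5, not HMAC-MD5, as the message points out."""
    return hashlib.md5((banner + password).encode()).hexdigest()


def check_auth(headers: dict) -> bool:
    """Verify one auth_http request. `headers` holds the Auth-* values nginx sent.
    Assumed header name for the login: Auth-User."""
    method = headers.get("Auth-Method", "").lower()
    user = headers.get("Auth-User", "")
    client_pass = headers.get("Auth-Pass", "")
    salt = headers.get("Auth-Salt", "")

    real = USERS.get(user)
    if real is None:
        return False

    if method == "plain":
        expected = real                        # password itself was sent
    elif method == "cram-md5":
        expected = cram_md5_response(salt, real)
    elif method == "apop":
        expected = apop_response(salt, real)
    else:
        return False                           # unknown mechanism: reject

    # constant-time compare so a wrong digest is not distinguishable by timing
    return hmac.compare_digest(expected, client_pass)


def auth_response(headers: dict) -> dict:
    """Build the reply headers an auth_http backend returns to nginx
    (assumed names: Auth-Status/Auth-Server/Auth-Port on success,
    Auth-Status/Auth-Wait on failure)."""
    if check_auth(headers):
        return {"Auth-Status": "OK",
                "Auth-Server": BACKEND[0],
                "Auth-Port": str(BACKEND[1])}
    return {"Auth-Status": "Invalid login or password", "Auth-Wait": "3"}


if __name__ == "__main__":
    # Constructed challenge in the <...@host> shape used by CRAM-MD5 and APOP.
    challenge = "<1234.1233915671@mail.example.org>"
    good = {"Auth-Method": "cram-md5", "Auth-User": "miguel",
            "Auth-Salt": challenge,
            "Auth-Pass": cram_md5_response(challenge, "s3cret-pass")}
    bad = dict(good, **{"Auth-Pass": cram_md5_response(challenge, "wrong")})
    print(auth_response(good))
    print(auth_response(bad))
```

Replaying a captured CRAM-MD5 digest against a different challenge fails, which is the whole point of the challenge; but the backend still needs the plaintext password to recompute it, so storing only a salted password hash (as one would for plain + SSL) is not compatible with these mechanisms.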
