auth_http - Password always different

Maxim Dounin mdounin at
Mon Dec 23 12:40:12 UTC 2019


On Mon, Dec 23, 2019 at 12:47:11PM +0100, nsclick at wrote:

> Hello,
> I'm trying to use "auth_http" to handle the authentication for SMTP.
> The auth script itself is a PHP script. At the beginning of the script I'm doing the following (just for testing!!! The passwords will not be logged later):
> if( !isset($_SERVER["HTTP_AUTH_USER"]) || !isset($_SERVER["HTTP_AUTH_PASS"]) )
> {
> 	// User or Password are NOT set.
> 	fail("Invalid user or password");
> }
> $username = $_SERVER["HTTP_AUTH_USER"];
> $userpass = $_SERVER["HTTP_AUTH_PASS"];
> $protocol = $_SERVER["HTTP_AUTH_PROTOCOL"];
> $fd=fopen('php_mail.log', 'a');
> fputs($fd, "User: [".$username."]  Protocol: [".$protocol."]  Pass: [".$userpass."]\n");
> fclose($fd);
> However, the passwords I see in the log are different all the time for the same user.
> Often they consist of 32 hexadecimal digits (but never the same combination) or sometimes they are simply the username with brackets around.
> For my understanding the received password should be the same all the time, because otherwise I cannot check the user credentials.
> Is there a problem with my understanding or do I miss something?

Check the Auth-Method header, most likely the auth method used is 
not plain, but apop or cram-md5.  See docs here:

for details.  More information about APOP and CRAM-MD5 can be 
found in relevant RFCs.

Maxim Dounin

More information about the nginx mailing list