Re: [Exim] Puzzled with the inconsistent way CRAM-MD5 works …

Author: Matthew Byng-Maddick
Date:  
To: exim-users
Subject: Re: [Exim] Puzzled with the inconsistent way CRAM-MD5 works in Exim
On Sat, Sep 22, 2001 at 03:03:28PM +0200, ml wrote:
[snip]
> Now, I must say that I'm really puzzled with the way CRAM-MD5 auth works
> in Exim.

[snip]
> This way claims the passwd to be stored in plain text somewhere and, as
> you know, wherever it is stored (LDAP, databases), a plain passwd is not
> a very secure way to work with.


> Why can we imagine server_secret as a variable $server_secret (or $2) that
> would permit with the keyword server_condition to work like a charm :
>     ${if crypteq {$server_secret}{....}{yes}{no}}
> WHY ?


What are you trying to "secure" with SMTP auth?

CRAM-MD5 relies on a challenge-response authentication mechanism, where some
shared secret (call it an auth-equivalent token) is known by both ends. AIUI
it uses a one-way hash on the challenge and the secret. Only by knowing the
secret can you generate the correct hash. The server can check this hash
against the one it's generated.

How do you intend to do something like this where you don't store an
auth-equivalent token - i.e. a password?

MBM

-- 
Matthew Byng-Maddick         <mbm@???>           http://colondot.net/
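The challenge-response mechanism described in the reply, as an added example that is not part of the original thread or of Exim: both sides key an HMAC-MD5 with the shared secret over a fresh challenge (RFC 2195), and the server can only recompute the digest if it holds the secret itself, not a crypt()-style hash of it. The secret, hostname and username below are constructed sample values.

```python
import base64
import hashlib
import hmac
import os
import time

# Constructed sample secret shared by client and server (not from the post).
SHARED_SECRET = b"correct horse battery staple"


def make_challenge(hostname="mail.example.invalid"):
    """Server side: a fresh, unpredictable challenge in the RFC 2195 form
    <random.timestamp@hostname>. Freshness is what makes a captured
    response useless for replay."""
    nonce = int.from_bytes(os.urandom(4), "big")
    return f"<{nonce}.{int(time.time())}@{hostname}>".encode()

def client_response(username, secret, challenge):
    """Client side: "username SP hex(HMAC-MD5(secret, challenge))".
    Only a party holding `secret` can produce the digest."""
    digest = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}".encode()

def server_verify(response, challenge, lookup):
    """Server side: recompute the digest from the stored secret and compare
    in constant time. `lookup(username)` must return the secret itself
    (or None): a crypt()/bcrypt hash of the password cannot key the HMAC,
    which is why CRAM-MD5 needs an auth-equivalent token on the server."""
    try:
        username, digest = response.decode().split(" ", 1)
    except (UnicodeDecodeError, ValueError):
        return False
    secret = lookup(username)
    if secret is None:
        return False
    expected = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)

def demo():
    """One exchange with the right secret and one with a wrong guess, using
    the base64 framing SMTP puts on the wire (334 line, then the reply)."""
    users = {"alice": SHARED_SECRET}
    challenge = make_challenge()
    wire_challenge = b"334 " + base64.b64encode(challenge)
    challenge = base64.b64decode(wire_challenge[4:])  # client decodes it
    good = base64.b64decode(base64.b64encode(client_response("alice", SHARED_SECRET, challenge)))
    bad = client_response("alice", b"wrong guess", challenge)
    return server_verify(good, challenge, users.get), server_verify(bad, challenge, users.get)
```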