Author: John Jetmore Date: To: Nico Erfurth CC: Tamas TEVESZ, exim-users Subject: Re: [Exim] CRAM-MD5 fudging
On Wed, 12 Mar 2003, Nico Erfurth wrote:
> > umm, you're right. but how the hell was i able to properly
> > authenticate every time, then? i did my first tests by hand, which
> > involved manual b64 decoding, then creating the response hash,
> > b64-encoding it, then feeding it to exim - it *definitely* takes more
> > time than a second...
>
> Hmmm, well let me think, maybe it doesn't matter whether you have the
> same Challenge or not, in your situation?
Just a thought, but if the challenge was literally
'<$tod_epoch@$primary_hostname>', that's still a usable challenge string.
It's not RFC compliant, but that doesn't necessarily mean anything. It
would make your server vulnerable to a replay attack (or whatever it's
called) though. I will say I just set up a test using the macro version
and I do get presented with <1047505235@???> as the
challenge, so it's getting expanded somewhere (this is 4.12, not sure when
server_prompts started getting expanded).
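As an added illustration (not from the thread or from Exim's code), a small Python model of the exchange John describes: the RFC 2195 client response, the server-side check, and a comparison of the literal, un-expanded prompt against the expanded one. The account alice / "correct horse battery" on mail.example.test is a constructed assumption; the epoch 1047505235 is taken from the challenge quoted above.

```python
import base64
import hashlib
import hmac

# Constructed sample values (not from the thread): a test account on a made-up host.
USER, PASSWORD, HOSTNAME = "alice", "correct horse battery", "mail.example.test"
# The server_prompts value under discussion, as written in an exim authenticator.
SERVER_PROMPTS = "<$tod_epoch@$primary_hostname>"


def server_challenge(prompt: str, expand: bool, epoch: int, hostname: str) -> str:
    """Base64 challenge the server sends for a given server_prompts value.
    expand=False models the literal, un-expanded string; expand=True substitutes
    $tod_epoch and $primary_hostname the way an expanded prompt would."""
    if expand:
        prompt = prompt.replace("$tod_epoch", str(epoch))
        prompt = prompt.replace("$primary_hostname", hostname)
    return base64.b64encode(prompt.encode()).decode()


def cram_md5_response(username: str, password: str, challenge_b64: str) -> str:
    """Client side of CRAM-MD5 (RFC 2195): the response is
    base64("<user> " + hex(HMAC-MD5(key=password, msg=decoded challenge)))."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()


def server_verify(response_b64: str, challenge_b64: str, lookup_password) -> bool:
    """Server side: recompute the digest for the challenge *this* session sent
    and compare in constant time. lookup_password(user) returns the shared
    secret, or None for an unknown user."""
    user, _, digest = base64.b64decode(response_b64).decode().partition(" ")
    password = lookup_password(user)
    if password is None:
        return False
    expected = hmac.new(password.encode(), base64.b64decode(challenge_b64),
                        hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def replayable(expand: bool) -> bool:
    """Two sessions one second apart: does the response from the first still
    verify against the second session's challenge? True means the challenge
    never changed; a fresh (expanded) challenge should give False."""
    first = server_challenge(SERVER_PROMPTS, expand, 1047505235, HOSTNAME)
    second = server_challenge(SERVER_PROMPTS, expand, 1047505236, HOSTNAME)
    earlier_response = cram_md5_response(USER, PASSWORD, first)
    secrets = {USER: PASSWORD}
    return server_verify(earlier_response, second, secrets.get)


if __name__ == "__main__":
    print("literal prompt replayable:", replayable(expand=False))   # True
    print("expanded prompt replayable:", replayable(expand=True))   # False
```

The check a server operator wants is the second one: with the epoch expanded into the prompt, a response computed for one challenge no longer verifies against the next.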