Re: [Exim] CRAM-MD5 fudging

Startseite
Diese Nachricht ist Teil des folgenden Threads:
M--\Der komplette Thread sortiert nach Datum
M+\MJohn Jetmore am <-
MMMMTamas TEVESZ am ->
Nachricht löschen
Nachricht beantworten
Autor: Nico Erfurth
Datum:  
To: John Jetmore
CC: Tamas TEVESZ, exim-users
Betreff: Re: [Exim] CRAM-MD5 fudging
John Jetmore wrote:
> On Wed, 12 Mar 2003, Nico Erfurth wrote:
>
>
>>>umm, you're right. but how the hell was i able to properly
>>>authenticate everytime, then ? i did my first tests by hand, which
>>>involved manual b64 decoding, the creating the response hash,
>>>b64-encoding it, then feeding it to exim - it *definitely* takes more
>>>time than a second...
>>
>>Hmmm, well let me think, maybe it doesn't matter, whatever you have the
>>same Challange or not, in your situation?
>
>
> Just a thought, but if the challenge was literally
> '<$tod_epoch@$primary_hostname>', that's still a useable challenge string.
> It's not RFC compliant, but that doesn't necessarily mean anything. it
> would make your server vulnerable to a replay attack (or whatever it's
> called) though. I will say I just set up a test using the macro version
> and I do get presented with <1047505235@???> as the
> challenge, so it's getting expanded somewhere (this is 4.12, not sure when
> server_prompts started getting expanded).


Yes, it's expanded when exim uses it, but NOT when it reads the config
and substitues your macro.

Nico



Diese Nachricht wurde auf der folgenden Mailing-List gepostet:
Exim-users
Mailing-List-Info | Nachrichten um die Zeit		<-[Exim] Problem with the RBL-Feature and Dial-Up Hosts authentificating via SMTP-AuthRe: [Exim] Problem with the RBL-Feature and Dial-Up Hosts authentificating via SMTP-Auth->
Tahini and Hummus and Cumin Development Archives administriert von cumin AdminsLurker (Version 2.3)