Re: [Exim] CRAM-MD5 fudging

Author: Nico Erfurth
Date:  
To: John Jetmore
CC: Tamas TEVESZ, exim-users
Subject: Re: [Exim] CRAM-MD5 fudging
John Jetmore wrote:
> On Wed, 12 Mar 2003, Nico Erfurth wrote:
>
>
>>>umm, you're right. but how the hell was i able to properly
>>>authenticate every time, then? i did my first tests by hand, which
>>>involved manual b64 decoding, then creating the response hash,
>>>b64-encoding it, then feeding it to exim - it *definitely* takes more
>>>time than a second...
>>
>>Hmmm, well let me think, maybe it doesn't matter, whatever you have the
>>same Challenge or not, in your situation?
>
>
> Just a thought, but if the challenge was literally
> '<$tod_epoch@$primary_hostname>', that's still a useable challenge string.
> It's not RFC compliant, but that doesn't necessarily mean anything. It
> would make your server vulnerable to a replay attack (or whatever it's
> called) though. I will say I just set up a test using the macro version
> and I do get presented with <1047505235@???> as the
> challenge, so it's getting expanded somewhere (this is 4.12, not sure when
> server_prompts started getting expanded).
Yes, it's expanded when exim uses it, but NOT when it reads the config
and substitutes your macro.

Nico
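The point John raises above (a challenge that never changes lets a recorded response be reused) can be shown with a small CRAM-MD5 exchange. The code below is an added example, not Exim's code and not part of the original thread; it implements RFC 2195 directly in Python. The challenge format <pid.epoch@hostname>, the hostname mail.example.test, the credential store SECRETS and the function names are all assumptions made for the example, and the RFC 2195 test vector (user "tim", secret "tanstaaftanstaaf") is used only to check the digest computation.

```python
"""Minimal CRAM-MD5 (RFC 2195) exchange showing why the server's challenge
must be freshly generated for every session rather than a fixed literal."""
import base64
import hashlib
import hmac
import os
import time

# Constructed credential store standing in for a server_secret lookup.
SECRETS = {"tamas": "s3cret-example", "tim": "tanstaaftanstaaf"}


def make_challenge(hostname, epoch=None, pid=None):
    """Build a per-session challenge like <pid.epoch@hostname>.

    epoch and pid default to the current time and process id; they are
    parameters only so the example and its test are deterministic.
    """
    epoch = int(time.time()) if epoch is None else epoch
    pid = os.getpid() if pid is None else pid
    return "<%d.%d@%s>" % (pid, epoch, hostname)


def cram_md5_response(username, secret, challenge):
    """Client side: base64('username ' + hex(HMAC-MD5(secret, challenge)))."""
    digest = hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return base64.b64encode(("%s %s" % (username, digest)).encode()).decode()


def verify_response(response_b64, challenge, secrets=SECRETS):
    """Server side: decode the reply, recompute the HMAC for the challenge that
    was actually issued, and compare in constant time. Returns the username on
    success, None on any failure (bad base64, unknown user, wrong digest)."""
    try:
        decoded = base64.b64decode(response_b64, validate=True).decode()
        username, digest = decoded.split(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return None
    secret = secrets.get(username)
    if secret is None:
        return None
    expected = hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return username if hmac.compare_digest(expected, digest) else None


def replay_outcomes():
    """Return (fresh_login_ok, replay_vs_fixed_challenge, replay_vs_fresh_challenge)."""
    host = "mail.example.test"
    # Session 1: the server issues a challenge, the client answers, and an
    # observer on the wire records that answer.
    c1 = make_challenge(host, epoch=1047505235, pid=4242)
    recorded = cram_md5_response("tamas", SECRETS["tamas"], c1)
    fresh_ok = verify_response(recorded, c1) == "tamas"

    # Misconfigured server: the "challenge" is an unexpanded literal that is
    # identical in every session, so a recorded answer verifies again later.
    fixed = "<$tod_epoch@$primary_hostname>"
    recorded_fixed = cram_md5_response("tamas", SECRETS["tamas"], fixed)
    replay_fixed = verify_response(recorded_fixed, fixed) == "tamas"

    # Correct server: the next session gets a new challenge, and the answer
    # recorded in session 1 no longer matches.
    c2 = make_challenge(host, epoch=1047505236, pid=4243)
    replay_fresh = verify_response(recorded, c2) == "tamas"
    return fresh_ok, replay_fixed, replay_fresh


if __name__ == "__main__":
    print("fresh login ok, replay vs fixed, replay vs fresh:", replay_outcomes())
```

The three results are True, True, False: a fresh challenge authenticates normally, a fixed literal accepts the replayed answer, and a freshly generated challenge rejects it. This is why the expanded macro (timestamp plus hostname) matters even though a literal string is still "usable" as a challenge.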