Author: Nico Erfurth Date: To: John Jetmore CC: Tamas TEVESZ, exim-users Subject: Re: [Exim] CRAM-MD5 fudging
John Jetmore wrote: > On Wed, 12 Mar 2003, Nico Erfurth wrote:
>
>
>>>umm, you're right. but how the hell was i able to properly
>>>authenticate everytime, then ? i did my first tests by hand, which
>>>involved manual b64 decoding, the creating the response hash,
>>>b64-encoding it, then feeding it to exim - it *definitely* takes more
>>>time than a second...
>>
>>Hmmm, well let me think, maybe it doesn't matter, whatever you have the
>>same Challange or not, in your situation?
>
>
> Just a thought, but if the challenge was literally
> '<$tod_epoch@$primary_hostname>', that's still a useable challenge string.
> It's not RFC compliant, but that doesn't necessarily mean anything. it
> would make your server vulnerable to a replay attack (or whatever it's
> called) though. I will say I just set up a test using the macro version
> and I do get presented with <1047505235@???> as the
> challenge, so it's getting expanded somewhere (this is 4.12, not sure when
> server_prompts started getting expanded).
Yes, it's expanded when exim uses it, but NOT when it reads the config
and substitues your macro.