Re: [Exim] Re: SMTP auth, MySQL & passwords stored in clear

Nigel Metheringham wrote:
> On Wed, 2004-01-14 at 00:30, Philip Hazel wrote:
>
>>On Mon, 12 Jan 2004, Nigel Metheringham wrote:
>>
>>
>>>On Sun, 2004-01-11 at 14:14, Svein E. Seldal wrote:
>>>
>>>>I dont get it. I have a server with a sendmail MTA. It is able to use
>>>>CRAM-MD5 without using having the password available in cleartext. It
>>>>reads the /etc/shadow (which IFAIK is one-way hashed, right?). How is
>>>>that possible?
>>>
>>>It cannot be doing this.
>>
>>...unless the encrypted password is kept at both ends, in which case the
>>encrypted string is essentially being used as the "password". I suppose
>>the client could be generating the encrypted string each time, assuming
>>it can discover which salt to use.
>
>
> This simply means that the encrypted password on the server, if
> retrieved, can be used in place of the original password - ie it is
> plain text password equivalent.

Hmm. Maybe you're right that it isnt possible to use encr. passwds on
CRAM-MD5. -- That sendmail doesnt use CRAM-MD5 on shadow passwds at all.

The sendmail server sais it supports AUTH CRAM-MD5 PLAIN. When my
mailclient connects, it tries to auth via. CRAM-MD5 (as I told you
previously). The client and the server exchanges CRAM-MD5 data, however
I failed to notice that it actually fails to auth via CRAM-MD5 (500 auth
failure). So what happens next is that my mail client uses AUTH PLAIN
which succeeds! So much for that security.

Alas, If I knew this a little earlier... I'm sorry If I confused
someone. SSL here we come...

Regards embarrassed,
Svein