Re: [exim] Why doesn't Exim authenticate against IMAP direct…

Author: Fred Viles
Date:  
To: exim-users
Subject: Re: [exim] Why doesn't Exim authenticate against IMAP directly?
On 1 Aug 2005 at 11:32, Marc Perkel wrote about
    "Re: [exim] Why doesn't Exim authent":


| Fred Viles wrote:

|...
| >FYI, it wouldn't work with CRAM-MD5 or other one-way-hash SASL
| >mechanisms. The password would not be available for exim to pass to
| >the IMAP server.

|...
| Why wouldn't the password be available?


RTFRFC (RFC 2195, according to spec.txt).

The client does not send the password in plaintext (that's a GOOD
thing). It sends a cryptographic hash made from the password and the
challenge string sent by the server. The server can't recover the
plain text password from the hash (it's a one-way hash); it has to
have the plain text password already to hand so it can hash it
itself, and verify that the client sent the expected hash.

- Fred
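
The exchange described in this message, as an added example that is not part of the original post or of Exim's code: both sides of an RFC 2195 CRAM-MD5 round, showing that the password never appears in the response and that a response made for one challenge fails against a second server's challenge. The function names, user, password and challenge strings are constructed for illustration.

```python
import base64
import hmac


def b64(text):
    """Base64-encode a string, as challenges and responses are sent on the wire."""
    return base64.b64encode(text.encode()).decode()


def cram_md5_response(user, password, challenge_b64):
    """Client side: HMAC-MD5 of the server's challenge, keyed with the password."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, "md5").hexdigest()
    return b64(f"{user} {digest}")


def cram_md5_verify(stored_password, challenge_b64, response_b64):
    """Server side: recompute the digest from the plaintext password it already holds."""
    challenge = base64.b64decode(challenge_b64)
    _user, _, digest = base64.b64decode(response_b64).decode().rpartition(" ")
    expected = hmac.new(stored_password.encode(), challenge, "md5").hexdigest()
    return hmac.compare_digest(digest, expected)


# Constructed sample values (not from the thread).
USER, PASSWORD = "alice", "correct horse"
SMTP_CHALLENGE = b64("<1001.1122900000@smtp.example.org>")  # issued by the SMTP server
IMAP_CHALLENGE = b64("<2002.1122900001@imap.example.org>")  # issued by the IMAP server


def demo():
    """Run one SMTP AUTH round, then try to reuse the response at the IMAP server."""
    response = cram_md5_response(USER, PASSWORD, SMTP_CHALLENGE)
    return {
        # The SMTP server, holding the plaintext password, can verify the hash.
        "smtp_accepts": cram_md5_verify(PASSWORD, SMTP_CHALLENGE, response),
        # The password itself is not in what the client sent.
        "password_on_wire": PASSWORD.encode() in base64.b64decode(response),
        # The same response is useless against the IMAP server's own challenge.
        "imap_accepts_relayed": cram_md5_verify(PASSWORD, IMAP_CHALLENGE, response),
        # A server that does not hold the right password cannot verify at all.
        "wrong_password_accepts": cram_md5_verify("guess", SMTP_CHALLENGE, response),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```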