On 1 Aug 2005 at 11:32, Marc Perkel wrote about
"Re: [exim] Why doesn't Exim authent":
| Fred Viles wrote:
|...
| >FYI, it wouldn't work with CRAM-MD5 or other one-way-hash SASL
| >mechanisms. The password would not be available for exim to pass to
| >the IMAP server.
|...
| Why wouldn't the password be available?
RTFRFC (RFC 2195, according to spec.txt).
The client does not send the password in plaintext (that's a GOOD
thing). It sends a cryptographic hash made from the password and the
challenge string sent by the server. The server can't recover the
plain text password from the hash (it's a one-way hash); it has to
have the plain text password already to hand so it can hash it
itself, and verify that the client sent the expected hash.
- Fred
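The exchange Fred describes, worked through as an added example (my own code, not Exim's and not from the thread): both halves of the RFC 2195 CRAM-MD5 dialogue, checked against the RFC's own test vector. The password table and the hostname used for the challenge are constructed stand-ins; note that the server side only ever sees the hex digest, which is why it has nothing usable to forward to an IMAP server.

```python
import base64
import hashlib
import hmac
import os
import time

# Test vector from RFC 2195 section 2 (user "tim", password "tanstaaftanstaaf").
RFC_CHALLENGE = b"<1896.697170952@postoffice.reston.mci.net>"

# Constructed stand-in for the server's password store. CRAM-MD5 forces the
# server to hold the plaintext (or at least something it can key HMAC-MD5 with).
PASSWORDS = {"tim": "tanstaaftanstaaf"}


def make_challenge(hostname: str) -> bytes:
    """Server side: a one-time challenge in the msg-id form RFC 2195 suggests."""
    return f"<{os.getpid()}.{int(time.time())}@{hostname}>".encode()


def compute_digest(password: str, challenge: bytes) -> str:
    """HMAC-MD5 keyed with the password over the challenge, as lowercase hex."""
    return hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()


def client_response(username: str, password: str, challenge: bytes) -> bytes:
    """Client side: the base64 line sent back, "<user> <hexdigest>".
    The password itself never leaves the client."""
    return base64.b64encode(f"{username} {compute_digest(password, challenge)}".encode())


def server_verify(response_b64: bytes, challenge: bytes, passwords=PASSWORDS) -> bool:
    """Server side: recompute the digest from the stored plaintext password and
    compare. All the server receives is the digest, so it cannot derive the
    password from it; it can only confirm that the client knew it."""
    try:
        username, digest = base64.b64decode(response_b64, validate=True).decode().split(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return False  # malformed response (bad base64 or no separator)
    password = passwords.get(username)
    if password is None:
        return False  # unknown user
    expected = compute_digest(password, challenge)
    return hmac.compare_digest(expected, digest)  # constant-time comparison


if __name__ == "__main__":
    chal = make_challenge("mail.example.invalid")  # constructed hostname
    resp = client_response("tim", "tanstaaftanstaaf", chal)
    print("server accepts:", server_verify(resp, chal))
```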