[aklug] smtp auth

From: barsalou <barjunk@attglobal.net>
Date: Sun May 25 2008 - 21:47:08 AKDT

I ran across this conversation about smtp auth and thought I'd share
it with the group.

>>>
>>>> Is there a way to test smtp-auth using digest-md5 and cram-md5
>>>> with telnet?
>>>
>>> Yes. RFC 2554 shows you exactly what it looks like. The challenge &
>>> response will be base64 encoded, I believe.
>>
>> I should have clarified that CRAM-MD5 is shown by that RFC. I think the SASL
>> docs have examples of the DIGEST-MD5 method.
>
> Through telnet I could authenticate using 'LOGIN and PLAIN'
> because these just wanted base64 encoded strings. But when trying to
> do CRAM-MD5 I not only needed it to be base64 encoded, but it first
> needed to be encrypted with MD5; this was my first problem. The second
> was that I didn't know how to send the Challenge/Response string back
> to the server. I could find copious amounts of info showing people
> feeding their MD5/Base64 encrypted/encoded Response string back to the
> Challenge question in telnet, but nobody showed how they got that
> Response string.
>

Below is a program that assists in generating the needed codes.
>
> gen-auth.pl
>
> root@vmail:/etc/mail# perl gen-auth.pl
> encryption type: cram-md5
> username: jonr@destar.net
> password:
> challenge: PDIwNTMwODUwODMuMzY1MDc3MUB2bWFpbC5kZXN0YXIubmV0Pg==
> am9uckBkZXN0YXIubmV0IDJjMzQwZmM5YmQwMTIyZmI0Mzk5N2JiYjBlMzNlNjBl
>
> It asks you the right questions and gives you the right answer to the
> Challenge. Here is a telnet session showing an authentication:
>
> bash-3.00$ telnet vmail 25
> Trying 192.168.9.60...
> Connected to vmail.destar.net (192.168.9.60).
> Escape character is '^]'.
> 220 vmail.destar.net ESMTP Sendmail 8.14.2/8.14.2; Fri, 23 May 2008
> 22:24:01 -0800
> ehlo destar.net
> 250-vmail.destar.net Hello [192.168.9.40], pleased to meet you
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250-SIZE 8000000
> 250-DSN
> 250-ETRN
> 250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
> 250-STARTTLS
> 250-DELIVERBY
> 250 HELP
> auth cram-md5
> 334 PDIwNTMwODUwODMuMzY1MDc3MUB2bWFpbC5kZXN0YXIubmV0Pg==
> am9uckBkZXN0YXIubmV0IDJjMzQwZmM5YmQwMTIyZmI0Mzk5N2JiYjBlMzNlNjBl
> 235 2.0.0 OK Authenticated
>
> Now this only encrypts the login session and nothing else, so the data
> portion of the email is in clear-text and can be sniffed off the wire.
> The Challenge needs to constantly rotate to a new Challenge string or
> else it would be easy to figure out logins. Luckily, it seems sendmail
> does this by default.
>
> This was done so that I could have roaming users who would be able to
> authenticate no matter what ISP they were using. After all of this, I
> decided not to use CRAM-MD5 after all but instead to set up STARTTLS so
> the session is encrypted end to end.
>

This was a conversation between Jon Reynolds and Arthur Corliss and I
have clipped out some sections of the transaction because they were
not relevant to smtp auth.

Hope someone finds it helpful.

Mike B.
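The thread describes the part gen-auth.pl does by hand: decode the base64 challenge from the server's 334 line, key HMAC-MD5 with the password over the decoded challenge, and send back base64 of "username hexdigest". Below is an added Python example of that computation, plus the server-side check that would verify such a reply; it is not gen-auth.pl and not from the thread. The test vector is the one published in RFC 2195 (user "tim", secret "tanstaaftanstaaf", challenge "<1896.697170952@postoffice.reston.mci.net>", digest b913a602c7eda7a495b4e6e7334d3890); the second challenge and the lookup function are constructed for illustration.

```python
import base64
import hashlib
import hmac
from typing import Callable, Optional, Tuple

# RFC 2195 worked example, used here as a known-answer check.
RFC2195_CHALLENGE = base64.b64encode(b"<1896.697170952@postoffice.reston.mci.net>").decode("ascii")
RFC2195_DIGEST = "b913a602c7eda7a495b4e6e7334d3890"

# Constructed second challenge, used to show that a captured reply does
# not work against a fresh challenge.
FRESH_CHALLENGE = base64.b64encode(b"<1234.567890@mail.example.invalid>").decode("ascii")


def cram_md5_response(username: str, password: str, challenge_b64: str) -> str:
    """Client side: build the reply to a base64-encoded CRAM-MD5 challenge.

    The 334 line from the server carries base64(challenge). The client
    decodes it, computes HMAC-MD5(key=password, msg=challenge) and sends
    base64("<username> <32 lowercase hex chars>") as a single line.
    """
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode("utf-8")).decode("ascii")


def parse_response(response_b64: str) -> Tuple[str, str]:
    """Split a client reply into (username, hex digest); ValueError if malformed."""
    decoded = base64.b64decode(response_b64, validate=True).decode("utf-8")
    username, sep, digest = decoded.rpartition(" ")
    if not sep or len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("malformed CRAM-MD5 response")
    return username, digest


def verify_cram_md5(
    response_b64: str,
    challenge_b64: str,
    lookup_password: Callable[[str], Optional[str]],
) -> bool:
    """Server side: recompute the digest from the stored secret and compare.

    lookup_password(username) returns the stored secret or None. CRAM-MD5
    needs the secret in a form the server can key HMAC-MD5 with, so a
    one-way password hash is not enough on the server side. The comparison
    is constant-time so the digest check itself does not leak by timing.
    """
    try:
        username, digest = parse_response(response_b64)
    except ValueError:
        return False
    secret = lookup_password(username)
    if secret is None:
        return False
    expected = hmac.new(
        secret.encode("utf-8"), base64.b64decode(challenge_b64), hashlib.md5
    ).hexdigest()
    return hmac.compare_digest(expected, digest)


def rfc2195_lookup(username: str) -> Optional[str]:
    """Constructed password store holding only the RFC 2195 example user."""
    return "tanstaaftanstaaf" if username == "tim" else None


if __name__ == "__main__":
    reply = cram_md5_response("tim", "tanstaaftanstaaf", RFC2195_CHALLENGE)
    print("client sends:", reply)
    print("decoded:", parse_response(reply))
    print("server accepts:", verify_cram_md5(reply, RFC2195_CHALLENGE, rfc2195_lookup))
    print("same reply against a new challenge:",
          verify_cram_md5(reply, FRESH_CHALLENGE, rfc2195_lookup))
```

The last line of the demo is the point Jon makes about the challenge rotating: the reply is bound to the challenge it was computed for, so a server that issues a fresh one per session (as the sendmail transcript above does, with a timestamp-style string that decodes to "<2053085083.3650771@vmail.destar.net>") makes a captured reply useless later. It does not hide the username or the message body, which is why the thread ends at STARTTLS.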

Received on Sun May 25 21:47:58 2008

This archive was generated by hypermail 2.1.8 : Sun May 25 2008 - 21:47:58 AKDT