
Ticket #408 (fixed bug)

Add CRAM-MD5 support to fluxbb-mailer

  • Created: 2011-04-18 10:21:07
  • Reported by: Reines
  • Assigned to: Reines
  • Milestone: 2.0-alpha2
  • Component: email
  • Priority: normal

At the moment fluxbb-mailer will attempt to use DIGEST-MD5 and CRAM-MD5 auth if supported by the server, but has no implementation of it and hence will fail.

These both still need to be implemented.

History

Reines 2011-04-18 10:36:38

  • Owner set to Reines.

Reines 2011-04-18 22:04:23

  • Status changed from open to fixed.
  • Summary changed from Add DIGEST-MD5 and CRAM-MD5 support to fluxbb-mailer to Add CRAM-MD5 support to fluxbb-mailer.

I've now committed an implementation of CRAM-MD5 in 4a894d5188ca8d0b0a7f.

This is still untested as I don't have access to any SMTP server that supports CRAM-MD5!

Franz 2011-04-18 22:11:52

What about DIGEST-MD5?

Reines 2011-04-18 22:15:27

I decided against supporting it, unless anyone specifically requests it - CRAM-MD5 and DIGEST-MD5 both require the passwords to be stored in plain-text form on the server, so barely anywhere actually supports these methods.

Also, it's more complex and I can't be bothered trying to code it if no one wants it anyway tongue
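To make the "server needs the plaintext password" point concrete, here is an added example (not fluxbb-mailer's code) of the CRAM-MD5 exchange from RFC 2195: the client side that builds the AUTH response, and the server side that can only verify it by recomputing the HMAC from the stored secret. The credential store and the hashed-store variant at the end are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Example challenge, user and shared secret from RFC 2195 section 2.
RFC2195_CHALLENGE_B64 = "PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+"
RFC2195_USER = "tim"
RFC2195_SECRET = "tanstaaftanstaaf"


def cram_md5_response(username: str, password: str, challenge_b64: str) -> str:
    """Client side: decode the server's base64 challenge (sent after '334'),
    key HMAC-MD5 with the password, and reply base64('user hexdigest')."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode("utf-8")).decode("ascii")


def server_verify(response_b64: str, challenge_b64: str, store: dict) -> bool:
    """Server side: look the user up and recompute the HMAC from the stored
    secret. 'store' maps username -> secret exactly as the server keeps it;
    if it holds a one-way hash of the password instead, verification fails."""
    try:
        user, digest = base64.b64decode(response_b64).decode("utf-8").rsplit(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return False
    secret = store.get(user)
    if secret is None:
        return False
    challenge = base64.b64decode(challenge_b64)
    expected = hmac.new(secret.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    # Constant-time comparison avoids leaking how many digest bytes matched.
    return hmac.compare_digest(expected, digest)


def hashed_store_can_verify(username: str, password: str, challenge_b64: str) -> bool:
    """Constructed check: a server that stored only md5(password) (or any
    other one-way hash) cannot recompute the client's keyed digest."""
    store = {username: hashlib.md5(password.encode("utf-8")).hexdigest()}
    response = cram_md5_response(username, password, challenge_b64)
    return server_verify(response, challenge_b64, store)
```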

Franz 2011-04-20 08:00:59

  • Milestone changed from 2.0-alpha2 to 2.0-alpha1.

Reines 2011-04-20 08:07:23

I've not actually changed FluxBB to make use of the new mailer module yet - should I do so, and move the tickets to alpha1?

Franz 2011-04-20 08:13:17

  • Milestone changed from 2.0-alpha1 to 2.0-alpha2.

My bad. No.

MattF 2011-05-10 19:20:36

"CRAM-MD5 and DIGEST-MD5 both require the passwords to be stored in plain-text form on the server"

Allowing for the fact my mind may be a bit rusty on the subject, since when and not to my knowledge.

Btw, I believe I have cram set up on the mailserver here. I can add a test account for you if you'd like?

Reines 2011-05-10 20:04:13

http://en.wikipedia.org/wiki/CRAM-MD5

Protocol weaknesses
  • Need to secure server: The server needs access to the users' plain text passwords. Therefore it must take additional care to secure these passwords. Typically by using reversible cryptography.

http://en.wikipedia.org/wiki/Digest_acc … entication

Disadvantages
  • Some servers require passwords to be stored using reversible encryption. However, it is possible to instead store the digested value of the username, realm, and password.

Sounds like this one depends on the server implementation...

MattF 2011-05-10 20:11:49

You should know better than to take Wikipedia's word for it. big_smile Dovecot, as one example, uses the latter method in that second snippet.

Reines 2011-05-10 20:18:19

I didn't come across it on Wikipedia originally, it was just the easiest link to find tongue

The one I actually found originally was a guide for postfix, which states:

Important
These three plugins support shared-secret mechanisms i.e. CRAM-MD5, DIGEST-MD5 and NTLM. These mechanisms send credentials encrypted but their verification process requires the password to be available in plaintext. Consequently passwords cannot (!) be stored in encrypted form.

Anyway if you have a server setup with CRAM-MD5 and/or DIGEST-MD5 then feel free to test fluxbb-mailer - it currently supports PLAIN, LOGIN, and CRAM-MD5 (untested). Alternatively if you want to email me (reines@fluxbb.org) with your server details and an account I'll test CRAM-MD5 and/or implement DIGEST-MD5.

MattF 2011-05-10 21:08:54

You were just unlucky picking that page. That's a throwback to years ago before Postfix had the auth support/mechanisms it does nowadays (one being Dovecot's auth system, ironically big_smile).

I've e-mailed you the details. The account should be fully up and running for auth'd sending and the like, but let me know if there are any problems. smile

Reines 2011-05-10 21:13:12

  • Status changed from fixed to open.

Cheers. CRAM-MD5 seems to have worked - will look into implementing DIGEST-MD5 soon.

Reines 2011-05-13 08:35:31

I'm having trouble getting Digest-MD5 to work actually. Even the Pear::Net_SMTP (which uses Pear::AUTH_SASL) gets an authentication error.

MattF 2011-05-13 08:57:14

My apologies. Looks like that error may be caused by something at this end. I'll give you a shout as soon as I get that sorted. smile

Reines 2011-05-13 08:58:06

No problem, I actually just found a test server so am trying with that at the moment.

MattF 2011-05-13 09:25:37

That seems a useful test system. I've altered that test account to use the digest password scheme for the time being, btw. Configs combined with a shonky memory aren't a good mix. big_smile

Reines 2011-05-13 09:34:53

  • Status changed from open to fixed.

Tidied up a couple of bits and added DIGEST-MD5 support in fc9202c8d14bb6c11a04.

@MattF: I'm still getting invalid credentials for your server when using DIGEST-MD5, but also for CRAM-MD5 now! Both seem to be working fine with the test.smtp.org server though.

In case you want to test anything, here is a quick test script, set up to use the test.smtp.org server: http://pastebin.com/0cuxjiT1

PS. It requires the latest version of the utf8 library.

Reines 2011-05-13 09:36:16

Should have mentioned - if you want to test anything you will want to set SMTPConnection::DEBUG to true, to actually see what is going on.

MattF 2011-05-13 09:41:17

Cheers. This must be why I never bothered implementing digest in the past, and stuck with just cram for auth. Digest seems to be an awkward devil to work with.