No, you cannot do CRAM-MD5 authentication with pwcheck. CRAM-MD5 authentication works by transmitting a random value, called a nonce, between the client and server instead of sending the actual password. The first step in authentication is to send the nonce to the client; the client then generates a hash with the nonce and the user password. This hash is passed back to the server, where the server also generates a hash using the nonce and the password. If the hashes the server and client generated match, they must have used the same password. This system of authentication does not require the password to be transmitted over the network, adding a level of security to the authentication.

The problem with pwcheck is that the server never knows what the password is until the client sends it. I'm not even sure that a general facility for handling CRAM-MD5 authentication could be added to pwcheck (or saslauthd). The problem is that many backend password stores (i.e. mysql, ldap, etc.) store the passwords as hashes that don't give the server enough information to generate the hash needed to compare with the client-generated hash.

Your root problem is that some of your subscribers are using IMAP clients that are so stupid they don't bother checking the server CAPABILITY return before starting CRAM-MD5 authentication. This is not terribly surprising. Try and find out what client is causing this problem. From there you can try two approaches: find a way to configure the client so that it behaves and add it to your site's FAQ, or, if its use is not too widespread, just put up a list of MUAs that your service works with and don't include the offending software.

Cheers

Chris

Jeremy Howard wrote:
> Well, I've happily been supporting nothing but plain/login at fastmail.fm
> during our 3 years of development and beta testing, but now that we've just
> gone live I'm starting to see new mail clients with behaviours I haven't
> seen before.
>
> Some mail clients are trying to use CRAM-MD5, according to our logs. Can
> anyone give me a quick overview of what this is, and what I need to do to
> support it? I use a custom pwcheck daemon for authentication--am I going to
> have to change this in any way, or do I just have to compile something into
> SASL?
>
> TIA,
> Jeremy
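The exchange Chris describes, and the reason a hash-only backend cannot take part in it, as an added example (my code, not Chris's, Jeremy's, or the Cyrus SASL project's). It follows RFC 2195: the server's random value is called the challenge there, the client's digest is HMAC-MD5 keyed with the plaintext password, and the response is base64 of `user digest`. The test vector (user `tim`, secret `tanstaaftanstaaf`, the `postoffice.reston.mci.net` challenge) is the one printed in RFC 2195; the two password stores and the hostname `mail.example.invalid` are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import os
import time

# Worked example from RFC 2195 section 2 (real vector, not constructed here).
RFC_USER = "tim"
RFC_PASSWORD = "tanstaaftanstaaf"
RFC_CHALLENGE = b"<1896.697170952@postoffice.reston.mci.net>"


def make_challenge(hostname: str) -> bytes:
    """Server side: a fresh, unpredictable challenge in the RFC 2195 form
    '<random.timestamp@hostname>'.  Freshness is what stops a captured
    response from being replayed against a later login."""
    rand = int.from_bytes(os.urandom(4), "big")
    return f"<{rand}.{int(time.time())}@{hostname}>".encode()


def cram_md5_digest(password: str, challenge: bytes) -> str:
    """HMAC-MD5 keyed with the *plaintext* password over the challenge.
    Both sides must run exactly this, so the server needs the password
    itself (or the HMAC-MD5 inner/outer state), not a one-way hash of it."""
    return hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()


def client_response(username: str, password: str, challenge_b64: bytes) -> bytes:
    """Client side: decode the challenge, compute the digest, send 'user hex'."""
    challenge = base64.b64decode(challenge_b64)
    digest = cram_md5_digest(password, challenge)
    return base64.b64encode(f"{username} {digest}".encode())


def server_verify(response_b64: bytes, challenge: bytes, lookup_password) -> bool:
    """Server side: recompute the digest from whatever the backend returns for
    the user and compare in constant time.  Malformed responses verify False."""
    try:
        username, digest = base64.b64decode(response_b64).decode().rsplit(" ", 1)
    except ValueError:  # bad base64, bad UTF-8, or no separating space
        return False
    password = lookup_password(username)
    if password is None:
        return False
    expected = cram_md5_digest(password, challenge)
    return hmac.compare_digest(expected, digest)


# Two constructed backends.  The first holds the plaintext (what CRAM-MD5
# requires); the second holds only a one-way hash, as a pwcheck/saslauthd
# style store typically does.
PLAINTEXT_STORE = {RFC_USER: RFC_PASSWORD}
HASHED_STORE = {RFC_USER: hashlib.sha256(RFC_PASSWORD.encode()).hexdigest()}


def run_exchange(store: dict, hostname: str = "mail.example.invalid") -> bool:
    """Full challenge/response round trip with a correct client password.
    Returns whether the server, keyed with what its store gives back, accepts."""
    challenge = make_challenge(hostname)
    challenge_b64 = base64.b64encode(challenge)
    response = client_response(RFC_USER, RFC_PASSWORD, challenge_b64)
    # The server can only key its HMAC with whatever the store hands it.
    return server_verify(response, challenge, store.get)


if __name__ == "__main__":
    print("RFC 2195 digest:", cram_md5_digest(RFC_PASSWORD, RFC_CHALLENGE))
    print("plaintext store accepts correct password:", run_exchange(PLAINTEXT_STORE))
    print("hash-only store accepts correct password:", run_exchange(HASHED_STORE))
```

The second `run_exchange` call is the whole of Chris's point: the client did everything right, but a backend that can only hand back a hash keys the server's HMAC with the wrong bytes, so the digests never match. The fix has to be on the server side (store the plaintext or the HMAC-MD5 intermediate state) or at the client (fall back to the mechanisms the server advertises in CAPABILITY), not in pwcheck.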