[Dovecot] Regarding Digest-MD5 auth

Timo Sirainen tss at iki.fi
Mon Jun 13 16:59:27 EEST 2011


On Thu, 2011-06-09 at 13:48 +0530, kenja heramba wrote:
> Hi,
> 
> I am writing a Pop3Client. I use the Dovecot server as a POP3 server on Linux
> and hMailServer on Windows.
> 
> I was just testing DIGEST-MD5 auth with the Dovecot server.
> 
> I had an observation.
> 
> After server-side verification, the server sends a verification code to the
> client. If this fails, how can the client send a negative response, or does
> it not exist?

It doesn't exist. What could the client do anyway? Tell the server that
"I see you're doing a man-in-the-middle attack, no thanks"?

> When I look at the packet capture, the Dovecot server sends +OK Logged in
> for anything the client sends.

The last thing a client sends is the verification checksum, which
finishes the DIGEST-MD5 authentication. After that the login is
complete. So I'm not sure what you mean by "anything client sends". If
you send a wrong checksum, it should fail the authentication.
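
The check discussed in this thread, as an added example that is not part of the original post or of Dovecot: a client computes its own `response` and the `rspauth` value it expects back (RFC 2831, `qop=auth`, no authzid) and compares the server's value in constant time. The function names are hypothetical, the sample values are the worked example from RFC 2831 section 4, and closing the connection on a mismatch is this example's choice.

```python
import hashlib
import hmac

def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def _digest(a2_prefix, user, realm, password, nonce, cnonce, nc, digest_uri):
    # RFC 2831, qop=auth, no authzid; strings assumed ASCII/UTF-8.
    # A1 = H(user:realm:password) ":" nonce ":" cnonce  (inner hash is raw bytes)
    a1 = _md5(f"{user}:{realm}:{password}".encode()) + f":{nonce}:{cnonce}".encode()
    a2 = f"{a2_prefix}:{digest_uri}".encode()
    kd = f"{_md5(a1).hex()}:{nonce}:{nc}:{cnonce}:auth:{_md5(a2).hex()}"
    return hashlib.md5(kd.encode()).hexdigest()

def client_response(**params) -> str:
    """Value the client sends as response=... (A2 = "AUTHENTICATE:" digest-uri)."""
    return _digest("AUTHENTICATE", **params)

def expected_rspauth(**params) -> str:
    """Value the server must return as rspauth=... (A2 = ":" digest-uri)."""
    return _digest("", **params)

def server_proved_password(final_challenge: str, **params) -> bool:
    """Check the base64-decoded final server challenge, e.g. 'rspauth=ea40...'."""
    fields = dict(f.split("=", 1) for f in final_challenge.split(",") if "=" in f)
    got = fields.get("rspauth", "").strip().strip('"')
    return hmac.compare_digest(got.encode(), expected_rspauth(**params).encode())

# Sample values from the worked example in RFC 2831 section 4 (an IMAP login;
# a POP3 client would use digest-uri "pop/<host>").
RFC_PARAMS = dict(user="chris", realm="elwood.innosoft.com", password="secret",
                  nonce="OA6MG9tEQGm2hh", cnonce="OA6MHXh6VqTrRk",
                  nc="00000001", digest_uri="imap/elwood.innosoft.com")

if __name__ == "__main__":
    print("response:", client_response(**RFC_PARAMS))
    for challenge in ("rspauth=ea40f60335c427b5527b84dbabcdfffd",   # genuine
                      "rspauth=" + "0" * 32):                      # constructed bad value
        ok = server_proved_password(challenge, **RFC_PARAMS)
        # As the reply above notes, there is no negative response to send;
        # on a mismatch this client simply stops using the connection.
        print(challenge, "->", "continue session" if ok else "close connection")
```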



