On Thu, 2011-06-09 at 13:48 +0530, kenja heramba wrote:
> Hi,
> I am writing a Pop3Client. I use dovecot server as POP3 server in linux and hMailServer in windows.
> I was just testing digest-md5 auth with dovecot server.
> I had an observation.
> After server side verification, server sends a verification code to client. If this fails, how can client send the negative response or does it not exist?

It doesn't exist. What could the client do anyway? Tell the server that "I see you're doing a man-in-the-middle attack, no thanks"?

> When I see packet capture, dovecot server sends +OK Logged in for anything client sends.

The last thing a client sends is the verification checksum, which finishes the DIGEST-MD5 authentication. After that the login is complete. So I'm not sure what you mean by "anything client sends". If you send a wrong checksum, it should fail the authentication.
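
The check discussed in this thread, as an added example that is not part of the original message or of Dovecot's code: how a client computes its DIGEST-MD5 response and verifies the server's `rspauth` value per RFC 2831, so that a mismatch makes the client stop and drop the connection. The function names are hypothetical, the parameters are those of the worked example in RFC 2831, and the code assumes `qop=auth`, no authzid and ASCII credentials.

```python
import base64
import hashlib
import hmac

# Parameters of the worked example in RFC 2831 (not from this thread).
RFC2831 = dict(user="chris", realm="elwood.innosoft.com", password="secret",
               nonce="OA6MG9tEQGm2hh", cnonce="OA6MHXh6VqTrRk",
               nc="00000001", digest_uri="imap/elwood.innosoft.com")


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def digest_value(user, realm, password, nonce, cnonce, nc, digest_uri, a2_prefix):
    """RFC 2831 response-value for qop=auth, no authzid, ASCII inputs."""
    # A1 begins with the raw 16-byte MD5 of user:realm:password, not its hex form.
    a1 = _md5(f"{user}:{realm}:{password}".encode()) + f":{nonce}:{cnonce}".encode()
    a2 = f"{a2_prefix}:{digest_uri}".encode()
    kd = f"{_md5(a1).hex()}:{nonce}:{nc}:{cnonce}:auth:{_md5(a2).hex()}"
    return _md5(kd.encode()).hex()


def client_response(**params):
    """The 'response' directive the client sends to the server."""
    return digest_value(a2_prefix="AUTHENTICATE", **params)


def expected_rspauth(**params):
    """What a server that knows the password must send back.
    Same computation, but A2 is ':' + digest-uri (empty prefix)."""
    return digest_value(a2_prefix="", **params)


def server_proved_password(final_challenge_b64, **params):
    """True only if the server's final challenge carries the rspauth we expect.
    On False the caller should close the connection instead of continuing."""
    try:
        text = base64.b64decode(final_challenge_b64, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return False
    fields = dict(f.split("=", 1) for f in text.split(",") if "=" in f)
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(fields.get("rspauth", ""), expected_rspauth(**params))
```
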