[Dovecot] Regarding Digest-MD5 auth
Hi,
I am writing a Pop3Client. I use Dovecot server as POP3 server in Linux and hMailServer in Windows.
I was just testing digest-md5 auth with dovecot server.
I had an observation.
After server side verification, server sends a verification code to client. If this fails, how can client send the negative response or does it not exist?
When I see packet capture, dovecot server sends +OK Logged in for anything client sends.
I may be wrong. Please let me know your thoughts
Regards, Heramba
On Thu, 2011-06-09 at 13:48 +0530, kenja heramba wrote:
> Hi,
> I am writing a Pop3Client. I use Dovecot server as POP3 server in Linux and hMailServer in Windows.
> I was just testing digest-md5 auth with dovecot server.
> I had an observation.
> After server side verification, server sends a verification code to client. If this fails, how can client send the negative response or does it not exist?
It doesn't exist. What could the client do anyway? Tell the server that "I see you're doing a man-in-the-middle attack, no thanks"?
> When I see packet capture, dovecot server sends +OK Logged in for anything client sends.
The last thing a client sends is the verification checksum, which finishes the DIGEST-MD5 authentication. After that the login is complete. So I'm not sure what you mean by "anything client sends". If you send a wrong checksum, it should fail the authentication.
participants (2): kenja heramba, Timo Sirainen
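The "verification code" discussed in this thread is the DIGEST-MD5 `rspauth` value. The sketch below is an added example, not part of the original thread and not Dovecot's code: it computes the client response and the expected `rspauth` as RFC 2831 defines them for qop=auth without authzid, then checks the server's base64-encoded final challenge. The inputs are the sample exchange from RFC 2831 section 4 (an IMAP digest-uri, password "secret"); the function names are hypothetical.

```python
import base64
import hashlib
import hmac

# Sample exchange from RFC 2831 section 4 (not captured from Dovecot).
SAMPLE = dict(username="chris", realm="elwood.innosoft.com", password="secret",
              nonce="OA6MG9tEQGm2hh", cnonce="OA6MHXh6VqTrRk", nc="00000001",
              digest_uri="imap/elwood.innosoft.com")

def _h(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def digest(p: dict, a2_prefix: str) -> str:
    """RFC 2831 response-value for qop=auth with no authzid."""
    # A1 starts with the raw 16-byte hash of username:realm:password.
    a1 = (_h(f"{p['username']}:{p['realm']}:{p['password']}".encode())
          + f":{p['nonce']}:{p['cnonce']}".encode())
    a2 = f"{a2_prefix}:{p['digest_uri']}".encode()
    kd = (f"{_h(a1).hex()}:{p['nonce']}:{p['nc']}:"
          f"{p['cnonce']}:auth:{_h(a2).hex()}")
    return _h(kd.encode()).hex()

def client_response(p: dict) -> str:
    # What the client sends: A2 = "AUTHENTICATE:" + digest-uri.
    return digest(p, "AUTHENTICATE")

def expected_rspauth(p: dict) -> str:
    # What the server must send back: same formula, A2 = ":" + digest-uri.
    return digest(p, "")

def server_proved_password(b64_final: str, p: dict) -> bool:
    """Check the payload of the server's final '+ <base64>' line.

    False means the peer did not show knowledge of the shared password,
    so the client should treat the login as failed.
    """
    try:
        text = base64.b64decode(b64_final, validate=True).decode("ascii")
    except ValueError:  # covers bad base64 and non-ASCII bytes
        return False
    fields = dict(kv.split("=", 1) for kv in text.split(",") if "=" in kv)
    got = fields.get("rspauth", "").strip('"')
    return hmac.compare_digest(got, expected_rspauth(p))
```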