[Dovecot] Regarding Digest-MD5 auth
Timo Sirainen
tss at iki.fi
Mon Jun 13 16:59:27 EEST 2011
On Thu, 2011-06-09 at 13:48 +0530, kenja heramba wrote:
> Hi,
>
> I am writing a Pop3Client. I use dovecot server as POP3 server in linux and
> hMailServer in windows.
>
> I was just testing digest-md5 auth with dovecot server.
>
> I had an observation.
>
> After server side verification, server sends a verification code to client.
> If this fails, how can client send the negative response or does it not
> exist?
It doesn't exist. What could the client do anyway? Tell the server that
"I see you're doing a man-in-the-middle attack, no thanks"?
> When I see packet capture, dovecot server sends +OK Logged in for anything
> client sends.
The last thing a client sends is the verification checksum, which
finishes the DIGEST-MD5 authentication. After that the login is
complete. So I'm not sure what you mean by "anything client sends". If
you send a wrong checksum, it should fail the authentication.
More information about the dovecot
mailing list