Forum: NGINX Mail module: auth cram-md5 does not work

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- und Ruby-related community platforms.
Miguel Beccari (Guest)
on 2009-02-06 00:08
(Received via mailing list)
Hi list,

I am using nginx as a mail proxy. It works good but I experienced some
errors with cram-md5 smtp auth.

This is my SMTP TCP log

20 my_host ESMTP ready
EHLO macbook-pro-di-miguel-beccari.local
250-my_host
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN CRAM-MD5
250 STARTTLS
AUTH CRAM-MD5
334 PDc1Njk0NDk5MS4xMjMzODcwNTE3QG15c3FsPg==
bXlfdGVzdEBjbGlra2EuY29tIDdjNzRkYjUxYTNhZGZjMTZhNjVhNDdhY2ExMzZkNTE4
535 5.7.0 Invalid login or password

This is my HTTP auth log

HTTP_AUTH_USER = my_test_user
HTTP_AUTH_PASS = 7c74db51a3adfc16a65a47aca136d518


NOTE: password should be "test" and not
"7c74db51a3adfc16a65a47aca136d518"

Am I wrong?

Thank you,


Miguel
Petite A. (Guest)
on 2009-02-06 00:25
(Received via mailing list)
On Feb 5, 2009, at 10:55 PM, Miguel Beccari wrote:

>
> NOTE: password should be "test" and not
> "7c74db51a3adfc16a65a47aca136d518"
>
> Am I wrong?

With CRAM-MD5 [1], no password is sent in the clear, but rather a HMAC-
MD5 of the server challenge.

Cheers,

--
PA.
http://alt.textdrive.com/nanoki/

[1] http://en.wikipedia.org/wiki/CRAM-MD5
Miguel Beccari (Guest)
on 2009-02-06 00:50
(Received via mailing list)
Il giorno 05/feb/09, alle ore 23:14, Petite A. ha scritto:

>> HTTP_AUTH_USER = my_test_user
>> HTTP_AUTH_PASS = 7c74db51a3adfc16a65a47aca136d518
>>
>>
>> NOTE: password should be "test" and not
>> "7c74db51a3adfc16a65a47aca136d518"
>>
>> Am I wrong?
>
> With CRAM-MD5 [1], no password is sent in the clear, but rather a
> HMAC-MD5 of the server challenge.

I had suspects in that way....

Can you point me to a way to verify auth, please?

I have username and chanllenge (7c74db51a3adfc16a65a47aca136d518).
Could I go back to password?
Maxim D. (Guest)
on 2009-02-06 00:51
(Received via mailing list)
Hello!

On Thu, Feb 05, 2009 at 10:55:42PM +0100, Miguel Beccari wrote:

> 250-8BITMIME
> 250-PIPELINING

Unrelated note: nginx as of now doesn't support smtp pipelining.  You
are
searching from troubles by advertising it.

> HTTP_AUTH_PASS = 7c74db51a3adfc16a65a47aca136d518
>
>
> NOTE: password should be "test" and not
> "7c74db51a3adfc16a65a47aca136d518"
>
> Am I wrong?

With CRAM-MD5 no password is transferred from client to server.
In your auth script you should use Auth-Salt header and user's
plaintext password to check if hash sent by client (in Auth-Pass header)
is correct.

Also, for pop3/imap (not for smtp) you should return original user
password back to nginx if CRAM-MD5 used (or nginx will be unable to
authenticate to backend).

Maxim D.
Miguel Beccari (Guest)
on 2009-02-06 09:49
(Received via mailing list)
>

> Unrelated note: nginx as of now doesn't support smtp pipelining.  You are



> searching from troubles by advertising it.



Thanks you very much for this notes. I am still testing nginx... Where
can

I find complete documentation about features?



>

> With CRAM-MD5 no password is transferred from client to server.

> In your auth script you should use Auth-Salt header and user's

> plaintext password to check if hash sent by client (in Auth-Pass header)

> is correct.

>



And thank you very much for this tip. Where can I find complete

documentation about this feature?

I read mail modules documentation and I did not find anything about

Auth-Salt header.



An axample schema of auth script with CRAM-MD5 will be appreciated.





Thank you very much,



Miguel Beccari
Maxim D. (Guest)
on 2009-02-06 14:12
(Received via mailing list)
Hello!

On Fri, Feb 06, 2009 at 09:02:44AM +0100, Miguel Beccari wrote:

> > Unrelated note: nginx as of now doesn't support smtp pipelining.  You are
> > searching from troubles by advertising it.
>
> Thanks you very much for this notes. I am still testing nginx... Where can
> I find complete documentation about features?

The most complete one available on official site, but it's written
mostly in C language.  :)

Other possibilities include:

http://wiki.codemongers.com/NginxMailCoreModule (rather minimal)
http://citrin.ru/nginx:ngx_mail_core_module (in russian)

>
> An axample schema of auth script with CRAM-MD5 will be appreciated.

For both plain and CRAM-MD5 something like this should work (note
that this tests Auth-Method header before doing actual checks):

    use Digest::HMAC_MD5 qw/ hmac_md5_hex /;

    my $method = $ENV{HTTP_AUTH_METHOD};
    my $pass = $ENV{HTTP_AUTH_PASSWORD};
    my $salt = $ENV{HTTP_AUTH_SALT};
    my $realpass = ... # fetch user password based on Auth-Login here

    if (($method eq 'plain' && $pass eq $realpass) or
        ($method eq 'cram-md5' && $pass eq hmac_md5_hex($salt,
$realpass)))
    {
        # ... auth ok
    }

The same thing applies for APOP authentication for pop3 (with the
exception that Auth-Method will be apop, and you should check MD5,
not HMAC-MD5).

But actually I recommend avoid using both CRAM-MD5 and APOP since
they require plaintext passwords to be stored on server.  It's
much better to use plain authentication with security added by SSL
layer.

Maxim D.
Petite A. (Guest)
on 2009-02-06 20:01
(Received via mailing list)
On Feb 5, 2009, at 11:41 PM, Miguel Beccari wrote:

> I have username and chanllenge (7c74db51a3adfc16a65a47aca136d518).
> Could I go back to password?

No.

This is how it goes:

(1) Use the username to retrieve the password
(2) Use that password to HMAC-MD5 the challenge
(3) Compare the HMAC to the digest
(4) If digest and HMAC match, the authentication has succeeded

HTH.

Cheers,
Petite A. (Guest)
on 2009-02-06 20:01
(Received via mailing list)
On Feb 6, 2009, at 1:01 PM, Maxim D. wrote:

> But actually I recommend avoid using both CRAM-MD5 and APOP since
> they require plaintext passwords to be stored on server.  It's
> much better to use plain authentication with security added by SSL
> layer.

Yes, if you can afford it, STARTTLS and AUTH PLAIN is the way to go.

Cheers,
Miguel Beccari (Guest)
on 2009-02-07 12:07
(Received via mailing list)
Il giorno 06/feb/09, alle ore 13:01, Maxim D. ha scritto:

>> I find complete documentation about features?
>
> The most complete one available on official site, but it's written
> mostly in C language.  :)
>
> Other possibilities include:
>
> http://wiki.codemongers.com/NginxMailCoreModule (rather minimal)
> http://citrin.ru/nginx:ngx_mail_core_module (in russian)
>

Thank you very much for your precious informations: cram-md5 mechanism
is clear.

But now I have another problem. Logs say:

2009/02/07 10:51:19 [error] 23924#0: *73 upstream sent invalid
response: "551 sorry, your domain is not correct" while reading
response from upstream, client: 192.168.172.11 server: 0.0.0.0:25,
login: "my_test", upstream: 192.168.172.29:25

Should I write additional HTTP HEADER informations when using smtp
with CRAM-MD5 auth?


Miguel Beccari
Maxim D. (Guest)
on 2009-02-07 12:44
(Received via mailing list)
Hello!

On Sat, Feb 07, 2009 at 10:57:37AM +0100, Miguel Beccari wrote:

>>>
>> http://citrin.ru/nginx:ngx_mail_core_module (in russian)
> upstream: 192.168.172.29:25
This error was returned by your backend smtp server.  Check it's
configuration and logs to find out what's caused this error.

> Should I write additional HTTP HEADER informations when using smtp with
> CRAM-MD5 auth?

For smtp - no, you shouldn't, since nginx doesn't try to
authenticate against smtp backends.  For pop3/imap you have to
return plaintext users password back to nginx from your auth
script.

Maxim D.
This topic is locked and can not be replied to.