Mail module: auth cram-md5 does not work

Hi list,

I am using nginx as a mail proxy. It works well, but I experienced some
errors with CRAM-MD5 SMTP auth.

This is my SMTP TCP log

20 my_host ESMTP ready
EHLO macbook-pro-di-miguel-beccari.local
250-my_host
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN CRAM-MD5
250 STARTTLS
AUTH CRAM-MD5
334 PDc1Njk0NDk5MS4xMjMzODcwNTE3QG15c3FsPg==
bXlfdGVzdEBjbGlra2EuY29tIDdjNzRkYjUxYTNhZGZjMTZhNjVhNDdhY2ExMzZkNTE4
535 5.7.0 Invalid login or password

This is my HTTP auth log

HTTP_AUTH_USER = my_test_user
HTTP_AUTH_PASS = 7c74db51a3adfc16a65a47aca136d518

NOTE: password should be “test” and not
“7c74db51a3adfc16a65a47aca136d518”

Am I wrong?

Thank you,

Miguel

On Feb 5, 2009, at 10:55 PM, Miguel Beccari wrote:

NOTE: password should be “test” and not
“7c74db51a3adfc16a65a47aca136d518”

Am I wrong?

With CRAM-MD5 [1], no password is sent in the clear, but rather an HMAC-MD5
of the server challenge.

Cheers,


PA.
http://alt.textdrive.com/nanoki/

[1] CRAM-MD5 - Wikipedia

Il giorno 05/feb/09, alle ore 23:14, Petite A. ha scritto:

HTTP_AUTH_USER = my_test_user
HTTP_AUTH_PASS = 7c74db51a3adfc16a65a47aca136d518

NOTE: password should be “test” and not
“7c74db51a3adfc16a65a47aca136d518”

Am I wrong?

With CRAM-MD5 [1], no password is sent in the clear, but rather an
HMAC-MD5 of the server challenge.

I had suspicions along those lines…

Can you point me to a way to verify auth, please?

I have the username and the challenge (7c74db51a3adfc16a65a47aca136d518).
Could I go back to password?

Hello!

On Thu, Feb 05, 2009 at 10:55:42PM +0100, Miguel Beccari wrote:

250-8BITMIME
250-PIPELINING

Unrelated note: nginx as of now doesn’t support smtp pipelining. You are
asking for trouble by advertising it.

HTTP_AUTH_PASS = 7c74db51a3adfc16a65a47aca136d518

NOTE: password should be “test” and not
“7c74db51a3adfc16a65a47aca136d518”

Am I wrong?

With CRAM-MD5 no password is transferred from client to server.
In your auth script you should use the Auth-Salt header and the user’s
plaintext password to check if the hash sent by the client (in the Auth-Pass
header) is correct.

Also, for pop3/imap (not for smtp) you should return the original user
password back to nginx if CRAM-MD5 is used (or nginx will be unable to
authenticate to the backend).

Maxim D.

Hello!

On Fri, Feb 06, 2009 at 09:02:44AM +0100, Miguel Beccari wrote:

Unrelated note: nginx as of now doesn’t support smtp pipelining. You are
asking for trouble by advertising it.

Thank you very much for these notes. I am still testing nginx… Where can
I find complete documentation about features?

The most complete one is available on the official site, but it’s written
mostly in the C language. :)

Other possibilities include:

http://wiki.codemongers.com/NginxMailCoreModule (rather minimal)
Directives of the ngx_mail_core_module module [Citrin's site] (in Russian)

An example schema of an auth script with CRAM-MD5 would be appreciated.

For both plain and CRAM-MD5 something like this should work (note
that this tests the Auth-Method header before doing the actual checks):

use strict;
use warnings;
use Digest::HMAC_MD5 qw/ hmac_md5_hex /;

# nginx sends Auth-Method, Auth-User, Auth-Pass and Auth-Salt headers;
# a CGI wrapper exposes them as HTTP_AUTH_* environment variables.
my $method = $ENV{HTTP_AUTH_METHOD};
my $user   = $ENV{HTTP_AUTH_USER};
my $pass   = $ENV{HTTP_AUTH_PASS};   # plaintext password, or the client's hex digest for cram-md5
my $salt   = $ENV{HTTP_AUTH_SALT};   # the challenge nginx sent to the client

# fetch the user's plaintext password based on Auth-User here
# (lookup_password is a placeholder for your own storage lookup)
my $realpass = lookup_password($user);

if (($method eq 'plain' && $pass eq $realpass) or
    ($method eq 'cram-md5' && $pass eq hmac_md5_hex($salt, $realpass)))
{
    # … auth ok
}

The same thing applies for APOP authentication for pop3 (with the
exception that Auth-Method will be apop, and you should check MD5,
not HMAC-MD5).

But actually I recommend avoiding both CRAM-MD5 and APOP since
they require plaintext passwords to be stored on the server. It’s
much better to use plain authentication with security added by the SSL
layer.

Maxim D.

On Feb 5, 2009, at 11:41 PM, Miguel Beccari wrote:

I have username and chanllenge (7c74db51a3adfc16a65a47aca136d518).
Could I go back to password?

No.

This is how it goes:

(1) Use the username to retrieve the password
(2) Use that password to HMAC-MD5 the challenge
(3) Compare the HMAC to the digest
(4) If digest and HMAC match, the authentication has succeeded

HTH.

Cheers,
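The exchange from Miguel's SMTP log, decoded and checked the way PA's four steps describe, as an added example in Python (not code from this thread). The base64 strings are the 334 challenge and the client reply from the log; the password table mapping the decoded user to "test" and the fresh-challenge generator are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Captured in the SMTP log above: the server's 334 challenge and the client's reply.
CAPTURED_CHALLENGE_B64 = "PDc1Njk0NDk5MS4xMjMzODcwNTE3QG15c3FsPg=="
CAPTURED_RESPONSE_B64 = "bXlfdGVzdEBjbGlra2EuY29tIDdjNzRkYjUxYTNhZGZjMTZhNjVhNDdhY2ExMzZkNTE4"

# Constructed password store; a real auth script would query its user database.
PASSWORDS = {"my_test@clikka.com": "test"}


def decode_challenge(challenge_b64: str) -> bytes:
    """The 334 line carries the raw challenge base64-encoded; this is what the client MACs."""
    return base64.b64decode(challenge_b64)


def make_challenge() -> bytes:
    """Server step: a fresh, unpredictable challenge in the <random.timestamp@host> form nginx uses."""
    return f"<{secrets.randbits(32)}.{int(time.time())}@mail.example>".encode()


def client_response(username: str, password: str, challenge: bytes) -> str:
    """Client side of CRAM-MD5: base64(username + " " + hex(HMAC-MD5(key=password, msg=challenge)))."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()


def parse_response(response_b64: str) -> tuple:
    """Split the decoded client reply into (username, digest); the digest is what nginx forwards as Auth-Pass."""
    decoded = base64.b64decode(response_b64).decode()
    username, _, digest = decoded.rpartition(" ")
    return username, digest


def verify(challenge: bytes, username: str, digest: str) -> bool:
    """Server side, PA's steps: look up the password, HMAC the challenge with it, compare digests."""
    password = PASSWORDS.get(username)
    if password is None:
        password = ""  # still run the comparison so unknown users cost the same as wrong passwords
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest) and username in PASSWORDS


if __name__ == "__main__":
    challenge = decode_challenge(CAPTURED_CHALLENGE_B64)
    user, digest = parse_response(CAPTURED_RESPONSE_B64)
    print("challenge:", challenge.decode())
    print("user:", user, "digest:", digest)
    print("captured digest verifies against password 'test':", verify(challenge, user, digest))

    # Round trip with our own client against a fresh challenge.
    fresh = make_challenge()
    print("own round trip verifies:", verify(fresh, *parse_response(client_response(user, "test", fresh))))
```

Running it prints the decoded challenge and the (user, digest) pair nginx passes on as Auth-User and Auth-Pass, then reports whether that digest matches the password "test" from Miguel's note; since the MAC is keyed with the password, the digest alone cannot be turned back into it, which is PA's "No".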

On Feb 6, 2009, at 1:01 PM, Maxim D. wrote:

But actually I recommend avoiding both CRAM-MD5 and APOP since
they require plaintext passwords to be stored on the server. It’s
much better to use plain authentication with security added by the SSL
layer.

Yes, if you can afford it, STARTTLS and AUTH PLAIN is the way to go.

Cheers,

Il giorno 06/feb/09, alle ore 13:01, Maxim D. ha scritto:

I find complete documentation about features?

The most complete one is available on the official site, but it’s written
mostly in the C language. :)

Other possibilities include:

http://wiki.codemongers.com/NginxMailCoreModule (rather minimal)
Directives of the ngx_mail_core_module module [Citrin's site] (in Russian)

Thank you very much for your precious information: the CRAM-MD5 mechanism
is clear.

But now I have another problem. Logs say:

2009/02/07 10:51:19 [error] 23924#0: *73 upstream sent invalid
response: “551 sorry, your domain is not correct” while reading
response from upstream, client: 192.168.172.11 server: 0.0.0.0:25,
login: “my_test”, upstream: 192.168.172.29:25

Should I send additional HTTP header information when using SMTP
with CRAM-MD5 auth?

Miguel Beccari

Unrelated note: nginx as of now doesn’t support smtp pipelining. You are
asking for trouble by advertising it.

Thank you very much for these notes. I am still testing nginx… Where can
I find complete documentation about features?

With CRAM-MD5 no password is transferred from client to server.
In your auth script you should use the Auth-Salt header and the user’s
plaintext password to check if the hash sent by the client (in the Auth-Pass
header) is correct.

And thank you very much for this tip. Where can I find complete
documentation about this feature?

I read the mail modules documentation and I did not find anything about
the Auth-Salt header.

An example schema of an auth script with CRAM-MD5 would be appreciated.

Thank you very much,

Miguel Beccari

Hello!

On Sat, Feb 07, 2009 at 10:57:37AM +0100, Miguel Beccari wrote:

upstream: 192.168.172.29:25

This error was returned by your backend smtp server. Check its
configuration and logs to find out what caused this error.

Should I send additional HTTP header information when using SMTP with
CRAM-MD5 auth?

For smtp - no, you shouldn’t, since nginx doesn’t try to
authenticate against smtp backends. For pop3/imap you have to
return the user’s plaintext password back to nginx from your auth
script.

Maxim D.
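An auth_http handler in the shape Maxim's Perl snippet sketches, extended to the pop3/imap case he describes in this and his earlier reply (handing the plaintext password back in Auth-Pass so nginx can log in to the backend) and to APOP. This is an added example in Python, not code from this thread or from nginx. The user table, the backend address and the port map are constructed; the function takes the request headers nginx sends as a dict and returns the response headers the script should emit, so wiring it to an actual HTTP server is left to the reader.

```python
import hashlib
import hmac

# Constructed user store. CRAM-MD5 and APOP can only be checked against the
# plaintext password, which is the drawback Maxim points out.
USERS = {
    "my_test@clikka.com": {"password": "test", "server": "192.168.172.29"},
}
# Backend port per Auth-Protocol value; constructed for the example.
BACKEND_PORTS = {"smtp": 25, "pop3": 110, "imap": 143}


def expected_digest(method: str, salt: str, password: str) -> str:
    """What a correct client sends for a challenge-response method, given the real password."""
    if method == "cram-md5":
        # HMAC-MD5 keyed with the password over the challenge nginx sent (Auth-Salt).
        return hmac.new(password.encode(), salt.encode(), hashlib.md5).hexdigest()
    if method == "apop":
        # APOP is plain MD5 over banner timestamp + password, not an HMAC.
        return hashlib.md5((salt + password).encode()).hexdigest()
    raise ValueError(f"not a challenge-response method: {method}")


def handle_auth_request(req: dict) -> dict:
    """Turn the headers nginx sends (Auth-Method, Auth-User, Auth-Pass, Auth-Salt,
    Auth-Protocol) into the headers an auth_http script must answer with."""
    method = req.get("Auth-Method", "").lower()
    user = req.get("Auth-User", "")
    client_pass = req.get("Auth-Pass", "")
    salt = req.get("Auth-Salt", "")
    protocol = req.get("Auth-Protocol", "").lower()

    account = USERS.get(user)
    # Unknown users are checked against "" so the timing matches a wrong password.
    real_pass = account["password"] if account else ""

    if method == "plain":
        # Auth-Pass is the password itself (nginx reports AUTH LOGIN as "plain" too).
        ok = hmac.compare_digest(client_pass.encode(), real_pass.encode())
    elif method in ("cram-md5", "apop"):
        # Auth-Pass is the client's hex digest; recompute it from the stored password.
        expected = expected_digest(method, salt, real_pass)
        ok = hmac.compare_digest(expected.encode(), client_pass.encode())
    else:
        ok = False

    port = BACKEND_PORTS.get(protocol)
    if not (ok and account and port):
        # Auth-Wait makes nginx pause before reporting the failure to the client.
        return {"Auth-Status": "Invalid login or password", "Auth-Wait": "3"}

    resp = {
        "Auth-Status": "OK",
        "Auth-Server": account["server"],
        "Auth-Port": str(port),
    }
    if protocol in ("pop3", "imap") and method in ("cram-md5", "apop"):
        # nginx logs in to POP3/IMAP backends itself and only holds the client's digest,
        # so the script returns the plaintext password. nginx does not authenticate to
        # SMTP backends, so nothing extra is needed there.
        resp["Auth-Pass"] = real_pass
    return resp


if __name__ == "__main__":
    salt = "<756944991.1233870517@mysql>"  # the challenge from the SMTP log, decoded
    req = {
        "Auth-Method": "cram-md5", "Auth-User": "my_test@clikka.com",
        "Auth-Salt": salt, "Auth-Protocol": "imap",
        "Auth-Pass": expected_digest("cram-md5", salt, "test"),
    }
    for header, value in handle_auth_request(req).items():
        print(f"{header}: {value}")
```

An Auth-Status other than OK is what the client sees as the failure text (the "535 5.7.0 Invalid login or password" line in the SMTP log), so the same handler serves all three protocols; only the pop3/imap branch adds Auth-Pass.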