Forum: NGINX Mail module: auth cram-md5 does not work

Miguel Beccari (Guest)
on 2009-02-05 23:08
(Received via mailing list)
Hi list,

I am using nginx as a mail proxy. It works well but I experienced some
errors with cram-md5 smtp auth.

This is my SMTP TCP log

20 my_host ESMTP ready
EHLO macbook-pro-di-miguel-beccari.local
250-my_host
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN CRAM-MD5
250 STARTTLS
AUTH CRAM-MD5
334 PDc1Njk0NDk5MS4xMjMzODcwNTE3QG15c3FsPg==
bXlfdGVzdEBjbGlra2EuY29tIDdjNzRkYjUxYTNhZGZjMTZhNjVhNDdhY2ExMzZkNTE4
535 5.7.0 Invalid login or password

This is my HTTP auth log

HTTP_AUTH_USER = my_test_user
HTTP_AUTH_PASS = 7c74db51a3adfc16a65a47aca136d518


NOTE: password should be "test" and not
"7c74db51a3adfc16a65a47aca136d518"

Am I wrong?

Thank you,


Miguel
Petite Abeille (Guest)
on 2009-02-05 23:25
(Received via mailing list)
On Feb 5, 2009, at 10:55 PM, Miguel Beccari wrote:

>
> NOTE: password should be "test" and not
> "7c74db51a3adfc16a65a47aca136d518"
>
> Am I wrong?

With CRAM-MD5 [1], no password is sent in the clear, but rather an
HMAC-MD5 of the server challenge.

Cheers,

--
PA.
http://alt.textdrive.com/nanoki/

[1] http://en.wikipedia.org/wiki/CRAM-MD5
Miguel Beccari (Guest)
on 2009-02-05 23:50
(Received via mailing list)
On 05/feb/09, at 23:14, Petite Abeille wrote:

>> HTTP_AUTH_USER = my_test_user
>> HTTP_AUTH_PASS = 7c74db51a3adfc16a65a47aca136d518
>>
>>
>> NOTE: password should be "test" and not
>> "7c74db51a3adfc16a65a47aca136d518"
>>
>> Am I wrong?
>
> With CRAM-MD5 [1], no password is sent in the clear, but rather an
> HMAC-MD5 of the server challenge.

I had suspicions along those lines....

Can you point me to a way to verify auth, please?

I have username and challenge (7c74db51a3adfc16a65a47aca136d518).
Could I go back to password?
Maxim Dounin (Guest)
on 2009-02-05 23:51
(Received via mailing list)
Hello!

On Thu, Feb 05, 2009 at 10:55:42PM +0100, Miguel Beccari wrote:

> 250-8BITMIME
> 250-PIPELINING

Unrelated note: nginx as of now doesn't support smtp pipelining.  You
are asking for trouble by advertising it.

> HTTP_AUTH_PASS = 7c74db51a3adfc16a65a47aca136d518
>
>
> NOTE: password should be "test" and not
> "7c74db51a3adfc16a65a47aca136d518"
>
> Am I wrong?

With CRAM-MD5 no password is transferred from client to server.
In your auth script you should use the Auth-Salt header and the user's
plaintext password to check whether the hash sent by the client (in the
Auth-Pass header) is correct.

Also, for pop3/imap (not for smtp) you should return the original user
password back to nginx if CRAM-MD5 is used (or nginx will be unable to
authenticate to the backend).

Maxim Dounin
Miguel Beccari (Guest)
on 2009-02-06 08:49
(Received via mailing list)
> Unrelated note: nginx as of now doesn't support smtp pipelining.  You
> are asking for trouble by advertising it.

Thank you very much for these notes. I am still testing nginx... Where
can I find complete documentation about features?

> With CRAM-MD5 no password is transferred from client to server.
> In your auth script you should use the Auth-Salt header and the user's
> plaintext password to check whether the hash sent by the client (in the
> Auth-Pass header) is correct.

And thank you very much for this tip. Where can I find complete
documentation about this feature?

I read the mail module documentation and I did not find anything about
the Auth-Salt header.

An example schema of an auth script with CRAM-MD5 will be appreciated.

Thank you very much,

Miguel Beccari
Maxim Dounin (Guest)
on 2009-02-06 13:12
(Received via mailing list)
Hello!

On Fri, Feb 06, 2009 at 09:02:44AM +0100, Miguel Beccari wrote:

> > Unrelated note: nginx as of now doesn't support smtp pipelining.  You
> > are asking for trouble by advertising it.
>
> Thank you very much for these notes. I am still testing nginx... Where
> can I find complete documentation about features?

The most complete one is available on the official site, but it's written
mostly in the C language.  :)

Other possibilities include:

http://wiki.codemongers.com/NginxMailCoreModule (rather minimal)
http://citrin.ru/nginx:ngx_mail_core_module (in Russian)

>
> An example schema of an auth script with CRAM-MD5 will be appreciated.

For both plain and CRAM-MD5 something like this should work (note
that this tests the Auth-Method header before doing the actual checks):

    use strict;
    use warnings;
    use Digest::HMAC_MD5 qw/ hmac_md5_hex /;

    # nginx hands its Auth-* request headers to a CGI script as HTTP_AUTH_*
    my $method = $ENV{HTTP_AUTH_METHOD};   # Auth-Method: plain, cram-md5, apop, ...
    my $pass   = $ENV{HTTP_AUTH_PASS};     # Auth-Pass: plaintext password or hex digest
    my $salt   = $ENV{HTTP_AUTH_SALT};     # Auth-Salt: the challenge (cram-md5/apop only)
    # fetch user password based on Auth-User here; lookup_password() is a
    # placeholder for your own lookup and returns undef for unknown users
    my $realpass = lookup_password($ENV{HTTP_AUTH_USER});

    if (defined $realpass and
        (($method eq 'plain' && $pass eq $realpass) or
         ($method eq 'cram-md5' && $pass eq hmac_md5_hex($salt, $realpass))))
    {
        # ... auth ok
    }

The same thing applies to APOP authentication for pop3 (with the
exception that Auth-Method will be apop, and you should check MD5,
not HMAC-MD5).

But actually I recommend avoiding both CRAM-MD5 and APOP since
they require plaintext passwords to be stored on the server.  It's
much better to use plain authentication with security added by the
SSL layer.

Maxim Dounin
Petite Abeille (Guest)
on 2009-02-06 19:01
(Received via mailing list)
On Feb 5, 2009, at 11:41 PM, Miguel Beccari wrote:

> I have username and challenge (7c74db51a3adfc16a65a47aca136d518).
> Could I go back to password?

No.

This is how it goes:

(1) Use the username to retrieve the password
(2) Use that password to HMAC-MD5 the challenge
(3) Compare the HMAC to the digest
(4) If digest and HMAC match, the authentication has succeeded

HTH.

Cheers,
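An added example, not code from this thread and not nginx's own: the check Maxim describes (Auth-Salt plus the stored plaintext password against Auth-Pass), his Perl sketch extended with the apop case, and Petite Abeille's four steps, written as a Python auth_http handler that takes nginx's Auth-* request headers and returns the response headers. It also decodes the AUTH CRAM-MD5 exchange from the first post to show what the two base64 lines actually carry. The user store, the password "test", and the reuse of the backend address from the later error log line are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

# Constructed user store for the example. CRAM-MD5 and APOP can only be
# verified against the plaintext password, which is exactly Maxim's objection
# to both mechanisms. "test" is the password Miguel says his account has.
USERS = {
    "my_test": "test",
    "my_test@clikka.com": "test",
}

# Backend address taken from the nginx error line later in the thread
# (assumption: a single backend; a real handler picks it per user/protocol).
BACKEND_HOST, BACKEND_PORT = "192.168.172.29", 25

# Auth-Wait makes nginx delay the failure answer by that many seconds.
FAIL = {"Auth-Status": "Invalid login or password", "Auth-Wait": "3"}


def expected_digest(method, password, salt):
    """Hex digest nginx relays in Auth-Pass for a challenge-response method.

    cram-md5: HMAC-MD5 keyed with the password over the challenge (RFC 2195).
    apop:     MD5 over timestamp || password (RFC 1939).
    """
    key = password.encode()
    if method == "cram-md5":
        return hmac.new(key, salt.encode(), hashlib.md5).hexdigest()
    if method == "apop":
        return hashlib.md5(salt.encode() + key).hexdigest()
    raise ValueError("no digest scheme for method %r" % method)


def check_auth(headers):
    """Handle one auth_http request: `headers` maps nginx's Auth-* request
    headers to their values; the result is the response headers for nginx."""
    method = headers.get("Auth-Method", "").lower()
    user = headers.get("Auth-User", "")
    sent = headers.get("Auth-Pass", "")
    salt = headers.get("Auth-Salt", "")
    protocol = headers.get("Auth-Protocol", "").lower()

    realpass = USERS.get(user)          # step 1: username -> stored password
    if realpass is None:
        return dict(FAIL)

    if method == "plain":
        ok = hmac.compare_digest(sent.encode(), realpass.encode())
    elif method in ("cram-md5", "apop") and salt:
        # steps 2-3: recompute the digest over the challenge nginx issued
        # (sent as Auth-Salt) and compare it in constant time with Auth-Pass
        ok = hmac.compare_digest(sent.lower().encode(),
                                 expected_digest(method, realpass, salt).encode())
    else:
        ok = False
    if not ok:
        return dict(FAIL)

    resp = {"Auth-Status": "OK",            # step 4: match means success
            "Auth-Server": BACKEND_HOST,
            "Auth-Port": str(BACKEND_PORT)}
    # Maxim's rule: for pop3/imap nginx logs in to the backend itself, so
    # after a cram-md5/apop login it needs the plaintext password handed
    # back. For smtp nginx never authenticates to the backend.
    if protocol in ("pop3", "imap") and method in ("cram-md5", "apop"):
        resp["Auth-Pass"] = realpass
    return resp


def decode_cram_exchange(server_334_line, client_line):
    """Split an AUTH CRAM-MD5 exchange into (challenge, username, hex digest):
    the 334 line carries the base64 challenge, the client answers with
    base64("username SP hexdigest"). No password travels on the wire."""
    challenge = base64.b64decode(server_334_line.split(" ", 1)[1]).decode()
    user, digest = base64.b64decode(client_line).decode().rsplit(" ", 1)
    return challenge, user, digest


# The exchange quoted in the first post of the thread.
CHALLENGE_LINE = "334 PDc1Njk0NDk5MS4xMjMzODcwNTE3QG15c3FsPg=="
RESPONSE_LINE = "bXlfdGVzdEBjbGlra2EuY29tIDdjNzRkYjUxYTNhZGZjMTZhNjVhNDdhY2ExMzZkNTE4"

if __name__ == "__main__":
    challenge, user, digest = decode_cram_exchange(CHALLENGE_LINE, RESPONSE_LINE)
    print("challenge:", challenge)            # what nginx forwards as Auth-Salt
    print("user:", user, "digest:", digest)   # the digest arrives as Auth-Pass
    print(check_auth({"Auth-Method": "cram-md5", "Auth-Protocol": "smtp",
                      "Auth-User": user, "Auth-Pass": digest,
                      "Auth-Salt": challenge}))
```

Run as a script it prints the decoded challenge "<756944991.1233870517@mysql>", the login "my_test@clikka.com" with the 32-hex-digit digest from the log, and the Auth-* headers the handler would return for that request against the constructed store. The comparison goes through `hmac.compare_digest` rather than `==` so that a wrong digest takes the same time to reject regardless of where it first differs.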
Petite Abeille (Guest)
on 2009-02-06 19:01
(Received via mailing list)
On Feb 6, 2009, at 1:01 PM, Maxim Dounin wrote:

> But actually I recommend avoiding both CRAM-MD5 and APOP since
> they require plaintext passwords to be stored on the server.  It's
> much better to use plain authentication with security added by the
> SSL layer.

Yes, if you can afford it, STARTTLS and AUTH PLAIN is the way to go.

Cheers,
Miguel Beccari (Guest)
on 2009-02-07 11:07
(Received via mailing list)
On 06/feb/09, at 13:01, Maxim Dounin wrote:

>> I find complete documentation about features?
>
> The most complete one is available on the official site, but it's written
> mostly in the C language.  :)
>
> Other possibilities include:
>
> http://wiki.codemongers.com/NginxMailCoreModule (rather minimal)
> http://citrin.ru/nginx:ngx_mail_core_module (in Russian)
>

Thank you very much for your precious information: the cram-md5 mechanism
is clear.

But now I have another problem. Logs say:

2009/02/07 10:51:19 [error] 23924#0: *73 upstream sent invalid
response: "551 sorry, your domain is not correct" while reading
response from upstream, client: 192.168.172.11 server: 0.0.0.0:25,
login: "my_test", upstream: 192.168.172.29:25

Should I write additional HTTP header information when using smtp
with CRAM-MD5 auth?


Miguel Beccari
Maxim Dounin (Guest)
on 2009-02-07 11:44
(Received via mailing list)
Hello!

On Sat, Feb 07, 2009 at 10:57:37AM +0100, Miguel Beccari wrote:

>>>
>> http://citrin.ru/nginx:ngx_mail_core_module (in russian)
> upstream: 192.168.172.29:25
This error was returned by your backend smtp server.  Check its
configuration and logs to find out what caused this error.

> Should I write additional HTTP header information when using smtp with
> CRAM-MD5 auth?

For smtp - no, you shouldn't, since nginx doesn't try to
authenticate against smtp backends.  For pop3/imap you have to
return the user's plaintext password back to nginx from your auth
script.

Maxim Dounin