CRAM-MD5 authentication problem


Nicola Marangon

Oct 9, 2013, 10:44:32 AM
to mailsend...@googlegroups.com
Hi,
I've a problem with CRAM-MD5 authentication.

This is the log of mailsend.
----------------------------------------------------------------------------------
mailsend -t blab...@mail.com -sub "cram-md5 test" -smtp x.x.x.x -f te...@pentaonline.it -name "Test User" -user te...@pentaonline.it -pass Prova123 -v -log mailsend.log -cs utf-8 -auth
Connecting to x.x.x.x:25
libmsock: using getaddrinfo
 AF_INET IPv4
 IP address: x.x.x.x:25
 EINPROGRESS=10036,EWOULDBLOCK=10035
 connect(): socket=300,rc=-1, errno=10035
(Debug) Try socket 300
[S] 220 pentaonline.it ESMTP MDaemon 13.5.2; Wed, 09 Oct 2013 11:06:10 +0200
[C] EHLO localhost
[S] 250-pentaonline.it Hello localhost, pleased to meet you
[S] 250-ETRN
[S] 250-AUTH LOGIN CRAM-MD5 PLAIN
[S] 250-8BITMIME
[S] 250-STARTTLS
[S] 250 SIZE
Using AUTH CRAM-MD5
[C] AUTH CRAM-MD5
[S] 334 PE1EQUVNT04tRjIwMTMxMDA5MTEwNi5BQTA2MTA0NzJNRDAwMTJAcGVudGFvbmxpbmUuaXQ+

[C] dGVzdEBwZW50YW9ubGluZS5pdCA5ZGM4OGIwNjNkMzQ5ODdlMmU3MDAxYzU5
OWI0ZGMzNg==
[S] 535 Authentication failed
Error: AUTH CRAM-MD5 failed: '535 Authentication failed'
Could not send mail
----------------------------------------------------------------------------------

This is the log seen from the server side:
----------------------------------------------------------------------------------
Wed 2013-10-09 11:06:10: 05: Session 214203; child 0001
Wed 2013-10-09 11:06:10: 05: Accepting SMTP connection from [y.x.x.x:51811] to [x.x.x.x:25]
Wed 2013-10-09 11:06:10: 03: --> 220 pentaonline.it ESMTP MDaemon 13.5.2; Wed, 09 Oct 2013 11:06:10 +0200
Wed 2013-10-09 11:06:10: 02: <-- EHLO localhost
Wed 2013-10-09 11:06:10: 03: --> 250-pentaonline.it Hello localhost, pleased to meet you
Wed 2013-10-09 11:06:10: 03: --> 250-ETRN
Wed 2013-10-09 11:06:10: 03: --> 250-AUTH LOGIN CRAM-MD5 PLAIN
Wed 2013-10-09 11:06:10: 03: --> 250-8BITMIME
Wed 2013-10-09 11:06:10: 03: --> 250-STARTTLS
Wed 2013-10-09 11:06:10: 03: --> 250 SIZE
Wed 2013-10-09 11:06:10: 02: <-- AUTH CRAM-MD5
Wed 2013-10-09 11:06:10: 03: --> 334 PE1EQUVNT04tRjIwMTMxMDA5MTEwNi5BQTA2MTA0NzJNRDAwMTJAcGVudGFvbmxpbmUuaXQ+
Wed 2013-10-09 11:06:10: 02: <-- dGVzdEBwZW50YW9ubGluZS5pdCA5ZGM4OGIwNjNkMzQ5ODdlMmU3MDAxYzU5
Wed 2013-10-09 11:06:10: 03: --> 535 Authentication failed
Wed 2013-10-09 11:06:10: 02: <-- OWI0ZGMzNg==
Wed 2013-10-09 11:06:10: 03: --> 500 What? I don't understand that.
Wed 2013-10-09 11:06:10: 04: *  Winsock Error 10054 
Wed 2013-10-09 11:06:10: 04: SMTP session terminated (Bytes in/out: 107/351)
Wed 2013-10-09 11:06:10: 01: ----------
----------------------------------------------------------------------------------

As you can see there could be a problem with a linefeed:

Wed 2013-10-09 11:06:10: 03: --> 535 Authentication failed
Wed 2013-10-09 11:06:10: 02: <-- OWI0ZGMzNg==
Wed 2013-10-09 11:06:10: 03: --> 500 What? I don't understand that.

Anyway, I've used the CRAM-MD5 authentication tester (http://www.net-track.ch/opensource/cmd5/) to check response and this is the result:
----------------------------------------------------------------------------------
./cmd5 te...@pentaonline.it Prova123 PE1EQUVNT04tRjIwMTMxMDA5MTEwNi5BQTA2MTA0NzJNRDAwMTJAcGVudGFvbmxpbmUuaXQ+
password: Prova123
digest: 9975139252d906d4d5ee11466016965e
base64 decoded: te...@pentaonline.it 9975139252d906d4d5ee11466016965e
base64 encoded: dGVzdEBwZW50YW9ubGluZS5pdCA5OTc1MTM5MjUyZDkwNmQ0ZDVlZTExNDY2MDE2OTY1ZQ==
----------------------------------------------------------------------------------

Here the client's response is different from the one generated by mailsend.

Hope this helps.

--
Nicola Marangon

Muhammad Muquit

Oct 11, 2013, 4:03:59 PM
to mailsend...@googlegroups.com
Yes, definitely a bug. The base64 function is usually used for creating attachments, and it adds CRLF after 60 characters.
Will fix asap.

Thanks.

Muhammad Muquit

Oct 13, 2013, 5:09:26 PM
to mailsend...@googlegroups.com
The HMAC-MD5 calculation by the cmd5 program is not correct; that's why the final base64 is different.
Example:
take hmac-md5 of the challenge:

$ echo -n '<MDAEMON-F201310091...@pentaonline.it>' | openssl dgst -md5 -hmac 'Prova123'
9dc88b063d34987e2e7001c599b4dc36

cmd5 calculated digest as: 9975139252d906d4d5ee11466016965e, which is wrong.
Now calculate base64 of " user digest"

$ echo -n 'te...@pentaonline.it 9dc88b063d34987e2e7001c599b4dc36'|openssl enc -base64
dGVzdEBwZW50YW9ubGluZS5pdCA5ZGM4OGIwNjNkMzQ5ODdlMmU3MDAxYzU5OWI0
ZGMzNg==

which matches with the base64 of mailsend.

Yes newline is a bug and will be fixed in next release.

Thanks.
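
The calculation and the line-wrap failure discussed in this thread, as an added example (not code from mailsend, cmd5 or any poster). The helper names and the `user@example.com` account with its password are constructed; the challenge/response pair used as a known-good check is the sample exchange from RFC 2195.

```python
import base64
import hashlib
import hmac

# RFC 2195 section 2 sample exchange (user "tim", secret "tanstaaftanstaaf").
RFC_CHALLENGE = "PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+"
RFC_RESPONSE = "dGltIGI5MTNhNjAyYzdlZGE3YTQ5NWI0ZTZlNzMzNGQzODkw"
# Constructed account; the longer user name pushes the response past 60 chars.
USER, PASSWORD = "user@example.com", "constructed-password"

def cram_md5_response(user, password, challenge_b64):
    """Client reply: base64("<user> <hex HMAC-MD5(key=password, msg=challenge)>")."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    # b64encode() never inserts line breaks, which an SMTP AUTH reply requires.
    return base64.b64encode(f"{user} {digest}".encode()).decode()

def wrap_for_attachment(b64, width=60):
    """Model of the reported bug: an attachment encoder adding CRLF every 60 chars."""
    return "\r\n".join(b64[i:i + width] for i in range(0, len(b64), width))

def as_smtp_lines(payload):
    """Split the client's bytes the way the server reads them: one line per CRLF."""
    return (payload + "\r\n").split("\r\n")[:-1]

def server_accepts(line, user, password, challenge_b64):
    """Server-side check on the single line read after the 334 challenge."""
    expected = cram_md5_response(user, password, challenge_b64)
    return hmac.compare_digest(line, expected)

if __name__ == "__main__":
    # Known-good vector first, so a wrong HMAC routine is caught immediately.
    assert cram_md5_response("tim", "tanstaaftanstaaf", RFC_CHALLENGE) == RFC_RESPONSE
    good = cram_md5_response(USER, PASSWORD, RFC_CHALLENGE)
    lines = as_smtp_lines(wrap_for_attachment(good))
    print("response length:", len(good), "wrapped line lengths:", [len(l) for l in lines])
    print("unwrapped accepted:", server_accepts(good, USER, PASSWORD, RFC_CHALLENGE))
    # The first wrapped line carries a truncated digest (the 535 in the server log);
    # the remainder arrives as a separate, unknown command (the 500).
    print("first wrapped line accepted:",
          server_accepts(lines[0], USER, PASSWORD, RFC_CHALLENGE))
    print("leftover line seen as a command:", lines[1])
```
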


Nicola Marangon

Oct 14, 2013, 1:25:26 AM
to mailsend...@googlegroups.com
On Sunday, October 13, 2013 at 23:09:26 UTC+2, Muhammad Muquit wrote:

Yes newline is a bug and will be fixed in next release.

Hi Muhammad,
thank you for your prompt answer.
I'll wait for the fix.

Keep up the good work.

Muhammad Muquit

Oct 19, 2013, 9:28:33 PM
to mailsend...@googlegroups.com
It should be fixed in v1.17b13. I sent a mail to the author of cmd5 that it has an issue with HMAC-MD5 calculation on 64-bit systems.