Friday, March 5, 2010

Authenticated SMTP tutorial

IndiMail supports three AUTH methods: LOGIN, PLAIN and CRAM-MD5. Most email clients, such as Thunderbird, Outlook, Outlook Express and Evolution, support these methods. They are provided by the checkpassword-compatible modules vchkpass(8) and pam-checkpwd(8).

The easiest way to understand how these methods work is to use telnet together with the base64 encoding/decoding utility /usr/bin/base64.

For illustration purposes, let's say we have a user 'postmaster@example.com' with the password 'pass'.

1. AUTH LOGIN
% echo -n postmaster@example.com | /usr/bin/base64 -i
cG9zdG1hc3RlckBleGFtcGxlLmNvbQ==


% echo -n pass | /usr/bin/base64 -i
cGFzcw==


% telnet 0 smtp
220 Laptop (NO UCE) ESMTP IndiMail 1.28 21 Jun 2003 22:35:24 +0530
auth login
334 VXNlcm5hbWU6
cG9zdG1hc3RlckBleGFtcGxlLmNvbQ==
334 UGFzc3dvcmQ6
cGFzcw==
235 ok, go ahead (#2.0.0)


2. AUTH PLAIN

% printf "\0postmaster@example.com\0pass" | /usr/bin/base64
AHBvc3RtYXN0ZXJAZXhhbXBsZS5jb20AcGFzcw==

% telnet 0 smtp
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
220 Laptop (NO UCE) ESMTP IndiMail 1.28 21 Jun 2003 23:08:33 +0530
auth plain AHBvc3RtYXN0ZXJAZXhhbXBsZS5jb20AcGFzcw==
235 ok, go ahead (#2.0.0)

3. AUTH CRAM-MD5

CRAM-MD5 is a challenge-response method in which the password is not sent over the network. It requires that the password be stored in the clear in IndiMail's MySQL backend database.

% sudo /usr/bin/vpasswd postmaster@example.com -e pass

The next step is to write a script named cram-md5:

% cat > cram-md5 <<>"
sys.exit(1)
str=cram_md5_response(sys.argv[1], sys.argv[2], sys.argv[3]);
print "%s" %str
EOF

% sudo chmod +x ./cram-md5

Now when you issue auth cram-md5 (see the session below), the server replies with a challenge. In the example below, the challenge is

PDIwMTM3LjEyNjc1ODUxMDBAaW5kaW1haWwub3JnPg==

If you decode it, i.e.

% echo PDIwMTM3LjEyNjc1ODUxMDBAaW5kaW1haWwub3JnPg== | base64 -d
<20137.1267585100@indimail.org>

The response to the challenge can be generated with the cram-md5 script created above, i.e.

% ./cram-md5 PDIwMTM3LjEyNjc1ODUxMDBAaW5kaW1haWwub3JnPg==
cG9zdG1hc3RlckBleGFtcGxlLmNvbSBjZWU4Mzk3YWIxMjNhMGQ0ZjNhN2ZkZGJiOWNiODcxOQ==

% telnet 0 smtp
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
220 indimail.org (NO UCE) ESMTP IndiMail 1.137 3 Mar 2010 08:28:17 +0530
auth cram-md5
334 PDIwMTM3LjEyNjc1ODUxMDBAaW5kaW1haWwub3JnPg==
cG9zdG1hc3RlckBleGFtcGxlLmNvbSBjZWU4Mzk3YWIxMjNhMGQ0ZjNhN2ZkZGJiOWNiODcxOQ==
235 ok, go ahead (#2.0.0)
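As an added example that is not part of the original tutorial, the following Python 3 script builds the three credentials shown above (the two AUTH LOGIN strings, the AUTH PLAIN string and the CRAM-MD5 response for the challenge in the session) and also shows the server-side check a checkpassword module has to perform: recompute HMAC-MD5 from the stored clear-text password and compare. The account, password and challenge values are the tutorial's; the function names and the lookup callback are my own.

```python
import base64
import hashlib
import hmac

# Sample values taken from the tutorial's example account and session (not secrets of a real system).
USER = "postmaster@example.com"
PASSWORD = "pass"
CHALLENGE_B64 = "PDIwMTM3LjEyNjc1ODUxMDBAaW5kaW1haWwub3JnPg=="

def auth_login_tokens(user, password):
    """AUTH LOGIN: username and password are sent as two separate base64 strings."""
    enc = lambda s: base64.b64encode(s.encode()).decode()
    return enc(user), enc(password)

def auth_plain_token(user, password, authzid=""):
    """AUTH PLAIN (RFC 4616): base64(authzid NUL authcid NUL password) as one string."""
    return base64.b64encode(f"{authzid}\0{user}\0{password}".encode()).decode()

def cram_md5_digest(password, challenge_b64):
    """HMAC-MD5 of the decoded server challenge, keyed with the clear-text password (RFC 2195)."""
    challenge = base64.b64decode(challenge_b64)
    return hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()

def cram_md5_response(user, password, challenge_b64):
    """Client side: base64(user SP hexdigest), the line typed after the 334 challenge."""
    return base64.b64encode(f"{user} {cram_md5_digest(password, challenge_b64)}".encode()).decode()

def decode_cram_md5_response(response_b64):
    """Split a client response into (user, hexdigest); ('', '') if it is not well formed."""
    try:
        user, _, digest = base64.b64decode(response_b64, validate=True).decode().partition(" ")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return "", ""
    return user, digest

def cram_md5_verify(response_b64, challenge_b64, lookup_password):
    """Server side: fetch the stored clear-text password for the claimed user, recompute the
    digest for the challenge we issued and compare in constant time. lookup_password(user)
    is assumed to return the stored password, or None for an unknown user."""
    user, digest = decode_cram_md5_response(response_b64)
    stored = lookup_password(user) if user else None
    if stored is None or len(digest) != 32:
        return False
    expected = cram_md5_digest(stored, challenge_b64)
    return hmac.compare_digest(expected.encode(), digest.encode())

if __name__ == "__main__":
    print("AUTH LOGIN tokens:", auth_login_tokens(USER, PASSWORD))
    print("AUTH PLAIN token: ", auth_plain_token(USER, PASSWORD))
    print("CRAM-MD5 response:", cram_md5_response(USER, PASSWORD, CHALLENGE_B64))
```

Base64 is an encoding, not encryption, so LOGIN and PLAIN hand the password to anyone who can read the session unless it runs under TLS; CRAM-MD5 keeps it off the wire, but only because the server holds it in clear, which is the trade-off the vpasswd step above makes.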


Please do take a look at Erwin Hoffman's excellent tutorial on the same subject at
http://www.fehcom.de/qmail/smtpauth.html
