auth_http - Password always different


nsclick
Hello,

I'm trying to use "auth_http" to handle the authentication for SMTP.
The auth script itself is a PHP script. At the beginning of the script I'm doing the following (just for testing!!! The passwords will not be logged later):

if( !isset($_SERVER["HTTP_AUTH_USER"]) || !isset($_SERVER["HTTP_AUTH_PASS"]) )
{
        // User or Password are NOT set.
        fail("Invalid user or password");
}

$username = $_SERVER["HTTP_AUTH_USER"];
$userpass = $_SERVER["HTTP_AUTH_PASS"];
$protocol = $_SERVER["HTTP_AUTH_PROTOCOL"];

$fd=fopen('php_mail.log', 'a');
fputs($fd, "User: [".$username."]  Protocol: [".$protocol."]  Pass: [".$userpass."]\n");
fclose($fd);


However, the passwords I see in the log are different all the time for the same user.
Often they consist of 32 hexadecimal digits (but never the same combination) or sometimes they are simply the username with brackets around.

To my understanding, the received password should be the same all the time, because otherwise I cannot check the user credentials.

Is there a problem with my understanding or am I missing something?

Thanks,

Thomas
_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: auth_http - Password always different

Maxim Dounin
Hello!

On Mon, Dec 23, 2019 at 12:47:11PM +0100, [hidden email] wrote:

> Hello,
>
> I'm trying to use "auth_http" to handle the authentication for SMTP.
> The auth script itself is a PHP script. At the beginning of the script I'm doing the following (just for testing!!! The passwords will not be logged later):
>
> if( !isset($_SERVER["HTTP_AUTH_USER"]) || !isset($_SERVER["HTTP_AUTH_PASS"]) )
> {
> // User or Password are NOT set.
> fail("Invalid user or password");
> }
>
> $username = $_SERVER["HTTP_AUTH_USER"];
> $userpass = $_SERVER["HTTP_AUTH_PASS"];
> $protocol = $_SERVER["HTTP_AUTH_PROTOCOL"];
>
> $fd=fopen('php_mail.log', 'a');
> fputs($fd, "User: [".$username."]  Protocol: [".$protocol."]  Pass: [".$userpass."]\n");
> fclose($fd);
>
>
> However, the passwords I see in the log are different all the time for the same user.
> Often they consist of 32 hexadecimal digits (but never the same combination) or sometimes they are simply the username with brackets around.
>
> To my understanding, the received password should be the same all the time, because otherwise I cannot check the user credentials.
>
> Is there a problem with my understanding or am I missing something?

Check the Auth-Method header, most likely the auth method used is
not plain, but apop or cram-md5.  See docs here:

http://nginx.org/en/docs/mail/ngx_mail_auth_http_module.html#protocol

for details.  More information about APOP and CRAM-MD5 can be
found in relevant RFCs.

--
Maxim Dounin
http://mdounin.ru/
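
The per-method check that the reply above points to, as an added example that is not part of the original thread and is not nginx's own code. The function name `verify_mail_auth`, the sample password and the challenge strings are constructed, and the `HTTP_AUTH_METHOD` / `HTTP_AUTH_SALT` keys assume the same header-to-`$_SERVER` mapping the poster's script already relies on for `HTTP_AUTH_USER`.

```php
<?php
// Added example: check nginx auth_http credentials according to Auth-Method.
// $stored is the user's password from a hypothetical user store.
function verify_mail_auth(array $server, string $stored): bool
{
    $method = strtolower($server['HTTP_AUTH_METHOD'] ?? 'plain');
    $pass   = $server['HTTP_AUTH_PASS'] ?? '';
    $salt   = trim($server['HTTP_AUTH_SALT'] ?? '');

    switch ($method) {
        case 'plain':
            // Auth-Pass carries the password itself.
            return hash_equals($stored, $pass);
        case 'apop':
            // RFC 1939: digest = MD5(timestamp banner . shared secret).
            if ($salt === '') {
                return false;
            }
            return hash_equals(md5($salt . $stored), strtolower($pass));
        case 'cram-md5':
            // RFC 2195: digest = HMAC-MD5(key = shared secret, data = challenge).
            if ($salt === '') {
                return false;
            }
            return hash_equals(hash_hmac('md5', $salt, $stored), strtolower($pass));
        default:
            return false; // unknown method: reject
    }
}

// Constructed sample: one user, one password, two sessions with different challenges.
$stored = 'correct horse';
$challenges = ['<111.1577101631@mail.example.com>', '<222.1577101699@mail.example.com>'];
foreach ($challenges as $salt) {
    $request = [
        'HTTP_AUTH_METHOD' => 'cram-md5',
        'HTTP_AUTH_USER'   => 'user',
        'HTTP_AUTH_SALT'   => $salt,
        // What a CRAM-MD5 client sends: 32 hex digits that change with every challenge.
        'HTTP_AUTH_PASS'   => hash_hmac('md5', $salt, $stored),
    ];
    $ok = verify_mail_auth($request, $stored);
    printf("%s  Auth-Pass=%s  ok=%s\n", $salt, $request['HTTP_AUTH_PASS'], var_export($ok, true));
}
```

Both digest methods need the handler to hold the user's password in recoverable form, because the expected digest is computed from it and the per-session salt.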