Author Topic: Is it possible to prevent use of CRAM-MD5 and DIGEST-MD5?  (Read 4367 times)

mmccarn

  • Freshman
  • *
  • Posts: 33
    • View Profile
Is it possible to prevent use of CRAM-MD5 and DIGEST-MD5?
« on: March 18, 2011, 09:24:30 am »
History
======
My mail server (Kerio) reports the availability of both CRAM-MD5 and DIGEST-MD5.  However, neither of these will work for the one Active-Directory-Integrated domain on the mail server.  (Basically, the mail server reports that these auth methods are available, but they cannot possibly work for *my* domain, even though they do work for other domains on the same server).

If I set up email accounts in Feng Office, the system hangs trying to login to the mail server, attempting to connect using Digest-MD5.  I have to restart httpd to recover after attempting any sort of connection to my mail server.

Question
========
So - does anyone know how to modify either PEAR or Feng Office to prevent any attempt to use DIGEST-MD5 or CRAM-MD5 for email authentication?

Or - can anyone point me in the right direction?

I've tried deleting library/PEAR/Auth/SASL/CramMD5.php and library/PEAR/Auth/SASL/DigestMD5.php - this just throws 'missing file' errors.

I've tried editing library/PEAR/Auth/SASL.php to use Plain.php for 'crammd5' and 'digestmd5' auth methods - this doesn't give any errors, but it doesn't work, either.

Any help would be greatly appreciated.

mmccarn

Re: Is it possible to prevent use of CRAM-MD5 and DIGEST-MD5?
« Reply #1 on: November 01, 2014, 11:04:33 am »
FYI -

I finally (FO 2.7.1.6) learned that everything works if I disable DIGEST-MD5 and CRAM-MD5 on my mail server during email account setup in FO.

That is, I did this:
1) disable DIGEST-MD5 and CRAM-MD5 authentication on my mail server
2) Set up my email account in fengoffice
3) re-enable DIGEST-MD5 and CRAM-MD5 on the mail server

... and everything works OK.

The root of this problem (I believe) is that my Kerio Connect mail server supports DIGEST-MD5 and CRAM-MD5, but *also* supports external authentication mechanisms (Active Directory and Open Directory) that do not.  Consequently, the server must advertise the availability of these protocols in case the remote user is authenticating against the local user database, but then the authentication fails for my active-directory-integrated account:
http://manuals.kerio.com/connect/adminguide/en/sect-advanced.html


mmccarn

Re: Is it possible to prevent use of CRAM-MD5 and DIGEST-MD5?
« Reply #2 on: November 13, 2015, 09:36:57 am »
Somewhere between FengOffice 3.1.x and FengOffice 3.4 it became possible to disable CramMD5 and DigestMD5 authentication as follows:

Edit OC/library/Pear/Net/IMAPProtocol.php

On line 38, change this:

    var $supportedAuthMethods = array('DIGEST-MD5', 'CRAM-MD5','LOGIN');

To this:

    var $supportedAuthMethods = array('LOGIN');

Finally, after 4 years, I can begin to evaluate FengOffice ;-)
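
Added example, not part of the original posts and not PEAR Net_IMAP's own code: a sketch of how a client-side allowlist like `$supportedAuthMethods` decides which mechanism is attempted when the server advertises CRAM-MD5 and DIGEST-MD5. The function names, the TLS check and the CAPABILITY line are assumptions constructed for illustration.

```php
<?php
// Added example: hypothetical helper names, not PEAR Net_IMAP's own code.

/** Extract SASL mechanism names from an IMAP CAPABILITY response line. */
function parseAuthMechanisms(string $capabilityLine): array
{
    $mechs = [];
    foreach (preg_split('/\s+/', trim($capabilityLine)) as $token) {
        if (stripos($token, 'AUTH=') === 0) {
            $mechs[] = strtoupper(substr($token, 5));
        }
    }
    return $mechs;
}

/**
 * Return the first client-allowed mechanism the server also advertises,
 * or null. Plaintext mechanisms are refused unless the session is on TLS
 * (an assumption of this sketch, not something the thread describes).
 */
function chooseAuthMechanism(array $clientAllowed, array $serverOffered, bool $tls): ?string
{
    $plaintext = ['LOGIN', 'PLAIN'];
    foreach ($clientAllowed as $mech) {
        $mech = strtoupper($mech);
        if (!in_array($mech, $serverOffered, true)) {
            continue; // server does not offer it
        }
        if (in_array($mech, $plaintext, true) && !$tls) {
            continue; // would expose the password on the wire
        }
        return $mech;
    }
    return null;
}

// Constructed sample: a server that advertises the MD5 mechanisms.
$capability = '* CAPABILITY IMAP4rev1 STARTTLS AUTH=DIGEST-MD5 AUTH=CRAM-MD5 AUTH=PLAIN AUTH=LOGIN';
$offered = parseAuthMechanisms($capability);

$cases = [
    'original list, TLS' => [['DIGEST-MD5', 'CRAM-MD5', 'LOGIN'], true],
    'LOGIN only, TLS'    => [['LOGIN'], true],
    'LOGIN only, no TLS' => [['LOGIN'], false],
];
foreach ($cases as $label => [$allowed, $tls]) {
    $picked = chooseAuthMechanism($allowed, $offered, $tls);
    printf("%-20s => %s\n", $label, $picked ?? 'none (refuse to authenticate)');
}
```

LOGIN and PLAIN carry the password only base64-encoded, so restricting the client to LOGIN is reasonable only over IMAPS or after STARTTLS, which is why the sketch refuses them on a cleartext connection.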

 
