dovecot - Jun 2011 - Regarding Digest-MD5 auth

Hi,

I am writing a Pop3Client. I use dovecot server as POP3 server in linux and
hMailServer in windows.

I was just testing digest-md5 auth with dovecot server.

I had an observation.

After server side verification, server sends a verification code to client.
If this fails, how can client send the negative response or does it not
exist?

When I see packet capture, dovecot server sends +OK Logged in for anything
client sends.

I may be wrong. Please let me know your thoughts

Regards,
Heramba

On Thu, 2011-06-09 at 13:48 +0530, kenja heramba wrote:
> Hi,
> 
> I am writing a Pop3Client. I use dovecot server as POP3 server in linux and
> hMailServer in windows.
> 
> I was just testing digest-md5 auth with dovecot server.
> 
> I had an observation.
> 
> After server side verification, server sends a verification code to client.
> If this fails, how can client send the negative response or does it not
> exist?
It doesn't exist. What could the client do anyway? Tell the server that
"I see you're doing a man-in-the-middle attack, no thanks"?
> When I see packet capture, dovecot server sends +OK Logged in for anything
> client sends.
The last thing a client sends is the verification checksum, which
finishes the DIGEST-MD5 authentication. After that the login is
complete. So I'm not sure what you mean by "anything client
sends". If
you send a wrong checksum, it should fail the authentication.