The cram_md5 authenticator

The CRAM-MD5 authentication mechanism is described in RFC 2195. The server sends a `challenge' string to the client, and the response consists of a `user name' and the CRAM-MD5 digest of the challenge string combined with a secret string (password) which is known to both server and client. Thus the secret does not get sent over the network as plain text, which makes this authenticator more secure than `plaintext'.

Using cram_md5 as a server

This authenticator has one server option, which must be set to configure the authenticator as a server.

server_secret (cram_md5) option

Option: server_secret
Type: string
Default: unset

When the server receives the client's response, the `user name' is placed in the expansion variable `$1', and `server_secret' is expanded to obtain the password for that user. The server then computes the CRAM-MD5 digest that the client should have sent, and checks that it received the correct string. If the expansion of `server_secret' is forced to fail, authentication fails. If the expansion fails for some other reason, a temporary error code is returned to the client.

For example, the following authenticator checks that the user name given by the client is `ph10', and if so, uses `secret' as the password. For any other user name, authentication fails. A more sophisticated version might look up the secret string in a file, using the user name as the key.

fixed_cram:
  driver = cram_md5
  public_name = CRAM-MD5
  server_secret = ${if eq{$1}{ph10}{secret}fail}
  server_set_id = $1

If authentication succeeds, the setting of `server_set_id' preserves the user name in `$authenticated_id'.

Using cram_md5 as a client

When used as a client, the `cram_md5' authenticator has two options:

client_name (cram_md5) option

Option: client_name
Type: string
Default: "the primary host name"

This string is expanded, and the result used as the `user name' data when computing the response to the server's challenge.

client_secret (cram_md5) option

Option: client_secret
Type: string
Default: unset

This option must be set for the authenticator to work as a client. Its value is expanded and the result used as the secret string when computing the response.

Different user names and secrets can be used for different servers by referring to `$host' or `$host_address' in the options.

Forced failure of either expansion string is treated as an indication that this authenticator is not prepared to handle this case. Exim moves on to the next configured client authenticator. Any other expansion failure causes Exim to give up trying to send the message to the current server.

A simple example configuration of a `cram_md5' authenticator, using fixed strings, is:

fixed_cram:
  driver = cram_md5
  public_name = CRAM-MD5
  client_name = ph10
  client_secret = secret
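To make the exchange described in the server and client sections concrete, here is an added Python example (not Exim code) that computes the client response exactly as RFC 2195 specifies and performs the server-side check that the `server_secret' expansion drives: the user name is taken from the response, the secret is looked up, the expected digest is recomputed and compared. The lookup table mirroring the page's `ph10'/`secret' pair, the host name and the challenge format are assumptions; the RFC 2195 test vector is used as a known challenge.

```python
import base64
import hashlib
import hmac
import secrets
import time


def cram_md5_response(user_name: str, secret: str, challenge: bytes) -> bytes:
    """Client side (RFC 2195): base64 of "<user name> <hex HMAC-MD5(secret, challenge)>"."""
    digest = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user_name} {digest}".encode())


def make_challenge(host: str) -> bytes:
    """Server side: a fresh, unpredictable challenge in the RFC's <random.time@host> shape."""
    return f"<{secrets.token_hex(8)}.{int(time.time())}@{host}>".encode()


def lookup_secret(user_name: str):
    """Stand-in for the server_secret expansion of the page's fixed_cram example:
    only 'ph10' is known (password 'secret'); any other name is a forced
    failure, signalled here by returning None. A real server would look the
    secret up in a file or database keyed by the user name ($1)."""
    table = {"ph10": "secret"}  # constructed sample data
    return table.get(user_name)


def cram_md5_verify(response_b64: bytes, challenge: bytes, lookup=lookup_secret):
    """Server side: recompute the digest the client should have sent and
    compare it in constant time. Returns the authenticated id, or None."""
    try:
        decoded = base64.b64decode(response_b64, validate=True).decode("ascii")
        user_name, sent_digest = decoded.rsplit(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed response (bad base64 or no "name digest" split)
    secret = lookup(user_name)
    if secret is None:
        return None  # unknown user: the expansion was forced to fail
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    if not hmac.compare_digest(expected, sent_digest.lower()):
        return None  # wrong secret, or a response replayed against another challenge
    return user_name


if __name__ == "__main__":
    chal = make_challenge("mail.example.org")  # assumed host name
    print(cram_md5_verify(cram_md5_response("ph10", "secret", chal), chal))  # ph10
```

Because the digest is keyed by the server's fresh challenge, a captured response is useless against a later session, which is the property that makes this stronger than `plaintext'; the secret itself still has to be available in clear to both sides.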
