Re: IMAP plain text authentication

[Myroslava Dzikovska <myros cs rochester edu>]

OK, so I recompiled the newest version, balsa 1.2.1 with SSL. Now I get 
this message

/C=Russia/L=Moscow/O.U.= Zenon N.S.P. Certificate
This certificate accepted but not verified!!!
SSL connection using TLSv1/SSLv3(RC4-SHA)
CRAM-MD5 authentication failed

Where do I go from here? Looks like I won't get any help from the sysadmin 
- since several people are using it with windows programs with no 
problems, and Netscape on my system works, he says I should look 
for trouble in my settings, and that's it. Any suggestions about what else 
can I check would be appreciated.

A couple of questions in relation to it. I'm behind a firewall. Can this 
be causing trouble? Also, would it make any difference if I compiled 
--with-sasl? I actually tried, but there's a file missing from the 
disctribution (mutt_sasl.c), how do I get it?

Myrosia 



> 
> On 2001.10.24 17:40 Myroslava Dzikovska wrote:
> > Oh, I should have mentioned this. I have no problems connecting with
> > Netscape 4.77 from the same machine. Also, older Balsa (1.0.0) still
> > complains that CRAM-MD5 authentication failed, but lets me see the
> > mailbox.
> 
> The capabilities list would be useful to confirm my theory about it. I
> think the server advertises as being capable to do CRAM-MD5. Older balsa
> tried first CRAM-MD5 and when it failed, tried LOGIN.
> 
> The current balsa stops the authentication process if CRAM-MD5 fails - and 
> it
> makes sense. I think there are some cracking schemes (downgrading attacks) 
> that attempt to enforce weakest authentication method available. The 
> algorithm balsa uses now (i.e. use strongest method available, or fail) 
> protects against it.
> 
> The bottom line is: one should verify if the server claims to support 
> CRAM-MD5. If it does, you will need to talk to you system administrator. 
> But please, start from verifying the server capabilities.
> 
> /Pawel
>