Hello!

On Mon, Dec 23, 2019 at 12:47:11PM +0100, nsclick@gmx.de wrote:

> Hello,
>
> I'm trying to use "auth_http" to handle the authentication for SMTP.
> The auth script itself is a PHP script. At the beginning of the script I'm doing the following (just for testing!!! The passwords will not be logged later):
>
> if( !isset($_SERVER["HTTP_AUTH_USER"]) || !isset($_SERVER["HTTP_AUTH_PASS"]) )
> {
> // User or Password are NOT set.
> fail("Invalid user or password");
> }
>
> $username = $_SERVER["HTTP_AUTH_USER"];
> $userpass = $_SERVER["HTTP_AUTH_PASS"];
> $protocol = $_SERVER["HTTP_AUTH_PROTOCOL"];
>
> $fd=fopen('php_mail.log', 'a');
> fputs($fd, "User: [".$username."] Protocol: [".$protocol."] Pass: [".$userpass."]\n");
> fclose($fd);
>
>
> However, the passwords I see in the log are different all the time for the same user.
> Often they consist of 32 hexadecimal digits (but never the same combination) or sometimes they are simply the username with brackets around.
>
> For my understanding the received password should be the same all the time, because otherwise I cannot check the user credentials.
>
> Is there a problem with my understanding or do I miss something?

Check the Auth-Method header, most likely the auth method used is
not plain, but apop or cram-md5. See docs here:

http://nginx.org/en/docs/mail/ngx_mail_auth_http_module.html#protocol

for details. More information about APOP and CRAM-MD5 can be
found in relevant RFCs.

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx