NB> I would rather there not be an option to force *every* connection to use
 NB> CRAM-MD5. It should be on a per-link basis instead (which that option is
 NB> already there also).

This is where the confusion is.  The MD5 option in the Echomail Nodes
configuration is for outbound connections (ie what FIDOPOLL uses), not what the
server uses.  The server doesn't look at the MD5 option from Echomail nodes.

The server always allows either MD5 or cleartext connections, unless you
specifically enable the Force MD5 option.  If Force MD5 is enabled then the
server will refuse any connection that attempts to send a cleartext password.
This even applies to unknown systems.

Its off by default and if someone doesn't want to use it then they can just
keep it turned off, so I don't understand the reasoning for removing it.

I *could* change it so that the option goes away, and the MD5 option is pulled
from the echomail node configuration like you mentioned.  But if there is
ever a situation where you need a different MD5 setting when connecting to a
system versus when it connects to you, you'd be totally screwed.

I am wondering if the problems you had are from a year or two ago when I was
developing the BINKP?  There were problems then with MD5 authentication against
things like broken IREX (which appends wrong characters on MD5 strings if I
remember correctly) among other things like some systems sending a MD5 hash
of "-" instead of a blank password, etc.

Hopefully most of the quirks from back then have been cleared up for 1.10 and
beyond!

--- Mystic BBS v1.12 A1 (Windows)