Hello g00r00,

On 14 Dec 15 06:00, g00r00 wrote to Nicholas Boel:

 NB>> I would rather there not be an option to force *every* connection
 NB>> to use CRAM-MD5. It should be on a per-link basis instead (which
 NB>> that option is already there also).

 gr> This is where the confusion is.  The MD5 option in the Echomail Nodes
 gr> configuration is for outbound connections (ie what FIDOPOLL uses), not
 gr> what the server uses.  The server doesn't look at the MD5 option from
 gr> Echomail nodes.

 gr> The server always allows either MD5 or cleartext connections, unless
 gr> you specifically enable the Force MD5 option.  If Force MD5 is enabled
 gr> then the server will refuse any connection that attempts to send a
 gr> cleartext password. This even applies to unknown systems.

I have a feeling this is where the confusion lies with people setting up
Mystic for the first time. If they set it in one place (ie: server
settings) then maybe they don't think they have to set it up on a per link
basis. Or vice versa, or I'm not sure really. While it's fairly self
explanatory, it has probably cause the most issues on the binkp side of
things. Disabling the FORCE option in the server settings, and adding or
keeping a per link MD5 authentication usually has proved to work the best
all along. Usually when FORCE option is set problems arise when my system
connects to theirs.

With binkd, all I use here is a node definition switch in my config file of
"-md" which is supposed to auth via CRAM-MD5 and has seemed to do
so for quite some time.

 gr> Its off by default and if someone doesn't want to use it then they can
 gr> just keep it turned off, so I don't understand the reasoning for
 gr> removing it.

 gr> I *could* change it so that the option goes away, and the MD5 option
 gr> is pulled from the echomail node configuration like you mentioned.
 gr> But if there is ever a situation where you need a different MD5
 gr> setting when connecting to a system versus when it connects to you,
 gr> you'd be totally screwed.

I see where you're coming from there.

 gr> I am wondering if the problems you had are from a year or two ago when
 gr> I was developing the BINKP?  There were problems then with MD5
 gr> authentication against things like broken IREX (which appends wrong
 gr> characters on MD5 strings if I remember correctly) among other things
 gr> like some systems sending a MD5 hash of "-" instead of a blank
 gr> password, etc.

 gr> Hopefully most of the quirks from back then have been cleared up for
 gr> 1.10 and beyond!

I'm unsure as to if or when the issue has ever stopped, but I don't think
this particular issue I'm describing had anything to do with IREX, since
I'm using binkd here, and pretty sure the issue was when trying to connect
to Mystic's binkp server. Whether the other system was misconfigured or
not, that's also up in the air. Whenever the issue did arise though,
disabling the FORCE option in the server settings, and enabling the one in
echomail nodes seemed to fix whatever issue was happening, though.
Unfortunately I've never been able to get more specifics than that, or am
unsure if it's still happening or not. :(

Regards,
Nick

--- GoldED+/LNX 1.1.5-b20151129