Friday, October 15, 2004

Telnet and IMAP4 incompatible!

Recently on the IMAP4 implementors mailing list, the creator of the IMAP4 protocol had this to say:

You can not telnet to a modern IMAP or POP3 server, since TELNET does not have session encryption to protect the confidentiality of the password.

I guess modern servers only support connections over SSL (and telnet-ssl must not count as "TELNET"), and logging in with anything other than plaintext passwords is impossible by hand. Since I do this all the time, I thought it a bit odd. I suppose Mr. Crispin simply wanted to discourage insecure logins, or perhaps he just thinks it is difficult enough to respond to, say, a Cram-MD5 challenge that it may as well be considered impossible in casual conversation.

I've had this Python utility lying around for a while, this seems like a good opportunity to share it.


import sys
import hmac

def main(args=None):
if args is None:
args = sys.argv[1:]

response = hmac.HMAC(args[1], args[2].decode('base64')).hexdigest()
print (args[0] + ' ' + response).encode('base64')

if __name__ == '__main__':

I use it pretty frequently, since I work with IMAP4, SMTP, and POP3 servers and clients a lot, and it is generally too time consuming to use an actual client, and usually actual clients won't give me the information I want anyway. Here's an example of its usage (italics are things I send to the server, the rest is from the shell or received from the server):

exarkun@boson:~$ telnet 143
Connected to
Escape character is '^]'.
01 authenticate cram-md5
telnet> z

[1]+ Stopped telnet 143
exarkun@boson:~$ hmac username password bk04TXh3SURQSlJVNGlZbENRUkZWVmVMRXFEeEJWUzA=

exarkun@boson:~$ fg
telnet 143
01 OK Authentication successful
02 logout
* BYE Nice talking to you
02 OK LOGOUT successful
Connection closed by foreign host.

Perhaps telnet and IMAP4 are not as incompatible as one may otherwise have been led to believe...

1 comment:

  1. JP,

    I "roll my own" Mime. I don't like letting some mysterious program
    write my Mime for me. The Mime *is* the message. Then I send the Mime
    using netcat. Telnet has trouble with long messages, but netcat has
    never failed me. Authenticating is the problem. And tying it all
    together so that the Mime can be generated and sent in a batch fashion.
    (That's a big plus--I can generate and send an email by invoking a
    command at the command line.)

    Each of my emails starts as a text file template that has a few special
    commands built in. These commands are email server directives or
    special Unix instructions. The file contains or codes for everything
    the email server needs.

    I don't pipe this file into netcat, rather I translate it first using
    code that runs the Unix instructions (and leaves the ouput of the
    instructions in context), then the results of the translation are piped
    into netcat.

    This is the invocation

    splurge9 $2 | nc -q 5 -t $smtp $port | divert

    where splurge9 is the translation tool I spoke of and divert is a
    filter that allows me to see the output, yet it captures the cram-md5

    Here is an example $2. This sends an email to myself. My password
    (mypass) and server name (myserver) have been changed. The command
    go_hmac calls your Python code (Thanks a bunch). The chunk command
    stores strings for later recall:

    `chunk to_name "Joe Rosevear";
    chunk to;

    chunk from_name "Joe Rosevear";
    chunk from;

    chunk subject "test";

    read nothing;
    auth cram-md5
    `read challenge < $env_handy/challeng;
    go_hmac mypass $challenge;
    `mail from: `chunk from`
    rcpt to: `chunk to`
    rcpt to: `chunk from`
    MIME-Version: 1.0
    To: "`chunk to_name`" <`chunk to`>
    From: "`chunk from_name`" <`chunk from`>
    Date: `date -R
    `Subject: `chunk subject`
    Content-type: text/plain; charset="US-ASCII"
    Content-transfer-encoding: 7bit


    This does it all. With the use of mimencode I can put in attachments
    too (`cat picture.jpg | mimencode`). Of course, Mime content statments
    and boundaries are needed. Granted, it's cumbersome. Sometimes I give
    in and use Yahoo email.

    Then as a partner to this I use a Perl script that I found (called
    Poppy) to pull the incoming emails off the Pop3 server and save them as

    I had this working before, by the way, but only for "auth login" with
    your help it now does "auth cram-md5" which I needed, because of
    changes with my ISP.

    -Joe Rosevear