This post originated from an RSS feed registered with Python Buzz
by Ng Pheng Siong.
Original Post: XMail Authentication
XMail provides an "in-service" username/password system for authentication,
to support virtual user accounts, i.e., accounts that exist within XMail
only.
The manual says that the "encrypted password is generated by 'XMCrypt'".
The output of this program shows that it does not salt: a given password
always produces the same "encrypted" string.
Inspecting the source of XMCrypt reveals that there is no cryptography at
all, just a simple XOR of the password. Hmmmm...
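
To make the difference concrete, here is an added example (not XMail's or XMCrypt's code) that puts a fixed-key XOR encoding beside a salted, iterated password hash. The XOR constant, the function names and the sample passwords are constructed for illustration; the post does not give XMCrypt's actual constant or output format.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed placeholder key byte; not taken from XMCrypt.
XOR_KEY = 0x5A
PBKDF2_ROUNDS = 100_000


def xor_obfuscate(password: str) -> str:
    """Fixed-key XOR then hex: no salt, no secret, fully deterministic."""
    return "".join(f"{b ^ XOR_KEY:02x}" for b in password.encode())


def xor_recover(stored: str) -> str:
    """XOR is its own inverse, so the stored string yields the password."""
    return bytes(b ^ XOR_KEY for b in bytes.fromhex(stored)).decode()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt per stored password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hash_password(password, salt)[1]
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    pw = "correct horse"  # constructed sample password
    stored = xor_obfuscate(pw)
    print("xor stored   :", stored)
    print("xor recovered:", xor_recover(stored))
    salt_a, hash_a = hash_password(pw)
    salt_b, hash_b = hash_password(pw)
    print("same password, same hash? ", hash_a == hash_b)
    print("verifies with stored salt?", verify_password(pw, salt_a, hash_a))
```

Anyone who can read the XOR-encoded credential file has the passwords themselves, whereas the salted hash gives two users with the same password different stored values and has to be attacked by guessing.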
At this point, allow me to mention security patterns, seen on
Ralph Johnson's blog. Coincidentally, Ralph Johnson has written a paper
on the security patterns of qmail, another piece of mail-related software.
Back to XMail: it also supports external authentication. The
mechanism is similar to that of invoking SMTP filters.