Cisco Email Security Appliance C160 User Guide

Cisco AsyncOS 8.5.5 for Email Security User Guide
 
Chapter 24      LDAP Queries
  Configuring AsyncOS for SMTP Authentication
The appliance negotiates the SASL mechanism with the MUA before it receives the password; the two 
sides agree on LOGIN or PLAIN, both of which hand the password itself (not a hash of it) to the 
appliance, so the session should already be protected by TLS when AUTH is offered. The appliance 
then queries the LDAP database to fetch the user's stored password. In LDAP, the stored password 
can carry a prefix in braces that names the hashing scheme; the appliance recognizes the MD5, SHA, 
SSHA and CRYPT tags, following the RFC 2307 convention of prepending the scheme name to the hashed 
value in the password field.
If there is no prefix, the appliance assumes that the password was stored in LDAP in plaintext and 
compares it directly. If there is a prefix, the appliance fetches the hashed password, applies the 
same hash to the password supplied by the MUA (using the salt carried in the stored value for the 
salted schemes), and compares the two hashed values.
Some LDAP servers, such as the OpenWave LDAP server, do not prefix the hashed password with the 
scheme name; instead, they store the scheme as a separate LDAP attribute. For these servers you can 
configure a default SMTP AUTH encryption method that the appliance assumes for untagged values when 
comparing the stored password with the one obtained in the SMTP conversation. Because that default 
applies to every untagged value, it should not be set if some entries in the same directory store 
passwords in plaintext; those logins would then fail.
The appliance takes the username from the SMTP AUTH exchange, converts it into an LDAP query that 
fetches the plaintext or hashed password field, performs any necessary hashing on the password 
supplied in the SMTP AUTH credentials, and compares the result with the value retrieved from LDAP 
(with the scheme tag, if any, removed). A match lets the SMTP AUTH conversation proceed; a mismatch 
results in an error code being returned to the client.