XMail Authentication

XMail provides an "in-service" username/password system for authentication, to support virtual user accounts, i.e., accounts that exist within XMail only.

The manual says that the "encrypted password is generated by 'XMCrypt'". The output of this program shows that it does not salt and a given password always produces the same "encrypted" string.

Inspecting the source of XMCrypt reveals that there is no cryptography at all, just a simple XOR of the password. Hmmmm...

At this point, allow me to mention security patterns, seen from Ralph Johnson's blog. Coincidentally, Ralph Johnson has written a paper on the security patterns of qmail, another piece of mail-related software.

Back to XMail, it also supports external authentication. The mechanism is similar to that of invoking SMTP filters.