Commit 0542af54 authored by rswindell's avatar rswindell

Some people are still having problems with CRAM-MD5 authentication

(e.g. latest reports are problems with outbound connections to
mbcico/1.0.6.8 with CRAM-MD5 authentication failures) - so added a new
per-link configuration key: "BinkpPlainAuthOnly" (default value is false).
Set this value to true to use *only* plain-text password authentication
for both inbound and outbound connections with this node. This should help
debug password issues, at minimum, and might work-around CRAM-MD5
incompatibilities with some mailers, if that is in fact the issue.
EchoCfg will need a way to set this option, but for now, just set it by
hand in the sbbsecho.ini (for each [node] section where you need it).

If you set BinkpPlainAuthOnly to true, do *not* set BinkpAllowPlainAuth
or BinkpAllowPlainText to false - that would be bad.
parent fc233796
......@@ -166,7 +166,7 @@ function add_outbound_files(addrs, bp)
var ext = file_getext(file);
if (ext !== undefined)
ext = ext.toLowerCase();
switch(ext) {
case '.clo':
case '.dlo':
......@@ -539,6 +539,7 @@ function callout(addr, scfg, locks, bicfg)
host = bp.cb_data.binkitcfg.node[addr].host;
bp.require_md5 = !(bp.cb_data.binkitcfg.node[addr].nomd5);
bp.require_crypt = !(bp.cb_data.binkitcfg.node[addr].nocrypt);
bp.plain_auth_only = bp.cb_data.binkitcfg.node[addr].plain_auth_only;
}
// TODO: Force debug mode for now...
bp.debug = true;
......@@ -879,7 +880,7 @@ function inbound_auth_cb(pwd, bp)
check_nocrypt(bp.cb_data.binkitcfg.node[addr]);
ret = cpw;
} else {
log(LOG_WARNING, "CRAM-MD5 password mismatch for " + addr
log(LOG_WARNING, "CRAM-MD5 password mismatch for " + addr
+ format(" (expected: %s, received: %s)", expected, pwd[0]));
/*
* TODO: This is in case Mystic/1.12A39 has both a working and
......@@ -905,7 +906,7 @@ function inbound_auth_cb(pwd, bp)
}
else {
// TODO: Deal with arrays of passwords?
if (!bp.cb_data.binkitcfg.node[addr].nomd5) // AllowPlainPasswords=false
if (!bp.cb_data.binkitcfg.node[addr].nomd5) // BinkpAllowPlainAuth=false
log(LOG_WARNING, "CRAM-MD5 required (and not provided) by " + addr);
else if (bp.cb_data.binkitcfg.node[addr].pass === pwd[0]) {
log(LOG_INFO, "Plain-text password match for " + addr);
......@@ -1132,7 +1133,7 @@ function upgrade()
var binkit_ini = new File(file_cfgname(system.ctrl_dir, "binkit.ini"));
if(binkit_ini.open("r")) {
sbbsecho_ini.iniSetValue("BinkP", "Capabilities", binkit_ini.iniGetValue(null, "Capabilities", ""));
sbbsecho_ini.iniSetValue("BinkP", "Sysop", binkit_ini.iniGetValue(null, "Sysop", ""));
......@@ -1169,7 +1170,7 @@ function upgrade()
/* Merge ftn_domains.ini -> sbbsecho.ini */
var domains_ini = new File(file_cfgname(system.ctrl_dir, "ftn_domains.ini"));
if(domains_ini.open("r")) {
var domains = domains_ini.iniGetAllObjects("name");
for(var d in domains) {
var section = "domain:" + domains[d].name;
......
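Review bot: In the callout() hunk `bp.plain_auth_only` is copied from the node config, but `bp.require_md5` and `bp.require_crypt` are still derived only from `nomd5` and `nocrypt`, which the config loader on this page defaults to false. With only `BinkpPlainAuthOnly=true` set, `require_md5` stays true, so the new `this.plain_auth_only ||` test in BinkP.prototype.connect falls into the branch that sends `M_ERR` "MD5 Required" and the outbound session cannot authenticate; the `!...nomd5` test in the inbound_auth_cb hunk rejects a plain-text password for the same reason. The commit message warns against this combination, yet it is what the defaults produce, so the code should resolve it rather than the operator, for example `bp.require_md5 = !bp.plain_auth_only && !(bp.cb_data.binkitcfg.node[addr].nomd5);` with the same treatment for `require_crypt`. Both callout() and inbound_auth_cb continue outside their hunks.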
......@@ -5,15 +5,16 @@ require('fido.js', 'FIDO');
/*
* A binkp implementation...
*
*
* Create a new instance with New passing a path to place received files
* in to the constructor (defaults to system.temp_dir).
*
*
* Next, adjust defaults as needed...
* default_zone - if no zone is specified, use this one for all addresses.
* default_domain - if no domain is specified, use this one for all addresses.
* debug - If set, logs all sent/received frames via log(LOG_DEBUG)
* require_md5 - Require that the remote support MD5
* require_md5 - Require that the remote support CRAM-MD5 authentication
* plain_auth_only - Use plain-text authentication always (no CRAM-MD5 auth, no encryption)
* timeout - Max timeout
* addr_list - list of addresses handled by this system. Defaults to system.fido_addr_list
* system_name - BBS name to send to remote defaults to system.name
......@@ -35,12 +36,12 @@ require('fido.js', 'FIDO');
* tx_callback - Function that is called with two arguments, the filename
* and the BinkP object when a file is sent successfully.
* name_ver - Name and version of program in "name/ver.ver.ver" format
*
*
* Now add any files you wish to send using the addFile(filename) method
*
*
* Finally, call the connect() or accept() method
* This method will return true if all files were transferred with no errors.
*
*
* After return, the sent_files and received_files arrays will contain
* lists of successfully transferred files. The failed_sent_files and
* failed_received_files arrays will contain files that failed to
......@@ -77,6 +78,7 @@ function BinkP(name_ver, inbound, rx_callback, tx_callback)
this.sent_nr = false;
this.ver1_1 = false;
this.require_md5 = true;
this.plain_auth_only = false;
// IREX VER Internet Rex 2.29 Win32 (binkp/1.1) doesn't work with longer challenges
// TODO: Remove this knob
this.cram_challenge_length = 16;
......@@ -433,7 +435,7 @@ BinkP.prototype.connect = function(addr, password, auth_cb, port, inet_host)
* TODO: This is to work around an apparent incompatibility with
* Radius. I thought this worked with binkd, but it would need
* to be tested again.
*
*
* Not super-important since using encryption without a password
* is about as "secure" as rot13.
*/
......@@ -455,7 +457,7 @@ BinkP.prototype.connect = function(addr, password, auth_cb, port, inet_host)
}
if (this.authenticated === undefined) {
if (this.cram === undefined || this.cram.algo !== 'MD5') {
if (this.plain_auth_only || this.cram === undefined || this.cram.algo !== 'MD5') {
if (this.require_md5)
this.sendCmd(this.command.M_ERR, "MD5 Required");
else {
......@@ -558,7 +560,8 @@ BinkP.prototype.accept = function(sock, auth_cb)
this.cram = {algo:'MD5', challenge:challenge.replace(/[0-9a-fA-F]{2}/g, hex2ascii)};
this.authenticated = undefined;
this.sendCmd(this.command.M_NUL, "OPT CRAM-MD5-"+challenge+(this.wont_crypt?"":" CRYPT"));
if(!this.plain_auth_only)
this.sendCmd(this.command.M_NUL, "OPT CRAM-MD5-"+challenge+(this.wont_crypt?"":" CRYPT"));
pkt = this.recvFrame(this.timeout);
if (pkt === undefined || pkt === null)
return false;
......
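Review bot: The accept() hunk withholds the CRAM-MD5 challenge when `this.plain_auth_only` is set, but the only assignment of that property visible on this page is in callout(), the outbound path, and the constructor defaults it to false. Unless the caller sets it elsewhere, inbound sessions will keep advertising CRAM-MD5 despite the commit message; and if it is set on the object before accept(), the `recvFrame` call follows the challenge in this hunk, so the peer is presumably not yet identified and the downgrade would apply to every caller rather than to one link. Because this option puts the session password on the wire unhashed and without CRYPT, and `debug` is documented in the header comment as logging all sent and received frames, the password may also end up in the log. A `log(LOG_WARNING, "Plain-text authentication only for this session");` whenever the flag takes effect, plus a comment here such as `// plain_auth_only: no CRAM-MD5/CRYPT offered, peer must send a plain-text password`, would keep a debugging aid from becoming a silent permanent downgrade. accept() starts and ends outside the hunk.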
......@@ -9,7 +9,7 @@ require('fido.js', 'FIDO');
* acfg{}{} per-address config objects all keys converted to lower-case
* Each object supports 'Links', 'Dir', 'Path', and 'Handler'
* properties.
*
*
* A handler is a load() path to a script which must define a
* Handle_TIC(tic, obj) method. This method takes two arguments, the
* tic object and the "this" context of the caller. If Handle_TIC()
......@@ -22,9 +22,9 @@ require('fido.js', 'FIDO');
* sending to any of the configured links. Failing to do this will result
* in TIC files without the corresponding attachment being send to downlinks.
* Further, the load file must not have a null last statement.
*
*
* cset character set used in base-X file naming
*
*
* TickITCfg Methods:
* get_next_tick_filename() returns a string representing the next
* sequential unique filename for a tic file
......@@ -206,7 +206,7 @@ TickITCfg.prototype.save = function()
/*
* FREQITCfg configuration object
*
*
* FREQITCfg properties
* dirs[] Array of directories that can be FREQed from
* securedirs[] Array of seucrely FREQable directories
......@@ -341,6 +341,7 @@ function BinkITCfg()
this.node[sec].pass = f.iniGetValue(section, 'SessionPwd');
this.node[sec].nomd5 = f.iniGetValue(section, 'BinkpAllowPlainAuth', false);
this.node[sec].nocrypt = f.iniGetValue(section, 'BinkpAllowPlainText', false);
this.node[sec].plain_auth_only = f.iniGetValue(section, 'BinkpPlainAuthOnly', false);
this.node[sec].poll = f.iniGetValue(section, 'BinkpPoll', false);
this.node[sec].port = f.iniGetValue(section, 'BinkpPort');
this.node[sec].src = f.iniGetValue(section, 'BinkpSourceAddress');
......
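Review bot: The new `plain_auth_only` line in BinkITCfg() is loaded beside `nomd5` and `nocrypt` with no comment on how the three keys interact or on what the new one gives up. I would add above it: `// BinkpPlainAuthOnly: never use CRAM-MD5 or CRYPT with this link; the session password is sent in clear. Intended for debugging; requires BinkpAllowPlainAuth and BinkpAllowPlainText to be true.` The last clause follows the commit message, so confirm it against the final behaviour. BinkITCfg() continues outside the hunk.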