Re: SMTP_AUTH
Thanks Brian,
Worked like a charm ;o). I will now work on:
o Encrypting the passwords in the smtp_auth_users file before conversion to dbm format
o Getting the smtp dialog between the client machine and the smtp server to be done over ssl
o Using the PLAIN authentication mechanism with Netscape & Eudora MUAs.
Thanks again.
--Ayitey
----- Original Message -----
From: "Brian Candler" <B.Candler at pobox.com>
To: "Ayitey Bulley" <abulley at ghana.com>
Cc: <ph10 at cus.cam.ac.uk>; <afnog at afnog.org>
Sent: Wednesday, December 11, 2002 10:36 PM
Subject: Re: SMTP_AUTH
> On Wed, Dec 11, 2002 at 07:33:23PM -0000, Ayitey Bulley wrote:
> > fixed_login:
> >   driver = plaintext
> >   public_name = LOGIN
> >   server_prompts = "Username:: : Password::"
> >   server_condition = ${if and{{eq{$1}{bulley}}{eq{$2}{password}}}{yes}{no}}
> >   server_set_id = $1
> > ----------------------
> >
> > And this seems to work with my outlook express MUA, however it does not
> > scale well. How do I get it to use the /etc/passwd file to authenticate or
> > some other file (/usr/exim/smtp_auth_users)
> ...
> > server_condition = ${if crypteq{$3}\
> >   {${extract{1}{:}{${lookup{$2}lsearch{/usr/exim/smtp_auth_users}{$value}}}}\
> >   }{yes}{no}}
>
> In the above, I think you've got $3 and $2 where you should have $2 and $1
>
> The LOGIN (Microsoft specific) authentication mechanism uses $1 for username
> and $2 for password. The PLAIN (RFC2595) mechanism uses $1 for authorisation
> ID which is normally null, $2 for username, $3 for password.
>
> Apart from that, and valid encrypted passwords, I think it will work... the
> reply I had started to compose is below but you can ignore it :-)
>
> Cheers,
>
> Brian.
>
>
> To find a password for a user in a flat text file (easiest for testing), you
> would use ${lookup{$1}lsearch{/usr/exim/smtp_auth_users}{$value}fail}
>
> where the third expression ({$value} in this case) is evaluated if the item
> is found, and the fourth expression (the special value 'fail') if it isn't.
> So one way of writing that is:
>
> server_condition = ${lookup{$1}lsearch{/usr/exim/smtp_auth_users} \
>                    {${if eq{$value}{$2}{1}fail}} \
>                    fail}
>
> For faster lookups change 'lsearch' to 'dbm', and then convert the file into
> DBM format:
>
> exim_dbmbuild /usr/exim/smtp_auth_users /usr/exim/smtp_auth_users.db
>
> Something extremely useful is the -be (expression testing) mode of exim. For
> example, on the command line you can type:
>
> $ echo "ayitey mypasswd" >/tmp/testfile
> $ exim -be '${lookup{ayitey}lsearch{/tmp/testfile}{${if eq{$value}{mypasswd}{1}fail}}fail}'
>
> and keep playing with the expression until it does what you want.
>
> The problem with using the Unix passwd file is that most Unixes keep the
> actual password in a shadow file (master.passwd and spwd.db under FreeBSD)
> which is only readable by root, and yet for security reasons exim runs as an
> unprivileged user (usually 'exim') while receiving an incoming SMTP
> connection.
>
> You should be able to use the cyrus pwcheck daemon to get round this (exim
> talks to a separate daemon which runs as root but whose sole purpose is to
> check passwords) but I've never tried this myself.
>
> http://www.exim.org/exim-html-4.10/doc/html/spec_11.html#IX654
>
> If your passwords are kept in a separate database (LDAP, mysql etc) then
> this isn't an issue.
>
-----
This is the afnog mailing list, managed by Majordomo 1.94.5
To send a message to this list, e-mail afnog at afnog.org
To send a request to majordomo, e-mail majordomo at afnog.org and put
your request in the body of the message (i.e use "help" for help)
This list is maintained by owner-afnog at afnog.org
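The $1/$2/$3 mix-up Brian points out is easy to reproduce offline. The following is an added example, not code from the thread or from Exim: it emulates the three expansion pieces in the quoted server_condition (lsearch lookup, extract{1}{:}, crypteq) in Python, builds the LOGIN and PLAIN (RFC 2595) argument sets the way Exim numbers them, and shows that reading the username from $2 and the password from $3 only works for PLAIN. The users file content, the helper names and the {sha256} hash tag are constructed for this example; Exim's own crypteq schemes are {crypt}, {md5} and {sha1}, and the real lsearch and expansion code are not what runs here.

```python
import base64
import hashlib
import hmac


def sha256_tag(password: str) -> str:
    """Constructed stored-password format for this example: '{sha256}' + hex digest."""
    return "{sha256}" + hashlib.sha256(password.encode()).hexdigest()


# Constructed stand-in for /usr/exim/smtp_auth_users: "user:hashed-password[:other fields]".
SMTP_AUTH_USERS = "\n".join([
    "bulley:" + sha256_tag("password") + ":some other field",
    "ayitey:" + sha256_tag("mypasswd"),
    "# blank lines and comments are skipped",
    "",
])


def lsearch(key, text):
    """Emulate ${lookup{key}lsearch{file}{$value}fail}: return the text after
    'key:' on the first matching line, or None when the lookup fails."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        k, sep, rest = line.partition(":")
        if sep and k.strip() == key:
            return rest.strip()
    return None


def extract(n, sep, value):
    """Emulate ${extract{n}{sep}{value}}: 1-based field n, empty if absent."""
    fields = value.split(sep)
    return fields[n - 1] if 0 < n <= len(fields) else ""


def crypteq(plaintext, stored):
    """Compare a plaintext password against a tagged hash in constant time."""
    if stored.startswith("{sha256}"):
        digest = hashlib.sha256(plaintext.encode()).hexdigest()
        return hmac.compare_digest(digest, stored[len("{sha256}"):].lower())
    raise ValueError("unsupported scheme in stored password: " + stored)


def login_args(username, password):
    """LOGIN: two server prompts, so $1 = username, $2 = password, no $3."""
    return {1: username, 2: password, 3: ""}


def plain_args(initial_response_b64):
    """PLAIN (RFC 2595): base64(authzid NUL authcid NUL passwd), so
    $1 = authorisation id (normally empty), $2 = username, $3 = password."""
    authzid, authcid, passwd = base64.b64decode(initial_response_b64).decode().split("\0")
    return {1: authzid, 2: authcid, 3: passwd}


def server_condition(args, user_var, pass_var, users_file=SMTP_AUTH_USERS):
    """Emulate:
    ${if crypteq{$<pass_var>}{${extract{1}{:}{${lookup{$<user_var>}lsearch{file}{$value}fail}}}}{yes}{no}}
    Returns True for 'yes'; an unknown user takes the 'fail' branch -> False."""
    value = lsearch(args[user_var], users_file)
    if value is None:
        return False
    return crypteq(args[pass_var], extract(1, ":", value))


def demo():
    """Run the condition with both mechanisms and both variable choices."""
    login = login_args("bulley", "password")
    plain = plain_args(base64.b64encode(b"\0ayitey\0mypasswd").decode())
    return {
        # LOGIN with $1/$2, as Brian suggests: succeeds
        "login_with_1_2": server_condition(login, 1, 2),
        # LOGIN with $2/$3, as in the quoted config: $2 is the password and
        # $3 is empty, so the lookup fails and authentication is refused
        "login_with_2_3": server_condition(login, 2, 3),
        # PLAIN with $2/$3: succeeds, because $1 is the (empty) authz id
        "plain_with_2_3": server_condition(plain, 2, 3),
        # unknown user: lookup takes the 'fail' branch
        "unknown_user": server_condition(login_args("nobody", "x"), 1, 2),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'yes' if ok else 'no'}")
```

Running the block prints the four outcomes; the second one is the bug in the quoted configuration. Keeping the variable positions per mechanism is the whole point: a single server_condition cannot serve both LOGIN and PLAIN unless it is written once per authenticator.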