
Re: SMTP_AUTH



Thanks Brian,

Worked like a charm ;o). I will now work on:

o Encrypting the passwords in the smtp_auth_users file before conversion to dbm format
o Getting the SMTP dialog between the client machine and the SMTP server to be done over SSL
o Using the PLAIN authentication mechanism with Netscape & Eudora MUAs.

Thanks again.

--Ayitey


----- Original Message -----
From: "Brian Candler" <B.Candler at pobox.com>
To: "Ayitey Bulley" <abulley at ghana.com>
Cc: <ph10 at cus.cam.ac.uk>; <afnog at afnog.org>
Sent: Wednesday, December 11, 2002 10:36 PM
Subject: Re: SMTP_AUTH


> On Wed, Dec 11, 2002 at 07:33:23PM -0000, Ayitey Bulley wrote:
> > fixed_login:
> >    driver = plaintext
> >    public_name = LOGIN
> >    server_prompts = "Username:: : Password::"
> >    server_condition = ${if and{{eq{$1}{bulley}}{eq{$2}{password}}}{yes}{no}}
> >    server_set_id = $1
> > ----------------------
> >
> > And this seems to work with my outlook express MUA, however it does not
> > scale well. How do I get it to use the /etc/passwd file to authenticate or
> > some other file (/usr/exim/smtp_auth_users)
> ...
> >    server_condition = ${if crypteq{$3}\
> >        {${extract{1}{:}{${lookup{$2}lsearch{/usr/exim/smtp_auth_users}{$value}}}}\
> >        }{yes}{no}}
>
> In the above, I think you've got $3 and $2 where you should have $2 and $1
>
> The LOGIN (Microsoft specific) authentication mechanism uses $1 for username
> and $2 for password. The PLAIN (RFC2595) mechanism uses $1 for authorisation
> ID which is normally null, $2 for username, $3 for password.
>
> Apart from that, and valid encrypted passwords, I think it will work... the
> reply I had started to compose is below but you can ignore it :-)
>
> Cheers,
>
> Brian.
>
>
> To find a password for a user in a flat text file (easiest for testing), you
> would use ${lookup{$1}lsearch{/usr/exim/smtp_auth_users}{$value}fail}
>
> where the third expression ({$value} in this case) is evaluated if the item
> is found, and the fourth expression (the special value 'fail') if it isn't.
> So one way of writing that is:
>
>   server_condition = ${lookup{$1}lsearch{/usr/exim/smtp_auth_users}  \
>     {${if eq{$value}{$2}{1}fail}}   \
>     fail}
>
> For faster lookups change 'lsearch' to 'dbm', and then convert the file into
> DBM format:
>
>   exim_dbmbuild /usr/exim/smtp_auth_users /usr/exim/smtp_auth_users.db
>
> Something extremely useful is the -be (expression testing) mode of exim. For
> example, on the command line you can type:
>
> $ echo "ayitey mypasswd" >/tmp/testfile
> $ exim -be '${lookup{ayitey}lsearch{/tmp/testfile}{${if eq{$value}{mypasswd}{1}fail}}fail}'
>
> and keep playing with the expression until it does what you want.
>
> The problem with using the Unix passwd file is that most Unixes keep the
> actual password in a shadow file (master.passwd and spwd.db under FreeBSD)
> which is only readable by root, and yet for security reasons exim runs as an
> unprivileged user (usually 'exim') while receiving an incoming SMTP
> connection.
>
> You should be able to use the cyrus pwcheck daemon to get round this (exim
> talks to a separate daemon which runs as root but whose sole purpose is to
> check passwords) but I've never tried this myself.
>
> http://www.exim.org/exim-html-4.10/doc/html/spec_11.html#IX654
>
> If your passwords are kept in a separate database (LDAP, mysql etc) then
> this isn't an issue.
>
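The following is an added stand-alone model of what the thread describes, not code from either poster or from Exim: it decodes the LOGIN and PLAIN client responses into the $1/$2/$3 variables Brian explains, looks the user up in an lsearch-style file the way the ${lookup ...} expansion does, and checks the password either literally (Brian's eq{$value}{$2} form) or against a hashed {sha1} entry, which is what Ayitey's first to-do item (not storing cleartext in smtp_auth_users) leads to. Assumptions: the users file content is constructed, the {sha1} hex/base64 digest format follows the Exim crypteq documentation for later 4.x releases rather than anything stated in this thread, and function names are my own.

```python
import base64
import hashlib
import hmac

# Constructed sample of an lsearch-style users file: key, then ':' or
# whitespace, then the value. The first entry is cleartext (the form Brian
# tests with 'echo "ayitey mypasswd"'); the second stores a SHA-1 digest of
# the word 'password' (a placeholder hash, not a real credential).
SAMPLE_USERS_FILE = """\
# constructed sample, not a real credential file
ayitey mypasswd
bulley: {sha1}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
"""


def lsearch(key, text=SAMPLE_USERS_FILE):
    """Mimic Exim's lsearch lookup: return the value of the first line whose
    leading token equals key (terminated by ':' or whitespace), else None."""
    for line in text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        for i, ch in enumerate(line):
            if ch == ':' or ch.isspace():
                if line[:i] == key:
                    return line[i + 1:].strip()
                break
        else:
            if line == key:          # key present with no value at all
                return ''
    return None


def sasl_login_vars(username_b64, password_b64):
    """LOGIN: the client sends username and password as two separate base64
    responses, which the plaintext authenticator exposes as $1 and $2."""
    return (base64.b64decode(username_b64).decode(),
            base64.b64decode(password_b64).decode())


def sasl_plain_vars(response_b64):
    """PLAIN (RFC 2595): one base64 blob authzid NUL authcid NUL password,
    exposed as $1 (authorisation id, usually empty), $2 and $3."""
    parts = base64.b64decode(response_b64).split(b'\0')
    if len(parts) != 3:
        raise ValueError('malformed PLAIN response')
    return tuple(p.decode() for p in parts)


def encode_plain(authzid, authcid, password):
    """Build the client side of a PLAIN exchange (handy for -be style tests)."""
    return base64.b64encode(
        b'\0'.join(s.encode() for s in (authzid, authcid, password))).decode()


def check_password(candidate, stored):
    """A '{sha1}' entry is verified as Exim's crypteq verifies such entries
    (hex or base64 digest of the candidate); an unprefixed entry is compared
    literally, like Brian's eq{$value}{$2}. Constant-time compares throughout."""
    if stored.startswith('{sha1}'):
        digest = hashlib.sha1(candidate.encode()).digest()
        ref = stored[len('{sha1}'):]
        if len(ref) == 40:                      # hex form
            return hmac.compare_digest(digest.hex(), ref.lower())
        return hmac.compare_digest(base64.b64encode(digest).decode(), ref)
    return hmac.compare_digest(candidate.encode(), stored.encode())


def authenticate(mechanism, *responses, users=SAMPLE_USERS_FILE):
    """Return the authenticated user (what server_set_id would hold) or None.
    Note which variable carries the username: $1 for LOGIN, $2 for PLAIN."""
    if mechanism == 'LOGIN':
        user, password = sasl_login_vars(*responses)           # $1, $2
    elif mechanism == 'PLAIN':
        _authz, user, password = sasl_plain_vars(*responses)   # $1, $2, $3
    else:
        raise ValueError('unsupported mechanism')
    stored = lsearch(user, users)
    if stored is None:                  # lookup failed: the 'fail' branch
        return None
    return user if check_password(password, stored) else None
```

Swapping the mechanism without swapping the variable numbers reproduces the bug Brian points out: a PLAIN client's $1 is the (usually empty) authorisation id, so an lsearch on $1 finds nothing and every login fails closed.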


-----
This is the afnog mailing list, managed by Majordomo 1.94.5
