Re: [Exim] SMTP authentication with exim

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Philip Hazel
Datum:  
To: Christi Alice Scarborough
CC: exim-users
Betreff: Re: [Exim] SMTP authentication with exim
On Wed, 23 Aug 2000, Christi Alice Scarborough wrote:

> cram:
> driver = cram_md5
> public_name = CRAM-MD5
> server_secret = ${if crypteq{$2}{\{crypt\}${lookup {$1} lsearch{/etc/shadow}{${extract{1}{:}{$value}}} fail } } {secret1} fail }
>
> which I think should do the following. Take the secret string passed
> by the client, containing the username ($1) and password ($2) and extract
> the users crypted password string from the password file. This should
> then be compared with the value passed by the user.


No, that isn't the way CRAM-MD5 works. What you have described is the
way that LOGIN authentication works. CRAM-MD5 is a completely different
kettle of fish (see chapter 35). You need to have the secret stored *in
plain* on the server. You can't use an encrypted password. The client
doesn't send the secret - it sends an MD5 hash of the challenge string
plus the secret.


-- 
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.