RE: [Exim] SMTP authentication

Author: Eli
Date:  
To: 'Wakko Warner'
CC: 'ODHIAMBO Washington', exim-users
Subject: RE: [Exim] SMTP authentication
I have logging turned off for MySQL, and I believe that even if it was
enabled, no normal system user would be able to access that information,
as MySQL runs as a separate user/group entirely from the users, and users get
only specific database access anyways. Oh, and users don't have access to
/var/log, so they couldn't snoop in any error logfiles stored anywhere in
there :)

Eli

-----Original Message-----
From: Wakko Warner [mailto:wakko@animx.eu.org]
Sent: Friday, June 20, 2003 12:39 PM
To: Eli
Cc: 'ODHIAMBO Washington'; exim-users@???
Subject: Re: [Exim] SMTP authentication


> begin authenticators
>
> plain_login:
>         driver                  = plaintext
>         public_name             = PLAIN
>         server_condition        = ${lookup mysql{SELECT '1' FROM users WHERE \
>                 CONCAT(user, '@', host) = '${quote_mysql:$2}' AND \
>                 pass = '${quote_mysql:$3}'} {yes}{no}}
>         server_set_id           = $2
>
> fixed_login:
>         driver                  = plaintext
>         public_name             = LOGIN
>         server_prompts          = "Username:: : Password::"
>         server_condition        = ${lookup mysql{SELECT '1' FROM users WHERE \
>                 CONCAT(user, '@', host) = '${quote_mysql:$1}' AND \
>                 pass = '${quote_mysql:$2}'} {yes}{no}}
>         server_set_id           = $1


I wouldn't do this because the password may be logged in the SQL log file.

You could try this using the encrypt functions (using the same salt). Have
mysql encrypt the password (pass) and have exim encrypt the password ($2)
and compare them.

It's probably safer to check the passwords in exim since they won't show.

If your passwords are already encrypted, you shouldn't have a problem
provided that the cleartext password is never sent to mysql.

--
Lab tests show that use of micro$oft causes cancer in lab animals
---
[This E-mail scanned for viruses]
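
The approach suggested in the thread (compare the hashes inside Exim so the cleartext password is never sent to MySQL), written out as an added example that is not part of either message. It assumes the `pass` column already holds a crypt(3)-format hash and that Exim was built with `crypteq` and MySQL lookup support; table and column names are taken from the quoted configuration.

```exim
begin authenticators

# Added example, not from the original thread.
# The SQL query carries only the username. MySQL returns the stored hash,
# and Exim's crypteq condition hashes the supplied password locally (using
# the salt embedded in the stored hash) and compares the two. Nothing that
# MySQL logs can contain the cleartext password.
# Assumption: users.pass holds a crypt(3)-format hash.

plain_login:
        driver                  = plaintext
        public_name             = PLAIN
        # PLAIN: $2 = username, $3 = password (as in the quoted block)
        server_condition        = ${if crypteq{$3}{${lookup mysql{\
                SELECT pass FROM users WHERE \
                CONCAT(user, '@', host) = '${quote_mysql:$2}'}\
                {$value}fail}}{yes}{no}}
        server_set_id           = $2

fixed_login:
        driver                  = plaintext
        public_name             = LOGIN
        server_prompts          = "Username:: : Password::"
        # LOGIN: $1 = username, $2 = password (as in the quoted block)
        server_condition        = ${if crypteq{$2}{${lookup mysql{\
                SELECT pass FROM users WHERE \
                CONCAT(user, '@', host) = '${quote_mysql:$1}'}\
                {$value}fail}}{yes}{no}}
        server_set_id           = $1
```

An unknown user makes the lookup take the `fail` branch, which forces the expansion to fail and so rejects the authentication attempt.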

