RE: [Exim] SMTP authentication

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Eli
Dátum:  
Címzett: 'Wakko Warner'
CC: 'ODHIAMBO Washington', exim-users
Tárgy: RE: [Exim] SMTP authentication
I have logging turned off for MySQL, and I believe that even if it was
enabled that no normal system user would be able to access that information
as MySQL runs as separate user/group entirely than users, and users get only
specific database access anyways. Oh and users don't have access to
/var/log, so they couldn't snoop in any error logfiles stored anywhere in
there :)

Eli

-----Original Message-----
From: Wakko Warner [mailto:wakko@animx.eu.org]
Sent: Friday, June 20, 2003 12:39 PM
To: Eli
Cc: 'ODHIAMBO Washington'; exim-users@???
Subject: Re: [Exim] SMTP authentication


> begin authenticators
>
> plain_login:
>         driver                  = plaintext
>         public_name             = PLAIN
>         server_condition        = ${lookup mysql{SELECT '1' FROM users

WHERE
> CONCAT(user, '@', host) = '${quote_mysql:$2}' AND
>  pass = '${quote_mysql:$3}'} {yes}{no}}
>         server_set_id           = $2

>
> fixed_login:
>         driver                  = plaintext
>         public_name             = LOGIN
>         server_prompts          = "Username:: : Password::"
>         server_condition        = ${lookup mysql{SELECT '1' FROM users

WHERE
> CONCAT(user, '@', host) = '${quote_mysql:$1}' AND
>  pass = '${quote_mysql:$2}'} {yes}{no}}
>         server_set_id           = $1


I wouldn't do this because the password may be logged in the SQL log file.

You could try this using the encrypt functions (using the same salt). Have
mysql encrypt the password (pass) and have exim encrypt the password ($2)
and compare them.

It's probably safer to check the passwords in exim since they won't show.

If your passwords are already encrypted, you shouldn't have a problem
provided that the cleartext password is never sent to mysql.

--
Lab tests show that use of micro$oft causes cancer in lab animals
---
[This E-mail scanned for viruses]


---
[This E-mail scanned for viruses]