> I just wanted to verify that the authenticators I am planning on using are
> secure. They are simply supposed to check a plain file for
> username/passwords:
>
> fixed_plain:
> driver = plaintext
> public_name = PLAIN
> server_prompts = :
> server_condition = "${if eq\
> {${lookup{$2}lsearch{/usr/exim/auth}}$value}fail}}\
^
I assume that's a typo?
> {$3} {yes}{no}}"
> server_set_id = $2
>
> login:
> driver = plaintext
> public_name = LOGIN
> server_prompts = Username:: : Password::
> server_condition = "${if eq\
> {${lookup{$1}lsearch{/usr/exim/auth}{$value}fail}}\
> {$2} {yes}{no}}"
> server_set_id = $1
>
> they appear to work in use, but are they secure?
Define secure. Using plaintext w/o TLS is not secure. By the looks of it,
sending a random username and blank password doesn't appear like it'd work.
However, if you prefer to force people to have a password, you could check
to see if $2 is empty or not.
Try it for yourself with a username that doesn't exist and a blank password.
--
Lab tests show that use of micro$oft causes cancer in lab animals
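
Added example, not part of the original messages: a Python model of the check made by the posted PLAIN authenticator. It shows that an AUTH PLAIN response is only base64-encoded, and how the `fail` branch and a non-empty password test treat an unknown user with a blank password. The file contents, function names and simplified lsearch parsing are assumptions made for illustration.

```python
import base64

# Constructed stand-in for /usr/exim/auth (lsearch format: "key: data").
AUTH_FILE = "alice: s3cret\nbob: hunter2\n"

def lsearch(key, text=AUTH_FILE):
    """Simplified lsearch: return the data for key, or None on a miss."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, data = line.partition(":")
        if name.strip() == key:
            return data.strip()
    return None

def encode_plain(user, password):
    # What a client sends for AUTH PLAIN: base64 is an encoding, not encryption.
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()

def decode_plain(b64):
    """Split an AUTH PLAIN response into the fields Exim exposes as $1, $2, $3."""
    parts = base64.b64decode(b64).decode().split("\0")
    if len(parts) != 3:
        raise ValueError("expected authzid NUL authcid NUL password")
    return parts

def check(user, password, miss_is_empty=False, require_password=True):
    """Model of the posted server_condition.

    miss_is_empty=False models {$value}fail: a lookup miss is a forced
    failure, which Exim treats as an authentication failure.
    miss_is_empty=True models a lookup whose miss expands to "".
    """
    stored = lsearch(user)
    if stored is None:
        if not miss_is_empty:
            return False
        stored = ""
    if require_password and password == "":
        return False  # the extra "is $3 empty" test suggested in the reply
    return stored == password

def auth_plain(b64, **kw):
    _, user, password = decode_plain(b64)
    return check(user, password, **kw)
```

Anyone who can read the unencrypted session can run the same decoding step on the captured response, which is why the authenticator should only be offered over TLS.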