Re: [Exim] auth check ok?

Góra strony
Delete this message
Reply to this message
Autor: Wakko Warner
Data:  
Dla: Simon Bell
CC: 'Exim Users Mailing List'
Temat: Re: [Exim] auth check ok?
> I just wanted to verify that the authenticators i am planning on using are
> secure. They are simply supposed to check a plain file for
> username/passwords:
>
> fixed_plain:
>   driver = plaintext
>   public_name = PLAIN
>   server_prompts = :
>   server_condition = "${if eq\
>                       {${lookup{$2}lsearch{/usr/exim/auth}}$value}fail}}\

                                                            ^
I assume that's a typo?


>                       {$3} {yes}{no}}"
>   server_set_id = $2

>
> login:
>   driver = plaintext
>   public_name = LOGIN
>   server_prompts = Username:: : Password::
>   server_condition = "${if eq\
>                       {${lookup{$1}lsearch{/usr/exim/auth}{$value}fail}}\
>                       {$2} {yes}{no}}"
>   server_set_id = $1

>
> they appear to work in use, but are they secure?


Define secure. Using plaintext w/o TLS is not secure. By the looks of it,
sending a random username and blank password doesn't appear like it'd work.
Howwever, if you prefer to force people to have a password, you could check
to see if $2 is empty or not.

Try it for yourself with a username that doesn't exist and a blank password.

--
Lab tests show that use of micro$oft causes cancer in lab animals