[Exim] SMTP auth, MySQL & passwords stored in clear

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Konrad Michels
Date:  
À: Exim Mailing List
Sujet: [Exim] SMTP auth, MySQL & passwords stored in clear
Hi Folks
Someone has probably asked this before (can't recall seeing anything
about it in the last couple of thousand mails!), so apologies if this is
covering old ground again.

I've just setup a Exim 4.30 on a linux box, built with AUTH and MYSQL
lookups enabled. I've done the configs, and have managed to get plain
and login authentication working with the following authenticators:

mysql_plain:
driver = plaintext
public_name = PLAIN
server_condition = "${if eq{$3} \
{${lookup mysql{SELECT passwd FROM smtpauth \
WHERE login='${local_part:$2}'}{$value}{false}}}{1}{0}}"
server_prompts= "Login::"
server_set_id=$2

mysql_login:
driver = plaintext
public_name = LOGIN
server_condition = "${if eq{$2} \
{${lookup mysql{SELECT passwd FROM smtpauth \
WHERE login='${local_part:$1}'}{$value}{false}}}{1}{0}}"
server_prompts= "Username:: : Password:: "
server_set_id=$1

This seems to work fine, except for one thing: the passwords in the
database have to be stored in plain text, which is not entirely the best
thing. I've been dredging the docs and Google to see if there's some
built-in Exim functionality which will let me specify in the lookup that
the passwd is encrypted but can't seem to find anything. Any pointers?

The other thing that has got me flummoxed is getting the same
authenticator working for cram_md5 - I just can't seem to get the mysql
lookup syntax right. If I can get cram_md5 working, I'll be less fussed
about the plaintext passwords, but it would still be nice to get both
fixed.

Thanks in advance for your valuable time!

Konrad


--
***********************************************************
* Konrad Michels
* IT Manager
* Surfkitchen Limited
* +441189298079
***********************************************************

The information contained in this message is confidential. It is
intended solely for the use of the individual or entity to whom it is
addressed and other authorised to receive it. If the reader of this
message is not the intended recipient, you are hereby notified that any
use, copying, dissemination or disclosure of this information is
strictly prohibited. If you are not the intended recipient, please
delete it immediately and contact the sender by e-mail or telephone.
Internet e-mails are not necessarily secure. SurfKitchen accepts no
responsibility either for breaches of confidence that may arise through
the use of this medium or for changes to any e-mail which occur after
the e-mail has been sent.