Re: [Exim] SMTP auth, MySQL & passwords stored in clear

Author: Jez Hancock
Date:  
To: Konrad Michels
CC: Exim Mailing List
Subject: Re: [Exim] SMTP auth, MySQL & passwords stored in clear
On Wed, Jan 07, 2004 at 04:20:35PM +0000, Konrad Michels wrote:
> I've just setup a Exim 4.30 on a linux box, built with AUTH and MYSQL
> lookups enabled. I've done the configs, and have managed to get plain
> and login authentication working with the following authenticators:

<snip>
> This seems to work fine, except for one thing: the passwords in the
> database have to be stored in plain text, which is not entirely the best
> thing. I've been dredging the docs and Google to see if there's some
> built-in Exim functionality which will let me specify in the lookup that
> the passwd is encrypted but can't seem to find anything. Any pointers?

One idea could be to use the MySQL ENCODE() function to encode the
password strings submitted using a secret key which you'd store in the
exim config file. If the resulting encoded string matches that stored
in the db, accept the connection, otherwise deny.

This scheme would obviously require that you ENCODE() the password
strings in the first place when they're entered into the db originally
(or subsequently changed), but this would be the same for any other
hashing method of course :P

Using the MySQL ENCODE() function has the added benefit that you can
actually DECODE() password strings as well using the secret key -
a bonus for sending out forgotten passwords.

Just an idea.

The encode/decode functions are detailed here:

http://www.mysql.com/doc/en/Miscellaneous_functions.html

--
Jez Hancock
- System Administrator / PHP Developer

http://munk.nu/
http://jez.hancock-family.com/  - personal weblog
http://ipfwstats.sf.net/        - ipfw peruser traffic logging
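A worked illustration of the verification step the thread is about, added here as an example; it is not code from the original message, from Exim or from MySQL. It decodes a SASL PLAIN response (the fields Exim exposes as $auth2 and $auth3) and checks the password against a constructed user table under two storage models: a reversible keyed scheme standing in for the role ENCODE()/DECODE() play in the reply (an HMAC-derived XOR keystream, not MySQL's actual algorithm), and a salted one-way hash. The secret, salt, account and client response are all constructed values.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for the key the reply suggests keeping in the exim config.
CONFIG_SECRET = b"example-secret-from-exim-config"


def keyed_encode(password: bytes, key: bytes) -> bytes:
    """Reversible keyed encoding: XOR the password with an HMAC-SHA256 keystream.

    Stand-in for the ENCODE(str, key) idea in the reply; this is NOT the
    algorithm MySQL's ENCODE() uses.
    """
    stream = b""
    counter = 0
    while len(stream) < len(password):
        stream += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(p ^ s for p, s in zip(password, stream))


# XOR is its own inverse, so the same function is the DECODE() counterpart:
# anyone holding both the table and the key recovers every password.
keyed_decode = keyed_encode


def salted_hash(password: bytes, salt: bytes) -> bytes:
    """One-way alternative: per-user salt plus SHA-256; cannot be reversed."""
    return hashlib.sha256(salt + password).digest()


def parse_sasl_plain(b64: str):
    """Decode a SASL PLAIN initial response: authzid \\0 authcid \\0 passwd.

    For the plain authenticator Exim exposes authcid as $auth2 and the
    password as $auth3.
    """
    raw = base64.b64decode(b64, validate=True)
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("malformed SASL PLAIN response")
    _authzid, authcid, passwd = parts
    return authcid.decode("utf-8"), passwd


def verify_encoded(table: dict, user: str, passwd: bytes) -> bool:
    """Accept if ENCODE()-style value of the offered password matches the row."""
    row = table.get(user)
    if row is None:
        return False
    # compare_digest avoids leaking the match position through timing
    return hmac.compare_digest(keyed_encode(passwd, CONFIG_SECRET), row)


def verify_hashed(table: dict, user: str, passwd: bytes) -> bool:
    """Accept if the salted hash of the offered password matches the row."""
    row = table.get(user)
    if row is None:
        return False
    salt, digest = row
    return hmac.compare_digest(salted_hash(passwd, salt), digest)


# Constructed sample account stored both ways.
SAMPLE_PASSWORD = b"s3cret"
SAMPLE_SALT = b"constructed-salt"
ENCODED_TABLE = {"alice": keyed_encode(SAMPLE_PASSWORD, CONFIG_SECRET)}
HASHED_TABLE = {"alice": (SAMPLE_SALT, salted_hash(SAMPLE_PASSWORD, SAMPLE_SALT))}

# Constructed client response: empty authzid, user "alice", password "s3cret".
SAMPLE_AUTH = base64.b64encode(b"\x00alice\x00s3cret").decode("ascii")


if __name__ == "__main__":
    user, passwd = parse_sasl_plain(SAMPLE_AUTH)
    print("encoded table accepts:", verify_encoded(ENCODED_TABLE, user, passwd))
    print("hashed table accepts: ", verify_hashed(HASHED_TABLE, user, passwd))
    # The "forgotten password" bonus is also the exposure: key + table = password.
    print("recovered:", keyed_decode(ENCODED_TABLE[user], CONFIG_SECRET))
```

The example makes the trade-off in the reply concrete: the keyed scheme lets an administrator recover and mail out a forgotten password, and for the same reason an attacker who obtains both the database and the exim config file recovers every password too, while the hashed table gives up nothing. Exim itself ships a `crypteq` expansion condition that compares a clear-text password against a stored hash with a `{crypt}`, `{md5}` or `{sha1}` prefix, which is the usual way to answer the original question without a reversible key.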