Autor: Svein E. Seldal Data: A: list CC: exim-users Assumpte: [Exim] Re: SMTP auth, MySQL & passwords stored in clear
> Tim Jackson wrote: >
> If you are going to be using CRAM-MD5 at all, you are going to have to
> keep the passwords in plaintext on the server. (This is not a
> limitation of Exim; it's to do with the algorithm, which requires the
> plaintext password to be available at the server end in order to
> compute a hash)
I dont get it. I have a server with a sendmail MTA. It is able to use
CRAM-MD5 without using having the password available in cleartext. It
reads the /etc/shadow (which IFAIK is one-way hashed, right?). How is
that possible?
In all cases, what I want is not to use plain-text AUTH because I'm not
going to use encrypted connections, hence I want CRAM-MD5. At the same
time am I not particular happy about storing the pwd's in cleartext on
the server (because its readable by root). The MySQL ENCRYPT() DECRYPT()
scheme is better. However the mysql encrypt key must be stored in the
exim config file, leaving it possible for root to get the cleartext
passwords for the user if he wants to. /etc/shadow is just beautiful
that way -- the root cannot get the passwords without using brute force
methods.
But again, sendmail seems to be able to combine CRAM-MD5 and the hashed
passwords in /etc/shadow...