[Exim] Re: SMTP auth, MySQL & passwords stored in clear

Author: Svein E. Seldal
Date:  
To: list
CC: exim-users
Subject: [Exim] Re: SMTP auth, MySQL & passwords stored in clear
> Tim Jackson wrote:
>
> If you are going to be using CRAM-MD5 at all, you are going to have to
> keep the passwords in plaintext on the server. (This is not a
> limitation of Exim; it's to do with the algorithm, which requires the
> plaintext password to be available at the server end in order to
> compute a hash)


I don't get it. I have a server with a sendmail MTA. It is able to use
CRAM-MD5 without having the password available in cleartext. It
reads the /etc/shadow (which AFAIK is one-way hashed, right?). How is
that possible?

In all cases, what I want is not to use plain-text AUTH because I'm not
going to use encrypted connections, hence I want CRAM-MD5. At the same
time I am not particularly happy about storing the passwords in cleartext on
the server (because it's readable by root). The MySQL ENCRYPT() DECRYPT()
scheme is better. However, the mysql encrypt key must be stored in the
exim config file, leaving it possible for root to get the cleartext
passwords for the user if he wants to. /etc/shadow is just beautiful
that way -- root cannot get the passwords without using brute force
methods.

But again, sendmail seems to be able to combine CRAM-MD5 and the hashed
passwords in /etc/shadow...

Regards,
Svein
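Editor's note: the exchange the thread is arguing about, written out from both sides as an added example. This is not code from the original post, from Exim or from sendmail; the user name, password, salt and the candidate list are constructed for the demonstration, and PBKDF2-SHA256 is used as a stand-in for the one-way crypt(3) hash in /etc/shadow. The point it shows is the one in Tim's reply: the server recomputes HMAC-MD5 keyed with the password, so a server that only holds a one-way hash can do nothing better than guess candidate passwords.

```python
"""CRAM-MD5 (RFC 2195) from both sides, and why the server needs the password."""
import base64
import hashlib
import hmac
import os
import time

# Constructed test credentials for this example only.
USERNAME = "svein"
PASSWORD = "correct horse"


def make_challenge(hostname="mail.example.org", pid=None, now=None):
    """Server: build the '<pid.timestamp@host>' challenge, base64 it (sent after '334 ')."""
    pid = os.getpid() if pid is None else pid
    now = int(time.time()) if now is None else now
    return base64.b64encode(f"<{pid}.{now}@{hostname}>".encode()).decode()


def decode_challenge(challenge_b64):
    """Undo the base64 wrapping to get the raw challenge bytes that are MACed."""
    return base64.b64decode(challenge_b64)


def client_response(username, password, challenge_b64):
    """Client: HMAC-MD5 keyed with the *password* over the decoded challenge."""
    digest = hmac.new(password.encode(), decode_challenge(challenge_b64), hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()


def parse_response(response_b64):
    """Split the client's base64 line into (username, hex digest)."""
    username, digest = base64.b64decode(response_b64).decode().split(" ", 1)
    return username, digest


def server_verify(response_b64, challenge_b64, password_store):
    """Server holding the password (or an equivalent HMAC key): recompute, compare."""
    username, digest = parse_response(response_b64)
    password = password_store.get(username)
    if password is None:
        return False
    expected = hmac.new(password.encode(), decode_challenge(challenge_b64), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


# --- one-way storage, standing in for an /etc/shadow style entry ---

def one_way_hash(password, salt, rounds=100_000):
    """Salted, iterated one-way hash (PBKDF2-SHA256 here; crypt(3) fills this role on a real box)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def server_verify_one_way(response_b64, challenge_b64, shadow_store, candidates):
    """Server that only holds a one-way hash. It cannot key HMAC-MD5 with a secret it does
    not have, so the only option is to guess: hash each candidate, and for the one that
    matches the stored hash, run the HMAC. Returns (ok, number_of_guesses_made)."""
    username, digest = parse_response(response_b64)
    entry = shadow_store.get(username)
    if entry is None:
        return False, 0
    salt, stored = entry
    challenge = decode_challenge(challenge_b64)
    for i, guess in enumerate(candidates, start=1):
        if hmac.compare_digest(one_way_hash(guess, salt), stored):
            expected = hmac.new(guess.encode(), challenge, hashlib.md5).hexdigest()
            return hmac.compare_digest(expected, digest), i
    return False, len(candidates)


def demo():
    """One full exchange against a plaintext store and against a one-way store."""
    chal = make_challenge(pid=1896, now=697170952)  # fixed values so the run is repeatable
    resp = client_response(USERNAME, PASSWORD, chal)
    plain_ok = server_verify(resp, chal, {USERNAME: PASSWORD})
    salt = b"constructed-salt"
    shadow = {USERNAME: (salt, one_way_hash(PASSWORD, salt))}
    hash_ok, tries = server_verify_one_way(resp, chal, shadow, ["hunter2", "letmein", PASSWORD])
    return plain_ok, hash_ok, tries


if __name__ == "__main__":
    print(demo())
```

Two things worth noting when reading this. First, `server_verify_one_way` only "works" because the real password happens to be on its candidate list; against a one-way hash the server is in exactly the brute-force position the post describes for root, which is why a CRAM-MD5 server keeps the password or something equivalent to it. Second, some implementations store the precomputed inner and outer MD5 states of the HMAC instead of the password; that avoids the literal cleartext, but anyone who reads those states can authenticate as the user, so it is password-equivalent, not one-way in the /etc/shadow sense.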