Re: [exim] Authentication for sending

Pàgina inicial
Delete this message
Reply to this message
Autor: Giuliano Gavazzi
Data:  
A: Michael Johnson, exim-users
CC: 
Assumpte: Re: [exim] Authentication for sending
At 2:56 pm -0400 2004/10/21, Michael Johnson wrote:
>On Oct 21, 2004, at 1:47 PM, Giuliano Gavazzi wrote:

[...]
>>In your case, if I recall correctly, you want to look up passwords
>>for cram-md5, but in this case, I repeat, you need clear text
>>passwords and I would NOT use netinfo to store those, as anyone who
>>can gain access to the database would be able to read them.
>
>So you're saying I can't use /etc/pam.d/exim to access the PAM functions? I


yes you can, but that will not return passwords in clear, it will
just validate passwords.

> thought the idea behind using PAM was so you could keep the
>encryption and have it be a translator as it were.
>
>It seems I'm stuck using the old method of having a file with "user
>: pass" and restricting it to chmod 400 with exim as the owner. Is
>there no way to get the pam lookups working on OS X right now?


yes, as I said, but it will only work for Login and Plain
authentication, where the password is passed in clear (over SSL
usually) by the client.

>What I have, and it's not working at the moment, is this:
>
>begin authenticators
>fixed_cram:
>         driver = cram_md5
>         public_name = CRAM-MD5
>         server_secret = ${if and        {\
>                         {!eq{$1}{}}\
>                         {!eq{$2}{}}\
>                         {pam{$1:${sg{$2}{:}{::}}}}\
>                                 }\
>                 {yes}{no}}

>
>        server_set_id = $1

>
>Is there something specific in this setup which keeps it from
>authenticating? This is basicaly the only PAM authenticator I've
>seen in Googling, regardless of platform with only changes from the
>$1 and $2 to being $2 and $3.


this I guess will only work if the password is 0... as the server
secret will always be the boolean result from the $if, that is going
to be the false value.
What stops you from using Login authentication (over SSL)?

login:
   driver = plaintext
   public_name = LOGIN
   server_prompts = "Username:: : Password::"
   server_condition=${if and     {\
                                         {!eq{$1}{}}\
                                         {!eq{$2}{}}\
                                         {pam{$1:${sg{$2}{:}{::}}}}\
                                 }\
                 {yes}{no}}


plain:
   driver = plaintext
   public_name = PLAIN
   server_prompts =  :
   server_condition=${if and     {\
                                         {!eq{$2}{}}\
                                         {!eq{$3}{}}\
                                         {pam{$2:${sg{$3}{:}{::}}}}\
                                 }\
                 {yes}{no}}



and enforce encryption (except locally):


acl_check_auth:
     accept hosts = 127.0.0.1


     accept encrypted = *
     accept condition = ${if eq{${uc:$smtp_command_argument}}\
                         {CRAM-MD5}{yes}{no}}
     deny   message   = TLS encryption or CRAM-MD5 required



Giuliano