Re: [exim] Authentication for sending

Pàgina inicial
Delete this message
Reply to this message
Autor: Michael Johnson
Data:  
A: exim-users
Assumpte: Re: [exim] Authentication for sending
On Oct 21, 2004, at 3:22 PM, Giuliano Gavazzi wrote:

> At 2:56 pm -0400 2004/10/21, Michael Johnson wrote:
>> On Oct 21, 2004, at 1:47 PM, Giuliano Gavazzi wrote:
> [...]
>>> In your case, if I recall correctly, you want to look up passwords
>>> for cram-md5, but in this case, I repeat, you need clear text
>>> passwords and I would NOT use netinfo to store those, as anyone who
>>> can gain access to the database would be able to read them.
>>
>> So you're saying I can't use /etc/pam.d/exim to access the PAM
>> functions? I
>
> yes you can, but that will not return passwords in clear, it will just
> validate passwords.


Okay...sometimes I'm slow, but I eventually get it. I think...

>> thought the idea behind using PAM was so you could keep the
>> encryption and have it be a translator as it were.
>>
>> It seems I'm stuck using the old method of having a file with "user :
>> pass" and restricting it to chmod 400 with exim as the owner. Is
>> there no way to get the pam lookups working on OS X right now?
>
> yes, as I said, but it will only work for Login and Plain
> authentication, where the password is passed in clear (over SSL
> usually) by the client.


Basically, now I need to set up my server using SSL. I don't think
that should be too difficult. It's probably a better solution.

>> Is there something specific in this setup which keeps it from
>> authenticating? This is basicaly the only PAM authenticator I've
>> seen in Googling, regardless of platform with only changes from the
>> $1 and $2 to being $2 and $3.
>
> this I guess will only work if the password is 0... as the server
> secret will always be the boolean result from the $if, that is going
> to be the false value.


I recall reading something late the other night about how the value
starting with a 0 or 000. It's all a blur now.

> What stops you from using Login authentication (over SSL)?


Most likely stubbornness. I was set on doing it one way without
thinking of a different, possibly better way.

> and enforce encryption (except locally):
>
>
> acl_check_auth:
>     accept hosts = 127.0.0.1

>
>     accept encrypted = *
>     accept condition = ${if eq{${uc:$smtp_command_argument}}\
>                         {CRAM-MD5}{yes}{no}}
>     deny   message   = TLS encryption or CRAM-MD5 required


I don't have anything like this already in the configure file. Where
would this go? In the same section as the authenticators? In the ACL
section? In the main configuration settings?

-Michael

----------------------
English women don't pump gas naked!

                --Marge Simpson