Re: [exim] SASL / Realm / Multiple Domains?

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Phil Pennock
Dátum:  
Címzett: Unique_User
CC: exim-users
Tárgy: Re: [exim] SASL / Realm / Multiple Domains?
On 2008-11-23 at 00:56 -0800, Unique_User wrote:
> Hi, I'm using Exim4 with SASL authentification. I use CRAM-MD5 and
> DIGEST-MD5. The latter to support Outlook users because Outlook tries a
> DIGEST-MD5 authentification by default and you can't tell it to use CRAM-MD5
> or so.


Not a great loss; I'm not a cryptanalyst but my understanding is that
CRAM-MD5 is more affected by the MD5 breaks than is DIGEST-MD5.
CRAM-MD5 is nice and simple, though. (I've written code that implements
both; the specification for DIGEST-MD5 leaves something to be desired,
but it does a lot more so it's not a fair comparison).

> 1. I don't think that I need "server_realm" for CRAM-MD5, correct? If not,
> what is it used for?


I believe that you're correct.

> 2. Is the realm stuff required for DIGEST-MD5?


Yes. The realm is used in the authentication protocol. The server
sends a challenge which includes the realm that it is in, so needs to
know the realm to tell the user before the user has supplied their
usercode.

> 3. I need to use two different calls to add user/passwords to the password
> database depending on the user using Outlook or not:
>
> a) Non Outlook users:saslpasswd2 -c usaer@???
> b) Outlook users: saslpasswd2 -u mydomain.com -c username
>
> But if the realm is hardcoded in the config file, how do I support Outlook
> users from different domains?


You don't, on the same port. Further, it's not (currently) an expanded
string. There's not currently a way for the client to tell the server,
ahead of time, what host it thinks it connected to, short of listening
on multiple IP addresses. You might want to file a feature request for
server_realm to be expanded to support that.

> The only change I see at the moment is, to make user names not based on the
> email address but use a realm that is the same for all users.


Yes, you need to go that route.

> Or am I missing something in the whole setup?


Older protocols rely on the server to know what it is, instead of
allowing virtual hosting, which makes things awkward for the people who
need to run the actual systems.

-Phil