Re: [exim] SASL / Realm / Multiple Domains?

Author: Phil Pennock
Date:  
To: Robert M. Münch
CC: exim-users
Subject: Re: [exim] SASL / Realm / Multiple Domains?
On 2008-11-24 at 09:05 +0100, Robert M. Münch wrote:
> On 24.11.2008, 07:31, Phil Pennock <exim-users@???> wrote:
> >> 2. Is the realm stuff required for DIGEST-MD5?
> > Yes. The realm is used in the authentication protocol. The server
> > sends a challenge which includes the realm that it is in, so needs to
> > know the realm to tell the user before the user has supplied their
> > usercode.
>
> Ok, I see. So there can be only one realm on the server side.
>
> What about the client? If Outlook uses DIGEST-MD5 is there a way to
> specify the realm it should use? Or is the realm always derived from
> the user-name/email address being the domain part?


I don't know Outlook. What is supposed to happen is that the server's
realm is presented to the user so that they can enter their usercode and
password for that realm. The realm used is the realm presented by the
server. I don't believe many clients are very good on this score.

> And one other question: Is it possible to set up different
> authentication protocols in Outlook? I didn't find a way to tell it
> to use CRAM-MD5.


Pass. Someone else who knows Outlook might comment.

> > You don't, on the same port. Further, it's not (currently) an expanded
> > string. There's not currently a way for the client to tell the server,
> > ahead of time, what host it thinks it connected to, short of listening
> > on multiple IP addresses. You might want to file a feature request for
> > server_realm to be expanded to support that.
>
> Just to be sure I understand this correctly: If the client isn't sending
> anything upfront, the server can't know which realm to send to the
> client if it's the server being the first to send the realm
> information. How would your suggestion change this?


The client connects to an IP address; on a machine with multiple IP
addresses and a server process listening on multiple IP addresses (or
INADDR_ANY) the server can tell which IP the connection was accepted on
and present a different realm based on that.

This only helps you if you can get multiple IP addresses; it helps more
with either private addressing (RFC 1918 space) or IPv6. It also only
helps if server_realm is expanded; otherwise, you're stuck running a
different server instance on each IP.

> And, how and where can I file a feature request?


If you can get multiple IPs so that this matters, then:
http://bugs.exim.org/

> Are there any newer protocols that don't have this problem that I
> can use with Exim, SASL and Outlook users?


You can avoid needing to know a realm or anything like it and just have
the login ID be an email address and use something like PLAIN/LOGIN, as
Bill suggests. Otherwise, not that I know of.

Exim isn't the issue here, since Exim can use cyrus_sasl as a library,
so anything SASL supports is supported by Exim, so you're looking at
Cyrus SASL * Outlook. There aren't many good authentication protocols
to choose from though, and my understanding is that Outlook ... does not
support a generous selection.

If you're interested in keeping an eye on what's coming, there's a new
auth protocol called SCRAM making its way through the IETF which might
become an RFC sometime soon and optimistically might be supported by
vendors of widely-deployed clients, I suppose. I also want a pony.

(In SCRAM, the client sends first, sending the usercode; it's designed
to be used inside of TLS.)

Sorry I can't help further,
-Phil
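To make the server-first versus client-first point in the thread concrete, here is an added Python illustration (not code from the thread, from Exim or from Cyrus SASL): a DIGEST-MD5 server has to pick the realm from the only per-connection hint it has, the accepting IP, and send it before the client says anything, whereas a SCRAM client-first message (or an email-address login ID with PLAIN/LOGIN) carries the user's domain before any realm decision is needed. The IP-to-realm table, addresses and nonces are constructed sample values.

```python
import re
import secrets

# Constructed table: realm to advertise per local IP the connection was
# accepted on (assumption: one realm per listening address).
REALM_BY_LOCAL_IP = {
    "192.0.2.10": "example.com",
    "192.0.2.11": "example.net",
}


def realm_for_local_ip(local_ip):
    """Server-first schemes must choose the realm before the client speaks;
    the accepting IP address is the only per-connection hint available."""
    return REALM_BY_LOCAL_IP[local_ip]


def digest_md5_challenge(realm, nonce=None):
    """Build an RFC 2831 style DIGEST-MD5 server challenge. The realm is
    sent to the client before the client has supplied any username."""
    nonce = nonce or secrets.token_urlsafe(16)
    return (f'realm="{realm}",nonce="{nonce}",qop="auth",'
            f'charset=utf-8,algorithm=md5-sess')


def parse_digest_challenge(challenge):
    """Split a challenge into its key/value directives (quotes dropped)."""
    return dict(re.findall(r'(\w+)="?([^",]*)"?', challenge))


def parse_scram_client_first(msg):
    """Parse a SCRAM client-first message such as 'n,,n=user@example.com,r=abc'.
    The client speaks first, so the username arrives before any realm is
    needed. Only an empty authzid in the GS2 header is supported here;
    '=2C' and '=3D' are SCRAM's escapes for ',' and '=' inside the name."""
    gs2_header, _, bare = msg.partition(",,")
    if gs2_header not in ("n", "y") and not gs2_header.startswith("p="):
        raise ValueError("unsupported GS2 header: %r" % gs2_header)
    attrs = dict(item.split("=", 1) for item in bare.split(","))
    attrs["n"] = attrs["n"].replace("=2C", ",").replace("=3D", "=")
    return attrs


def realm_from_login_id(login_id):
    """If the login ID is an email address (the PLAIN/LOGIN workaround in
    the thread), its domain part can stand in for a realm."""
    user, at, domain = login_id.rpartition("@")
    if not at or not user or not domain:
        raise ValueError("login id is not user@domain: %r" % login_id)
    return domain.lower()
```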