Re: [exim] A question on SMTP AUTH MySQL and Conditional Syn…

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: exim.ml@riotm.co.uk
Dátum:  
CC: exim-users
Tárgy: Re: [exim] A question on SMTP AUTH MySQL and Conditional Syntax
On Fri, 2010-04-23 at 15:15 +0200, Chris Wilson wrote:
> Hi Exim.Ml,
>
> On Fri, 23 Apr 2010, exim.ml@??? wrote:
>
> > plain:
> > driver                          = plaintext
> > public_name                     = PLAIN
> > #server_advertise_condition     = ${if eq{$tls_cipher}{}{no}{yes}}
> > server_condition                = ${if crypteq {$3}{\{sha1\}${lookup
> > mysql{ \
> > SELECT userpassword \
> > FROM mailusers \
> > WHERE email='${quote_mysql:$2}' \
> > AND outbound=1 \}}}{yes}{no}}
> > server_set_id= $2
> ...
> > That would be mighty fine if the password values in the backend MySQL
> > database were not one-way hashed with: MD5('password').

> >
> > Other than the option of storing the passwords in the clear (or sticking
> > with plan 'a' to use Dovecot), does anyone know how I could 'rephrase
> > the question' directly in the authenticator to get the desired result?
>
> Two ways, either use Exim's MD5 function:
>
>    http://www.exim-users.org/forums/showthread.php?p=211700

That is mighty fine and beautiful thing to see :-) Thank you.
>
> or let the database do it:
>
>    select 1 from mailusers where email='${quote_mysql:$2}' and userpassword
>      = md5('${quote_mysql:$3}') and outbound = 1

That's what I was hoping to be able to do. Where I am getting confused
(and you've picked it up) was this line:

crypteq {$3}{\{sha1\}
I can't honestly decipher that (yet) but a guess would be that it
results in the salted hash 1 of $3 - which you are quite right, I don't
want! (I suspect I've pinched this example from someone who has
passwords in a MySQL database al la SHA1).

My confusion stems from the test for {yes}{no} and crypteq{$3}. In my
logic I would assume that Exim is this testing the value of crypteq{$3}
against the database return??? But I think I wholly wrong on that
because your SELECT 1 WHERE .... example would break that theory. If it
worked the way I thought it worked I could probably do:

crypteq {$3}{\{md5\} ...

But I'm starting to think that if the database gets a hit - then ${s3}
gets the {yes} ELSE it gets the {no}. If I've got that bit right Chris
then I've finally 'got' something fundamental with Exim logic today and
I'm indebted to you - thanks!



>
>
> > Basically I need to translate into Exim:
> > If the MD5 value of the (base64) decrypted value of $3 is equal to the
> > database field 'userpassword' then the test succeeds (yes) - If not it
> > fails (no) - or some other way of achieving the same thing?
>
> By the way, base64 is not encryption, it's a very basic obfuscation at
> best. Calling it "encryption" will get you tied up in knots with crypteq,
> sha1 and md5.

Fully understand that - bad choice of words.
>
> Speaking of which, I really don't know what the call to "crypteq
> {$3}{\{sha1\}" is doing in your condition. I don't think it should be
> there.
>
> > Apologies if the question is stupid. This is all quite new to me, but
> > I'm clawing my way up the steep learning curve. Any useful comments or
> > advice is gratefully received.
>
> It's not a stupid question and you don't need to apologise for asking it.
> It's the right level of technical detail for this list.

I don't like to ask and put people out and I appreciate the time you
have taken to put me right. Thank you.
>
> Cheers, Chris.
> -- 
> _ ___ __     _
>   / __/ / ,__(_)_  | Chris Wilson <0000 at qwirx.com> - Cambs UK |
> / (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Perl/SQL/HTML Developer |
> \ _/_/_/_//_/___/ | We are GNU-free your mind-and your software |

>