On 2010-06-29 at 15:17 +0200, Leonardo wrote:
> fixed_login:
> driver = plaintext
> public_name = LOGIN
> server_prompts = User Name : Password
> server_condition = \
> ${if and {{eq{$1}{joe|jane|nick}}{eq{$2}{abcd1234}}}{yes}{no}}
> server_set_id = $1
You are allowing plaintext authentication without TLS. That is unwise.
eq{}{} does literal string comparison.
For the auth variables, if you use $auth1 instead of $1 then you'll also
avoid any problems with match{}{} *also* using $1 for capturing.
Doesn't look like this would affect your usage here, or with match{}{}
but it's better to move to clearly separate variables.
> This does not work either:
>
> ${if and {{match{$1}{joe|jane|nick}}{eq{$2}{abcd1234}}}{yes}{no}}
That should have "worked", but note that the matching is unanchored by
default, so you want {\N^joe|jane|nick$\N} instead.
I don't have time to check, but if you switch the $2 to $auth2 and it
then works, please file a bug -- $1,... are not supposed to be capturing
patterns until in the success branch.
> Only specifying a single name seems to work. However, I prefer not to
> have all users authenticate with a single login:
>
> ${if and {{eq{$1}{joe}}{eq{$2}{abcd1234}}}{yes}{no}} # this works
auth_plain:
driver = plaintext
public_name = PLAIN
server_advertise_condition = ${if def:tls_cipher}
server_prompts = :
server_condition = ${lookup{$auth2}lsearch{RUNAUTHDIR/mail-passwords}\
{${if eq{$value}{$auth3}{yes}{no}}}{no}}
server_set_id = ${quote:$auth2}
and similarly for LOGIN instead of PLAIN (but use $auth1/$auth2 instead
of $auth2/$auth3). Here, RUNAUTHDIR is a macro I've defined to point to
a directory, and mail-passwords contains the passwords in plaintext.
The mail-passwords file then looks like:
----------------------------8< cut here >8------------------------------
# *** IMPORTANT ***
# Dictionary attacks against SMTP servers to be able to send spam
# are a REAL problem; we do *NOT* allow users to set their own passwords.
# We generate random passwords and rely upon the passwords being put into
# the mail-program config. The user is permitted to keep the password
# written down, since it *MUST* *ONLY* be used to permit sending mail as
# that user, not for anything else (including shell login, mail reading
# access, whatever).
#
# Besides, we keep the passwords in plain-text in this file.
#
# Recommended password generation:
# openssl rand -base64 15
# and probably skip those with a '+' or '/' in, for now
joe: 5RajhsI6WqTYIsK4hr4p
----------------------------8< cut here >8------------------------------
and here, the 5R...4p stuff is the actual password. I have used just
this scheme and explained to users that it's *okay* to write *this*
password on a post-it note, or to tell their mail-program to remember it
(which they'll do anyway ...).
You can then also have:
auth_cram:
driver = cram_md5
public_name = CRAM-MD5
server_secret = ${lookup{$auth1}lsearch{RUNAUTHDIR/mail-passwords}{$value}fail}
server_set_id = ${quote:$auth1}
to support better authentication protocols using the same password
store.
Bonus points for then restricting to ports 463/587 to keep auth off port
25.
-Phil
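Added example (mine, not Phil's or Exim's code) modelling both authenticators above in Python: a simplified lsearch over a constructed mail-passwords file, the PLAIN check of $auth3 against the lookup on $auth2, and the CRAM-MD5 challenge/response whose verification is why server_secret needs the plaintext password. The file contents, challenge and password are constructed, and the function names are my own.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for the RUNAUTHDIR/mail-passwords file in Exim lsearch
# format ("key: value" per line, '#' comments ignored); the password is made up.
MAIL_PASSWORDS = """\
# generated with: openssl rand -base64 15
joe: 5RajhsI6WqTYIsK4hr4p
"""

def lsearch(data, key):
    """Simplified Exim lsearch: value of the first 'key: value' line for key."""
    for line in data.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        k, sep, v = line.partition(":")
        if sep and k.strip() == key:
            return v.strip()
    return None  # the {no} / {fail} branch in the Exim config

def plain_initial_response(authzid, user, password):
    """Client side of AUTH PLAIN: base64(authzid NUL authcid NUL password)."""
    return base64.b64encode(f"{authzid}\0{user}\0{password}".encode()).decode()

def verify_plain(data, initial_response_b64):
    """Server side of PLAIN: the three fields are Exim's $auth1, $auth2, $auth3."""
    parts = base64.b64decode(initial_response_b64).split(b"\0")
    if len(parts) != 3:
        return None
    auth2 = parts[1].decode()
    stored = lsearch(data, auth2)
    if stored is None or not hmac.compare_digest(stored.encode(), parts[2]):
        return None
    return auth2  # what server_set_id = ${quote:$auth2} records

def cram_md5_response(user, password, challenge):
    """Client side of CRAM-MD5 (RFC 2195): HMAC-MD5 over the challenge, keyed by the password."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()

def verify_cram_md5(data, challenge, response_b64):
    """Server side: recomputing the HMAC needs the plaintext secret (server_secret)."""
    user, _, digest = base64.b64decode(response_b64).decode().rpartition(" ")
    secret = lsearch(data, user)  # Exim's cram_md5 puts the user name in $auth1
    if secret is None:
        return None
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return user if hmac.compare_digest(expected.encode(), digest.encode()) else None
```

Running verify_cram_md5 with a challenge such as b"<1234.1277817420@mail.example.org>" and a response built by cram_md5_response for "joe" returns "joe"; a wrong password or an unknown user returns None.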