Re: [exim] Setup Authentication to pass regardless of whethe…

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: John Jetmore
Dátum:  
Címzett: Andrew D
CC: Exim Users List
Tárgy: Re: [exim] Setup Authentication to pass regardless of whether the auth info is correct or not
On Fri, Nov 12, 2010 at 11:30 AM, Andrew D <awd-exim@???> wrote:
> Hi All,
>
> I need to set up a mail server that is able to allow users to relay
> regardless of whether the authentication information valid or not.
>
> It needs to support SPA and cram-md5, I've already got plain to work.


I don't think that CRAM-MD5 or SPA will work using the native auth
types (because in those types you provide the library w/ a plaintext
version of the password and the library does the "is it correct" match
for you. However, you can fake CRAM-MD5 using the plaintext driver:

auth_cram:
driver = plaintext
public_name = CRAM-MD5
server_prompts = <26608.1289583922@???>
server_condition = ${if eq {}{}{yes}{no}}
server_set_id = $1

Here's an example of the SMTP transaction:

~> AUTH CRAM-MD5
<~ 334 PDI2NjA4LjEyODk1ODM5MjJAc2VydmVyLmV4YW1wbGUuY29tPg==
~> YXNkZiBjNjk2MTg1ZjYwZmJlNjY3NGQ2ZTRmNzBmMGFhNWRmOA==
<~ 235 Authentication succeeded
~> QUIT

It's possible that a client might complain about the hostname in the
challenge string not matching but I doubt it. Oh, I just found that
the method for setting up CRAM-SHA1 uses this trick also, and it gets
around the varying challenge string by setting a per-connection value
in the acls. So, put something like this in acl_check_auth:

acl_check_auth:
warn set acl_c9 = <$pid.$tod_epoch@$primary_hostname>
accept

and then set your authenticator to something like this:

cram_md5:
driver = plaintext
public_name = CRAM-MD5
server_prompts = $acl_c9
server_set_id = ${sg {${extract {1}{ }{$1} }} {[^a-zA-Z0-9.-_]} {?}}
server_condition = ${if eq {}{}{yes}{no}}

And there you go, protocol-correct (I think) CRAM-MD5 that
authenticates regardless of password.

As for SPA, that seems harder because it's a multi-step transaction
and I think there's intelligence about the strings on both the client
side and the server side. I tried faking something together with
this:

auth_spa:
driver = plaintext
public_name = MSN
server_prompts = NTLM supported:: :
TlRMTVNTUAACAAAAAAAAAAAoAAABggAA8Nc/0gQFP4gAAAAAAAAAAAAAAAAAAAAA
server_condition = ${if eq {}{}{yes}{no}}

But the server never sent the second challenge string, it always said
authentication succeeded after the initial sting, which isn't correct
for the protocol. I don't have any more time to look at it but
perhaps this is a foundation you could build on.

Cheers!
--John

>
> plain:
>  driver = plaintext
>  public_name = PLAIN
>  server_condition = \
>  ${if and eq{}{}{1}{0}}
>  server_set_id = $2
>
> login:
>  driver = plaintext
>  public_name = LOGIN
>  server_prompts = "Username:: : Password::"
>  server_condition = ${if and eq{}{}{1}{0}}
>  server_set_id = $1
>
>  cram_md5:
>    driver = cram_md5
>    public_name = CRAM-MD5
>    server_secret =
>    server_set_id = $1
>
> SPA:
>    driver = spa
>    public_name = NTLM
>    server_password =
>    server_set_id = $1
>
>
>
> This server is on an internal network and are using a firewall to
> transparently redirect connections going out on port 25.
> Any Suggestions greatly appreciated.
>
> Cheers
> cya
> Andrew
>
> --
> ## List details at http://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
>