On Fri, Nov 12, 2010 at 11:30 AM, Andrew D <awd-exim@???> wrote:
> Hi All,
>
> I need to set up a mail server that is able to allow users to relay
> regardless of whether the authentication information valid or not.
>
> It needs to support SPA and cram-md5, I've already got plain to work.
I don't think that CRAM-MD5 or SPA will work using the native auth
types (because in those types you provide the library w/ a plaintext
version of the password and the library does the "is it correct" match
for you. However, you can fake CRAM-MD5 using the plaintext driver:
auth_cram:
driver = plaintext
public_name = CRAM-MD5
server_prompts = <26608.1289583922@???>
server_condition = ${if eq {}{}{yes}{no}}
server_set_id = $1
Here's an example of the SMTP transaction:
~> AUTH CRAM-MD5
<~ 334 PDI2NjA4LjEyODk1ODM5MjJAc2VydmVyLmV4YW1wbGUuY29tPg==
~> YXNkZiBjNjk2MTg1ZjYwZmJlNjY3NGQ2ZTRmNzBmMGFhNWRmOA==
<~ 235 Authentication succeeded
~> QUIT
It's possible that a client might complain about the hostname in the
challenge string not matching but I doubt it. Oh, I just found that
the method for setting up CRAM-SHA1 uses this trick also, and it gets
around the varying challenge string by setting a per-connection value
in the acls. So, put something like this in acl_check_auth:
acl_check_auth:
warn set acl_c9 = <$pid.$tod_epoch@$primary_hostname>
accept
and then set your authenticator to something like this:
cram_md5:
driver = plaintext
public_name = CRAM-MD5
server_prompts = $acl_c9
server_set_id = ${sg {${extract {1}{ }{$1} }} {[^a-zA-Z0-9.-_]} {?}}
server_condition = ${if eq {}{}{yes}{no}}
And there you go, protocol-correct (I think) CRAM-MD5 that
authenticates regardless of password.
As for SPA, that seems harder because it's a multi-step transaction
and I think there's intelligence about the strings on both the client
side and the server side. I tried faking something together with
this:
auth_spa:
driver = plaintext
public_name = MSN
server_prompts = NTLM supported:: :
TlRMTVNTUAACAAAAAAAAAAAoAAABggAA8Nc/0gQFP4gAAAAAAAAAAAAAAAAAAAAA
server_condition = ${if eq {}{}{yes}{no}}
But the server never sent the second challenge string, it always said
authentication succeeded after the initial sting, which isn't correct
for the protocol. I don't have any more time to look at it but
perhaps this is a foundation you could build on.
Cheers!
--John
>
> plain:
> driver = plaintext
> public_name = PLAIN
> server_condition = \
> ${if and eq{}{}{1}{0}}
> server_set_id = $2
>
> login:
> driver = plaintext
> public_name = LOGIN
> server_prompts = "Username:: : Password::"
> server_condition = ${if and eq{}{}{1}{0}}
> server_set_id = $1
>
> cram_md5:
> driver = cram_md5
> public_name = CRAM-MD5
> server_secret =
> server_set_id = $1
>
> SPA:
> driver = spa
> public_name = NTLM
> server_password =
> server_set_id = $1
>
>
>
> This server is on an internal network and are using a firewall to
> transparently redirect connections going out on port 25.
> Any Suggestions greatly appreciated.
>
> Cheers
> cya
> Andrew
>
> --
> ## List details at http://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
>
