Re: [exim] Security in Exim

Author: Jan Ingvoldstad
Date:  
To: Ajit Mhatre
CC: exim users
Subject: Re: [exim] Security in Exim
On Wed, May 6, 2015 at 12:07 PM, Ajit Mhatre <ajitmhatre.9@???> wrote:

>
> I am having a problem in *exim4*, that is, the */etc/exim4/password.client*
> file contains the *email id* and *password*. Both the email id and password are in
> plain text format, so anyone who can access the password.client file can get my
> password.
> So please help me out with how to hide or encrypt that password field in
> *password.client* so no one can hack or know my password.
This may not be the answer you want. Others have provided info on how to
avoid file permission mistakes, so this is a different take on your
question.

You appear to be using CRAM-MD5 or DIGEST-MD5 authentication, which
requires plaintext passwords to be stored on the server side.

If you're instead willing to use PLAIN and LOGIN authentication, you can
run saslauthd (a piece of Cyrus software), or even an IMAP-based
authentication, where only the hashed passwords are stored on disk or in a
database.

As saslauthd scales to at least a reasonable number of users, I'll try to
show how it can be used for these authentication types.

To use saslauthd, you need the following Debian packages (as per wheezy,
the version numbers may be different in jessie):

libsasl2-2
libsasl2-modules
sasl2-bin

Here's what the exim config looks like, supporting both the PLAIN and LOGIN
options:

# PLAIN: the client sends authzid NUL username NUL password in one blob,
# which exim exposes as $auth1, $auth2 and $auth3.
plain_saslauthd_server:
  driver = plaintext
  public_name = PLAIN
  # Hand the username and password to saslauthd over its socket; it only
  # answers yes or no and never hands back the stored credential.
  server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}}
  server_set_id = $auth2
  server_prompts = :
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  # Only advertise the mechanism once TLS is up ($tls_cipher is empty on a
  # cleartext connection; newer Exim also calls it $tls_in_cipher).
  server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
.endif

# LOGIN: two prompts with one reply each, so $auth1 is the username and
# $auth2 the password.
login_saslauthd_server:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}}
  server_set_id = $auth1
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
.endif


In Debian, /etc/default/saslauthd can e.g. be configured to use the
"shadow" mechanism to check passwords against the local shadow file, but as
you can see from its documentation, you have several options.
--
Jan
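Added example, not code from Jan's post or from the exim or Cyrus projects. It reconstructs the two SMTP AUTH exchanges the authenticators above accept (PLAIN per RFC 4616, and the two-prompt LOGIN form), shows how the decoded client data lands in exim's $auth1/$auth2/$auth3 for each, and stands in for the saslauthd call with an in-process check against a salted hash, so that the only thing resembling a credential at rest is the hash. The PBKDF2 store, the constructed user entry and every function name are this example's own assumptions; saslauthd's "shadow" mechanism would consult crypt(3) hashes in /etc/shadow instead.

```python
# Added example, not from Jan's post or from exim/Cyrus. The hash store and its
# PBKDF2 format are stand-ins for what saslauthd's "shadow" mechanism consults.
import base64
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000
_DUMMY_SALT = bytes(16)  # used so a lookup miss costs the same as a compare


def auth_plain_initial_response(username, password, authzid=""):
    """Client side of 'AUTH PLAIN <base64>': [authzid] NUL authcid NUL password."""
    for field in (authzid, username, password):
        if "\0" in field:
            raise ValueError("NUL is the field separator and cannot appear in a field")
    raw = f"{authzid}\0{username}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def auth_login_responses(username, password):
    """Client side of AUTH LOGIN: one base64 reply per server prompt."""
    return [base64.b64encode(s.encode("utf-8")).decode("ascii")
            for s in (username, password)]


def exim_auth_vars_plain(initial_response):
    """What the plaintext driver with 'server_prompts = :' exposes for PLAIN:
    $auth1 = authorization id, $auth2 = authentication id, $auth3 = password."""
    decoded = base64.b64decode(initial_response, validate=True).decode("utf-8")
    parts = decoded.split("\0")
    if len(parts) != 3:
        raise ValueError("AUTH PLAIN data must contain exactly two NUL separators")
    return {"auth1": parts[0], "auth2": parts[1], "auth3": parts[2]}


def exim_auth_vars_login(responses):
    """With 'server_prompts = "Username:: : Password::"' exim sets one $authN
    per reply: $auth1 = username, $auth2 = password."""
    if len(responses) != 2:
        raise ValueError("AUTH LOGIN needs exactly two replies")
    username, password = (base64.b64decode(r, validate=True).decode("utf-8")
                          for r in responses)
    return {"auth1": username, "auth2": password}


def hash_password(password, salt=None):
    """Entry kept in the (constructed) store; the password itself is never written."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${salt.hex()}${digest.hex()}"


def saslauthd_check(store, username, password):
    """Stand-in for exim's ${if saslauthd{{user}{pass}}}: yes/no against the hash."""
    entry = store.get(username)
    if entry is None:
        # Burn the same work for an unknown user so timing does not reveal existence.
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _DUMMY_SALT, PBKDF2_ROUNDS)
        return False
    _algo, salt_hex, digest_hex = entry.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def plain_saslauthd_server(store, initial_response, tls_cipher):
    """Mirror of plain_saslauthd_server: the mechanism is not advertised when
    $tls_cipher is empty, otherwise $auth2/$auth3 go to the check."""
    if not tls_cipher:
        return False
    v = exim_auth_vars_plain(initial_response)
    return saslauthd_check(store, v["auth2"], v["auth3"])


def login_saslauthd_server(store, responses, tls_cipher):
    """Mirror of login_saslauthd_server: same TLS gate, then $auth1/$auth2."""
    if not tls_cipher:
        return False
    v = exim_auth_vars_login(responses)
    return saslauthd_check(store, v["auth1"], v["auth2"])


if __name__ == "__main__":
    # Constructed store with one user; only the hash is kept.
    store = {"alice@example.org": hash_password("correct horse")}
    plain = auth_plain_initial_response("alice@example.org", "correct horse")
    print("AUTH PLAIN", plain, "->", exim_auth_vars_plain(plain))
    print("over TLS:", plain_saslauthd_server(store, plain, "TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256"))
    print("cleartext connection:", plain_saslauthd_server(store, plain, ""))
    print("wrong password:", login_saslauthd_server(
        store, auth_login_responses("alice@example.org", "nope"), "TLS1.2"))
```

In the real setup the check happens inside saslauthd, which exim reaches over a Unix socket; on Debian the Debian-exim user must be in the sasl group to open that socket, and the password still crosses the wire in the clear inside the TLS session, which is why the advertise condition above matters as much as the hash on disk.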