On 2015-07-01, Jonas Meurer <jonas@???> wrote:
> Hi again,
>
> Am 2015-06-29 22:29, schrieb Evgeniy Berdnikov:
>> On Mon, Jun 29, 2015 at 06:28:07PM +0200, Jonas Meurer wrote:
>>> Nope, I mean the domain part of provided username.
>>
>> Username is saved in $auth1. Clearly documented.
>
> True. My problem was about splitting the username and using part of it
> for the passwd file to look up.
>
>>> If somebody tries to
>>> authenticate as 'user@???', then the password file to lookup
>>> the
>>> credentials is '/etc/vmail/users/domain.org'. This is what I try to
>>> achieve. Is this possible at all?
>>
>> Just split the username string on '@', extract domain and use it.
>
> Ok, got that now. The following statement splits the username on '@'
> and looks up the password for user <LOCALPART> in password file
> /etc/vmail/users/<DOMAIN>:
>
> vmail_auth_cram:
> server_debug_print = "A: vmail-authenticator cram-md5 for $auth1"
> driver = cram_md5
> public_name = CRAM-MD5
> server_secret = \
> ${lookup{${extract{1}{@}{$auth1}}} \
> lsearch{VMAIL_USERS_DOMAINS/${extract{2}{@}{$auth1}}} \
> {$value} \
> fail \
> }
> server_set_id = ${extract{1}{@}{$auth1}}
>
> Problem is, that the password needs to be stored unencrypted in the
> password file for that authenticator. Is it possible to use encrypted
> password stores for cram-md5 authenticator, as it is for plain and
> login authenticators?
It's theorecically possible to use a partially hashed password for
checking CRAM authentication but AFAIK Exim does not support this.
AFAICT an attacker knowing the partially hashed password can use it to
authenticate, so only a little obscurity is gained.
--
umop apisdn
