On 01/07/15 09:55, Jonas Meurer wrote:
>
> Ok, got that now. The following statement splits the username on '@'
> and looks up the password for user <LOCALPART> in password file
> /etc/vmail/users/<DOMAIN>:
>
> vmail_auth_cram:
>   server_debug_print = "A: vmail-authenticator cram-md5 for $auth1"
>   driver = cram_md5
>   public_name = CRAM-MD5
>   server_secret = \
>     ${lookup{${extract{1}{@}{$auth1}}} \
>       lsearch{VMAIL_USERS_DOMAINS/${extract{2}{@}{$auth1}}} \
>       {$value} \
>       fail \
>     }
>   server_set_id = ${extract{1}{@}{$auth1}}
>
On the face of it, this looks a bit dangerous - attempting auth with a
contrived domain (e.g. with ../ or suchlike in it) could cause the
lsearch to happen against an unintended file - possibly one in a
location controlled by an attacker.
I think you should look up the domain part first to ensure that it is
one that you have set up.
Dominic
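One way to write the domain check Dominic suggests, as an added example that is not from this thread or from either poster. It keeps the VMAIL_USERS_DOMAINS macro from Jonas's stanza and assumes a constructed domain list file, /etc/vmail/domains, in lsearch format (one line per configured domain, e.g. "example.com:"); the list name vmail_domains is also an assumption.

```exim
# Assumed: every domain that has a password file under VMAIL_USERS_DOMAINS
# is listed here, one per line, as an lsearch key ("example.com:").
domainlist vmail_domains = lsearch;/etc/vmail/domains

vmail_auth_cram:
  driver = cram_md5
  public_name = CRAM-MD5
  # Check the domain part against the configured list before it is used
  # to build a file name; anything not on the list (including values with
  # "/" or ".." in them, or an empty domain) forces the expansion to fail
  # and the authentication is refused without touching any file.
  server_secret = ${if match_domain{${extract{2}{@}{$auth1}}}{+vmail_domains} \
                    {${lookup{${extract{1}{@}{$auth1}}} \
                        lsearch{VMAIL_USERS_DOMAINS/${extract{2}{@}{$auth1}}} \
                        {$value} fail}} \
                    fail}
  server_set_id = ${extract{1}{@}{$auth1}}
```

Because lsearch matches the whole key exactly, the domain is only ever used as a path component after it has been found verbatim in the domain list.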