
Re: exim and relaying -- for ONE user



On Wed, Jan 29, 2003 at 08:48:17PM -0600, will trillich wrote:
| On Wed, Jan 29, 2003 at 03:59:40PM -0500, Jeremy Gaddis wrote:
| > SMTP Authentication sounds like a prime candidate.
| 
| well it sounds good. isn't that what exim already does? (i guess
| not. lead on, mcduff!)

Yeah, once you configure it.

Are you still using exim 3?   (probably, the DD is behind on the releases)

Something like this should work (for v3, untested but based on the
example config file):

## exim.conf
# AUTH PLAIN delivers three NUL-separated strings: $1 = authorization id
# (usually empty), $2 = authentication id (the user name), $3 = password.
plain:
    driver = plaintext
    public_name = PLAIN
    server_condition = "${if crypteq{$3}{${extract{1}{:}{${lookup{$2}lsearch{/etc/exim/passwd}{$value}{*:*}}}}}{1}{0}}"
    server_set_id = $2

First it allows exim to advertise "AUTH PLAIN" in response to an EHLO
command.  Secondly, it takes the user/pass pair from the client and
looks it up in the file /etc/exim/passwd.  The file should look like
    user:crypted-password

Note, however, that AUTH PLAIN isn't very secure.  You should only
allow it if the client has first initiated a TLS connection.  That
requires first setting up TLS.  I don't know if exim 3 can restrict it
to a TLS session only, or how to do it.  Either read the docs or
upgrade to exim 4 (I know how to check that in exim4).



An alternative to using exim's own lookup and crypt capabilities is to
defer to pam.  There are several advantages of this, for one you can
use any backend (flat file, system account, LDAP, SQL, etc.) that pam
supports.  If you use shadow passwords for system accounts and want
exim to use the same for SMTP AUTH you'll have to either run exim as
the 'shadow' group, or make the shadow file readable by the exim
group.  To configure this method :

## exim.conf
plain:
    driver = plaintext
    public_name = PLAIN
    server_condition = ${if pam{$1:${sg{$2}{:}{::}}}{yes}{no}}
    server_set_id = $1

Then configure pam in /etc/pam.d/exim.  One way of doing that, to
duplicate the above authenticator, is like this :

## /etc/pam.d/exim
# Note: exim requires an account as well as auth!
account required    pam_permit.so
auth    required    pam_pwdfile.so pwdfile /etc/exim/passwd



Another alternative is to use the CRAM-MD5 authentication method.
That, however, requires the password file to store the password in
plain text.  (note: pam can't work with cram-md5 because pam doesn't
provide the cleartext password for use in generating the md5
challenge string)

cram_md5:
    driver = cram_md5
    public_name = CRAM-MD5
    server_secret = ${lookup{$1}lsearch{/etc/exim/passwd}{$value}fail}
    server_set_id = $1



The script below will generate a password file on stdout (once you
fill in the list of users and passwords) for use in the first
examples.  It also has the framework for using md5 instead of crypt,
as long as you configure the software (exim or pam) to use md5 as
well.

----
#!/usr/bin/env python3
# Writes an exim password file ("user:secret", one per line) to stdout.
# Fill in DATA with the real users and passwords before running.

import crypt      # crypt(3) hashes, as expected by crypteq / pam_pwdfile
                  # (deprecated in Python 3.11, removed in 3.13)
import hashlib    # only needed for the optional md5 variant below

DATA = (
    ('user1', 'pass1'),
    ('user2', 'pass2'),
)

for user, pass_ in DATA:
    # traditional crypt(3) with a two-character salt taken from the user name
    salt = user[:2]
    secret = crypt.crypt(pass_, salt)

    # use md5 instead (only if exim or pam is configured to compare md5 hashes)
    ##secret = hashlib.md5(pass_.encode()).hexdigest()

    print("%s:%s" % (user, secret))
----


HTH,
-D

-- 
He who scorns instruction will pay for it,
but he who respects a command is rewarded.
        Proverbs 13:13
 
http://dman.ddts.net/~dman/
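The following is an added example, not part of the mail above or of exim itself. It models in Python what the two exim authenticators do on the server side: the NUL-separated `$1`/`$2`/`$3` split of an AUTH PLAIN response, an lsearch-style lookup in a `user:secret` file, and the CRAM-MD5 challenge/response exchange, which shows why that second file has to hold the cleartext password. The password-file contents, the host name in the challenge, and the use of the generator script's md5-hex layout (rather than crypt) for the PLAIN file are all assumptions made for the example.

```python
import base64
import hashlib
import hmac

# Constructed stand-ins for /etc/exim/passwd (not real credentials).
# The PLAIN file uses the md5-hex layout the generator script can emit;
# the CRAM-MD5 file must hold the cleartext password.
PLAIN_PASSWD = "\n".join(
    "%s:%s" % (u, hashlib.md5(p.encode()).hexdigest())
    for u, p in (("user1", "pass1"), ("user2", "pass2"))
) + "\n"
CRAM_PASSWD = "user1:pass1\nuser2:pass2\n"


def lsearch(passwd_text, key):
    """Mimic exim's lsearch: text after the first 'key:' line, or None."""
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        k, sep, value = line.partition(":")
        if sep and k == key:
            return value
    return None


def plain_initial_response(authzid, authcid, password):
    """What a client sends after AUTH PLAIN: base64(authzid NUL authcid NUL password)."""
    raw = b"\0".join(s.encode("utf-8") for s in (authzid, authcid, password))
    return base64.b64encode(raw).decode("ascii")


def split_plain(initial_response_b64):
    """Decode the client's response into ($1, $2, $3) as exim numbers them."""
    parts = base64.b64decode(initial_response_b64).split(b"\0")
    if len(parts) != 3:
        raise ValueError("AUTH PLAIN needs exactly three NUL-separated fields")
    return tuple(p.decode("utf-8") for p in parts)


def check_plain(passwd_text, initial_response_b64):
    """Server side of AUTH PLAIN: look up $2, compare md5($3) in constant time.
    Returns the user name (what server_set_id would hold) or None."""
    try:
        _authzid, authcid, password = split_plain(initial_response_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    stored = lsearch(passwd_text, authcid)
    if stored is None:
        return None
    stored_hash = stored.split(":")[0]          # same as ${extract{1}{:}...}
    computed = hashlib.md5(password.encode("utf-8")).hexdigest()
    return authcid if hmac.compare_digest(computed, stored_hash) else None


def cram_md5_response(username, password, challenge):
    """Client side of CRAM-MD5 (RFC 2195): base64('user ' + hex(HMAC-MD5(password, challenge)))."""
    digest = hmac.new(password.encode("utf-8"), challenge.encode("utf-8"), hashlib.md5).hexdigest()
    return base64.b64encode(("%s %s" % (username, digest)).encode("ascii")).decode("ascii")


def check_cram_md5(passwd_text, challenge, response_b64):
    """Server side of CRAM-MD5: the stored secret must be the cleartext password,
    because the server has to recompute the HMAC over its own challenge."""
    try:
        username, _, digest = base64.b64decode(response_b64).decode("utf-8").partition(" ")
    except (ValueError, UnicodeDecodeError):
        return None
    secret = lsearch(passwd_text, username)
    if secret is None:
        return None
    expected = hmac.new(secret.encode("utf-8"), challenge.encode("utf-8"), hashlib.md5).hexdigest()
    return username if hmac.compare_digest(expected, digest) else None


if __name__ == "__main__":
    # AUTH PLAIN: one base64 blob carries the password, so without TLS anyone
    # who can read the session can read the password.
    resp = plain_initial_response("", "user1", "pass1")
    print("AUTH PLAIN", resp, "->", check_plain(PLAIN_PASSWD, resp))

    # CRAM-MD5: server sends a one-time challenge (base64 on the wire), client
    # answers with an HMAC; the password itself never crosses the network.
    challenge = "<1234.1043900000@mail.example.com>"   # assumed host name
    print("334", base64.b64encode(challenge.encode()).decode())
    resp = cram_md5_response("user2", "pass2", challenge)
    print(resp, "->", check_cram_md5(CRAM_PASSWD, challenge, resp))
```

Running it prints one successful exchange of each kind. The trade-off the mail describes is visible in the two files: the PLAIN file can store a hash, but the password travels in the clear unless TLS is used first; CRAM-MD5 keeps the password off the wire, but only because the server can read it from the file.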
