On Wed, Jan 29, 2003 at 08:48:17PM -0600, will trillich wrote:
| On Wed, Jan 29, 2003 at 03:59:40PM -0500, Jeremy Gaddis wrote:
| > SMTP Authentication sounds like a prime candidate.
|
| well it sounds good. isn't that what exim already does? (i guess
| not. lead on, mcduff!)

Yeah, once you configure it. Are you still using exim 3?
(probably, the DD is behind on the releases)

Something like this should work (for v3, untested but based on the
example config file) :

## exim.conf
plain:
    driver = plaintext
    public_name = PLAIN
    server_condition = "${if crypteq{$2}{${extract{1}{:}{${lookup{$1}lsearch{/etc/exim/passwd}{$value}{*:*}}}}}{1}{0}}"
    server_set_id = $1

First it allows exim to advertise "AUTH PLAIN" in response to an EHLO
command. Secondly, it takes the user/pass pair from the client and
looks it up in the file /etc/exim/passwd. The file should look like

    user:crypted-password

Note, however, that AUTH PLAIN isn't very secure. You should only
allow it if the client has first initiated a TLS connection. That
requires first setting up TLS. I don't know if exim 3 can restrict it
to a TLS session only, or how to do it. Either read the docs or
upgrade to exim 4 (I know how to check that in exim4).

An alternative to using exim's own lookup and crypt capabilities is to
defer to pam. There are several advantages of this, for one you can
use any backend (flat file, system account, LDAP, SQL, etc.) that pam
supports. If you use shadow passwords for system accounts and want
exim to use the same for SMTP AUTH you'll have to either run exim as
the 'shadow' group, or make the shadow file readable by the exim
group. To configure this method :

## exim.conf
plain:
    driver = plaintext
    public_name = PLAIN
    server_condition = ${if pam{$1:${sg{$2}{:}{::}}}{yes}{no}}
    server_set_id = $1

Then configure pam in /etc/pam.d/exim. One way of doing that, to
duplicate the above authenticator, is like this :

## /etc/pam.d/exim
# Note: exim requires an account as well as auth!
account required    pam_permit.so
auth    required    pam_pwdfile.so pwdfile /etc/exim/passwd

Another alternative is to use the CRAM-MD5 authentication method.
That, however, requires the password file to store the password in
plain text. (note: pam can't work with cram-md5 because pam doesn't
provide the cleartext password for use in generating the md5 challenge
string)

cram_md5:
    driver = cram_md5
    public_name = CRAM-MD5
    server_secret = ${lookup{$1}lsearch{/etc/exim/passwd}{$value}fail}
    server_set_id = $1

The script below will generate a password file on stdout (once you
fill in the list of users and passwords) for use in the first
examples. It also has the framework for using md5 instead of crypt,
as long as you configure the software (exim or pam) to use md5 as
well.

----
#!/usr/bin/python2.2

DATA = (
    ('user1' , 'pass1') ,
    ('user2', 'pass2') ,
)

import crypt
#import md5

for user , pass_ in DATA :
    salt =user[:2]
    secret = crypt.crypt(pass_, salt)
    # use md5
    ##phash = md5.new(pass_)
    ##secret = phash.hexdigest()
    print "%s:%s" % (user, secret)
---

HTH,
-D

--
He who scorns instruction will pay for it,
but he who respects a command is rewarded.
        Proverbs 13:13

http://dman.ddts.net/~dman/
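Added example, not part of the original message or of exim: a Python 3 sketch of what the two mechanisms discussed above put on the wire, showing why AUTH PLAIN needs TLS underneath it and why CRAM-MD5 forces the server to keep the cleartext password. The function names, the PASSWD table, the challenge string and the host mail.example.org are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample data (assumption, not from the original message).
PASSWD = {"user1": "pass1"}  # CRAM-MD5: the server must hold the cleartext
CHALLENGE = b"<12345.1043894897@mail.example.org>"  # constructed server nonce


def decode_auth_plain(b64_payload):
    """Split an AUTH PLAIN payload (RFC 4616): authzid NUL authcid NUL passwd.

    base64 is only an encoding, so anyone who can read the session reads
    the password; that is why PLAIN should only be offered inside TLS.
    """
    authzid, authcid, passwd = base64.b64decode(b64_payload).split(b"\0")
    return authzid.decode(), authcid.decode(), passwd.decode()


def cram_md5_response(user, password, challenge):
    """Client side (RFC 2195): base64("user " + hex(HMAC-MD5(password, challenge)))."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(("%s %s" % (user, digest)).encode()).decode()


def cram_md5_verify(b64_response, challenge, passwd=PASSWD):
    """Server side: recompute the HMAC from the stored secret and compare.

    The HMAC key is the password itself, so a crypt()ed entry in the
    password file can never reproduce the client's digest.
    """
    user, _, digest = base64.b64decode(b64_response).decode().rpartition(" ")
    secret = passwd.get(user)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    plain = base64.b64encode(b"\0user1\0pass1").decode()
    print("AUTH PLAIN carries:", decode_auth_plain(plain))
    resp = cram_md5_response("user1", "pass1", CHALLENGE)
    print("cleartext file verifies:", cram_md5_verify(resp, CHALLENGE))
    hashed = {"user1": "CRYPT-HASH-PLACEHOLDER"}  # stands in for a crypt() entry
    print("hashed file verifies:", cram_md5_verify(resp, CHALLENGE, hashed))
```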