
Re: Secure Relaying -- a start



On Fri, Jan 31, 2003 at 04:40:10PM -0500, Ed Lawson wrote:
> will trillich wrote:
> 
> >	auth_always_advertise
> >	
> >	Type: boolean
> >	Default: true
> >	
> >	This option is available only when Exim is compiled with
> >	authentication support. 
>
> Well, the stock Exim.conf file does not contain this option on
> my woody box.

the "compile-exim-from-source" options will not be in the
"configure-a-running-exim" config file, no.

> Therefore the question is whether the standard exim package was
> compiled with authentication enabled.  I don't know, but it
> seems the answer is no.  I am speaking of the plain Exim
> package here.

ah. you're as confused as i was a few days ago. (don't worry,
it'll probably get darker before the dawn...)

the out-of-the-box debian/woody install of exim, which is what i'm
using, DOES have authentication capacity. note, CAPABILITY. but
if your exim.conf (look at the very bottom) doesn't ENABLE any of
the mechanisms, they're dormant, or unconfigured, so they're not
active and not advertised (and unable to be utilized).

at the bottom of your exim.conf there are commented-out examples
of several auth mechanisms. (first for exim-as-server, which is
probably what you want, then for exim-as-client, which may be
useful for you soon when you yank email from Out There to collect
onto your server.) TRY UNCOMMENTING THE SIMPLEST ONE, or make
your own for testing -- for example

	cheat:
	   driver = plaintext
	   public_name = FAKE
	   # accepts base64 encoded "id\0id\0"
	   # where id and password are identical
	   # (very insecure, testing only):
	   server_condition = "${if eq{$2}{$1}{1}{0}}"
	   server_set_id = $1

and then try

	# exim -bh 192.168.1.2
	(or pick an ip you'd like to test)

to get a base64-encoded string, you can try this perl snippet
which takes one command-line arg, otherwise it reads one single
line of input for encoding:

$ perl -MMIME::Base64 -e 'chomp($v=shift||<>);print encode_base64(eval qq{"$v"})'
this\0this\0
dGhpcwB0aGlzAA==

then just tell "exim -bh some.ip.goes.here"

	auth fake dGhpcwB0aGlzAA==
	>>> cheat authenticator:
	>>>   $1 = one
	>>>   $2 = one
	>>> expanded string: 1
	235 Authentication succeeded

voila!

> >so before exim advertises that it's ABLE to do the authentication
> >dialog, the compiled exim must have had certain flags set, which
> >THE STANDARD DEBIAN/WOODY EXIM DOES; then if the compile flags
> >have been set properly
{then it will be able to authenticate, which you need to enable
using exim.conf, at the bottom.}

[emphasis added above]

> This is the question.  I have not gone and added the advertise option 
> manually and I guess I need to try it, but the fact it is not in the 
> conf file suggests support was not compiled in and therefore it doesn't 
> matter what you put in the conf file, it will not authenticate.

the conf file is large and has lots of words in it, but it
doesn't imply that support is NOT set up, it says that you need
to configure it to make it work--

######################################################################
#                   AUTHENTICATION CONFIGURATION                     #
######################################################################

# Look in the documentation (in package exim-doc or exim-doc-html for 
# information on how to set up authenticated connections.

it'd be silly to include comments like that if you weren't able
to use them. these debian folks seem to know what they're doing.
:)

> >	# exim -bh 192.168.1.2
> >	<snip>
> >	220 server ESMTP Exim 3.35 #1 Fri, 31 Jan 2003 12:24:32 -0600
> >	ehlo somewhere.there
> >	250-server Hello duo [192.168.1.2]
> >	250-SIZE
> >	250-PIPELINING
> >	250-AUTH BASIC LOGIN
> >	250 HELP
> >	quit
> >	221 server closing connection
>
> All I get is SIZE, PIPELINING, and HELP.  
> 
> In what section does the advertise authen option go...in the last 
> section with the authn options I assume?

yep. try uncommenting one of them (if it happens to refer to
/etc/exim/passwd then you need to set that up properly to match)
or try something simple, like the one hobbled together, above.

note -- i am not an exim expert, i'm only about three days ahead
of you. :)

-- 
I use Debian/GNU Linux version 3.0;
Linux server 2.4.20-k6 #1 Mon Jan 13 23:49:14 EST 2003 i586 unknown
 
DEBIAN NEWBIE TIP #24 from Will Trillich <will@serensoft.com>:
Curious about DISK PARTITIONING schemes? That's a frequent topic
at debian-user -- look for it in the archives at lists.debian.org
or read Karsten's approach at
	http://kmself.home.netcom.com/Linux/FAQs/partition.html

Also see http://newbieDoc.sourceForge.net/ ...
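
Added example, not part of the original message and not Exim's own code: a Python sketch of the two checks the message does by hand in the "exim -bh" session, namely which AUTH mechanisms an EHLO reply advertises and which NUL-separated fields a base64 AUTH string carries (what the "cheat" authenticator sees as $1 and $2). The function names and sample replies are constructed for illustration, modeled on the transcripts above; the field numbering is an assumption taken from the debug output shown in the message.

```python
import base64

def advertised_auth(ehlo_reply):
    """Return the AUTH mechanisms listed in a multi-line EHLO reply."""
    mechs = []
    for line in ehlo_reply.splitlines():
        line = line.strip()
        # Capability lines look like "250-KEYWORD args" or "250 KEYWORD args".
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            continue
        words = line[4:].split()
        if words and words[0].upper() == "AUTH":
            mechs.extend(w.upper() for w in words[1:])
    return mechs

def encode_fields(*fields):
    """Same output as the perl one-liner: each field followed by a NUL byte."""
    raw = b"".join(f.encode() + b"\0" for f in fields)
    return base64.b64encode(raw).decode()

def decode_fields(b64):
    """Split a base64 AUTH string on NUL; item 0 is $1, item 1 is $2 (assumed)."""
    raw = base64.b64decode(b64, validate=True)
    parts = raw.split(b"\0")
    if parts and parts[-1] == b"":
        parts.pop()  # the final NUL terminates the last field, it adds no new one
    return [p.decode() for p in parts]

def cheat_condition(fields):
    """Mirror of server_condition = ${if eq{$2}{$1}{1}{0}} (testing only)."""
    return len(fields) >= 2 and fields[0] == fields[1]

# Constructed samples modeled on the two EHLO replies discussed in the message.
WITH_AUTH = """250-server Hello duo [192.168.1.2]
250-SIZE
250-PIPELINING
250-AUTH BASIC LOGIN
250 HELP"""
WITHOUT_AUTH = """250-server Hello duo [192.168.1.2]
250-SIZE
250-PIPELINING
250 HELP"""

if __name__ == "__main__":
    print(advertised_auth(WITH_AUTH), advertised_auth(WITHOUT_AUTH))
    token = encode_fields("this", "this")
    print(token, decode_fields(token), cheat_condition(decode_fields(token)))
```

An empty list from advertised_auth() matches the "SIZE, PIPELINING, and HELP" case in the thread: no authenticator is enabled in exim.conf, so nothing is advertised.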


