
Re: SMTP_AUTH



On Wed, Dec 11, 2002 at 07:33:23PM -0000, Ayitey Bulley wrote:
> fixed_login:
>    driver = plaintext
>    public_name = LOGIN
>    server_prompts = "Username:: : Password::"
>    server_condition = ${if and{{eq{$1}{bulley}}{eq{$2}{password}}}{yes}{no}}
>    server_set_id = $1
> ----------------------
> 
> And this seems to work with my outlook express MUA, however it does not
> scale well. How do I get it to use the /etc/passwd file to authenticate or
> some other file (/usr/exim/smtp_auth_users)?
...
>    server_condition = ${if crypteq{$3}\
>      {${extract{1}{:}{${lookup{$2}lsearch{/usr/exim/smtp_auth_users}{$value}}}}\
>      }{yes}{no}}

In the above, I think you've got $3 and $2 where you should have $2 and $1.

The LOGIN (Microsoft specific) authentication mechanism uses $1 for username
and $2 for password. The PLAIN (RFC2595) mechanism uses $1 for authorisation
ID which is normally null, $2 for username, $3 for password.

Apart from that, and valid encrypted passwords, I think it will work... the
reply I had started to compose is below but you can ignore it :-)

Cheers,

Brian.


To find a password for a user in a flat text file (easiest for testing), you
would use ${lookup{$1}lsearch{/usr/exim/smtp_auth_users}{$value}fail}

where the third expression ({$value} in this case) is evaluated if the item
is found, and the fourth expression (the special value 'fail') if it isn't.
So one way of writing that is:

  server_condition = ${lookup{$1}lsearch{/usr/exim/smtp_auth_users}  \
                     {${if eq{$value}{$2}{1}fail}}   \
                     fail}

For faster lookups change 'lsearch' to 'dbm', and then convert the file into
DBM format:

  exim_dbmbuild /usr/exim/smtp_auth_users /usr/exim/smtp_auth_users.db

Something extremely useful is the -be (expression testing) mode of exim. For
example, on the command line you can type:

$ echo "ayitey mypasswd" >/tmp/testfile
$ exim -be '${lookup{ayitey}lsearch{/tmp/testfile}{${if eq{$value}{mypasswd}{1}fail}}fail}'

and keep playing with the expression until it does what you want.

The problem with using the Unix passwd file is that most Unixes keep the
actual password in a shadow file (master.passwd and spwd.db under FreeBSD)
which is only readable by root, and yet for security reasons exim runs as an
unprivileged user (usually 'exim') while receiving an incoming SMTP
connection.

You should be able to use the cyrus pwcheck daemon to get round this (exim
talks to a separate daemon which runs as root but whose sole purpose is to
check passwords) but I've never tried this myself.

http://www.exim.org/exim-html-4.10/doc/html/spec_11.html#IX654

If your passwords are kept in a separate database (LDAP, mysql etc) then
this isn't an issue.
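A working model of the two conditions discussed in this message, added here as an example; it is neither code from the thread nor Exim's own code. It reimplements in Python just enough of Exim's lsearch lookup, the 'fail' handling, and the crypteq condition (for {sha1}/{md5} digests only, not crypt(3) output) to show why the LOGIN numbering ($1 = user, $2 = password) differs from PLAIN ($1 = authorisation id, $2 = user, $3 = password). The users file, the function names and the crypteq subset are assumptions.

```python
import hashlib
import hmac
import re

# Constructed stand-in for /usr/exim/smtp_auth_users (not a file from the thread).
# Exim's lsearch matches the key at the start of a line, terminated by a colon or
# white space, and hands the rest of the line back as $value.  The first entry is
# plain text (for the 'eq' form), the second is a {sha1} digest (for crypteq);
# a crypt(3) hash would also work with Exim's crypteq but is not modelled here.
USERS_FILE = """\
# user: password-or-hash[:other fields]
ayitey: mypasswd
bulley: {sha1}5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8:uid=1001
"""


def bind_vars(mechanism, *fields):
    """Return the $1..$3 bindings Exim sets for a LOGIN or PLAIN exchange.

    LOGIN -> $1 = username, $2 = password
    PLAIN -> $1 = authorisation id (normally empty), $2 = username, $3 = password
    """
    if mechanism == "LOGIN":
        user, password = fields
        return {1: user, 2: password, 3: ""}
    if mechanism == "PLAIN":
        authz, user, password = fields
        return {1: authz, 2: user, 3: password}
    raise ValueError("unsupported mechanism %r" % mechanism)


def lsearch(key, text):
    """Model of ${lookup{key}lsearch{file}...}: $value of the first matching line, else None."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([^\s:]+)\s*:?\s*(.*)$", line)
        if m and m.group(1) == key:
            return m.group(2)
    return None


def crypteq(plaintext, stored):
    """Model of the crypteq condition for {sha1}/{md5} hex digests (constant-time compare)."""
    for prefix, algo in (("{sha1}", hashlib.sha1), ("{md5}", hashlib.md5)):
        if stored.lower().startswith(prefix):
            digest = algo(plaintext.encode()).hexdigest()
            return hmac.compare_digest(digest, stored[len(prefix):].lower())
    # Anything else would be treated as a crypt(3) hash by Exim; not handled in this model.
    return False


def condition_plain_file(v, users=USERS_FILE):
    """${lookup{$1}lsearch{file}{${if eq{$value}{$2}{1}fail}}fail} with LOGIN numbering."""
    value = lsearch(v[1], users)
    if value is None:
        return False  # outer 'fail': user not in the file
    # inner 'fail' when the stored password is not equal to what was offered
    return hmac.compare_digest(value.encode(), v[2].encode())


def condition_crypteq(v, users=USERS_FILE):
    """${if crypteq{$2}{${extract{1}{:}{${lookup{$1}lsearch{file}{$value}}}}}{yes}{no}}

    Ayitey's crypteq condition with the $1/$2 numbering Brian recommends for LOGIN.
    A failed lookup expands to the empty string, so crypteq then compares against ''.
    """
    value = lsearch(v[1], users)
    if value is None:
        return False
    first_field = value.split(":")[0]  # ${extract{1}{:}{...}}
    return crypteq(v[2], first_field)


if __name__ == "__main__":
    print(condition_plain_file(bind_vars("LOGIN", "ayitey", "mypasswd")))    # True
    print(condition_crypteq(bind_vars("LOGIN", "bulley", "password")))       # True
    # With PLAIN, $1 is the (empty) authorisation id, so a condition written for
    # LOGIN numbering looks up the wrong variable and the authentication fails:
    print(condition_crypteq(bind_vars("PLAIN", "", "bulley", "password")))   # False
```

The model only decides yes/no the way server_condition does; against a real Exim, the same expansions are best checked with `exim -be` as shown above, replacing the variables with literal values.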

-----
This is the afnog mailing list, managed by Majordomo 1.94.5