* Peter Stuge <[EMAIL PROTECTED]> wrote, on 2004-05-04 06:33:
> On Tue, May 04, 2004 at 02:00:20AM -0400, Henry Baragar wrote:
> > Hello all,
> > 
> > This is going to be a long message that maybe should be placed on the
> > Life with Binc IMAP wiki.

> > Given that the interface to qmail-pop3d is not likely going to change in 
> > the near future, a design decision needs to be revisited for Binc IMAP, 
> > namely:
> >   - Should bincimapd's interface be changed to align it better with 
> > qmail-pop3d; or,
> >   - Should bincimapd's interface be left alone and the differences with 
> > qmail-pop3d be better documented.
> > It's not clear to me which of these two alternatives is the better one.
> 
> I'd like to slap checkvpw around


Hello all,

Regarding virtual users and the various authenticators:

I wanted to use Binc, and I needed to support virtual users and
multiple virtual hosts.  I looked at vmailmgr et al, and wasn't
particularly impressed.  They also did not seem to be able to do
what I wanted, which was to determine the virtual host based on the
IP address the user connected to.  (I use IMAP SSL only, and thus
have a separate IP address for each virtual host).

To make a long story short, I wrote my own Binc authenticator which
uses the checkpassword interface, with an extension.  The docs for
the checkpassword interface say:

        The information supplied on descriptor 3 is a login name terminated
        by \0, a password terminated by \0, a timestamp terminated by \0,
        and possibly more data.

My extension takes advantage of the "and possibly more data"
aspect of the checkpassword interface.  I wrote a small patch for
Binc's authenticate.cc to pass my IP address to my authenticator
as a fourth item in the information passed via file descriptor 3.
From this IP address I can determine which virtual host the user is
desiring to authenticate against.

Although I have not tried any other checkpassword authenticators
with my patched Binc, they should not be bothered by the extra token,
as it is entirely within the specification of the protocol.

For those who need to support virtual users for Binc, my authenticator
may be of interest even if you don't need multiple virtual hosts, as
IMO vmailmgr is rather obese for simply authenticating virtual users.
(I don't use qmail.)  My authenticator is written in C++, is small and
comprehensible, and doesn't use autoconf. ;-)

The authentication database for the virtual users is currently a
flat file. The user's maildir location is also kept in this database.
Each virtual host has a separate file, which is useful to allow each
virtual host admin to manage their own users.

If my authenticator is of interest to anyone here, let me know
and I will make it available.  Be aware that unless Andy decides
to incorporate my patch into Binc, every time you upgrade to
a new release of Binc, you will have to reapply my patch, and
possibly modify it slightly if Binc's authenticate.cc has changed
substantially.

Just for reference, here is the patch for Binc 1.2.5 to append the IP
address as the fourth item in the checkpassword protocol.  The patch
will also apply to 1.2.7final:
  cd bincimap-1.2.7final/src
  patch -p2 < bincimap-1.2.5_authenticate.cc.diff


--- bincimap-1.2.5/src/authenticate.cc  2004-01-08 12:20:19.000000000 -0600
+++ bincimap-1.2.5-mm/src/authenticate.cc       2004-01-11 22:15:50.000000000 -0600
@@ -40,6 +40,9 @@
 #include <signal.h>
 #include <sys/wait.h>
 
+#include <sys/socket.h>
+#include <arpa/inet.h>
+
 #include "authenticate.h"
 #include "io.h"
 #include "session.h"
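Review bot: the code added in the later hunks uses strerror(), errno and strlen(), but this include block only adds <sys/socket.h> and <arpa/inet.h>; confirm that <cerrno> (or <errno.h>) and <cstring> are already included further up in authenticate.cc, which is outside the visible context, or add them here so the patch builds on a strict toolchain.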
@@ -156,6 +159,27 @@
   else
     timestamp = "unknown timestamp";
 
+  // get the IP address of myself
+  //
+  char ip_addr_str[INET_ADDRSTRLEN];
+
+  ip_addr_str[0] = 0;
+
+  struct sockaddr_in me;
+  socklen_t      sa_len;
+  sa_len = sizeof me;
+  if (0 == getsockname(0, reinterpret_cast<struct sockaddr*>(&me), &sa_len))
+  {
+    const char* addr = inet_ntop(AF_INET, &me.sin_addr,
+                   ip_addr_str, sizeof ip_addr_str);
+  }
+  else
+  {
+    logger << "[auth module] An error occured getting my IP address: "
+        << strerror(errno) << endl;
+  }
+
+
   // execute authentication module
   int result;
   int childspid = fork();
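Review bot: the value returned by inet_ntop() is stored in `addr` and never examined; inet_ntop() returns NULL on failure, and the contents of ip_addr_str are then unreliable, so check `addr == NULL` and log in that branch too (the unused variable will also draw a compiler warning). The block also assumes an IPv4 listener: calling getsockname() with a `struct sockaddr_in` on an AF_INET6 socket truncates the address (sa_len comes back larger than `sizeof me`) and `inet_ntop(AF_INET, ...)` then formats bytes that are not an IPv4 address. Using `struct sockaddr_storage`, checking `ss_family`, and sizing the buffer with INET6_ADDRSTRLEN avoids this. Minor: the log message misspells "occurred".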
@@ -245,6 +269,16 @@
   if (!error && write(authintercom[1], "", 1) != 1)
     error = true;
 
+  // write my IP address
+  if (!error && write(authintercom[1],
+                      ip_addr_str,
+                      strlen(ip_addr_str)) != (int) strlen(ip_addr_str))
+    error = true;
+
+  // terminate with a \0
+  if (!error && write(authintercom[1], "", 1) != 1)
+    error = true;
+
   if (error) {
     logger << "error writing to authenticator " 
           << session.unparsedArgs[0] << ": "
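Review bot: when the earlier block failed to obtain an address, ip_addr_str is the empty string, so this hunk writes zero bytes followed by the `\0` terminator and the authenticator receives an empty fourth field rather than no fourth field at all; the accompanying documentation should state that an authenticator keyed on this token must treat an empty value as "unknown" and refuse the login rather than fall back to a default virtual host. The `(int) strlen(ip_addr_str)` cast is unnecessary and narrows on 64-bit platforms; comparing against `(ssize_t) strlen(ip_addr_str)` matches the return type of write().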

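The following is an added example, not code from the original message, from Binc IMAP or from the author's authenticator: a C++ checkpassword-side parser for the descriptor-3 payload described above (login, password and timestamp, each NUL-terminated, then the "possibly more data"), which accepts the optional fourth token that the patch appends (the server's own IP address) and maps it to a virtual host. The address-to-domain table, the `CheckpwRequest` struct and the helper function names are constructed for the illustration; it also handles the edge case where the fourth token is present but empty, which is what a patched Binc sends when getsockname() fails.

```cpp
#include <cstddef>
#include <map>
#include <string>
#include <vector>
#include <unistd.h>

// checkpassword limits the data on descriptor 3 to 512 bytes.
static const std::size_t kMaxCheckpwBytes = 512;

// Constructed table: server listening address -> virtual host domain.
// Addresses and domains are placeholders, not values from the original message.
static const std::map<std::string, std::string> kVhostByLocalIp = {
    {"192.0.2.10", "example.org"},
    {"192.0.2.11", "example.net"},
};

// Fields of one checkpassword request (hypothetical struct, not from Binc).
struct CheckpwRequest {
    std::string login;
    std::string password;
    std::string timestamp;
    std::string local_ip;   // optional fourth token; empty when absent or unknown
    bool ok = false;        // false when the payload is malformed
};

// Read a descriptor through end of file, as a checkpassword program does with fd 3.
std::string read_checkpw_fd(int fd) {
    std::string raw;
    char buf[kMaxCheckpwBytes + 1];
    ssize_t n;
    while ((n = read(fd, buf, sizeof buf)) > 0)
        raw.append(buf, static_cast<std::size_t>(n));
    return raw;   // parse_checkpw() enforces the size limit
}

// Split a raw payload on NUL bytes. Every field must be NUL-terminated, so a
// trailing unterminated fragment is rejected rather than silently accepted.
CheckpwRequest parse_checkpw(const std::string& raw) {
    CheckpwRequest req;
    if (raw.size() > kMaxCheckpwBytes) return req;

    std::vector<std::string> fields;
    std::size_t start = 0;
    while (start < raw.size()) {
        std::size_t nul = raw.find('\0', start);
        if (nul == std::string::npos) return req;   // unterminated field
        fields.push_back(raw.substr(start, nul - start));
        start = nul + 1;
    }
    // login, password and timestamp are mandatory; login must be non-empty.
    if (fields.size() < 3 || fields[0].empty()) return req;

    req.login = fields[0];
    req.password = fields[1];
    req.timestamp = fields[2];
    if (fields.size() >= 4) req.local_ip = fields[3];
    req.ok = true;
    return req;
}

// Resolve the virtual host. An absent or empty fourth token (unpatched Binc,
// or getsockname() having failed in the patched one) yields "" so the caller
// fails closed instead of picking a default domain.
std::string vhost_for(const CheckpwRequest& req) {
    if (!req.ok || req.local_ip.empty()) return std::string();
    std::map<std::string, std::string>::const_iterator it =
        kVhostByLocalIp.find(req.local_ip);
    return it == kVhostByLocalIp.end() ? std::string() : it->second;
}

// Build a payload the way the patched authenticate.cc writes it: three
// mandatory NUL-terminated fields, then the optional NUL-terminated address.
// Constructed helper so the parser can be exercised without a real fd 3.
std::string build_payload(const std::string& login, const std::string& password,
                          const std::string& timestamp, const std::string* local_ip) {
    std::string out = login + '\0' + password + '\0' + timestamp + '\0';
    if (local_ip) out += *local_ip + '\0';
    return out;
}
```

In a real authenticator, `read_checkpw_fd(3)` feeds `parse_checkpw()`, and an empty result from `vhost_for()` means the login is refused before any password file is consulted; a standard checkpassword client that sends only three fields parses fine and simply gets no virtual host.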