Martin Strand writes:
> On Fri, 12 Dec 2008 00:51:23 +0100, Sam Varshavchik <[email protected]> wrote:
>> Martin Strand writes:
>>> Using courier-pop3d, is there any way to disable simple USER/PASS login so that only AUTH login with CRAM-SHA1 works? I tried setting POP3DAUTH="CRAM-SHA1" but USER/PASS still works...
>> USER/PASS is always permitted. There is no toggle to turn it off.
> Thanks. Does anyone have any good tips on how to work around this at the moment? Is there perhaps a way to configure a set of "banned" commands? Maybe I could write a small pop3 proxy in Perl and intercept any USER/PASS commands? As someone pointed out, SSL would make more sense but unfortunately that's not an option in this case.
POP3 is actually a very simple protocol. Writing a POP3 proxy would actually be a fairly trivial exercise, especially for something like this.
Actually, one option just occurred to me. You can use the authuserdb module, which optionally uses a separate field for pre-hashed CRAM passwords. Those fields are not used for user/pass authentication.
userdbpw -hmac-sha1 | userdb {username} set hmac-sha1pw
This would set the CRAM-SHA1 password for {username}. So, you would proceed
to set CRAM-SHA1 passwords for all accounts, and set a dummy, invalid
password (and NOT a blank password) otherwise, so that USER/PASS
authentication would not work, but CRAM-SHA1 authentication would work just
fine. This process is documented further in the man pages and the associated
INSTALL files. This only works when using the userdb module; it's one of its
quirks, in the way that it was written, originally.
_______________________________________________
courier-users mailing list
[email protected]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
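The POP3 proxy idea raised in this thread, sketched as an added example that is not part of the original messages or of Courier. It assumes courier-pop3d has been rebound to 127.0.0.1:1110 (a made-up port) and that the proxy takes over port 110; `filter_line`, `pump` and `handle` are hypothetical names. Beyond USER/PASS it also refuses any AUTH mechanism other than CRAM-SHA1, so that only CRAM-SHA1 logins reach the server.

```python
import asyncio

ALLOWED_MECHS = {b"CRAM-SHA1"}

def filter_line(line: bytes):
    """Return None to forward a client line, else the -ERR reply sent instead."""
    # Stateless: a CRAM response is one long base64 token, never USER/PASS/AUTH.
    words = line.split()
    verb = words[0].upper() if words else b""
    if verb in (b"USER", b"PASS"):
        return b"-ERR plaintext login disabled, use AUTH CRAM-SHA1\r\n"
    if verb == b"AUTH" and len(words) > 1 and words[1].upper() not in ALLOWED_MECHS:
        return b"-ERR unsupported authentication mechanism\r\n"
    return None

async def pump(reader, writer):  # copy server output to the client unchanged
    try:
        while data := await reader.read(4096):
            writer.write(data)
            await writer.drain()
    except ConnectionError:
        pass
    finally:
        writer.close()

async def handle(c_reader, c_writer, backend=("127.0.0.1", 1110)):  # assumed backend
    try:
        s_reader, s_writer = await asyncio.open_connection(*backend)
    except OSError:
        return c_writer.close()
    down = asyncio.create_task(pump(s_reader, c_writer))
    try:
        while line := await c_reader.readline():
            if (reply := filter_line(line)) is None:
                s_writer.write(line)
                await s_writer.drain()
            else:
                c_writer.write(reply)  # small; pump() does the draining
    except (ValueError, ConnectionError):  # over-long line or connection reset
        pass
    finally:
        down.cancel()
        s_writer.close()
        c_writer.close()

if __name__ == "__main__":
    async def main():
        async with await asyncio.start_server(handle, "0.0.0.0", 110) as srv:
            await srv.serve_forever()
    asyncio.run(main())
```

Server output is passed through unchanged, so a CAPA reply may still advertise USER even though the proxy refuses it. The backend port must not be reachable from the network, or clients can bypass the filter.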
