On Fri, Nov 12, 2010 at 11:30 AM, Andrew D <[email protected]> wrote:
> Hi All,
>
> I need to set up a mail server that is able to allow users to relay
> regardless of whether the authentication information is valid or not.
>
> It needs to support SPA and CRAM-MD5; I've already got PLAIN to work.

I don't think that CRAM-MD5 or SPA will work using the native auth types
(because in those types you provide the library with a plaintext version of
the password and the library does the "is it correct" match for you).
However, you can fake CRAM-MD5 using the plaintext driver:

  auth_cram:
    driver = plaintext
    public_name = CRAM-MD5
    server_prompts = <[email protected]>
    server_condition = ${if eq {}{}{yes}{no}}
    server_set_id = $1

Here's an example of the SMTP transaction:

  ~> AUTH CRAM-MD5
  <~ 334 PDI2NjA4LjEyODk1ODM5MjJAc2VydmVyLmV4YW1wbGUuY29tPg==
  ~> YXNkZiBjNjk2MTg1ZjYwZmJlNjY3NGQ2ZTRmNzBmMGFhNWRmOA==
  <~ 235 Authentication succeeded
  ~> QUIT

It's possible that a client might complain about the hostname in the
challenge string not matching, but I doubt it.

Oh, I just found that the method for setting up CRAM-SHA1 uses this trick
also, and it gets around the varying challenge string by setting a
per-connection value in the ACLs. So, put something like this in
acl_check_auth:

  acl_check_auth:
    warn set acl_c9 = <$pid.$tod_ep...@$primary_hostname>
    accept

and then set your authenticator to something like this (the character
class is written as [^a-zA-Z0-9._-] so that the hyphen is literal rather
than a range from "." to "_"):

  cram_md5:
    driver = plaintext
    public_name = CRAM-MD5
    server_prompts = $acl_c9
    server_set_id = ${sg {${extract {1}{ }{$1} }} {[^a-zA-Z0-9._-]} {?}}
    server_condition = ${if eq {}{}{yes}{no}}

And there you go, protocol-correct (I think) CRAM-MD5 that authenticates
regardless of password.

As for SPA, that seems harder because it's a multi-step transaction and I
think there's intelligence about the strings on both the client side and
the server side. I tried faking something together with this:

  auth_spa:
    driver = plaintext
    public_name = MSN
    server_prompts = NTLM supported:: : TlRMTVNTUAACAAAAAAAAAAAoAAABggAA8Nc/0gQFP4gAAAAAAAAAAAAAAAAAAAAA
    server_condition = ${if eq {}{}{yes}{no}}

But the server never sent the second challenge string; it always said
authentication succeeded after the initial string, which isn't correct for
the protocol.

I don't have any more time to look at it but perhaps this is a foundation
you could build on.

Cheers!
--John

>
> plain:
>   driver = plaintext
>   public_name = PLAIN
>   server_condition = \
>     ${if and eq{}{}{1}{0}}
>   server_set_id = $2
>
> login:
>   driver = plaintext
>   public_name = LOGIN
>   server_prompts = "Username:: : Password::"
>   server_condition = ${if and eq{}{}{1}{0}}
>   server_set_id = $1
>
> cram_md5:
>   driver = cram_md5
>   public_name = CRAM-MD5
>   server_secret =
>   server_set_id = $1
>
> SPA:
>   driver = spa
>   public_name = NTLM
>   server_password =
>   server_set_id = $1
>
>
> This server is on an internal network and is using a firewall to
> transparently redirect connections going out on port 25.
> Any suggestions greatly appreciated.
>
> Cheers
> cya
> Andrew
>
> --
> ## List details at http://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
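The CRAM-MD5 exchange John describes, worked through on both sides as an added example (this is not code from the post, from Exim, or from either poster). It decodes the transcript above, computes a real RFC 2195 client reply, models what the plaintext-driver trick does on the server (decode, take the first field as the id, answer 235 no matter what, with the same character sanitising as the server_set_id expansion), and, for contrast, the check a genuine cram_md5 driver performs. The challenge format follows the ACL variable in the post; that the time component is Unix epoch seconds is an assumption, and the user/secret table is constructed for the example.

```python
"""Added example: both sides of an AUTH CRAM-MD5 transaction (RFC 2195)."""
import base64
import hashlib
import hmac
import os
import re
import time

# Transcript lines copied from the post above.
PAGE_CHALLENGE_B64 = "PDI2NjA4LjEyODk1ODM5MjJAc2VydmVyLmV4YW1wbGUuY29tPg=="
PAGE_RESPONSE_B64 = "YXNkZiBjNjk2MTg1ZjYwZmJlNjY3NGQ2ZTRmNzBmMGFhNWRmOA=="


def make_challenge(hostname, pid=None, now=None):
    """Per-connection challenge shaped like the post's <$pid.$tod_...@$primary_hostname>.
    Assumption: the time component is Unix epoch seconds."""
    pid = os.getpid() if pid is None else pid
    now = int(time.time()) if now is None else now
    return f"<{pid}.{now}@{hostname}>"


def client_response(username, password, challenge):
    """RFC 2195 client reply: 'user SP hex(HMAC-MD5(key=password, msg=challenge))'."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{username} {digest}"


def b64(text):
    return base64.b64encode(text.encode()).decode()


def unb64(text):
    return base64.b64decode(text).decode()


def parse_response(decoded):
    """A well-formed reply is exactly 'user SP 32-hex-digit digest'; else None."""
    parts = decoded.split(" ")
    if len(parts) != 2 or not re.fullmatch(r"[0-9a-f]{32}", parts[1]):
        return None
    return parts[0], parts[1]


def sanitize_id(username):
    """Same effect as the post's ${sg {...}{[^a-zA-Z0-9._-]}{?}} on the first
    field: a client-chosen id cannot push odd characters into the logged id."""
    return re.sub(r"[^a-zA-Z0-9._-]", "?", username)


def accept_anything(challenge, response_b64):
    """The plaintext-driver trick: server_condition is always true, so any
    reply that parses succeeds and its first field becomes the authenticated id."""
    parsed = parse_response(unb64(response_b64))
    if parsed is None:
        return "535 Incorrect authentication data", None
    return "235 Authentication succeeded", sanitize_id(parsed[0])


def verify_properly(challenge, response_b64, secrets):
    """What a real cram_md5 driver does: recompute the HMAC with the stored
    plaintext secret for that user and compare in constant time."""
    parsed = parse_response(unb64(response_b64))
    if parsed is None or parsed[0] not in secrets:
        return "535 Incorrect authentication data", None
    user, digest = parsed
    expected = hmac.new(secrets[user].encode(), challenge.encode(), hashlib.md5).hexdigest()
    if not hmac.compare_digest(expected, digest):
        return "535 Incorrect authentication data", None
    return "235 Authentication succeeded", user


def run_exchange(username, password, hostname, server):
    """Drive one AUTH CRAM-MD5 transaction against `server`;
    returns (transcript lines in the post's ~>/<~ notation, authenticated id)."""
    challenge = make_challenge(hostname)
    reply_b64 = b64(client_response(username, password, challenge))
    status, auth_id = server(challenge, reply_b64)
    transcript = [
        "~> AUTH CRAM-MD5",
        f"<~ 334 {b64(challenge)}",
        f"~> {reply_b64}",
        f"<~ {status}",
    ]
    return transcript, auth_id


if __name__ == "__main__":
    print("challenge in the post:", unb64(PAGE_CHALLENGE_B64))
    print("reply in the post:    ", parse_response(unb64(PAGE_RESPONSE_B64)))
    lines, who = run_exchange("asdf", "anything-at-all", "server.example.com", accept_anything)
    print("\n".join(lines), "-> authenticated as", who)
```

Running it shows the posted challenge decoding to a pid.time@host string and the posted reply to the user "asdf" plus a 32-character digest; the accept-anything server grants 235 for any password, while verify_properly only grants it when the stored secret reproduces the digest. Note that even the fake server should keep the format check and the id sanitising: the only thing a relay-anything box can still control is what ends up in its own logs.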
