On 2015-07-01, Jonas Meurer <[email protected]> wrote:
> Hi again,
>
> On 2015-06-29 22:29, Evgeniy Berdnikov wrote:
>> On Mon, Jun 29, 2015 at 06:28:07PM +0200, Jonas Meurer wrote:
>>> Nope, I mean the domain part of provided username.
>>
>> Username is saved in $auth1. Clearly documented.
>
> True. My problem was about splitting the username and using part of it
> for the passwd file to look up.
>
>>> If somebody tries to
>>> authenticate as '[email protected]', then the password file to lookup the
>>> credentials is '/etc/vmail/users/domain.org'. This is what I try to
>>> achieve. Is this possible at all?
>>
>> Just split the username string on '@', extract domain and use it.
>
> Ok, got that now. The following statement splits the username on '@'
> and looks up the password for user <LOCALPART> in password file
> /etc/vmail/users/<DOMAIN>:
>
> vmail_auth_cram:
>   server_debug_print = "A: vmail-authenticator cram-md5 for $auth1"
>   driver = cram_md5
>   public_name = CRAM-MD5
>   server_secret = \
>     ${lookup{${extract{1}{@}{$auth1}}} \
>       lsearch{VMAIL_USERS_DOMAINS/${extract{2}{@}{$auth1}}} \
>       {$value} \
>       fail \
>     }
>   server_set_id = ${extract{1}{@}{$auth1}}
>
> Problem is, that the password needs to be stored unencrypted in the
> password file for that authenticator. Is it possible to use encrypted
> password stores for cram-md5 authenticator, as it is for plain and
> login authenticators?

It's theoretically possible to use a partially hashed password for
checking CRAM authentication but AFAIK Exim does not support this.

AFAICT an attacker knowing the partially hashed password can use it to
authenticate, so only a little obscurity is gained.

--
umop apisdn

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
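
Added example, not part of the original thread and not Exim code: a Python sketch of what "partially hashed" means for CRAM-MD5, where the server keeps only the two MD5 contexts that have absorbed the padded key and still verifies a response. The function names, password and challenge are constructed for illustration; the stored state is enough to compute a valid response for any challenge, which is the point made in the reply above.

```python
import hashlib
import hmac

BLOCK = 64  # MD5 block size in bytes, as used by HMAC-MD5


def precompute(password: bytes):
    """Return the (inner, outer) MD5 contexts after absorbing key^ipad and
    key^opad. This pair is the 'partially hashed password' (hypothetical
    storage format: a real store would serialise the MD5 state)."""
    key = hashlib.md5(password).digest() if len(password) > BLOCK else password
    key = key.ljust(BLOCK, b"\0")
    inner = hashlib.md5(bytes(b ^ 0x36 for b in key))
    outer = hashlib.md5(bytes(b ^ 0x5C for b in key))
    return inner, outer


def response_from_state(state, challenge: bytes) -> str:
    """Finish HMAC-MD5 over the challenge using only the stored contexts."""
    inner, outer = state
    i = inner.copy()
    i.update(challenge)
    o = outer.copy()
    o.update(i.digest())
    return o.hexdigest()


def verify(state, challenge: bytes, client_hex: str) -> bool:
    """Server-side check: no cleartext password is needed at this point."""
    expected = response_from_state(state, challenge)
    return hmac.compare_digest(expected, client_hex.lower())


def client_response(password: bytes, challenge: bytes) -> str:
    """What a CRAM-MD5 client sends as the digest: HMAC-MD5(password, challenge)."""
    return hmac.new(password, challenge, hashlib.md5).hexdigest()


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    password = b"example-secret"
    challenge = b"<12345.67890@mail.example.org>"
    stored = precompute(password)  # what the password file would hold
    print(verify(stored, challenge, client_response(password, challenge)))
    # The stored state alone reproduces the client's digest, so it must be
    # protected exactly like the cleartext password.
    print(response_from_state(stored, challenge) == client_response(password, challenge))
```
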
