On Tue, Aug 01, 2017 at 01:17:08PM +0200, Markus Rosjat wrote:
> Hi there,
>

Hi,

> this is my first post on here since I noticed the openbsd mailing list isn't
> the place to ask specific questions about opensmtpd.
>
> so here we go ...
>
> I basically have a working LDAP directory to authenticate with dovecot so
> I'm sure the stuff in there is sane. I installed opensmtpd-extras from the
> ports and now try to get my ldap dir to work with opensmtpd.
>
> I can look up the accounts in the dir but get a 535 Auth failed when I try to
> send a Mail from thunderbird. I use password, plain in thunderbird and my
> userPassword in the ldap dir is also plain (so not stored encrypted).
>
> What is the way to go from here to get opensmtpd to accept my credentials?
>
> any hint is most appreciated
>

A few details are lacking; however, I think my assumption will be right.

PLAIN auth means that the password is sent in plaintext during the SMTP
session, only obfuscated in base64.

This is only true for transport and smtpd will still assume the password
to be encrypted on the host. It'll fetch the password from the backend
then use crypt() on the password it received in the session to compare
them.

In other words, if you stored your password in plain inside LDAP, which
we will all agree you shouldn't, then smtpd will not be able to perform
the comparison and you won't be able to auth.

Two exceptions:

- on OpenBSD, smtpd uses the bsd_auth(3) API, so credentials are passed
  to that layer untouched. You can write a custom login(1) script which
  will perform a plaintext comparison (beware timing attacks).

- on other systems, smtpd may be built to use PAM, so you can decide
  how it should authenticate you with the credentials you pass there.

The cleanest, safest and easiest solution would be to store passwords in
encrypted form as both Dovecot and OpenSMTPD would be able to work with
it and because it's 2017 so plaintext passwords in a database are bad.

-- 
Gilles Chehade
https://www.poolp.org @poolpOrg
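
The check described in the reply above, as an added example that is not part of the original message and is not OpenSMTPD's code: the AUTH PLAIN payload is decoded, the stored value is treated as a hash string, and the received password is hashed with the parameters taken from that stored value. PBKDF2 with a constructed `$pbkdf2-sha256$...` format stands in for crypt() so the example runs on any platform; the user name, password and backend dictionary are constructed sample data.

```python
import base64, hashlib, hmac, os

# Constructed sample: what a client sends after "AUTH PLAIN" (authzid NUL user NUL password).
SAMPLE_PAYLOAD = base64.b64encode(b"\0alice\0s3cret").decode()

def decode_auth_plain(b64):
    """base64 is an encoding, not encryption: anyone seeing the session recovers the password."""
    _authzid, user, password = base64.b64decode(b64).split(b"\0", 2)
    return user.decode(), password.decode()

def make_hash(password, salt=None, rounds=50_000):
    """Stand-in for crypt(): returns '$pbkdf2-sha256$rounds$salt$digest' (constructed format)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"$pbkdf2-sha256${rounds}${salt.hex()}${digest.hex()}"

def verify(received, stored):
    """Mimics 'crypt(received, stored) == stored': the stored value supplies salt and cost."""
    parts = stored.split("$")
    if len(parts) != 5 or parts[1] != "pbkdf2-sha256":
        return False  # a plaintext value is not a hash string, so no password can match it
    try:
        rounds, salt = int(parts[2]), bytes.fromhex(parts[3])
    except ValueError:
        return False
    candidate = make_hash(received, salt, rounds)
    # Constant-time comparison, so the result does not leak how many bytes matched.
    return hmac.compare_digest(candidate.encode(), stored.encode())

def smtp_auth(b64, backend):
    """Returns the SMTP reply code: 235 on success, 535 on failure."""
    user, password = decode_auth_plain(b64)
    stored = backend.get(user)
    return 235 if stored is not None and verify(password, stored) else 535

if __name__ == "__main__":
    print(decode_auth_plain(SAMPLE_PAYLOAD))
    print("plaintext in backend:", smtp_auth(SAMPLE_PAYLOAD, {"alice": "s3cret"}))
    print("hash in backend:     ", smtp_auth(SAMPLE_PAYLOAD, {"alice": make_hash("s3cret")}))
```

With the plaintext value in the backend the correct password still yields 535, which is the failure reported in the original question.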
