Hi Gilles,

Like I said in the private mail, I will go for the encrypted string in the LDAP dir, so the next question would be....

Is it possible to decrypt the string with smtpctl, or do I need to use some other means for that?

regards

markus

Am 01.08.2017 um 14:33 schrieb Gilles Chehade:
On Tue, Aug 01, 2017 at 01:17:08PM +0200, Markus Rosjat wrote:
Hi there,


Hi,


this is my first post on here since I noticed the openbsd mailing list isn't
the place to ask specific questions about opensmtpd.

so here we go ...

I basically have a working LDAP directory to authenticate with dovecot, so
I'm sure the stuff in there is sane. I installed opensmtpd-extras from the
ports and am now trying to get my LDAP dir to work with opensmtpd.

I can look up the accounts in the dir but get a "535 Auth failed" when I try to
send a mail from thunderbird. I use password, plain in thunderbird and my
userPassword in the LDAP dir is also plain (so not stored encrypted).

What is the way to go from here to get opensmtpd to accept my credentials?

any hint is most appreciated


A few details are lacking, however I think my assumption will be right.

PLAIN auth means that the password is sent in plaintext during the SMTP
session, only obfuscated in base64. This is only true for transport and
smtpd will still assume the password to be encrypted on the host. It'll
fetch the password from the backend then use crypt() on the password it
received in the session to compare them.

In other words, if you stored your password in plain inside LDAP, which
we will all agree you shouldn't, then smtpd will not be able to perform
the comparison and you won't be able to auth.

Two exceptions:

- on OpenBSD, smtpd uses the bsd_auth(3) API, so credentials are passed
   to that layer untouched. you can write a custom login(1) script which
   will perform a plaintext comparison (beware timing attacks).

- on other systems, smtpd may be built to use PAM, so you can decide how
   it should authenticate you with the credentials you pass there.

The cleanest, safest and easiest solution would be to store passwords in
encrypted form, as both Dovecot and OpenSMTPD would be able to work with
it, and because it's 2017 and plaintext passwords in a database is bad.


--
Markus Rosjat    fon: +49 351 8107223    mail: [email protected]

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Please check whether this mail really needs to be printed! Before you print it, think about your responsibility and commitment to the ENVIRONMENT
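The mechanism Gilles describes, as an added illustration that is not part of this thread and not OpenSMTPD code: AUTH PLAIN carries "authzid NUL authcid NUL password" base64-encoded (the "only obfuscated in base64" transport form); the server then fetches the stored, already encrypted string from the backend, re-encrypts the password from the session using the salt/setting embedded in that string, and compares the results. Because crypt(3) is not portable across Python versions, this example substitutes a salted PBKDF2-SHA256 in a crypt-like "$pbkdf2$rounds$salt$hash" string; it is not compatible with what crypt(3) or `smtpctl encrypt` produce, only the flow is the same. The directory contents, user names and fixed salt are constructed for the example. Note how the account whose userPassword is stored in plain can never authenticate, which is exactly the 535 from the original question.

```python
"""Constructed example: server-side AUTH PLAIN check against a hashed backend.
The stand-in hash is PBKDF2-SHA256, NOT crypt(3); only the flow matches smtpd."""
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional, Tuple

ROUNDS = 100_000  # work factor for the stand-in hash (assumption, tune as needed)


def encode_auth_plain(authzid: str, authcid: str, passwd: str) -> str:
    """Client side of SASL PLAIN (RFC 4616): authzid NUL authcid NUL passwd,
    base64-encoded. Base64 is encoding, not protection: anyone on the wire
    without TLS reads the password."""
    return base64.b64encode(f"{authzid}\0{authcid}\0{passwd}".encode("utf-8")).decode("ascii")


def decode_auth_plain(blob: str) -> Tuple[str, str, str]:
    """Server side: undo the base64 and split the three NUL-separated fields.
    Malformed blobs are rejected rather than guessed at."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("AUTH PLAIN: bad base64") from exc
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError("AUTH PLAIN: expected authzid NUL authcid NUL passwd")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    return authzid, authcid, passwd


def pbkdf2_encrypt(password: str, salt: Optional[bytes] = None, rounds: int = ROUNDS) -> str:
    """Produce the stored form "$pbkdf2$<rounds>$<salt>$<hash>". This plays the
    role of crypt(3) / `smtpctl encrypt` here but is not compatible with them."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return "$pbkdf2${}${}${}".format(
        rounds,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def pbkdf2_check(password: str, stored: str) -> bool:
    """What smtpd does conceptually: take the salt/setting from the stored
    string, re-encrypt the session password with it, compare. A stored value
    that is not in hashed form (a plaintext userPassword) cannot match."""
    fields = stored.split("$")
    if len(fields) != 5 or fields[0] != "" or fields[1] != "pbkdf2":
        return False  # not a hash we recognise: plaintext in LDAP lands here
    try:
        rounds = int(fields[2])
        salt = base64.b64decode(fields[3], validate=True)
        expected = base64.b64decode(fields[4], validate=True)
    except (ValueError, binascii.Error):
        return False
    if rounds <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # Constant-time comparison: the "beware timing attacks" caveat from the thread.
    return hmac.compare_digest(candidate, expected)


# Constructed stand-in for the LDAP directory: user -> userPassword attribute.
# Fixed salt only so the example is reproducible; real use takes os.urandom().
DIRECTORY = {
    "markus": pbkdf2_encrypt("correct horse", salt=b"example-salt-0001"),
    "legacy": "battery staple",  # stored in plain, as in the original setup
}


def smtp_auth(directory: dict, blob: str) -> bool:
    """Server-side decision for one AUTH PLAIN blob: decode, look up, verify."""
    try:
        _authzid, user, passwd = decode_auth_plain(blob)
    except ValueError:
        return False
    stored = directory.get(user)
    if stored is None:
        return False
    return pbkdf2_check(passwd, stored)


if __name__ == "__main__":
    for user, pw in [("markus", "correct horse"), ("markus", "wrong"), ("legacy", "battery staple")]:
        blob = encode_auth_plain("", user, pw)
        print(f"{user!r:10} blob={blob!r:40} -> {'235 OK' if smtp_auth(DIRECTORY, blob) else '535 Auth failed'}")
```

Running it shows "markus" with the right password accepted, the wrong password rejected, and "legacy" rejected even with the correct password, because its stored value is not a hash the verifier can re-encrypt against. Swapping the stored attribute for the output of `smtpctl encrypt` (real crypt(3) output) is what makes the same account work with both Dovecot and OpenSMTPD.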
