Re: Exim authentication

2002-06-21 Thread Vineet Kumar
* Mike Mimic ([EMAIL PROTECTED]) [020621 02:18]:
> I have used:
> 
> plain:
>   driver = plaintext
>   public_name = PLAIN
>   server_condition = "${if pam{$2:$3}{1}{0}}"
>   server_set_id = $2

my plain authenticator looks identical to the above, but my login is
different from the one below.

> login:
>   driver = plaintext
>   public_name = LOGIN
>   server_prompts = "Username:: : Password::"
>   server_condition = "${if pam{$2:$3}{1}{0}}"
>   server_set_id = $2

Mine looks like this:

login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:::Password::"
  server_condition = ${if pam {$1:${sg{$2}{:}{::}}}{yes}{no}}
  server_set_id = $1

The sg bit is to double any colons in the password string (s/:/::/g).
That's just a quoting thing. The main difference I see is that you're
calling to pam with $2 and $3, where I'm using $1 and $2 (and
server_set_id = $1).


> as is written in Exim specifications. And I use
> MIME encoded '\0user\0password' (\0 are NULL).
> 
> Is this correct? Will mail clients use such line
> too?

Unfortunately, we can't count on client mailers to go by "the standard"
in this case, especially when the client uses MS mailers. Your best bet
for testing is to test with the mailers your clients will be using.

I believe you're on the right track for testing, though; you just need
to base64 encode "\0user\0password". Trying it with exim -d9 will let
you know if exim is interpreting the username and password as you expect
it should be.

> > 2) Is linux a system that requires root access to use
> > PAM?
> 
> As Vineet Kumar said it is.

Well, actually I said just the opposite: it can be done on linux without
running as root, but I think you understood that to be what I meant,
just said it wrong.

> So what is wrong? As I see exim uses correct strings
> for username and password and use PAM which returns
> that password isn't correct.

Still not sure exactly what's going wrong. Here's my pam.d/exim:

# PAM configuration file for exim smtp auth

auth     required /lib/security/pam_pwdfile.so pwdfile /etc/imap.passwd
account  required /lib/security/pam_permit.so

That authenticates against a username:crypted_password file instead of
the regular unix authentication. This enables my imap users to relay
through the machine (and they don't have shell accounts).

I don't think you should need a session group in your pam file for smtp
auth, and I just use pam_permit for account since I manage the password
file manually. (Otherwise you could use pam_unix for auth and something
else for account to control whether the user should be allowed to use
exim for smtp auth).

I hope that helps. If not, I can post more details about why it's set up
the way it is -- just ask.

good times,
Vineet
-- 
http://www.doorstop.net/
-- 
"[T]he ad skips It's theft  Any time you skip a commercial...
you're actually stealing the programming." - Turner CEO Jamie Kellner
Is fair use dead?   Help the EFF help you!   http://www.eff.org/




Re: Exim authentication

2002-06-21 Thread Mark Roach
On Thu, 2002-06-20 at 04:08, Derrick 'dman' Hudson wrote:
> On Wed, Jun 19, 2002 at 11:16:04PM -0700, Paul Johnson wrote:
> | On Wed, Jun 19, 2002 at 03:20:48PM -0500, Mark Roach wrote:
> | 
> | > I believe that putting the following in the authentication configuration
> | > section will allow you to use PAM. You will just need to add a file
> | > named /etc/pam.d/exim with the appropriate PAM config options
> | 
> | For those of us not familiar with PAM, could we get an example of that,
> | as well?
> 
> It will look much like the other files in /etc/pam.d, but with any
> different options you may prefer.  For example :
> 
> auth     required  pam_unix.so
> account  required  pam_unix.so
> password required  pam_unix.so
> 
> If you use a different authentication source (eg ldap instead of
> /etc/passwd) you would include those options.  
> 
> (Actually, I'm not terribly familiar with PAM, but I've managed to
> convert a couple machines at work to use LDAP instead :-).  It's
> pretty cool.)

I am also using LDAP, and I am pretty sure that is why this works for us
but not Mike. Authentication against the shadow files can only ever be
done by root, but with LDAP, anyone can attempt to bind.

I am sure that someone out there has made an authentication process
which runs as root which can be authenticated against by a normal user.
If nothing else, writing a script which uses login or su to verify the
password, and using that instead of PAM in exim.conf, might be easier to
maintain (and more secure) than maintaining two copies of the shadow
files... just a thought

-Mark


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Exim authentication

2002-06-21 Thread Mike Mimic
Hi!

> I see two problems.
> 1) If you used the authenticator Mark supplied,
> then the data the client sent is wrong.  The client
> sent 3 strings -- the empty string, then the
> username, then the password.  The authenticator Mark
> supplied expects the username first and the
> password second.

I have used:

plain:
  driver = plaintext
  public_name = PLAIN
  server_condition = "${if pam{$2:$3}{1}{0}}"
  server_set_id = $2

login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = "${if pam{$2:$3}{1}{0}}"
  server_set_id = $2

as is written in Exim specifications. And I use
MIME encoded '\0user\0password' (\0 are NULL).

Is this correct? Will mail clients use such line
too?

> 2) Is linux a system that requires root access to use
> PAM?

As Vineet Kumar said it is.

So what is wrong? As I see exim uses correct strings
for username and password and use PAM which returns
that password isn't correct.

I use this pam.d/exim file:

#%PAM-1.0
auth     required pam_unix.so
account  required pam_unix.so
session  required pam_unix.so

Mike

__
Do You Yahoo!?
Yahoo! - Official partner of 2002 FIFA World Cup
http://fifaworldcup.yahoo.com





Re: Exim authentication

2002-06-21 Thread Vineet Kumar
* Derrick 'dman' Hudson ([EMAIL PROTECTED]) [020620 20:43]:
> On Thu, Jun 20, 2002 at 07:57:17PM -0700, ben wrote:
> | On Thursday 20 June 2002 06:56 pm, Derrick 'dman' Hudson wrote:
> | > Is linux a system that requires root access to use PAM?  If so, then
> | > pam can't be used directly by exim.  You can, however, use a different
> | > lookup for users (eg look in a passwd file made just for exim, or use
> | > LDAP or SQL or something else).
> | >
> | > I hope PAM can be used on linux ... someone please tell me if root is
> | > required.
> The question is :
> Can exim, running as user mail (uid=8?), perform user
> authentication via PAM or must other methods be used?
> This is to provide SMTP AUTH service.  I know it won't affect other
> aspects of exim.

The answer is yes, exim can use pam with uid==8. I'm using SMTP auth
with the debian-packaged exim, running under the default uid and gid,
making use of pam authentication (with a separate user list via
pam_listfile instead of with regular user accounts, but that's below the
abstraction line as far as exim is concerned.)

good times,
Vineet
-- 
http://www.doorstop.net/
-- 
http://www.anti-dmca.org/




Re: Exim authentication

2002-06-20 Thread Derrick 'dman' Hudson
On Thu, Jun 20, 2002 at 08:48:35PM -0700, Paul Johnson wrote:
| On Thu, Jun 20, 2002 at 10:51:16PM -0500, Derrick 'dman' Hudson wrote:
| > | If you can't use PAM to do this, then is there a way to copy out PAM
| > | data to an exim-compatible file?
| > 
| > Yeah, make a file (eg /etc/exim/passwd) such as
| > 
| > 
| > user:{md5}4528e6a7bb9341c36c425faf40ef32c3
| 
| Is there a way to automate this?  Like a script I can throw into a
| nightly cron job or something?

Of course :-).

Here's an example that presumes that md5 hashes are longer than 10
characters and other passwords are crypt()ed.  It omits users where
the password field contains a single character (system users) and the
'root' and 'sashroot' accounts.


# awk -F: '
/^(sash)?root:/ { next }
/^[^:]*:.[^:]/ {
    if ( length($2) > 10 )
         { print $1 ":{md5}" $2 }
    else { print $1 ":"  $2 }
}
' /etc/shadow


| > | 
| > 
| > I needed dict to figure this one out.  Definition #1 fits well, and is
| > amusing!
| 
| I woulda tried The Jargon File directly first, but then again
| http://ursine.dyndns.org/jargon/ is an official mirror...

Well, when using 'view' as mutt's pager, typing
:!dict AOL
is easier and faster than looking up the Jargon File.  Besides, dict
looks in the Jargon File -- that's where definition #1 came from :-).

-D

-- 

He who spares the rod hates his son,
but he who loves him is careful to discipline him.
Proverbs 13:24
 
http://dman.ddts.net/~dman/
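
Added example, not Derrick's script and not part of Exim: a Python variant of the shadow-to-lsearch conversion that classifies each password field by its crypt scheme instead of its length, skips locked and privileged accounts, and writes the result with restrictive permissions. It leaves hashes unprefixed on the assumption that crypteq passes such values to crypt(), which is what understands shadow-style hashes; the sample lines, hashes and function names are constructed.

```python
import os
import re

SKIP_USERS = {"root", "sashroot"}             # same exclusions as the awk script
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")  # traditional 13-character crypt()
MODULAR = re.compile(r"\$([0-9A-Za-z]+)\$")   # $1$ (md5-crypt) and later schemes


def classify(field):
    """Name the scheme of a shadow password field, or why it is unusable."""
    if field == "":
        return "empty"
    if field[0] in "!*" or len(field) == 1:
        return "locked"
    match = MODULAR.match(field)
    if match:
        return "crypt-$%s$" % match.group(1)
    if DES_CRYPT.fullmatch(field):
        return "des-crypt"
    return "unknown"


def convert(shadow_lines):
    """Return (entries, skipped): 'user:hash' lines plus (user, reason) pairs."""
    entries, skipped = [], []
    for line in shadow_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            skipped.append((line, "malformed"))
            continue
        user, field = parts[0], parts[1]
        scheme = classify(field)
        if user in SKIP_USERS:
            skipped.append((user, "privileged"))
        elif scheme in ("empty", "locked", "unknown"):
            skipped.append((user, scheme))
        else:
            # Assumption: no {md5} prefix, so crypteq compares via crypt().
            entries.append(user + ":" + field)
    return entries, skipped


def write_private(path, entries, mode=0o640):
    """Write the lookup file with no access for 'other'; the group is assumed
    to be the one the Exim user belongs to."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "w") as handle:
        os.fchmod(handle.fileno(), mode)  # also tightens a pre-existing file
        handle.writelines(entry + "\n" for entry in entries)


# Constructed shadow lines; the hashes are made up and match no password.
SAMPLE_SHADOW = [
    "root:$1$Zz0Yy1Xx$aB3dE5gH7jK9mN1pQ3sT5.:11858:0:99999:7:::",
    "daemon:*:11858:0:99999:7:::",
    "alice:$1$Qs7xR2pL$kJ8d0aZpM3nVw5yT1uB6c.:11858:0:99999:7:::",
    "bob:ab1Cd2Ef3Gh4I:11858:0:99999:7:::",
    "carol:!$1$Mn4Bv6Cx$wE2rT4yU6iO8pA0sD2fG4.:11858:0:99999:7:::",
]

if __name__ == "__main__":
    entries, skipped = convert(SAMPLE_SHADOW)
    for entry in entries:
        print(entry)
    for user, reason in skipped:
        print("skipped", user, "(" + reason + ")")
```

The output file holds password hashes, so it needs the same care as /etc/shadow: readable by the Exim user only through its group, never by other accounts.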





Re: Exim authentication

2002-06-20 Thread ben
On Thursday 20 June 2002 08:53 pm, Derrick 'dman' Hudson wrote:
> On Thu, Jun 20, 2002 at 07:57:17PM -0700, ben wrote:
[snip]
> | root is required for configuration. users get to use it but not to
> | manipulate it. i messed around with it a while back but couldn't see a
> | use for it on my dialup desktop. it allows you, as root, to determine
> | which users get to use what services, so, appropriately configured, it
> | shouldn't interfere with user access to exim.
>
> The question is :
> Can exim, running as user mail (uid=8?), perform user
> authentication via PAM or must other methods be used?
> This is to provide SMTP AUTH service.  I know it won't affect other
> aspects of exim.
>

though i don't have practical experience to back this up, given that, in this 
case, mail is a user and smtp is a service, then, at least ideally, exim 
should be able to perform as necessary. if mail, as user, is authorized 
access via pam, then, it shouldn't affect the smtp auth process. check out 

www.kernel.org/pub/linux/libs/pam/

ben







Re: Exim authentication

2002-06-20 Thread Paul Johnson

On Thu, Jun 20, 2002 at 10:51:16PM -0500, Derrick 'dman' Hudson wrote:
> | If you can't use PAM to do this, then is there a way to copy out PAM
> | data to an exim-compatible file?
> 
> Yeah, make a file (eg /etc/exim/passwd) such as
> 
> 
> user:{md5}4528e6a7bb9341c36c425faf40ef32c3

Is there a way to automate this?  Like a script I can throw into a
nightly cron job or something?

> | 
> 
> I needed dict to figure this one out.  Definition #1 fits well, and is
> amusing!

I woulda tried The Jargon File directly first, but then again
http://ursine.dyndns.org/jargon/ is an official mirror...

-- 
Baloo





Re: Exim authentication

2002-06-20 Thread Derrick 'dman' Hudson
On Thu, Jun 20, 2002 at 07:57:17PM -0700, ben wrote:
| On Thursday 20 June 2002 06:56 pm, Derrick 'dman' Hudson wrote:
| [snip]
| >
| > Is linux a system that requires root access to use PAM?  If so, then
| > pam can't be used directly by exim.  You can, however, use a different
| > lookup for users (eg look in a passwd file made just for exim, or use
| > LDAP or SQL or something else).
| >
| > I hope PAM can be used on linux ... someone please tell me if root is
| > required.
|
| root is required for configuration. users get to use it but not to manipulate 
| it. i messed around with it a while back but couldn't see a use for it on my 
| dialup desktop. it allows you, as root, to determine which users get to use 
| what services, so, appropriately configured, it shouldn't interfere with user 
| access to exim.

The question is :
Can exim, running as user mail (uid=8?), perform user
authentication via PAM or must other methods be used?
This is to provide SMTP AUTH service.  I know it won't affect other
aspects of exim.

-D

-- 

A man of many companions may come to ruin,
but there is a friend that sticks closer than a brother.
Proverbs 18:24
 
http://dman.ddts.net/~dman/





Re: Exim authentication

2002-06-20 Thread Derrick 'dman' Hudson
On Thu, Jun 20, 2002 at 07:23:17PM -0700, Paul Johnson wrote:
| On Thu, Jun 20, 2002 at 08:56:22PM -0500, Derrick 'dman' Hudson wrote:
| 
| > Is linux a system that requires root access to use PAM?  If so, then
| > pam can't be used directly by exim.  You can, however, use a different
| > lookup for users (eg look in a passwd file made just for exim, or use
| > LDAP or SQL or something else).
| 
| If you can't use PAM to do this, then is there a way to copy out PAM
| data to an exim-compatible file?

Yeah, make a file (eg /etc/exim/passwd) such as


user:{md5}4528e6a7bb9341c36c425faf40ef32c3


(in this case, "user"'s password is "pass")

and use a variation on the sample authenticator created by eximconfig :

plain:
  driver = plaintext
  public_name = PLAIN
  server_condition = "${if crypteq{$2}{${lookup{$1}lsearch{/etc/exim/passwd}{$value}{*}}}{1}{0}}"
  server_set_id = $1

(this one is untested, but I did test a simple 'eq' and it worked)


Of course, one could always put login info in LDAP and use that
directly :-).  I was hoping exim could get to LDAP via PAM instead.
(at work we're moving the authentication away from NIS and into LDAP)

| > I hope PAM can be used on linux ... someone please tell me if root is
| > required.
| 
| 

I needed dict to figure this one out.  Definition #1 fits well, and is
amusing!

-D

-- 

Windows, hmmm, does it come with a GUI interface that works or just
pretty blue screens?
 
http://dman.ddts.net/~dman/





Re: Exim authentication

2002-06-20 Thread ben
On Thursday 20 June 2002 06:56 pm, Derrick 'dman' Hudson wrote:
[snip]
>
> Is linux a system that requires root access to use PAM?  If so, then
> pam can't be used directly by exim.  You can, however, use a different
> lookup for users (eg look in a passwd file made just for exim, or use
> LDAP or SQL or something else).
>
> I hope PAM can be used on linux ... someone please tell me if root is
> required.
>
> -D

root is required for configuration. users get to use it but not to manipulate 
it. i messed around with it a while back but couldn't see a use for it on my 
dialup desktop. it allows you, as root, to determine which users get to use 
what services, so, appropriately configured, it shouldn't interfere with user 
access to exim.

ben





Re: Exim authentication

2002-06-20 Thread Paul Johnson

On Thu, Jun 20, 2002 at 08:56:22PM -0500, Derrick 'dman' Hudson wrote:

> Is linux a system that requires root access to use PAM?  If so, then
> pam can't be used directly by exim.  You can, however, use a different
> lookup for users (eg look in a passwd file made just for exim, or use
> LDAP or SQL or something else).

If you can't use PAM to do this, then is there a way to copy out PAM
data to an exim-compatible file?

> I hope PAM can be used on linux ... someone please tell me if root is
> required.



-- 
Baloo





Re: Exim authentication

2002-06-20 Thread Derrick 'dman' Hudson
On Thu, Jun 20, 2002 at 09:43:41AM -0700, Mike Mimic wrote:
| Hi!
| 
| > Run exim from a shell with '-d9' and then try again.
| 
| I have tried and I get (nothing helpful):
| 
| Running PAM authentication for user "[erased]"
| PAM error: Authentication failure
| plain authenticator:
|   $1 =
|   $2 = [erased]
|   $3 = [erased]

I see two problems.
1)  If you used the authenticator Mark supplied, then the data the
client sent is wrong.  The client sent 3 strings -- the empty
string, then the username, then the password.  The
authenticator Mark supplied expects the username first and the
password second.

2)  I'm not sure if this is a problem on linux, but this is from
exim's spec :
   
   In some operating systems, PAM authentication can be done only from a
   process running as root. Since Exim is running as the Exim user when
   receiving messages, this means that PAM cannot be used directly in those
   systems.
   

Is linux a system that requires root access to use PAM?  If so, then
pam can't be used directly by exim.  You can, however, use a different
lookup for users (eg look in a passwd file made just for exim, or use
LDAP or SQL or something else).

I hope PAM can be used on linux ... someone please tell me if root is
required.

-D

-- 

In my Father's house are many rooms; if it were not so, I would have
told you.  I am going there to prepare a place for you.  And if I go and
prepare a place for you, I will come and take you to be with me that you
also may be where I am.
John 14:2-3 
 
http://dman.ddts.net/~dman/





Re: Exim authentication

2002-06-20 Thread Mike Mimic
Hi!

> Run exim from a shell with '-d9' and then try again.

I have tried and I get (nothing helpful):

Running PAM authentication for user "[erased]"
PAM error: Authentication failure
plain authenticator:
  $1 =
  $2 = [erased]
  $3 = [erased]
expanded string: 0
SMTP>> 535 Incorrect authentication data
535 Incorrect authentication data
LOG: 0 MAIN REJECT

What should work. The problem is that PAM fails (with
correct username and password).


Mike




Re: Exim authentication

2002-06-20 Thread Derrick 'dman' Hudson
On Wed, Jun 19, 2002 at 11:16:04PM -0700, Paul Johnson wrote:
| On Wed, Jun 19, 2002 at 03:20:48PM -0500, Mark Roach wrote:
| 
| > I believe that putting the following in the authentication configuration
| > section will allow you to use PAM. You will just need to add a file
| > named /etc/pam.d/exim with the appropriate PAM config options
| 
| For those of us not familiar with PAM, could we get an example of that,
| as well?

It will look much like the other files in /etc/pam.d, but with any
different options you may prefer.  For example :

auth     required  pam_unix.so
account  required  pam_unix.so
password required  pam_unix.so

If you use a different authentication source (eg ldap instead of
/etc/passwd) you would include those options.  

(Actually, I'm not terribly familiar with PAM, but I've managed to
convert a couple machines at work to use LDAP instead :-).  It's
pretty cool.)

-D

-- 

The way of a fool seems right to him,
but a wise man listens to advice.
Proverbs 12:15
 
http://dman.ddts.net/~dman/





Re: Exim authentication

2002-06-20 Thread Paul Johnson

On Wed, Jun 19, 2002 at 03:20:48PM -0500, Mark Roach wrote:

> I believe that putting the following in the authentication configuration
> section will allow you to use PAM. You will just need to add a file
> named /etc/pam.d/exim with the appropriate PAM config options

For those of us not familiar with PAM, could we get an example of that,
as well?

-- 
Baloo "Cooking spray?" Ursidae



Re: Exim authentication

2002-06-20 Thread Paul Johnson

On Wed, Jun 19, 2002 at 01:18:46PM -0700, Mike Mimic wrote:

> Yes, I would like to implement that. The problem is
> that examples use plain text file, but I would like
> to use system accounts (I have shadow passwords).

Yeah, I'm in roughly the same position, myself and have yet to find a
solution for it (but I'm also long off actively looking for it at this
point, more at "Hey, Google accidentally found this on a search for
toaster ovens" type stage at this point).

-- 
Baloo





Re: Exim authentication

2002-06-19 Thread Derrick 'dman' Hudson
On Wed, Jun 19, 2002 at 02:44:34PM -0700, Mike Mimic wrote:

| > I believe that putting the following in the authentication
| > configuration section will allow you to use PAM. You will just
| > need to add a file named /etc/pam.d/exim with the appropriate PAM
| > config options
| 
| I have made /etc/pam.d/exim with:
| 
| #%PAM-1.0
| auth     required pam_unix.so
| account  required pam_unix.so
| 
| But I (still) get 334 535 Incorrect authentication
| data.
| 
| Should I change anything more?

Run exim from a shell with '-d9' and then try again.  You'll get lots
of debug info in your shell, and that should tell you what exim is
trying to do and why it considers the authentication to have failed.

HTH,
-D

-- 

Thy Word is a lamp unto my feet
and a light unto my path.
Psalms 119:105
 
http://dman.ddts.net/~dman/





Re: Exim authentication

2002-06-19 Thread Mike Mimic
Hi!

> I believe that putting the following in the
> authentication configuration
> section will allow you to use PAM. You will just
> need to add a file
> named /etc/pam.d/exim with the appropriate PAM
> config options

I have made /etc/pam.d/exim with:

#%PAM-1.0
auth     required pam_unix.so
account  required pam_unix.so

But I (still) get 334 535 Incorrect authentication
data.

Should I change anything more?

(I use Pegasus Mail and I add both PLAIN and LOGIN
sections)


Mike





Re: Exim authentication

2002-06-19 Thread Mark Roach
On Wed, 2002-06-19 at 15:18, Mike Mimic wrote:
> Hi!
> 
> > | How can I set that user should login for SMTP the same
> > | as for POP3? So he should use the same username and
> > | password as for POP3 (that is the user linux account
> > | username and password).
> > 
> > Instead, exim supports SMTP AUTH.
> 
> Yes, I would like to implement that. The problem is
> that examples use plain text file, but I would like
> to use system accounts (I have shadow passwords).
> 
> So what's the code for server_condition for that?
> 

I believe that putting the following in the authentication configuration
section will allow you to use PAM. You will just need to add a file
named /etc/pam.d/exim with the appropriate PAM config options

login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = "${if pam{$1:$2}{1}{0}}"
  server_set_id = $1


-Mark





Re: Exim authentication

2002-06-19 Thread Mike Mimic
Hi!

> | How can I set that user should login for SMTP the same
> | as for POP3? So he should use the same username and
> | password as for POP3 (that is the user linux account
> | username and password).
> 
> Instead, exim supports SMTP AUTH.

Yes, I would like to implement that. The problem is
that examples use plain text file, but I would like
to use system accounts (I have shadow passwords).

So what's the code for server_condition for that?


Mike





Re: Exim authentication

2002-06-18 Thread Derrick 'dman' Hudson
On Tue, Jun 18, 2002 at 03:44:57PM -0700, Mike Mimic wrote:

| How can I set that user should login for SMTP the same
| as for POP3? So he should use the same username and
| password as for POP3 (that is the user linux account
| username and password).

This is not easy to do directly, and is flaky at best.  The whole
POP-before-SMTP concept is based on
1)  the user does SMTP before the timeout after POPing
2)  the user keeping the same IP address until after the timeout
3)  no other (malicious) user obtaining the "authenticated" IP
during the window of opportunity.

Due to the inherent flaws in pop-before-smtp, Philip isn't about to
include direct support for it in exim.

Instead, exim supports SMTP AUTH.  That's what the authenticators are
for -- providing direct AUTHentication via the ESMTP protocol (see RFC
2554).  However, I have not dealt with that part of exim yet.  The
spec is very good (/usr/share/doc/exim/spec.txt) and you can get
support from the exim-users mailing list.

HTH,
-D

-- 

Dishonest money dwindles away,
but he who gathers money little by little makes it grow.
Proverbs 13:11
 
http://dman.ddts.net/~dman/


