hi there,
i've been using authenticated smtp for over a year now, and it works great. what
you should know is that there are three different authentication types:
PLAIN, LOGIN and CRAM-MD5.
here is a nice table on what clients and other mailservers are supporting
authenticated smtp:
http://members.elysium.pl/brush/smtp-auth/index.html
the author even has a patch for qmail that implements all three
authentication types, while using cmd5checkpwd (i guess) as an alternative
to djb's original checkpassword. like checkpassword it authenticates system
users (/etc/passwd /etc/shadow). if you want vpopmail authentication, you
have to use the vchkpw program which doesn't support CRAM-MD5... so there's
no real CRAM-MD5 authentication possible for vpopmail users yet.
ken - i'm not an md5 expert and don't know exactly how that works, but maybe
this would be a nice feature to implement in vchkpw.
personally, i'm happy with just the LOGIN mechanism because m$ outlook
express supports it, and this is the most used client that really has
problems with pop-before-smtp because it always does smtp-before-pop. both
pop-before-smtp and authenticated smtp can be used together, so you don't
have to choose - just use both.
CRAM-MD5 authentication would be best because no cleartext passwords would
be transferred over the net. but users already do so with pop3 and imap, so
i personally would prefer using stunnel for smtp/pop/imap-over-ssl; then
you don't need to care about cleartext passwords, as the complete
communication would be encrypted.
i'm using the following patch to qmail-smtpd.c:
http://www.cuni.cz/~vhor/qmail/smtpauth-en.html
this patch is based on the patch by mrs. brisby, but it also features a
workaround for buggy netscape clients and servers (they want to use
authenticated smtp even if there is no need to). for installation help, look
here (at the bottom):
http://www.nimh.org/code.shtml
unfortunately, the author included a security patch that eliminates all
non-alphanumeric characters in usernames, which breaks vpopmail as it uses at
least % and . in its usernames.
look for these lines:
    /* vhor */
    for (i = 0; i < strlen(smtpauthlogin); i++) {
        if (!isalnum(smtpauthlogin[i])) {
            smtpauthlogin[i] = 'X';   /* every non-alphanumeric byte becomes 'X' */
        }
    }
and just delete them to get back vpopmail compatibility.
as chris bolt correctly stated, vchkpw has to be suid, but suid vpopmail
unfortunately is not enough; it has to be suid root (ken jones told me that a
long time ago), so please re-check the vchkpw code to be sure that you
don't open security holes through higher privileges. suid root is
especially needed in situations where not all vpopmail domains are owned by
vpopmail.vchkpw but by different users (using the command line switches on
vadddomain).
hope that helped... if you have any questions, let me know.
bye, jon
_
Jonas Pasche, RHCE                           Rheinstr. 3
webagentur Domke GmbH                        64283 Darmstadt
System administration / system development   Germany
Hotline: 0700 46637243 (24 Pf./Min.)         mailto:[EMAIL PROTECTED]
Telefax: +49 (0)6151 293173                  http://www.domke.de
_
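The three mechanisms named in the mail (PLAIN, LOGIN, CRAM-MD5) and the quoted vhor username filter, as an added example that is not part of the original message, of qmail, of vpopmail, or of any of the linked patches. Both sides of each exchange are implemented so the wire format can be compared: PLAIN and LOGIN carry the password base64-encoded (an eavesdropper decodes it), while CRAM-MD5 sends only an HMAC-MD5 of a per-session server challenge keyed with the password (RFC 2195). The account `jon%example.org` / `s3cret` and the host `mail.example.org` are constructed; `vhor_sanitize` is a Python rendering of the C loop quoted above, not the patch's own code.

```python
"""SMTP AUTH PLAIN, LOGIN and CRAM-MD5, client and server side, plus the
vhor username filter quoted from the patched qmail-smtpd.c.
Added example, not qmail/vpopmail code; credentials and host are constructed."""
import base64
import hashlib
import hmac
import secrets

# Constructed sample account: a vpopmail-style login containing '%' and '.'.
CREDENTIALS = {"jon%example.org": "s3cret"}


def decode_b64(line):
    """Decode one base64 SMTP AUTH line; None if the client sent garbage."""
    try:
        return base64.b64decode(line, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None


# --- AUTH PLAIN (RFC 4616): one line, base64("authzid\0authcid\0password") ---
def plain_client(user, password, authzid=""):
    return base64.b64encode(f"{authzid}\0{user}\0{password}".encode()).decode()


def plain_server(line, lookup):
    decoded = decode_b64(line)
    if decoded is None or decoded.count("\0") != 2:
        return False
    _authzid, user, password = decoded.split("\0")
    stored = lookup(user)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())


# --- AUTH LOGIN: two round trips, base64(username) then base64(password) ---
def login_client(user, password):
    return [base64.b64encode(user.encode()).decode(),
            base64.b64encode(password.encode()).decode()]


def login_server(lines, lookup):
    if len(lines) != 2:
        return False
    user, password = decode_b64(lines[0]), decode_b64(lines[1])
    if user is None or password is None:
        return False
    stored = lookup(user)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())


# --- AUTH CRAM-MD5 (RFC 2195): server challenge, client answers with HMAC-MD5 ---
def cram_md5_digest(password, challenge):
    """Lowercase hex HMAC-MD5 of the raw challenge bytes, keyed with the password."""
    return hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()


def cram_md5_challenge(host="mail.example.org"):
    """Fresh, unpredictable challenge per session (format suggested by RFC 2195)."""
    return base64.b64encode(f"<{secrets.token_hex(16)}@{host}>".encode()).decode()


def cram_md5_client(user, password, challenge_b64):
    digest = cram_md5_digest(password, base64.b64decode(challenge_b64))
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def cram_md5_server(challenge_b64, response_b64, lookup):
    decoded = decode_b64(response_b64)
    if decoded is None or " " not in decoded:
        return False
    user, digest = decoded.rsplit(" ", 1)
    stored = lookup(user)  # server must hold the cleartext password to recompute
    if stored is None:
        return False
    expected = cram_md5_digest(stored, base64.b64decode(challenge_b64))
    return hmac.compare_digest(expected, digest)


# --- What a passive eavesdropper recovers from each mechanism's lines ---
def sniff_password(mechanism, lines):
    """Return the cleartext password if the wire format exposes it, else None."""
    if mechanism == "PLAIN":
        return decode_b64(lines[0]).split("\0")[2]
    if mechanism == "LOGIN":
        return decode_b64(lines[1])
    return None  # CRAM-MD5: only a keyed digest of a one-time challenge is sent


# --- Python rendering of the quoted vhor loop: non-alphanumerics become 'X' ---
def vhor_sanitize(login):
    # c.isascii() keeps this equal to C isalnum() in the "C" locale.
    return "".join(c if (c.isascii() and c.isalnum()) else "X" for c in login)


if __name__ == "__main__":
    user, pw = "jon%example.org", "s3cret"
    ch = cram_md5_challenge()
    print("PLAIN    ok:", plain_server(plain_client(user, pw), CREDENTIALS.get))
    print("LOGIN    ok:", login_server(login_client(user, pw), CREDENTIALS.get))
    print("CRAM-MD5 ok:", cram_md5_server(ch, cram_md5_client(user, pw, ch), CREDENTIALS.get))
    print("sniffed from PLAIN:", sniff_password("PLAIN", [plain_client(user, pw)]))
    print("vhor filter:", user, "->", vhor_sanitize(user),
          "(known account?", CREDENTIALS.get(vhor_sanitize(user)) is not None, ")")
```

Running it shows the trade-off the mail describes: all three mechanisms authenticate the constructed account, but only PLAIN and LOGIN let `sniff_password` recover `s3cret` from the captured lines. The server side of CRAM-MD5 has to recompute the HMAC from the stored cleartext password (or an equivalent MD5 intermediate state), which is why a checker that only sees a one-way password hash cannot offer it. The last line shows the vhor filter turning `jon%example.org` into `jonXexampleXorg`, a login no vpopmail lookup will find.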