On Sat, 2002-12-14 at 01:20, Jesse Guardiani wrote:
> Whoa... don't do that!
>
> Cram-MD5 *is* supported by some remote login servers.
>
> It's just not supported when used with vpopmail.
>
> Courier-IMAP supports Cram-MD5. Just not with vpopmail.
Did I misunderstand what you asked? This patch has nothing to do with vpopmail or courier-imap. I made this patch to fix what some people (including me) would call a misbehaviour, i.e. if the chosen authentication method fails, tmda-ofmipd tries to authenticate with the authfile (default), and in some/most cases this is wrong. I then added the -n switch to be strict about the authentication method, and to not fall back to the default authfile method. No more, no less.

David

> Jesse Guardiani, Systems Administrator
> WingNET Internet Services,
> P.O. Box 2605 // Cleveland, TN 37320-2605
> 423-559-LINK (v) 423-559-5145 (f)
> http://www.wingnet.net
>
> We are actively looking for companies that do a lot of long
> distance faxing and want to cut their long distance bill by
> up to 50%. Contact [EMAIL PROTECTED] for more info.
>
>
> ----- Original Message -----
> From: "David Guerizec" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, December 13, 2002 6:49 PM
> Subject: Re: tmda-ofmipd + vpopmail CRAM-MD5 problem
>
>
> > On Sat, 2002-12-14 at 00:10, Jesse Guardiani wrote:
> > > So, I simply removed the 'cram-md5' string in the capability
> > > announcement line.
> > >
> > > Is there a better way to disable this? Perhaps a config flag?
> >
> > Can you try the attached patch, then restarting your tmda-ofmipd with
> > the -n option ?
> > If it's ok, I'll commit it in the main branch, so you won't have to
> > patch it at each new version.
> >
> >
> > David
> >
> > PS: if you receive this message, then at least it works for me ;)
> >
> >
> >
> >
> ----------------------------------------------------------------------------
> ----
> >
> Index: tmda-ofmipd
> ===================================================================
> RCS file: /cvsroot/tmda/tmda/bin/tmda-ofmipd,v
> retrieving revision 1.18
> diff -u -r1.18 tmda-ofmipd
> --- tmda-ofmipd 21 Nov 2002 21:13:29 -0000 1.18
> +++ tmda-ofmipd 13 Dec 2002 23:43:53 -0000
> @@ -36,34 +36,34 @@ > > -V > --version > - Print TMDA version information and exit. > + Print TMDA version information and exit. > > -d > --debug > - Turn on debugging prints. > + Turn on debugging prints. > > -u <username> > --username <username> > - The username that this program should run under. The default > - is to run as the user who starts the program unless that is > - root, in which case an attempt to seteuid user `tofmipd' will be > - made. Use this option to override these defaults. > + The username that this program should run under. The default > + is to run as the user who starts the program unless that is > + root, in which case an attempt to seteuid user `tofmipd' will be > + made. Use this option to override these defaults. > > -p <host:port> > --proxyport <host:port> > - The host:port to listen for incoming connections on. The > - default is FQDN:8025 (i.e, port 8025 on the fully qualified > - domain name for the local host). > + The host:port to listen for incoming connections on. The > + default is FQDN:8025 (i.e, port 8025 on the fully qualified > + domain name for the local host). > > -R proto[://host[:port]] > --remoteauth proto[://host[:port]][/dn] > Host to connect to to check username and password. > - proto can be one of the following: > - `imap' (IMAP4 server) > - 'imaps' (IMAP4 server over SSL) > - `pop3' (POP3 server) > - `apop' (POP3 server with APOP authentication) > - `ldap' (LDAP server) > + `imap' (IMAP4 server) > + 'imaps' (IMAP4 server over SSL) > + `pop3' (POP3 server) > + `apop' (POP3 server with APOP authentication) > + `ldap' (LDAP server) > - host defaults to localhost > - port defaults to 143 (imap), 993 (imaps), 110 (pop3/apop), 389 > (ldap) > - dn is mandatory for ldap and should contain a `%%s' identifying 
> @@ -76,8 +76,8 @@ > --authprog <program> > checkpassword compatible command used to check username/password. > e.g, > `-A /usr/sbin/checkpassword-pam -s id --stdin -- /bin/true' > - The program must be able to receive the username/password pair > - on its stdin, and in the following format: > + The program must be able to receive the username/password pair > + on its stdin, and in the following format: > `username\\0password\\0' > > -a <file> > @@ -87,6 +87,15 @@ > root/tofmipd, otherwise ~user/.tmda/tofmipd. Use this option > to override these defaults. > > + -n > + --nofallback > + Use only the specified authentication method, do not fall back > + to file authentification (/etc/tofmipd or -a argument). > + If more than one method is given, priority order is: > + - remoteauth (-R) > + - authprog (-A) > + - file (-a) > + > -C <n> > --connections <n> > Do not handle more than n simultaneous connections. If there > @@ -132,6 +141,7 @@ > program = sys.argv[0] > configdir = None > authprog = None > +nofallback = None > remoteauth = { 'proto': None, > 'host': 'localhost', > 'port': None, > @@ -191,11 +201,12 @@ > > try: > opts, args = getopt.getopt(sys.argv[1:], > - 'p:u:R:A:a:c:C:dVh', ['proxyport=', > + 'p:u:a:R:A:nc:C:dVh', ['proxyport=', > 'username=', > 'authfile=', > 'remoteauth=', > 'authprog=', > + 'nofallback=', > 'configdir=', > 'connections=', > 'debug', > @@ -216,9 +227,11 @@ > elif opt in ('-d', '--debug'): > DEBUGSTREAM = sys.stderr > elif opt in ('-p', '--proxyport'): > - proxyport = arg > + proxyport = arg > + elif opt in ('-n', '--nofallback'): > + nofallback = 1 > elif opt in ('-u', '--username'): > - username = arg > + username = arg > elif opt in ('-R', '--remoteauth'): > # arg is like: imap://host:port > try: 
> @@ -250,13 +263,13 @@ > remoteauth['port'], remoteauth['dn']) > remoteauth['enable'] = 1 > elif opt in ('-A', '--authprog'): > - authprog = arg > + authprog = arg > elif opt in ('-a', '--authfile'): > - authfile = arg > + authfile = arg > elif opt in ('-c', '--configdir'): > - configdir = arg > + configdir = arg > elif opt in ('-C', '--connections'): > - connections = arg > + connections = arg > > > import asynchat > @@ -494,7 +507,11 @@ > self.__auth_username = None > self.__auth_password = None > self.__auth_sasl = None > - self.__sasl_types = ['login', 'cram-md5', 'plain'] > + if nofallback and (remoteauth['enable'] or authprog): > + # CRAM-MD5 does not work with remote login or authprog > + self.__sasl_types = ['login', 'plain'] > + else: > + self.__sasl_types = ['login', 'cram-md5', 'plain'] > self.__auth_cram_md5_ticket = '<%s.%s@%s>' % > (random.randrange(10000), > int(time.time()), > FQDN) > self.__server = server > @@ -535,11 +552,15 @@ > # Try first with the remote auth > if run_remoteauth(username, password): > return 1 > + if nofallback: > + return 0 > if authprog: > # Then with the authprog > if run_authprog(username, password) == 0: > return 1 > - # Now we can fall back on the authfile > + if nofallback: > + return 0 > + # Now we can fall back on the authfile > authdict = authfile2dict(authfile) > if authdict.get(username.lower(), 0) != password: > return 0 > @@ -562,11 +583,15 @@ > # Try first with the remote auth > if run_remoteauth(username, password): > return 1 > + if nofallback: > + return 0 > if authprog: > # Then with the authprog > if run_authprog(username, password) == 0: > return 1 > - # Now we can fall back on the authfile > + if nofallback: > + return 0 > + # Now we can fall back on the authfile > authdict = authfile2dict(authfile) > if authdict.get(username.lower(), 0) != password: > return 0 > > _____________________________________________ tmda-users mailing list ([EMAIL PROTECTED]) http://tmda.net/lists/listinfo/tmda-users
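Review bot: the hunk at `@@ -36,34 +36,34 @@` (and likewise `@@ -76,8 +76,8 @@` and `@@ -250,13 +263,13 @@`) consists entirely of whitespace-only rewrites of the usage text and option handlers; they make up most of this diff and hide the functional change, so either drop them or commit them separately from the -n feature. While in that usage text, the `'imaps'` line still uses a straight quote where the neighbouring `` `imap' ``, `` `pop3' `` and `` `ldap' `` use a backtick, which is worth fixing if the lines are being touched anyway.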
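Review bot: in the hunk at `@@ -87,6 +87,15 @@`, "file authentification" should read "file authentication", and the "priority order is: remoteauth, authprog, file" wording promises that every configured method is tried in turn, whereas the code in the `@@ -535` and `@@ -562` hunks returns 0 as soon as the first configured method fails (with `-R -A -n`, authprog is never consulted after a remoteauth failure). Either document that -n means "only the highest-priority configured method", or reword this text once the code matches the stated order.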
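Review bot: the hunk at `@@ -191,11 +201,12 @@` registers the long option as `'nofallback='`, which tells getopt that `--nofallback` requires an argument, while the short form `n` in `'p:u:a:R:A:nc:C:dVh'` correctly takes none. A bare `--nofallback` on the command line will therefore be rejected by getopt (or, if followed by another token, silently consume it as its value, which the handler then ignores). It should be `'nofallback'` without the trailing `=`.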
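Review bot: in the hunk at `@@ -494,7 +507,11 @@`, the comment "CRAM-MD5 does not work with remote login or authprog" states the symptom, not the reason; CRAM-MD5 requires the server to recompute an HMAC keyed with the cleartext password, and neither a remote IMAP/POP3 login nor a checkpassword program can do that from a username/password yes-or-no check, so the mechanism is only verifiable against the authfile. Saying so in the comment makes the `nofallback and (remoteauth['enable'] or authprog)` condition self-explanatory. Two follow-ups: does the AUTH command handler reject an `AUTH CRAM-MD5` attempt that is not in `self.__sasl_types`, or does pruning the advertised list only hide the mechanism from well-behaved clients? And the challenge built on the adjacent context line, `<random.randrange(10000).time@FQDN>`, has only 10000 distinct values within a given second; if the verification path stays, a larger random component would make challenge reuse less likely.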
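Review bot: in the hunk at `@@ -535,11 +552,15 @@`, the first `if nofallback: return 0` sits directly after the remoteauth attempt, so when both `-R` and `-A` are configured together with `-n`, a remoteauth failure ends authentication before the authprog is ever tried. That contradicts the -n help text in the same patch, which describes a priority order across remoteauth, authprog and file. If the intent is only to block the authfile, move the check to just before the `# Now we can fall back on the authfile` line (a single `if nofallback and (remoteauth['enable'] or authprog): return 0`); if the intent really is "first configured method only", the help text should say that.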
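Review bot: the hunk at `@@ -562,11 +583,15 @@` is a line-for-line copy of the previous one, which means the authentication chain exists twice in this file and this change had to be applied in two places. Factoring the remoteauth/authprog/authfile sequence into one helper that both callers use would keep the two paths from drifting, which matters for a flag like -n whose whole purpose is to make authentication stricter.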
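As an added illustration of the two points raised in this thread, David's description of the authfile fallback that -n is meant to switch off and the patch comment that CRAM-MD5 "does not work with remote login or authprog", the following Python is example code written for this page; it is not TMDA's code. `run_remoteauth`, `run_authprog` and the `AUTHFILE` dictionary are stand-ins for the real functions and for what `authfile2dict()` returns, the account sets are constructed, and the challenge string only mimics the `<random.time@FQDN>` shape the ticket line in the patch builds. It models both the control flow the patch actually implements and the "priority order" its help text describes, and shows why a yes/no password oracle cannot verify a CRAM-MD5 response.

```python
import hashlib
import hmac

# Constructed sample data for this example (not real credentials).
# AUTHFILE stands in for what tmda-ofmipd's authfile2dict() returns
# (cleartext passwords); the other two sets are what a hypothetical remote
# IMAP server and a hypothetical checkpassword program would accept.
AUTHFILE = {"alice": "s3cret", "bob": "hunter2"}
REMOTE_ACCOUNTS = {("alice", "s3cret")}
AUTHPROG_ACCOUNTS = {("bob", "hunter2")}


def run_remoteauth(username, password):
    """Stand-in for run_remoteauth(): the remote server only answers yes/no
    to a cleartext username/password pair; it never reveals the password."""
    return (username, password) in REMOTE_ACCOUNTS


def run_authprog(username, password):
    """Stand-in for a checkpassword-style program: exit status 0 on success,
    matching the original `run_authprog(...) == 0` test."""
    return 0 if (username, password) in AUTHPROG_ACCOUNTS else 1


def authfile_check(username, password):
    """The fallback the -n switch is meant to disable."""
    return AUTHFILE.get(username.lower()) == password


def authenticate_patched(username, password, remoteauth=False,
                         authprog=False, nofallback=False):
    """Same control flow as the patch: when nofallback is set, the chain
    stops after the first *configured* method, whether or not another
    method (-A) is also configured."""
    if remoteauth:
        if run_remoteauth(username, password):
            return 1
        if nofallback:
            return 0
    if authprog:
        if run_authprog(username, password) == 0:
            return 1
        if nofallback:
            return 0
    # Now we can fall back on the authfile
    return 1 if authfile_check(username, password) else 0


def authenticate_documented(username, password, remoteauth=False,
                            authprog=False, nofallback=False):
    """What the -n help text describes instead: every configured method is
    tried in priority order (remoteauth, then authprog), and only the
    authfile is skipped when nofallback is set."""
    if remoteauth and run_remoteauth(username, password):
        return 1
    if authprog and run_authprog(username, password) == 0:
        return 1
    if nofallback and (remoteauth or authprog):
        return 0
    return 1 if authfile_check(username, password) else 0


def cram_md5_response(username, password, challenge):
    """Client side of CRAM-MD5 (RFC 2195): HMAC-MD5 over the server's
    challenge, keyed with the cleartext password."""
    digest = hmac.new(password.encode(), challenge.encode(),
                      hashlib.md5).hexdigest()
    return "%s %s" % (username, digest)


def verify_cram_md5(response, challenge):
    """Server side: the verifier must recompute the HMAC, so it needs the
    cleartext password (here, the authfile). A yes/no oracle such as
    run_remoteauth() or a checkpassword program never sees that password,
    which is why CRAM-MD5 cannot be offered once the authfile is disabled."""
    username, _, digest = response.partition(" ")
    password = AUTHFILE.get(username.lower())
    if password is None:
        return 0
    expected = hmac.new(password.encode(), challenge.encode(),
                        hashlib.md5).hexdigest()
    return 1 if hmac.compare_digest(expected, digest) else 0


if __name__ == "__main__":
    # bob is known to the authprog only: with -R -A -n the patched chain
    # rejects him (remoteauth failed, stop); the documented order accepts him.
    print(authenticate_patched("bob", "hunter2", remoteauth=True,
                               authprog=True, nofallback=True))     # 0
    print(authenticate_documented("bob", "hunter2", remoteauth=True,
                                  authprog=True, nofallback=True))  # 1
    # Constructed challenge in the shape tmda-ofmipd builds: <rand.time@FQDN>
    challenge = "<1234.1039823433@mail.example.org>"
    print(verify_cram_md5(cram_md5_response("alice", "s3cret", challenge),
                          challenge))                               # 1
```

The two `authenticate_*` functions differ only in where the `nofallback` check sits, which is exactly the ambiguity between the patch's help text and its code; running both on the same input makes the difference visible before deciding which behaviour to ship.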
