Hi,

From: "Jason R. Mastaler"
Subject: Re: tmda-ofmipd: patch for imap[s] and pop3 remote auth
Date: Wed, 04 Sep 2002 10:37:44 -0600

> [EMAIL PROTECTED] writes:
> 
> > Unless I can use CRAM-MD5, it doesn't seem like a good idea -- it
> > seems to me that the whole point of using APOP is being defeated
> > (prevention of leakage of a secret in transit across a network) --
> > especially if LOGIN or PLAIN must be used for SMTP AUTH.  Does that
> > sound right?
> 
> True.  Although the loss of an APOP "shared secret" is less damaging
> than losing your server password as in the case of regular pop3.

IIUC it really depends on the pop daemon you use and how you have it
set up -- for instance, I know it is possible to have separate
authentication information for pop than for user accounts if you are
running qmail-pop3d w/ checkpw.  I haven't used other pop systems in a
long time, but I have this fuzzy recollection that some of them don't
have to be linked to user passwords either.  Perhaps someone more in
the know can comment on this.

So, my understanding is that "it depends", at least for some pop
daemons.

[ In my case, since I don't typically allow non-APOP authentication for
  pop users, it is a moot point currently. ]

> BTW, do you allow only CRAM-MD5 on your network?  This would prevent
> use of all Microsoft clients for example.

Somehow I have managed to convince my users to stay away from the
dreaded Outlook clan.  [ It helps that most of my users have been
using mail since before the existence of Outlook, so they are already
entrenched in using other software.  New users are steered away
from Outlook (-; ]

> > it isn't currently possible to use CRAM-MD5 w/ tmda-ofmipd+APOP.  Is
> > that correct?  If so, why might that be?
> 
> Due to how CRAM-MD5 works (see rfc 2195).  During SMTP auth, the
> client password is converted into a hexdigest before transmission.
> Thus, tmda-ofmipd never receives the password in clear text, and thus
> can't verify it against an external source like a pop3 server.

Thanks for the reference again (-;

I understand that CRAM-MD5 is very similar to APOP from a conceptual
standpoint, and I understand the point you make here.

> However, given the username and a local password file (like
> /etc/tofmipd), tmda-ofmipd can lookup the users password, recalculate
> the hexdigest, and then compare that to the digest it received from
> the client.

Exactly [1].  So IIUC the following should be theoretically possible:

  0) tmda-ofmipd is used in personal mode w/ ~user/.tmda/tofmipd

  1) Client uses CRAM-MD5 to interface w/ tmda-ofmipd

  2) tmda-ofmipd uses APOP to interface w/ pop server

I had the impression that it was not currently possible.  I'd be happy
to hear that it is (-;  If no, will you consider the CRAM-MD5 +
tmda-ofmipd + APOP combination?

If support is already there, does the following script look like it
might do it?

#! /bin/sh

# start tmda-ofmipd for this user, in personal mode, authenticating
# SMTP clients against ~user/.tmda/tofmipd and checking the stored
# password against the local pop server via APOP

set -e

# refuse to run with an empty $USER, otherwise the paths below are wrong
: "${USER:?USER must be set}"

TMDA_OFMIPD=/usr/local/src/tmda/bin/tmda-ofmipd
AUTH_FILE=/home/$USER/.tmda/tofmipd
HOST=127.0.0.1
PORT=8025
POP_PORT=110

# the auth file holds cleartext secrets, so it must exist and be private
[ -r "$AUTH_FILE" ] || { echo "$AUTH_FILE: not readable" >&2; exit 1; }

"$TMDA_OFMIPD" -d -u "$USER" -a "$AUTH_FILE" -p "$HOST:$PORT" \
  -R "apop://$HOST:$POP_PORT"

On a separate note, as far as the ssh port-forwarding option you
mentioned in:

From: "Jason R. Mastaler"
Date: Wed, 04 Sep 2002 11:04:27 -0600
Subject: Re: tmda-ofmipd: patch for imap[s] and pop3 remote auth

> I'd just use /etc/tofmipd+CRAM-MD5, or setup some SSH port-forwarding
> between the MUA and tmda-ofmipd.

This is much harder to convince all my users to adopt (not only
behavioral change, but changes are required to client settings).

For reference, I've been using ssh port-forwarding w/ APOP for quite
some time now -- and for users that I can convince, I have them using
ssh port-forwarding in combination w/ APOP.  Sadly, others use APOP
only [2].

Slightly different topic:

I got the impression from the 0.62 release info that for certain
things Python 2.2 is required.  When I do:

  tmda-ofmipd -h

(this is actually w/ the cvs version just updated), I get:

**********************************************************************
Python 2.2 or greater is required to run ./bin/tmda-ofmipd -- Visit
http://python.org/download/ to upgrade.
**********************************************************************

Is it the case that Python 2.2 is now required for tmda-ofmipd itself?

Thanks for bearing w/ me!


[1] I had looked into the CRAM-MD5 RFC before posting as well as
    reviewed the format used by tmda-ofmipd and come to the conclusion
    you had, but I didn't want to make my previous post too long, so I
    cut out the portion of my reply for later use (-;  Hmm, this reply
    has gotten pretty long...

[2] Sadly, not many mail clients have support for setting up a tunnel
    w/ ssh before sending/receiving mail.
_________________________________________________
tmda-workers mailing list ([EMAIL PROTECTED])
http://tmda.net/lists/listinfo/tmda-workers
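The CRAM-MD5 / APOP mechanics discussed in the thread (the server recomputing the client's digest from a locally stored cleartext password, and then answering the pop server's APOP challenge with that same secret), as an added example. This is not tmda-ofmipd's code and not from anyone on the list; the password file format (`user:password` per line), the function names, and the sample users are assumptions made for illustration.

```python
"""Added example: CRAM-MD5 (RFC 2195) verification beside APOP (RFC 1939).

Shows why the "CRAM-MD5 client -> tmda-ofmipd -> APOP to pop server" chain
needs a local cleartext password file: neither digest can be derived from
the other, only from the shared secret itself.
"""
import base64
import hashlib
import hmac
import os
import socket
import time

# Constructed stand-in for ~user/.tmda/tofmipd; the "user:password" layout
# is an assumption for this example, not the real file format.
SAMPLE_TOFMIPD = "alice:s3cret-pass\nbob:hunter2\n"


def load_passwords(text):
    """Parse 'user:password' lines into a dict (assumed format)."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, password = line.partition(":")
        users[user] = password
    return users


def make_challenge(pid=None, timestamp=None, host=None):
    """RFC 2195 style challenge: '<pid.timestamp@host>'."""
    pid = os.getpid() if pid is None else pid
    timestamp = int(time.time()) if timestamp is None else timestamp
    host = socket.gethostname() if host is None else host
    return "<%d.%d@%s>" % (pid, timestamp, host)


def cram_md5_response(username, password, challenge):
    """Client side: 'user hex(HMAC-MD5(key=password, msg=challenge))'."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return "%s %s" % (username, digest)


def cram_md5_verify(response, challenge, users):
    """Server side: look up the cleartext password, recompute the digest for
    this challenge and compare in constant time.  The response alone reveals
    no password and cannot be replayed under a different challenge."""
    try:
        username, digest = response.split(" ", 1)
    except ValueError:
        return False
    password = users.get(username)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def smtp_auth_cram_md5(username, password, users, challenge):
    """The SMTP AUTH exchange: server sends base64(challenge), client answers
    base64(user + ' ' + hexdigest); returns the server's verdict."""
    wire_challenge = base64.b64encode(challenge.encode()).decode()
    client_answer = cram_md5_response(username, password,
                                      base64.b64decode(wire_challenge).decode())
    wire_response = base64.b64encode(client_answer.encode()).decode()
    return cram_md5_verify(base64.b64decode(wire_response).decode(), challenge, users)


def apop_digest(password, banner_timestamp):
    """APOP (RFC 1939): hex(MD5(timestamp-banner + shared-secret))."""
    return hashlib.md5((banner_timestamp + password).encode()).hexdigest()


def relay_apop(username, users, pop_greeting):
    """Second hop of the proposed chain: after CRAM-MD5 succeeded, answer the
    pop server's greeting with an APOP command built from the stored secret.
    Returns the command line, or None if the user or timestamp is missing."""
    password = users.get(username)
    if password is None:
        return None
    start = pop_greeting.find("<")
    end = pop_greeting.find(">", start)
    if start < 0 or end < 0:
        return None
    return "APOP %s %s" % (username, apop_digest(password, pop_greeting[start:end + 1]))


if __name__ == "__main__":
    users = load_passwords(SAMPLE_TOFMIPD)
    chal = make_challenge()
    print("CRAM-MD5 ok:", smtp_auth_cram_md5("alice", "s3cret-pass", users, chal))
    print(relay_apop("alice", users, "+OK POP3 ready <1.2@localhost>"))
```

Note that `cram_md5_verify` and `relay_apop` both take the cleartext password from the local file; a verifier that only ever sees the CRAM-MD5 digest (the "external source" case) has nothing it could feed into `apop_digest`, which is the limitation described in the quoted reply.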
