On Sat, 2002-12-14 at 19:54, Jesse Guardiani wrote:
> > Note that tmda-ofmipd is a SMTP proxy, not an authentication proxy (ie.
> > it doesn't pass over to IMAP the cram-md5 token), and it can only
> > authenticate with plain text password with IMAP, so even if we enable
> > cram-md5 in tmda-ofmipd, it's not gonna use it anyway with the remote
> > authentication host (or this is handled transparently by the underlying
> > libraries).
> > 
> > Hope that's clear.
> 
> Ok. So let me see if I have this straight:
> 
> tmda-ofmipd does NOT 'pass' the authentication string on to IMAP. Why?
> What DOES it do then? I'm confused.

OK, let's detail this.

In the following discussion, I'll use IMAP as the authentication method,
although it applies as well to POP3, APOP and LDAP (with and without
SSL).

Here is a little ascii schema to better visualize the flux:

,-----.            ,--------.               ,--------.
| MUA |-----[1]--->| ofmipd |               |  SMTP  |
|     |=====[3]===>| proxy  |======[4]=====>| server |
`-----'            `--------'               `--------'
                       |
                      [2]
                       |
                       V
                   ,--------.
                   |  IMAP  |
                   | server |
                   `--------'

---> is the authentication data
===> is the message data

[1] the MUA sends authentication data (i.e. username and password in
the clear) to ofmipd acting as an SMTP server.

[2] ofmipd now acts as an IMAP client to authenticate against the IMAP
server.

[3] if the auth is OK, ofmipd accepts the message from the MUA.

[4] ofmipd tags the address(es) and acts as a client to send the message
to the SMTP server.


The important point here is that ofmipd acts as a client to
authenticate, and since a client has the clear text password, then
ofmipd needs to get the clear text password from the actual MUA client.

Now, what if we wanted to implement CRAM-MD5 all the way down to the
IMAP server?
Since we use the IMAP standard module to make the connection and
authenticate, we'd need to patch it to pass the CRAM-MD5 token instead
of the username/password pair.
Maybe this is feasible, maybe not. But if yes we'd need to do it with
POP3, APOP, LDAP... And this is impossible to do with the --authprog
method (using chkpassword).

So this is unfortunate, but when using remote or chkpasswd-like
authentication, we cannot do CRAM-MD5. All we can do to protect the
clear text password is to use stunnel or similar programs between the
MUA and the ofmipd proxy.

David

PS: maybe we could add this to the FAQ, or into the documentation.
_________________________________________________
tmda-workers mailing list ([EMAIL PROTECTED])
http://tmda.net/lists/listinfo/tmda-workers
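A small illustration of the point made in steps [1] and [2] above (an added example, not code from TMDA or from the thread): in CRAM-MD5 the client answers the server's own random challenge with an HMAC of the password, so a token computed for the challenge ofmipd issued cannot satisfy the different challenge the IMAP server will issue, whereas a clear-text password lets the proxy answer any challenge. Function names and the sample challenges are constructed for this example.

```python
import hashlib
import hmac


def cram_md5_response(username, password, challenge):
    """Client side of RFC 2195: 'user hex(HMAC-MD5(password, challenge))'."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{username} {digest}"


def cram_md5_verify(stored_password, challenge, response):
    """Server side: recompute the HMAC for *this* challenge and compare."""
    _username, _, digest = response.partition(" ")
    expected = hmac.new(stored_password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def relay_cram_token(mua_response, imap_challenge, stored_password):
    """What a proxy holding only the MUA's CRAM-MD5 token could do with IMAP:
    replay the token unchanged.  It only verifies if the IMAP challenge happens
    to be the very string the proxy itself challenged the MUA with."""
    return cram_md5_verify(stored_password, imap_challenge, mua_response)


def relay_plain_password(username, password, imap_challenge, stored_password):
    """What ofmipd actually does in step [2]: with the clear-text password it
    acts as a full client and answers the IMAP server's own challenge."""
    answer = cram_md5_response(username, password, imap_challenge)
    return cram_md5_verify(stored_password, imap_challenge, answer)


def demo():
    # Constructed values: two independent challenges, one per hop.
    user, pw = "jesse", "correct horse"
    ofmipd_challenge = "<1896.697170952@ofmipd.example>"
    imap_challenge = "<2231.697171019@imap.example>"

    token_for_ofmipd = cram_md5_response(user, pw, ofmipd_challenge)
    return {
        # Token forwarded to IMAP fails: the HMAC was over a different challenge.
        "cram_forwarded": relay_cram_token(token_for_ofmipd, imap_challenge, pw),
        # Same token only works against the challenge it was computed for.
        "cram_same_challenge": relay_cram_token(token_for_ofmipd, ofmipd_challenge, pw),
        # Clear-text password lets the proxy authenticate on the MUA's behalf.
        "plain_relayed": relay_plain_password(user, pw, imap_challenge, pw),
    }
```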