David,
I apologize if this isn't properly threaded. I just joined the workers list,
and I'm pulling your last message from the archives.
Your message has been pasted below. Actual comments immediately below:
-----------------------
This seems odd to me. I don't understand why tmda-ofmipd wouldn't just copy
the authentication string that it receives and plug it into IMAP.
It shouldn't do any conversions. It should just regurgitate what it receives.
As you said, this would also make it an IMAP/POP proxy, but I think that
handling it any other way is just making tmda-ofmipd do more work.
Granted, I haven't had time to read the code yet. (I just got finished with a
major debug session on some buggy C code that made heavy use of uncommented
pointers.) But I hope to soon, since I have a commercial interest in getting
tmda-ofmipd to do some things that it currently doesn't do. (see tmda-ofmipd +
vpopmail/VMailMgr threads)
Are you SURE it doesn't just regurgitate login info from ESMTP to IMAP?
Thanks.
On Sat, 2002-12-14 at 19:54, Jesse Guardiani wrote:
> > Note that tmda-ofmipd is a SMTP proxy, not an authentication proxy (ie.
> > it doesn't pass over to IMAP the cram-md5 token), and it can only
> > authenticate with plain text password with IMAP, so even if we enable
> > cram-md5 in tmda-ofmipd, it's not gonna use it anyway with the remote
> > authentication host (or this is handled transparently by the underlying
> > libraries).
> >
> > Hope that's clear.
>
> Ok. So let me see if I have this straight:
>
> tmda-ofmipd does NOT 'pass' the authentication string on to IMAP. Why?
> What DOES it do then? I'm confused.
ok, let's detail this.
In the following discussion, I'll use IMAP as the authentication method,
although it applies as well to POP3, APOP and LDAP (with and without
SSL).
Here is a little ascii schema to better visualize the flow:
,-----.           ,--------.                 ,--------.
| MUA |---[1]---->| ofmipd |                 |  SMTP  |
|     |===[3]====>| proxy  |======[4]=======>| server |
`-----'           `--------'                 `--------'
                      |
                     [2]
                      |
                      V
                  ,--------.
                  |  IMAP  |
                  | server |
                  `--------'
---> is the authentication data
===> is the message data
[1] the MUA sends authentication data (ie. username and password in
clear) to ofmipd acting as an SMTP server.
[2] ofmipd now acts as an IMAP client to authenticate against the IMAP
server.
[3] if the auth is OK, ofmipd accepts the message from the MUA.
[4] ofmipd tags the address(es) and acts as a client to send the message
to the SMTP server.
The important point here is that ofmipd acts as a client to
authenticate, and since a client has the clear text password, then
ofmipd needs to get the clear text password from the actual MUA client.
Now, what if we wanted to implement CRAM-MD5 all the way down to the
IMAP server?
Since we use the IMAP standard module to make the connection and
authenticate, we'd need to patch it to pass the CRAM-MD5 token instead
of the username/password pair.
Maybe this is feasible, maybe not. But if yes we'd need to do it with
POP3, APOP, LDAP... And this is impossible to do with the --authprog
method (using chkpassword).
So this is unfortunate, but when using remote or chkpasswd-like
authentication, we cannot do CRAM-MD5. All we can do to protect the
clear text password is to use stunnel or similar programs between the
MUA and the ofmipd proxy.
David
PS: maybe we could add this to the FAQ, or into the documentation.
_________________________________________________
tmda-workers mailing list ([EMAIL PROTECTED])
http://tmda.net/lists/listinfo/tmda-workers
--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
http://www.wingnet.net
We are actively looking for companies that do a lot of long
distance faxing and want to cut their long distance bill by
up to 50%. Contact [EMAIL PROTECTED] for more info.
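The question in this thread ("why not just copy the authentication string into IMAP?") comes down to the difference between a credential that can be forwarded (PLAIN: the proxy receives the password itself) and a challenge-response token that cannot (CRAM-MD5: the MUA answers the proxy's challenge, and the IMAP server issues a different one). The example below is added here to illustrate that; it is not code from tmda-ofmipd or the TMDA project. Host names, the user name and password, and the helper names are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample credentials; not from the thread or from TMDA.
USERNAME = "alice"
PASSWORD = "correct horse battery staple"


def lookup_password(username: str):
    """Stand-in for the IMAP server's password store (constructed)."""
    return PASSWORD if username == USERNAME else None


def cram_md5_challenge(hostname: str) -> str:
    """Server side: a fresh, unpredictable challenge for each connection."""
    return f"<{secrets.token_hex(8)}@{hostname}>"


def cram_md5_response(username: str, password: str, challenge: str) -> str:
    """Client side: HMAC-MD5 of the challenge keyed by the password.
    The password never leaves the client; only this digest is sent."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{username} {digest}"


def cram_md5_verify(response: str, challenge: str) -> bool:
    """Server side: recompute the HMAC with the stored secret for the claimed
    user and compare in constant time."""
    try:
        username, digest = response.split(" ", 1)
    except ValueError:
        return False
    password = lookup_password(username)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def proxy_reuses_cram_md5_token() -> bool:
    """Steps [1] and [2] with CRAM-MD5: the MUA answers the proxy's challenge,
    and the proxy tries to present that same answer to the IMAP server.
    Returns True only if the IMAP server would accept it."""
    proxy_challenge = cram_md5_challenge("ofmipd.example.test")   # constructed host
    mua_response = cram_md5_response(USERNAME, PASSWORD, proxy_challenge)
    # The proxy now holds (proxy_challenge, mua_response) and no password.
    imap_challenge = cram_md5_challenge("imap.example.test")      # constructed host
    # The digest was computed over proxy_challenge, so it does not match the
    # IMAP server's own challenge; the login fails.
    return cram_md5_verify(mua_response, imap_challenge)


def proxy_forwards_plain_credentials() -> bool:
    """Steps [1] and [2] with PLAIN: the proxy decodes the base64 blob it got
    from the MUA, obtains the clear-text password, and logs in to IMAP with it.
    Returns True if the IMAP server accepts the forwarded credentials."""
    mua_blob = base64.b64encode(f"\0{USERNAME}\0{PASSWORD}".encode()).decode()
    _authzid, user, pwd = base64.b64decode(mua_blob).decode().split("\0")
    # The proxy behaves as an IMAP client with exactly what the MUA sent.
    stored = lookup_password(user)
    return stored is not None and hmac.compare_digest(stored, pwd)


if __name__ == "__main__":
    print("PLAIN forwarded by proxy accepted:", proxy_forwards_plain_credentials())
    print("CRAM-MD5 token reused by proxy accepted:", proxy_reuses_cram_md5_token())
```

Run as a script it prints True for PLAIN and False for CRAM-MD5, which is the point of the thread: with remote (IMAP/POP3/LDAP) or chkpassword-style authentication the proxy has to possess the clear-text password, so the protection for that password has to come from the transport (stunnel or similar between the MUA and ofmipd), not from the SASL mechanism.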