From psi-jack@xxxxxxxxxxxxx Sun Nov 11 19:36:45 2001
Date: Sun, 11 Nov 2001 13:36:45 -0600
From: Eric Renfro psi-jack@xxxxxxxxxxxxx
Subject: [Vmail-discuss] Exim+MySQL+POP3+IMAP Solution

Hey guys. I was reading through past articles, and noticed a common question being Webmail and IMAP.

For the guys interested, I've been working on a previous endeavor myself doing that, and originally, I started out using Postfix with MySQL, and Courier-IMAP. And since my discoveries of postfix and virtual not mixing well with combined functionality, I've since gone back to exim. I'm re-working my exim configurations now to use MySQL backends for data instead of using flatfiles, thanks to help from vmail-sql, and I'm re-doing some parts to use Maildir over mbox formatted mail, using /var/[spool/]/mail/virtual/$domain/$user/ as the Maildir_path, for the popboxes, and then, using Courier-IMAP to follow up and use MySQL for authentication reading similar information to get that same resolution of the Maildir_path. Though Courier-IMAP is slightly different in what it expects, it still will work, though is a bit of a redundancy hack.

PS: I enclosed 'spool/' in []'s because my server model is being designed on FreeBSD, but will be used on Linux in production. 'virtual/' could also easily be deleted and just use $domain/$user instead for a cleaner hierarchy (Sp?).

Courier-IMAP also has "soft" quotas. The only limiting factor of this, is if a real user of a virtual popbox has shell access in, and uses local MUA's, then it doesn't work for the quota. Else, it works fine over Webmail, such as SquirrelMail (which is what I plan to use, when this is all done and fixed up).

Anyway, thought I'd spread my idea, and possibly get second opinions on the matter.

---
Eric Renfro - Myrddin Computers & Designs
CEO/President
(713) 595-2104 ext. 2261
From psi-jack@xxxxxxxxxxxxx Sun Nov 11 19:45:06 2001
Date: Sun, 11 Nov 2001 13:45:06 -0600
From: Eric Renfro psi-jack@xxxxxxxxxxxxx
Subject: [Vmail-discuss] Security note for exim and MySQL

Just in case, I noticed from the documentation of vmail-sql, and exim's setup:

mysql_servers = host/user/pass

This alone, is insecure, and should be prepended with the hide directive to look more like:

hide mysql_servers = host/user/pass

This will hide that from even just running exim -bP, which any user could normally run, regardless if they have read access to the conf file of exim.

---
Eric Renfro - Myrddin Computers & Designs
CEO/President
(713) 595-2104 ext. 2261
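As an added example (my own code, not from Eric's post, Exim or vmail-sql), here is a small check for the exposure he describes: it scans an Exim configuration for credential-carrying lookup-server options that lack the "hide" prefix, reports them, and emits a corrected copy. The option names mysql_servers and pgsql_servers are Exim's real main-section options; the configuration text itself is constructed for the demonstration.

```python
"""Added example: find Exim lookup-server options whose credentials would be
printed by "exim -bP" because they are not prefixed with "hide"."""
import re

# Exim main-section options whose value embeds a database login (real option names).
SECRET_OPTIONS = {"mysql_servers", "pgsql_servers"}

# Constructed sample configuration fragment (not a real site's config).
SAMPLE_CONFIG = """\
# constructed sample exim configure fragment
primary_hostname = mail.example.invalid
mysql_servers = localhost/vmail/vmail/secret
hide pgsql_servers = localhost/vmail/vmail/secret
  log_file_path = /var/log/exim_%slog
"""

# "<optional hide> <option name> =" at the start of a line, ignoring indentation.
LINE_RE = re.compile(r"^\s*(?P<hide>hide\s+)?(?P<name>[a-z0-9_]+)\s*=")


def unhidden_secret_options(config_text):
    """Return [(line_number, option_name)] for credential options lacking 'hide'."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m or m.group("hide"):
            continue  # comment, blank, non-option line, or already hidden
        if m.group("name") in SECRET_OPTIONS:
            findings.append((lineno, m.group("name")))
    return findings


def with_hide_prefix(config_text):
    """Return a corrected copy with 'hide ' prepended to the offending lines."""
    out = []
    for line in config_text.splitlines():
        m = LINE_RE.match(line)
        if m and not m.group("hide") and m.group("name") in SECRET_OPTIONS:
            out.append("hide " + line.lstrip())
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for lineno, name in unhidden_secret_options(SAMPLE_CONFIG):
        print(f"line {lineno}: {name} is readable via 'exim -bP'; prepend 'hide'")
    print(with_hide_prefix(SAMPLE_CONFIG))
```

Run against a real configure file by reading it into unhidden_secret_options(); with "hide" in place, Exim shows the value from "exim -bP" only to admin users.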
From pdw@xxxxxxxxxxxxx Sun Nov 11 21:09:35 2001
Date: Sun, 11 Nov 2001 21:09:35 +0000
From: Paul Warren pdw@xxxxxxxxxxxxx
Subject: [Vmail-discuss] Security note for exim and MySQL

On Sun, Nov 11, 2001 at 01:45:06PM -0600, Eric Renfro wrote:
> Just in case, I noticed from the documentation of vmail-sql, and
> exim's setup:
>
> mysql_servers = host/user/pass
>
> This alone, is insecure, and should be prepended with the hide
> directive to look more like:
>
> hide mysql_servers = host/user/pass
>
> This will hide that from even just running exim -bP, which any user
> could normally run, regardless if they have read access to the conf
> file of exim.

Good point - thanks for that. Is this option a recent addition to exim? Our 3.13 installation doesn't seem to support it.

Paul

From psi-jack@xxxxxxxxxxxxx Sun Nov 11 21:27:37 2001
Date: Sun, 11 Nov 2001 15:27:37 -0600
From: Eric Renfro psi-jack@xxxxxxxxxxxxx
Subject: [Vmail-discuss] Security note for exim and MySQL

|On Sun, Nov 11, 2001 at 01:45:06PM -0600, Eric Renfro wrote:
|> Just in case, I noticed from the documentation of vmail-sql, and
|> exim's setup:
|>
|> mysql_servers = host/user/pass
|>
|> This alone, is insecure, and should be prepended with the hide
|> directive to look more like:
|>
|> hide mysql_servers = host/user/pass
|>
|> This will hide that from even just running exim -bP, which any
|> user could normally run, regardless if they have read access to
|> the conf file of exim.
|
|Good point - thanks for that. Is this option a recent
|addition to exim? Our 3.13 installation doesn't seem to support it.
|
|Paul

Yes, I do believe it is. It's in my exim-mysql 3.32. I just checked the Changelog in my source tree for it. The 'hide' pre-directive was added in exim 3.164, for security reasons.

BTW, Paul. I must admit. This vmail-sql approach to using SQL queries GREATLY reduces the amount of configuration directives in my original flat-file system. I used to use several TRANSPORTS, and several DIRECTORS to do the same thing, but, so far, from what I'm seeing, and playing with by juggling the selects manually to test them out, it looks fairly solid and fully implemented.

I never thought a MySQL approach could be so handy. And since exim's mysql backend approach allows you to literally set the entire query, it's the ultimate approach to doing it. I used to have /etc/virtual/$domain/[aliases|filter|passwd], and /etc/mail/[userdomains|virtualdomains] all used to do all that.

I'm adding to vmail-sql, for allowing relaying through virtual-domains as well, and if you would like, I will submit my sketched changes so you, and everyone else interested, may scan through it, and look at it, and use it as desired.
---
Eric Renfro - Myrddin Computers & Designs
CEO/President
713-595-2104 X2261

From psi-jack@xxxxxxxxxxxxx Sun Nov 11 21:46:13 2001
Date: Sun, 11 Nov 2001 15:46:13 -0600
From: Eric Renfro psi-jack@xxxxxxxxxxxxx
Subject: [Vmail-discuss] Mailman and Autoresponders with vmail-sql.

Alright. The big question of all, for my current server model to work: How would I get Mailman to integrate into the vmail-sql system, as well as autoresponders (you send info@virtualdomain, and it emails back a templated email message to the emailee).

So far, with the vmail-sql system, the two primaries worked. *@virtual-domain, and pop-accessible username@virtual-domain all work, including aliasing sales@virtual-domain to go to several virtual users.

---
Eric Renfro - Myrddin Computers & Designs
CEO/President
(713) 595-2104 ext. 2261

From lists@xxxxxxxxxxx Sun Nov 11 22:12:07 2001
Date: Sun, 11 Nov 2001 23:12:07 +0100
From: Franz Georg Köhler lists@xxxxxxxxxxx
Subject: [Vmail-discuss] smtp auth

Hi,

this question, in fact, is exim related, but I didn't get it answered on the exim mailing list, so I'm asking here again.

Is there anyone who is running exim smtp auth with the vmail/sql data?
(see http://www.exim.org/mailman/htdig/exim-users/Week-of-Mon-20010618/027082.html for my setup)

From psi-jack@xxxxxxxxxxxxx Sun Nov 11 22:51:42 2001
Date: Sun, 11 Nov 2001 16:51:42 -0600
From: Eric Renfro psi-jack@xxxxxxxxxxxxx
Subject: [Vmail-discuss] smtp auth

|-----Original Message-----
|From: vmail-discuss-admin@lists.beasts.org
|[mailto:vmail-discuss-admin@lists.beasts.org] On Behalf Of
|Franz Georg Köhler
|Sent: Sunday, November 11, 2001 4:12 PM
|To: vmail-discuss@lists.beasts.org
|Subject: [Vmail-discuss] smtp auth
|
|
|Hi,
|this question, in fact, is exim related, but I didn't get it
|answered on the exim mailing list, so I'm asking here again.
|
|Is there anyone who is running exim smtp auth with the vmail/sql
|data?
|
|
|(see
|http://www.exim.org/mailman/htdig/exim-users/Week-of-Mon-20010618/027082.html
|for my setup)
|

A BIG problem could be the password hash. In my case, a crypt-md5 has a preleading {crypt-md5} to it, which disrupts anything that doesn't know about that.

Paul if you read this, take a note, please. :)

Proper MD5 hashed passwords /always/ start with $1, to signify that it's MD5, and hashed. DES hashed passwords don't have that. I forget its identifier, if it even has one.

I personally dare not ever use plaintext passwords as much as I possibly can.

Try an experiment, and remove that {} preleading blurb from the hashed_password, and see if that works.
---
Eric Renfro - Myrddin Computers & Designs
CEO/President
713-595-2104 X2261

From psi-jack@xxxxxxxxxxxxxxxxxxxxx Sun Nov 11 23:06:36 2001
Date: Sun, 11 Nov 2001 17:06:36 -0600
From: Eric Renfro psi-jack@xxxxxxxxxxxxxxxxxxxxx
Subject: [Vmail-discuss] exim 6

exim test 6

---
Eric Renfro - Myrddin Computers & Designs
CEO/President
(713) 595-2104 ext. 2261
From pdw@xxxxxxxxxxxxx Mon Nov 12 23:16:47 2001
Date: Mon, 12 Nov 2001 23:16:47 +0000
From: Paul Warren pdw@xxxxxxxxxxxxx
Subject: [Vmail-discuss] smtp auth

On Sun, Nov 11, 2001 at 04:51:42PM -0600, Eric Renfro wrote:
> A BIG problem could be the password hash. In my case, a crypt-md5 has
> a preleading {crypt-md5} to it, which disrupts anything that doesn't
> know about that.
>
> Paul if you read this, take a note, please. :)
>
> Proper MD5 hashed passwords /always/ start with $1, to signify that
> it's MD5, and hashed.
> DES hashed passwords don't have that. I forget its identifier, if it
> even has one.

The reason for this is so that we can support multiple hashing formats, beyond just MD5 and DES. In particular, APOP requires a plaintext copy of the password.

With hindsight, it might have been more sensible to put the hash method into a separate column.

We didn't invent the {crypt-md5} syntax - we copied it off another project although I forget which one.

> I personally dare not ever use plaintext passwords as much as I
> possibly can.

I'd prefer to have plaintext passwords in a database that I can secure, rather than passwords being sent in the clear over a network that I can't, hence support for plaintext passwords so that we can do APOP, and CRAM-MD5 SMTP AUTH.

Paul

From chris@xxxxxxxxxxxxx Mon Nov 12 23:26:15 2001
Date: Mon, 12 Nov 2001 23:26:15 +0000
From: Chris Lightfoot chris@xxxxxxxxxxxxx
Subject: [Vmail-discuss] smtp auth

On Mon, Nov 12, 2001 at 11:16:47PM +0000, Paul Warren wrote:
> On Sun, Nov 11, 2001 at 04:51:42PM -0600, Eric Renfro wrote:
> > A BIG problem could be the password hash. In my case, a crypt-md5 has
> > a preleading {crypt-md5} to it, which disrupts anything that doesn't
> > know about that.
> >
> > Paul if you read this, take a note, please. :)
> >
> > Proper MD5 hashed passwords /always/ start with $1, to signify that
> > it's MD5, and hashed.
> > DES hashed passwords don't have that. I forget its identifier, if it
> > even has one.

DES don't. It's some sort of OpenBSDism, I think. The point is that the 1$ is not a valid crypt(3) salt value, so the system uses it as `magic' to call into crypt_md5. 2$ is some sort of Blowfish hash, I think, though I don't have an OpenBSD machine to hand to check....

> The reason for this is so that we can support multiple hashing formats,
> beyond just MD5 and DES. In particular, APOP requires a plaintext copy
> of the password.
>
> With hindsight, it might have been more sensible to put the hash method
> into a separate column.
>
> We didn't invent the {crypt-md5} syntax - we copied it off another
> project although I forget which one.

LDAP, I think. It's not an unreasonable syntax, though I suppose putting the information in a separate field might have been more sensible. Ho hum.

> > I personally dare not ever use plaintext passwords as much as I
> > possibly can.
>
> I'd prefer to have plaintext passwords in a database that I can secure,
> rather than passwords being sent in the clear over a network that I
> can't, hence support for plaintext passwords so that we can do APOP, and
> CRAM-MD5 SMTP AUTH.

Quite.

--
The Clairvoyant Society of London will not meet Tuesday because of
unforeseen circumstances (announcement in the Financial Times)

From jh@xxxxxxxx Mon Nov 12 23:39:14 2001
Date: Tue, 13 Nov 2001 00:39:14 +0100
From: Jakob Hirsch jh@xxxxxxxx
Subject: [Vmail-discuss] smtp auth

----- Original Message -----
From: "Franz Georg Köhler"

Hi,

> this question, in fact, is exim related, but I didn't get it answered on
> the exim mailing list, so I'm asking here again.

I'm not reading exim-users list regularly, too much traffic for me. :)

> Is there anyone who is running exim smtp auth with the vmail/sql
> data?

Sure.
I had to fiddle with this for a while since I found no real documentation for this, only parts of configs from others. We currently use the first part (plaintext passwords), but I'll add some older config lines with md5 which may work, but I don't know any more. It should not be too hard to change it to one of the other hash_methods and maybe it would be nice to have one for all, but I don't think it's worth the work.

remarks:
- Mac-Outlook is able to use AUTH only since v5.02 and if you _don't_ use @ as a user-domain separator. This seems strange, since POP3-Login with user@domain works flawlessly.
- valid separators are "@%!". You can simply add more.

# announce AUTH to hosts not in relay_networks
host_auth_accept_relay = *

...

### AUTHENTICATION CONFIGURATION ###

# PLAIN: user and pass as base64-coded string
# used by: Netscape
# ${quote_mysql:...} escapes the client-supplied login name before it is
# interpolated into the SQL text
plain:
  driver = plaintext
  public_name = PLAIN
  server_condition = "${if and { \
      {!eq {$2}{}} \
      {!eq {$3}{}} \
      {eq {\\{plaintext\\}$3}{${lookup mysql { \
          select password_hash from popbox \
          where local_part='${quote_mysql:${extract {1}{@%!}{$2}}}' \
          and domain_name='${quote_mysql:${extract {2}{@%!}{$2}}}' \
        }{$value}{*:*}}} \
    }}{1}{0}}"
  server_set_id = $2

# LOGIN: challenge from server gets md5-encoded with pass, as hex
# with user prepended sent as md5
# used by: Outlook Express
login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = "${if and { \
      {!eq {$1}{}} \
      {!eq {$2}{}} \
      {eq {\\{plaintext\\}$2}{${lookup mysql { \
          select password_hash from popbox \
          where local_part='${quote_mysql:${extract {1}{@%!}{$1}}}' \
          and domain_name='${quote_mysql:${extract {2}{@%!}{$1}}}' \
        }{$value}{*:*}}} \
    }}{1}{0}}"
  server_set_id = $1

end
### END AUTHENTICATION CONFIGURATION ###

### untested... ###
plain:
  driver = plaintext
  public_name = PLAIN
  server_condition = "${if and { \
      {!eq {$2}{}} \
      {!eq {$3}{}} \
      {eq {${md5:$3}}{${lookup mysql { \
          select password_hash from popbox \
          where local_part='${quote_mysql:${extract {1}{@%!}{$2}}}' \
          and domain_name='${quote_mysql:${extract {2}{@%!}{$2}}}' \
        }{$value}{*:*}}} \
    }}{1}{0}}"
  server_set_id = $2

login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = "${if and { \
      {!eq {$1}{}} \
      {!eq {$2}{}} \
      {eq {${md5:$2}}{${lookup mysql { \
          select password_hash from popbox \
          where local_part='${quote_mysql:${extract {1}{@%!}{$1}}}' \
          and domain_name='${quote_mysql:${extract {2}{@%!}{$1}}}' \
        }{$value}{*:*}}} \
    }}{1}{0}}"
  server_set_id = $1

end

From pdw@xxxxxxxxxxxxx Mon Nov 12 23:40:52 2001
Date: Mon, 12 Nov 2001 23:40:52 +0000
From: Paul Warren pdw@xxxxxxxxxxxxx
Subject: [Vmail-discuss] Security note for exim and MySQL

On Sun, Nov 11, 2001 at 03:27:37PM -0600, Eric Renfro wrote:
> BTW, Paul. I must admit. This vmail-sql approach to using SQL
> queries GREATLY reduces the amount of configuration directives in my
> original flat-file system. I used to use several TRANSPORTS, and
> several DIRECTORS to do the same thing, but, so far, from what I'm
> seeing, and playing with by juggling the selects manually to test
> them out, it looks fairly solid and fully implemented.
> I never thought a MySQL approach could be so handy. And since exim's
> mysql backend approach allows you to literally set the entire query,
> it's the ultimate approach to doing it. I used to have
> /etc/virtual/$domain/[aliases|filter|passwd], and
> /etc/mail/[userdomains|virtualdomains] all used to do all that.

It's true - Exim does make this very easy, although I understand that the performance is pretty dismal, owing to the way that the MySQL support works in Exim.
> I'm adding to vmail-sql, for allowing relaying through
> virtual-domains as well, and if you would like, I will submit my
> sketched changes so you, and everyone else interested, may scan
> through it, and look at it, and use it as desired.

On what basis do you intend to authenticate incoming requests?

I think I will start to put together a file of contributed sample configurations - it was always intended that vmail-sql would be a starting point for a working Exim config, rather than a complete one-size-fits-all solution - it's good to see this happening :-)

cheers,

Paul

From pdw@xxxxxxxxxxxxx Mon Nov 12 23:31:03 2001
Date: Mon, 12 Nov 2001 23:31:03 +0000
From: Paul Warren pdw@xxxxxxxxxxxxx
Subject: [Vmail-discuss] smtp auth

On Sun, Nov 11, 2001 at 11:12:07PM +0100, Franz Georg Köhler wrote:
> Is there anyone who is running exim smtp auth with the vmail/sql
> data?

Yep, we're doing it. I think that Eric may have found the cause of your problems.

We do it using Exim's Perl support (performance - we've heard of it...) I'll spare you a cut-and-paste of our config, as it's a little over complex (support various authentication sources and methods), but the PasswordCrypt module should make it fairly straightforward.
Try:

perl_startup = do '/path/to/exim.pl';

Where exim.pl is:

use strict;
use warnings;
use lib '/path/to/vmail-sql-lib/';
use PasswordCrypt;

# Called from the Exim config as ${perl{check_pw}{<password>}{<stored hash>}};
# server_condition expects the strings "yes" or "no" back.
sub check_pw {
    my ($password, $hash) = @_;
    if (PasswordCrypt::authenticate($password, $hash)) {
        return "yes";
    } else {
        return "no";
    }
}

1;

Then in your authenticator, something like:

fixed_plain:
  driver = plaintext
  public_name = PLAIN
  # quote_mysql escapes the client-supplied name before it is interpolated into the SQL
  server_condition = ${perl{check_pw}{$3} \
      {${lookup mysql{select password_hash from domain \
          where domain_name = '${quote_mysql:$2}'}{$value}fail}}}
  server_set_id = $2

fixed_login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "User Name : Password"
  server_condition = ${perl{check_pw}{$2} \
      {${lookup mysql{select password_hash from domain \
          where domain_name = '${quote_mysql:$1}'}{$value}fail}}}
  server_set_id = $1

Let us know if you're still having trouble.

Paul

From psi-jack@xxxxxxxxxxxxx Tue Nov 13 05:42:49 2001
Date: Mon, 12 Nov 2001 23:42:49 -0600
From: Eric Renfro psi-jack@xxxxxxxxxxxxx
Subject: [Vmail-discuss] smtp auth

|The reason for this is so that we can support multiple hashing
|formats, beyond just MD5 and DES. In particular, APOP
|requires a plaintext copy of the password.
|
|With hindsight, it might have been more sensible to put the
|hash method into a separate column.

Oh yes. That would definitely be a better plan, so that you could
actually make use of those hashes in other things, such as an
example: Courier-IMAP's authdaemon.mysql, which can either use
plaintext, or automagically test against several crypt() methods,
including DES and Crypt-MD5.

|I'd prefer to have plaintext passwords in a database that I
|can secure, rather than passwords being sent in the clear over
|a network that I can't, hence support for plaintext passwords
|so that we can do APOP, and CRAM-MD5 SMTP AUTH.
|
|Paul

I don't quite understand this concept, myself. What's different about
APOP, and CRAM-MD5 SMTP AUTH? I'm unfamiliar with this.
I use SSL tunneled encryption, when security is an issue, still
testing a plaintext password from the client, to a hashed password
from the server.

---
Eric Renfro - Myrddin Computers & Designs
CEO/President
713-595-2104 X2261

From pdw@xxxxxxxxxxxxx Tue Nov 13 09:28:24 2001
Date: Tue, 13 Nov 2001 09:28:24 +0000
From: Paul Warren pdw@xxxxxxxxxxxxx
Subject: [Vmail-discuss] smtp auth

On Mon, Nov 12, 2001 at 11:42:49PM -0600, Eric Renfro wrote:
> |The reason for this is so that we can support multiple hashing
> |formats, beyond just MD5 and DES. In particular, APOP
> |requires a plaintext copy of the password.
> |
> |With hindsight, it might have been more sensible to put the
> |hash method into a separate column.
>
> Oh yes. That would definitely be a better plan, so that you could
> actually make use of those hashes in other things, such as an
> example: Courier-IMAP's authdaemon.mysql, which can either use
> plaintext, or automagically test against several crypt() methods,
> including DES and Crypt-MD5.

OK. I'll consider it for the next release.

> |I'd prefer to have plaintext passwords in a database that I
> |can secure, rather than passwords being sent in the clear over
> |a network that I can't, hence support for plaintext passwords
> |so that we can do APOP, and CRAM-MD5 SMTP AUTH.
> |
> |Paul
>
> I don't quite understand this concept, myself. What's different about
> APOP, and CRAM-MD5 SMTP AUTH? I'm unfamiliar with this. I use SSL
> tunneled encryption, when security is an issue, still testing a
> plaintext password from the client, to a hashed password from the
> server.

The difference with APOP (and I believe CRAM-MD5) is that it works
using a shared secret.
Both the server and client know what the password is; the server then
issues a challenge to the client - a random string - which the client
hashes with the password and returns. The server then performs the
same hash and checks the result. The advantage is that the password
never gets sent; the disadvantage is that the server needs a plaintext
copy of the password.

Paul

From chris@xxxxxxxxxxxxx Tue Nov 13 10:39:10 2001
Date: Tue, 13 Nov 2001 10:39:10 +0000
From: Chris Lightfoot chris@xxxxxxxxxxxxx
Subject: [Vmail-discuss] smtp auth

On Tue, Nov 13, 2001 at 09:28:24AM +0000, Paul Warren wrote:
> On Mon, Nov 12, 2001 at 11:42:49PM -0600, Eric Renfro wrote:
> > |The reason for this is so that we can support multiple hashing
> > |formats, beyond just MD5 and DES. In particular, APOP
> > |requires a plaintext copy of the password.
> > |
> > |With hindsight, it might have been more sensible to put the
> > |hash method into a separate column.
> >
> > Oh yes. That would definitely be a better plan, so that you could
> > actually make use of those hashes in other things, such as an
> > example: Courier-IMAP's authdaemon.mysql, which can either use
> > plaintext, or automagically test against several crypt() methods,
> > including DES and Crypt-MD5.
>
> OK. I'll consider it for the next release.

Yeah. This may entail a nasty hack in tpop3d (counting the number of
fields returned or similar to see what sort of schema it is, or,
worse, much use of concat(...)) but it's going to acquire another
nasty hack owing to a bug in the maildir code, so I suppose two is not
much worse than one....

-- 
``Knock hard. Life is deaf.'' (Arnold Wesker)

From kuti@xxxxxx Tue Nov 13 17:22:34 2001
Date: Tue, 13 Nov 2001 18:22:34 +0100
From: Jens Kutilek kuti@xxxxxx
Subject: [Vmail-discuss] smtp auth

> Is there anyone who is running exim smtp auth with the vmail/sql
> data?

I'm not using plaintext passwords, but {crypt} passwords.
My Auth configuration looks like this:

fixed_login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  # quote_mysql escapes the client-supplied name before it is interpolated into the SQL
  server_condition = "${if crypteq{$2} \
      {${lookup mysql{SELECT password_hash \
          FROM popbox \
          WHERE local_part='${quote_mysql:${local_part:$1}}' \
          AND domain_name='${quote_mysql:${domain:$1}}'}}} \
      {yes}{no}}"
  server_set_id = $1

# End of Exim configuration file

bye,
Jens.

From lists@xxxxxxxxxxx Fri Nov 16 20:31:30 2001
Date: Fri, 16 Nov 2001 21:31:30 +0100
From: Franz Georg Köhler lists@xxxxxxxxxxx
Subject: [Vmail-discuss] smtp auth

On Tue, Nov 13, 2001 at 12:39:14AM +0100, Jakob Hirsch wrote:
>> Is there anyone who is running exim smtp auth with the vmail/sql
>> data?
>
> Sure. I had to fiddle with this for a while since I found no real
> documentation for this, only parts of configs from others. We
> currently use the first part (plaintext passwords), but I'll add some
> older config lines with md5 which may work, but I don't know any more.
> It should not be too hard to change it to one of the other hash_methods
> and maybe it would be nice to have one for all, but I don't think it's
> worth the work.
> remarks:
> - Mac-Outlook is able to use AUTH only since v5.02 and if you _don't_
>   use @ as a user-domain separator. This seems strange, since
>   POP3-Login with user@domain works flawlessly.
> - valid separators are "@%!". You can simply add more.
>
>
>
> # announce AUTH to hosts not in relay_networks
> host_auth_accept_relay = *
> ...
>
> ### AUTHENTICATION CONFIGURATION ###
>
> # PLAIN: user and pass as base64-coded string
> # used by: Netscape
> plain:
>   driver = plaintext
>   public_name = PLAIN
>   # quote_mysql escapes the client-supplied name before it is interpolated into the SQL
>   server_condition = "${if and { \
>       {!eq {$2}{}} \
>       {!eq {$3}{}} \
>       {eq {\\{plaintext\\}$3}{${lookup mysql { \
>           select password_hash from popbox \
>           where local_part='${quote_mysql:${extract {1}{@%!}{$2}}}' \
>           and domain_name='${quote_mysql:${extract {2}{@%!}{$2}}}' \
>       }{$value}{*:*}}} \
>   }}{1}{0}}"
>   server_set_id = $2
>
> # LOGIN: server prompts for user name and password in turn, each sent base64-coded
> # used by: Outlook Express
> login:
>   driver = plaintext
>   public_name = LOGIN
>   server_prompts = "Username:: : Password::"
>   server_condition = "${if and { \
>       {!eq {$1}{}} \
>       {!eq {$2}{}} \
>       {eq {\\{plaintext\\}$2}{${lookup mysql { \
>           select password_hash from popbox \
>           where local_part='${quote_mysql:${extract {1}{@%!}{$1}}}' \
>           and domain_name='${quote_mysql:${extract {2}{@%!}{$1}}}' \
>       }{$value}{*:*}}} \
>   }}{1}{0}}"
>   server_set_id = $1
>
>
> end
>
> ### END AUTHENTICATION CONFIGURATION ###
>
>
> ### untested... ###
>
> plain:
>   driver = plaintext
>   public_name = PLAIN
>   server_condition = "${if and { \
>       {!eq {$2}{}} \
>       {!eq {$3}{}} \
>       {eq {${md5:$3}}{${lookup mysql { \
>           select password_hash from popbox \
>           where local_part='${quote_mysql:${extract {1}{@%!}{$2}}}' \
>           and domain_name='${quote_mysql:${extract {2}{@%!}{$2}}}' \
>       }{$value}{*:*}}} \
>   }}{1}{0}}"
>   server_set_id = $2
>
> login:
>   driver = plaintext
>   public_name = LOGIN
>   server_prompts = "Username:: : Password::"
>   server_condition = "${if and { \
>       {!eq {$1}{}} \
>       {!eq {$2}{}} \
>       {eq {${md5:$2}}{${lookup mysql { \
>           select password_hash from popbox \
>           where local_part='${quote_mysql:${extract {1}{@%!}{$1}}}' \
>           and domain_name='${quote_mysql:${extract {2}{@%!}{$1}}}' \
>       }{$value}{*:*}}} \
>   }}{1}{0}}"
>   server_set_id = $1
>
> end

This does work for me, however, as Eric Renfro pointed out, there is a
problem with those {md5} hashes; I solved it by simply deleting the code
which adds the {md5} thingies in line 90 of PasswordCrypt.pm, so
everything works perfectly now.

Any recommendation of an imap server, which works with this setup,
anyone?

-- 
+--------------------------------------------------------------------------+
| http://www.hanau.net/fgk/                 When in doubt, tell the truth. |
| 0x5E7A588D                                                 -- Mark Twain |
+--------------------------------------------------------------------------+

From lists@xxxxxxxxxxx Sat Nov 17 19:30:17 2001
Date: Sat, 17 Nov 2001 20:30:17 +0100
From: Franz Georg Köhler lists@xxxxxxxxxxx
Subject: [Vmail-discuss] smtp auth

On Fri, Nov 16, 2001 at 09:31:30PM +0100, Franz Georg Köhler wrote:
> On Tue, Nov 13, 2001 at 12:39:14AM +0100, Jakob Hirsch wrote:
> >> Is there anyone who is running exim smtp auth with the vmail/sql
> >> data?
> >
> > Sure. I had to fiddle with this for a while since I found no real
> > documentation for this, only parts of configs from others.
> > We currently use the first part (plaintext passwords), but I'll add some
> > older config lines with md5 which may work, but I don't know any more.
> > It should not be too hard to change it to one of the other hash_methods
> > and maybe it would be nice to have one for all, but I don't think it's
> > worth the work.
> > remarks:
> > - Mac-Outlook is able to use AUTH only since v5.02 and if you _don't_
> >   use @ as a user-domain separator. This seems strange, since
> >   POP3-Login with user@domain works flawlessly.
> > - valid separators are "@%!". You can simply add more.
> >
> >
> >
> > # announce AUTH to hosts not in relay_networks
> > host_auth_accept_relay = *
> > ...
> >
> > ### AUTHENTICATION CONFIGURATION ###
> >
> > # PLAIN: user and pass as base64-coded string
> > # used by: Netscape
> > plain:
> >   driver = plaintext
> >   public_name = PLAIN
> >   # quote_mysql escapes the client-supplied name before it is interpolated into the SQL
> >   server_condition = "${if and { \
> >       {!eq {$2}{}} \
> >       {!eq {$3}{}} \
> >       {eq {\\{plaintext\\}$3}{${lookup mysql { \
> >           select password_hash from popbox \
> >           where local_part='${quote_mysql:${extract {1}{@%!}{$2}}}' \
> >           and domain_name='${quote_mysql:${extract {2}{@%!}{$2}}}' \
> >       }{$value}{*:*}}} \
> >   }}{1}{0}}"
> >   server_set_id = $2
> >
> > # LOGIN: server prompts for user name and password in turn, each sent base64-coded
> > # used by: Outlook Express
> > login:
> >   driver = plaintext
> >   public_name = LOGIN
> >   server_prompts = "Username:: : Password::"
> >   server_condition = "${if and { \
> >       {!eq {$1}{}} \
> >       {!eq {$2}{}} \
> >       {eq {\\{plaintext\\}$2}{${lookup mysql { \
> >           select password_hash from popbox \
> >           where local_part='${quote_mysql:${extract {1}{@%!}{$1}}}' \
> >           and domain_name='${quote_mysql:${extract {2}{@%!}{$1}}}' \
> >       }{$value}{*:*}}} \
> >   }}{1}{0}}"
> >   server_set_id = $1
> >
> >
> > end
> >
> > ### END AUTHENTICATION CONFIGURATION ###
> >
> >
> > ### untested... ###
> >
> > plain:
> >   driver = plaintext
> >   public_name = PLAIN
> >   server_condition = "${if and { \
> >       {!eq {$2}{}} \
> >       {!eq {$3}{}} \
> >       {eq {${md5:$3}}{${lookup mysql { \
> >           select password_hash from popbox \
> >           where local_part='${quote_mysql:${extract {1}{@%!}{$2}}}' \
> >           and domain_name='${quote_mysql:${extract {2}{@%!}{$2}}}' \
> >       }{$value}{*:*}}} \
> >   }}{1}{0}}"
> >   server_set_id = $2
> >
> > login:
> >   driver = plaintext
> >   public_name = LOGIN
> >   server_prompts = "Username:: : Password::"
> >   server_condition = "${if and { \
> >       {!eq {$1}{}} \
> >       {!eq {$2}{}} \
> >       {eq {${md5:$2}}{${lookup mysql { \
> >           select password_hash from popbox \
> >           where local_part='${quote_mysql:${extract {1}{@%!}{$1}}}' \
> >           and domain_name='${quote_mysql:${extract {2}{@%!}{$1}}}' \
> >       }{$value}{*:*}}} \
> >   }}{1}{0}}"
> >   server_set_id = $1
> >
> > end
>
> This does work for me, however, as Eric Renfro pointed out, there is a
> problem with those {md5} hashes; I solved it by simply deleting the code
> which adds the {md5} thingies in line 90 of PasswordCrypt.pm, so
> everything works perfectly now.

I'm wondering if it is a good idea to switch to plain text passwords
and offer apop?

What is the reason the passwords are md5 crypted, anyway? My database
is supposed to be secure, just as the connection between the database
and the mailserver...?

-- 
+--------------------------------------------------------------------------+
| http://www.hanau.net/fgk/                 When in doubt, tell the truth. |
| 0x5E7A588D                                                 -- Mark Twain |
+--------------------------------------------------------------------------+

From lists@xxxxxxxxxxx Sat Nov 17 23:26:22 2001
Date: Sun, 18 Nov 2001 00:26:22 +0100
From: Franz Georg Köhler lists@xxxxxxxxxxx
Subject: [Vmail-discuss] courier imap / sql authentificator

Hi,

is somebody out there who has successfully used courier with the data
of vmail's mysql database?

courier's mysql authenticator does expect some different data in the
authentication table...

-- 
+--------------------------------------------------------------------------+
| http://www.hanau.net/fgk/                 When in doubt, tell the truth. |
| 0x5E7A588D                                                 -- Mark Twain |
+--------------------------------------------------------------------------+
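Paul's explanation of the shared-secret challenge and Franz's question about switching to plaintext passwords to offer APOP, worked through in Python as an added example (not code from vmail-sql, Exim or anyone on the list). The popbox rows, user names, passwords and function names are constructed here; the {plaintext}/{md5} prefix convention follows the PasswordCrypt.pm discussion in the thread, and the digest mechanics are those of RFC 1939 (APOP) and RFC 2195 (CRAM-MD5).

```python
import hashlib
import hmac
import secrets

# Constructed popbox table: "local_part@domain" -> the password_hash column.
# {plaintext} rows keep the secret itself; {md5} rows keep only hex(md5(password)).
POPBOX = {
    "alice@example.org": "{plaintext}correct horse",
    "bob@example.org": "{md5}" + hashlib.md5(b"battery staple").hexdigest(),
}

def split_stored(stored):
    """Split "{method}value"; a bare value is taken as md5 hex (assumption)."""
    if stored.startswith("{") and "}" in stored:
        method, value = stored[1:].split("}", 1)
        return method.lower(), value
    return "md5", stored

def verify_plain(user, password):
    """PLAIN/LOGIN: the client hands over the password, so either stored form
    can be checked (this is what the thread's server_condition strings do)."""
    method, value = split_stored(POPBOX.get(user, "{none}"))
    if method == "plaintext":
        return hmac.compare_digest(value.encode(), password.encode())
    if method == "md5":
        return hmac.compare_digest(value, hashlib.md5(password.encode()).hexdigest())
    return False  # unknown user or hash method: refuse rather than guess

def apop_challenge():
    """Server side: the POP3 greeting carries a one-time msg-id as the challenge."""
    return "<%s@pop.example.org>" % secrets.token_hex(8)

def apop_client_digest(challenge, password):
    """Client side, RFC 1939 APOP: hex(md5(challenge + password))."""
    return hashlib.md5((challenge + password).encode()).hexdigest()

def cram_md5_client_digest(challenge, password):
    """Client side, RFC 2195 CRAM-MD5: hex(hmac_md5(key=password, msg=challenge))."""
    return hmac.new(password.encode(), challenge.encode(), "md5").hexdigest()

def verify_challenge(user, challenge, digest, mechanism):
    """Server side of APOP or CRAM-MD5: recompute the client's digest, which is
    only possible when the stored row holds the plaintext password."""
    method, value = split_stored(POPBOX.get(user, "{none}"))
    if method != "plaintext":
        return False  # an {md5} (or {crypt}) row cannot serve a challenge-response login
    if mechanism == "APOP":
        expected = apop_client_digest(challenge, value)
    else:
        expected = cram_md5_client_digest(challenge, value)
    return hmac.compare_digest(expected, digest)
```

Checking bob, whose row holds only an MD5 hash, succeeds over PLAIN/LOGIN but fails over APOP and CRAM-MD5 even with the right password, which is the trade-off Paul describes: the challenge never exposes the password on the wire, but the server must hold it in the clear.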