Howdy again qpsmtpd folks...
I want to restrict my auth handlers for plain and login to secure
(SSL or TLS) connections, so that CRAM-MD5 is the only one that can
be used with plaintext. However, I'm not sure what the best way to do
this is. Before I had the tls plugin enabled, I was able to get by
with this:
sub register {
    my ( $self, $qp ) = @_;
    $self->register_hook("auth-cram-md5", "authuserdb");
    # only make insecure mechanisms available if over SSL or localhost
    if (($ENV{TCPLOCALPORT} == 465) || ($ENV{TCPREMOTEIP} eq '127.0.0.1')) {
        $self->register_hook("auth-plain", "authuserdb");
        $self->register_hook("auth-login", "authuserdb");
    }
}
But of course this winds up only offering the "secure" auth plugins
after starttls, which in my case (with versamail 3.X from a treo 650)
breaks things, since versamail only does auth plain and auth plain
only. I tried (naively) to add $self->connection->notes('tls_enabled')
into that clause, but of course we don't know when register() is
called whether TLS will be enabled later or not.
Now, I could just register plain and login on port 25, but then
return DENY if tls_enabled isn't in the connection notes, but that
sucks for a number of reasons:
- A valid client can error out (AFTER shipping its credentials in
plaintext)
- It's an ugly hack anyway.
Since tls itself is a plugin, I don't suppose there are TLS hooks?
So, what is the best way to do this?
I.e., here's what I want to see:
[EMAIL PROTECTED]:~# swaks -tls --to [EMAIL PROTECTED] -a PLAIN --auth-plaintext -au ski
Password: ******
=== Trying mailtest:25...
=== Connected to mailtest.
<- 220 mailtest ESMTP qpsmtpd 0.33-dev ready; send us your mail, but not your spam.
-> EHLO localhost
<- 250-mailtest Hi localhost [127.0.0.1]
<- 250-PIPELINING
<- 250-8BITMIME
<- 250-STARTTLS
<- 250 AUTH CRAM-MD5
-> STARTTLS
<- 220 Go ahead with TLS
=== TLS started w/ cipher AES256-SHA
~> EHLO localhost
<~ 250-mailtest Hi localhost [127.0.0.1]
<~ 250-PIPELINING
<~ 250-8BITMIME
<~ 250 AUTH PLAIN LOGIN CRAM-MD5
~> AUTH PLAIN \0ski\0pass
<~ 235 Authentication successful for ski - auth_userdb/plain
~> MAIL FROM:<[EMAIL PROTECTED]>
<~ 250 <[EMAIL PROTECTED]>, sender OK - how exciting to get mail from you!
~> RCPT TO:<[EMAIL PROTECTED]>
<~ 250 <[EMAIL PROTECTED]>, recipient ok
~> DATA
<~ 354 go ahead
~> Date: Mon, 02 Oct 2006 21:12:58 -0400
~> To: [EMAIL PROTECTED]
~> From: [EMAIL PROTECTED]
~> Subject: test Mon, 02 Oct 2006 21:12:58 -0400
~> X-Mailer: swaks v20060621.0 jetmore.org/john/code/#swaks
~>
~> This is a test mailing
~>
~> .
<~ 250 Queued! 1159837981 qp 7648 <>
~> QUIT
<~ 221 mailtest closing connection. Have a wonderful day.
=== Connection closed with remote host.
Any ideas?
---
Brian Szymanski
[EMAIL PROTECTED]
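The gating behaviour the post asks for, as an added example (not the poster's code and not qpsmtpd's own): a small Python model of the SMTP AUTH state machine that evaluates the channel state at command time rather than at plugin load, so PLAIN and LOGIN are advertised and accepted only after STARTTLS (or on port 465 / from 127.0.0.1, the two conditions the post's register() already tested), while CRAM-MD5 is offered in the clear. The user database, the remote address 192.0.2.10 and the reply wording are constructed; the enhanced status codes follow RFC 4954 (538 for a mechanism that needs encryption). Two details matter for the poster's first objection: on a clear channel the password mechanisms are simply absent from the EHLO list, so a well-behaved client never tries them, and if a client tries anyway, _auth() refuses by mechanism name before decoding any initial response, so the server never processes the credential.

```python
import base64
import hashlib
import hmac
import os

SMTPS_PORT = 465                     # implicit-TLS port tested in the post's register()
CHALLENGE_MECHS = ("CRAM-MD5",)      # password never leaves the client: fine in the clear
PASSWORD_MECHS = ("PLAIN", "LOGIN")  # password is transmitted: encrypted channel only
USERS = {"ski": "pass"}              # constructed user database (CRAM-MD5 needs the secret)

def b64(s):
    return base64.b64encode(s.encode()).decode()

def unb64(s):
    return base64.b64decode(s).decode()   # raises ValueError on undecodable input

class AuthPolicyServer:
    # Constructed model: decides per command which AUTH mechanisms the connection
    # may advertise and accept (qpsmtpd derives this list from hooks at plugin load).
    def __init__(self, local_port=25, remote_ip="192.0.2.10", hostname="mailtest"):
        self.local_port, self.remote_ip, self.hostname = local_port, remote_ip, hostname
        self.tls_enabled = False   # set by STARTTLS, like qpsmtpd's tls_enabled note
        self.authenticated = None
        self._pending = None       # (mechanism, state) while a multi-step dialogue runs

    def channel_protected(self):
        # The post's conditions, but evaluated at command time, after any STARTTLS
        return (self.tls_enabled or self.local_port == SMTPS_PORT
                or self.remote_ip == "127.0.0.1")

    def mechanisms(self):
        return list(CHALLENGE_MECHS) + (list(PASSWORD_MECHS) if self.channel_protected() else [])

    def command(self, line):
        """Handle one client line; return the server reply as a list of lines."""
        if self._pending:
            return self._continue(line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            caps = [f"250-{self.hostname} Hi {arg}", "250-PIPELINING", "250-8BITMIME"]
            caps += [] if self.tls_enabled else ["250-STARTTLS"]
            return caps + ["250 AUTH " + " ".join(self.mechanisms())]
        if verb == "STARTTLS":
            self.tls_enabled = True  # the handshake itself is outside this model
            return ["220 Go ahead with TLS"]
        if verb == "AUTH":
            return self._auth(arg)
        return ["502 5.5.2 Command not implemented in this model"]

    def _auth(self, arg):
        mech, _, initial = arg.partition(" ")
        mech = mech.upper()
        # Refuse on the mechanism name alone, before decoding any initial response,
        # so a password-carrying mechanism is never processed on a clear channel.
        if mech not in self.mechanisms():
            return ["538 5.7.11 Encryption required for requested authentication mechanism"]
        if mech == "PLAIN":
            try:
                _authz, user, password = unb64(initial).split("\0")
            except ValueError:
                return ["501 5.5.2 Cannot decode AUTH PLAIN response"]
            return self._verdict(user, USERS.get(user) == password, "plain")
        if mech == "LOGIN":
            self._pending = ("LOGIN", None)
            return ["334 " + b64("Username:")]
        challenge = f"<{os.urandom(8).hex()}@{self.hostname}>"   # CRAM-MD5 nonce
        self._pending = ("CRAM-MD5", challenge)
        return ["334 " + b64(challenge)]

    def _continue(self, line):
        mech, state = self._pending
        self._pending = None
        try:
            text = unb64(line)
        except ValueError:
            return ["501 5.5.2 Cannot decode response"]
        if mech == "LOGIN" and state is None:   # got the username, now ask for the password
            self._pending = ("LOGIN", text)
            return ["334 " + b64("Password:")]
        if mech == "LOGIN":
            return self._verdict(state, USERS.get(state) == text, "login")
        user, _, digest = text.partition(" ")    # CRAM-MD5 reply is "user hexdigest"
        expected = hmac.new(USERS.get(user, "").encode(), state.encode(), hashlib.md5).hexdigest()
        return self._verdict(user, user in USERS and hmac.compare_digest(expected, digest), "cram-md5")

    def _verdict(self, user, ok, how):
        if ok:
            self.authenticated = user
            return [f"235 2.7.0 Authentication successful for {user} - {how}"]
        return ["535 5.7.8 Authentication failed"]

def cram_md5_response(challenge_line, user, password):
    # Client side of CRAM-MD5: answer a "334 <base64 challenge>" server line
    challenge = base64.b64decode(challenge_line.split(" ", 1)[1])
    return b64(f"{user} {hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()}")

if __name__ == "__main__":
    srv = AuthPolicyServer()
    for cmd in ["EHLO localhost", "AUTH PLAIN " + b64("\0ski\0pass"),
                "STARTTLS", "EHLO localhost", "AUTH PLAIN " + b64("\0ski\0pass")]:
        print(cmd, "=>", srv.command(cmd))
```

Driving the model through the post's own sequence (EHLO, STARTTLS, EHLO, AUTH PLAIN) reproduces the transcript's shape: the first EHLO lists only CRAM-MD5, an AUTH PLAIN attempted at that point gets 538 without its credential being decoded, and after STARTTLS the second EHLO lists PLAIN and LOGIN and the same AUTH PLAIN succeeds. The difference from the poster's register() is only where the condition is evaluated: per command, against the live TLS state, instead of once at plugin load.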