problem with MD5 based authentication for postfix SMTP AUTH

2003-09-14 Thread Oded Arbel

Hi list.

I'm setting up a mail server with all the bells and whistles, and I'm trying 
to include support for authentication using DIGEST-MD5 and CRAM-MD5.

I've set up postfix to auth using SASL2, and SASL to use PAM and PAM to use 
MySQL (long winded - I could use some hints on how to shorten this. I'm 
assuming postfix can't auth to MySQL directly).

Now PLAIN and LOGIN work perfectly, but when I try DIGEST-MD5 or CRAM-MD5 I 
get this error:

postfix/smtpd[30479]: warning: SASL authentication failure: no secret in database
postfix/smtpd[30479]: warning: unknown[x.x.x.x]: SASL CRAM-MD5 authentication failed

or

postfix/smtpd[30479]: warning: SASL authentication failure: no secret in database
postfix/smtpd[30479]: warning: unknown[x.x.x.x]: SASL DIGEST-MD5 authentication failed

I tried to look on the net, but most I got was errors with the sasldb, but I'm 
not using sasldb - I'm using MySQL via PAM.
If anyone has some experience with Postfix and SASL2, I'd welcome some hints.

Thanks

-- 
Oded

::..
If it weren't for physics and law enforcement, I'd be unstoppable


=
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]



Re: problem with MD5 based authentication for postfix SMTP AUTH

2003-09-14 Thread Gal Goldschmidt
Hi,

Both DIGEST-MD5 and CRAM-MD5 require the password to be stored on the server 
in clear text(!). The password is used as the key for authentication. 
On one side you have plain and login with encrypted store on the server but 
the password is sent unencrypted over the network and then you have the MD5s 
that never send the password over the wire but require its storage in clear 
text on the server.

You must create a different database for it, in /etc, if you are running 
postfix in chroot jail and put a clear text DB of user's passwords in the 
/etc of that chroot jail.

The best and easy solution: use plain and login with SSL/TLS, with the added 
bonus of security to the E-mail itself and not only the login.

Bye






Re: problem with MD5 based authentication for postfix SMTP AUTH

2003-09-14 Thread Oded Arbel
On Sunday 14 September 2003 15:47, Gal Goldschmidt wrote:
> Hi,
>
> Both DIGEST-MD5 and CRAM-MD5 require the password to be stored on the
> server in clear text(!). 

As I understand, this is only required so that the authentication agent (be it 
sasl, pam or whatever) can encode the password in MD5. Is it possible to 
store the password on the server already encoded in MD5? That would be the 
best solution IMO.

> The best and easy solution: use plain and login with SSL/TLS, with the
> added bonus of security to the E-mail itself and not only the login.

Yes, but I want also to be able to support MD5 based auth for people who 
can't/won't use SSL/TLS.

Thanks.

-- 
Oded

::..
"Never let a sense of social ethics get in the way of doing what's right."
-- Matthew Wallace





Saving Screen

2003-09-14 Thread Erez Kirson
Hi

Is there a way to save an X11 window and export it to an AVI or ogg?

I want to take a graphical simulator and copy 15 seconds of it, and then
burn it so I can send it on CD.

Any thoughts?

Erez





RE: Saving Screen

2003-09-14 Thread Linux Israel Net
Hi,
Try this:
streamer -h
(part of the xawtv package)
http://bytesex.org/xawtv/
Hope it helps.

Another idea is to run HyperCam with WINE or to run HyperCam on a Windows machine
and VNCviewer to the Linux machine and capture the VNC windows session.

Thanks,
Miki (Moshe) Barzilay


> -Original Message-
> From: Erez Kirson [SMTP:[EMAIL PROTECTED]
> Sent: Sunday, 14 September 2003 16:59
> To:   Linux-IL mailing list
> Subject:  Saving Screen
> 
> Hi
> 
> Is there a way to save an X11 window and exporting it to an AVI or ogg.
> 
> I want to take a graphical simulator and copy 15 seconds of it, and then
> burn it so i can send it on CD.
> 
> any thoughts
> 
> Erez
> 
> 



Re: problem with MD5 based authentication for postfix SMTP AUTH

2003-09-14 Thread Tzafrir Cohen
On Sun, Sep 14, 2003 at 04:23:09PM +0300, Oded Arbel wrote:
> On Sunday 14 September 2003 15:47, Gal Goldschmidt wrote:
> > Hi,
> >
> > Both DIGEST-MD5 and CRAM-MD5 require the password to be stored on the
> > server in clear text(!). 
> 
> As I understand, this is only required so that the authentication agent (be it 
> sasl, pam or whatever) can encode the password in MD5. is it possible to 
> store the password on the server already encoded in MD5 ? that would be the 
> best solution IMO.

The password is not "encoded" in MD5. It is hashed using MD5. MD5 takes
a string and creates a "password image". If MD5 works well then you
cannot tell anything about the real password from that "password image".
The only thing you can do is take a different string and create its own
MD5 signature. If they match then hopefully it was the original
password.

However, what good would it be if you would send the hashed password?
Maybe you won't know the password, but you'll be able to use that hash
recorded from the network transport.


So the next logical step would be that the authentication would be of
not exactly the hash of the password itself, but of the password and "a
little-bit more", say a number of junk bits made up by the server. If
both client and server know the password they can both "encrypt" that
similar value. Thus on the wire only the junk bits and the reply hash
must go. The secret password never does. And nothing that can be
directly used as its replacement.

-- 
Tzafrir Cohen   +---+
http://www.technion.ac.il/~tzafrir/ |vim is a mutt's best friend|
mailto:[EMAIL PROTECTED]   +---+




Re: Saving Screen

2003-09-14 Thread Oded Arbel
On Sunday 14 September 2003 18:33, Linux Israel Net wrote:
> Hi,
> Try this:
> streamer -h
> (part of the xawtv package)
> http://bytesex.org/xawtv/
> Hope it helps.
>
> Another idea to run HyperCam with WINE or to run HyperCam on Windows
> machine and VNCviewer to the Linux machine and capture the VNC windows
> session.

Other options:
- use vnc2swf to record a VNC session to a flash media file
- use vncrec to record a VNC session (using vncrec's internal format) and then 
either play it with vncrec or convert it to any kind of video using 
transcode.

The last one is probably the closest to what you originally requested, I 
suspect.

-- 
Oded

::..
hAS ANYONE SEEN MY cAPSLOCK KEY?





Latest article on Linux + Open Source in local media

2003-09-14 Thread Boaz Rymland
On topic article from Haaretz that discusses the state of OSS adoption 
in Israel (mainly in commercial organizations)

No registration required:

http://computers.walla.co.il/ts.cgi?tsscript=item&path=4&id=440127

Boaz.



Re: Latest article on Linux + Open Source in local media

2003-09-14 Thread Diego Iastrubni
Funny, at the end of the article it becomes extremely unreadable (mixed 
sentences all over the place). Anyone else experiencing it?
(knoqui 3.1.3)

On Sunday, 14 September 2003, 20:54, Boaz Rymland wrote:
> On topic article from Haaretz that discusses the state of OSS adoption
> in Israel (mainly in commercial organizations)
>
> No registration requried:
>
> http://computers.walla.co.il/ts.cgi?tsscript=item&path=4&id=440127
>
> Boaz.
>
>

-- 

- diego

Please avoid sending me Word or PowerPoint attachments.
See http://www.fsf.org/philosophy/no-word-attachments.html






Re: Latest article on Linux + Open Source in local media

2003-09-14 Thread Ely Levy
I always dislike haaretz article about opensource,
they always sound like their computer guy is getting paid very well by
MS, and even if there is some small pro opensource part it's only for the
bigger anti opensource part to sound better
this article is no different and it's mostly BS,
from the high security cost compared to windows(yea right after the last
few weeks I expected a bit more modesty) to the crap about needing to
rewrite all the programs for linux and how horribly expensive it would be
(never heard of wine?of portable code writing?of things like
mozilla/openoffice which gain ground on windows computers and works as
well on linux one?), and that quote about from the kalalit guy which just
got a server from ms (which fell miserably during like virus and made their
system almost unusable for 3 freaking days!! my doctor couldn't ever get
my test results!! so much for security!).


personally I feel safer if my health would be depended on linux servers...

Ely Levy
System group
Hebrew University
Jerusalem Israel



On Sun, 14 Sep 2003, Boaz Rymland wrote:

> On topic article from Haaretz that discusses the state of OSS adoption
> in Israel (mainly in commercial organizations)
>
> No registration requried:
>
> http://computers.walla.co.il/ts.cgi?tsscript=item&path=4&id=440127
>
> Boaz.
>
>



Re: Latest article on Linux + Open Source in local media

2003-09-14 Thread Boaz Rymland
All I can say is even if I disagree with some of the article claims too 
(which I do) - to make something productive of this one needs to "file" 
those remarks first and foremost to the Haaretz reporter. Aside of 
steam-releasing activity here there's not much point in telling in 
Linux-IL how that article was biased, if this criticism stays *only* 
here. This advice is not to "educate" you but rather based on positive 
experience I personally had with similar case with Captain Internet 
lately. This experience has not finished yet but have formed clean 
channels of communication to the captain through which I or we can 
convey our message.
My suggestion is that if it's important to you to have enough time for 
it, I would have advised writing something that will contradict their 
conclusions yet written in a language that will not arouse their 
"automatic defenses" against religious linux freaks like us.

Boaz.

Ely Levy wrote:

> I always dislike haaretz article about opensource,
> they always sound like their computer guy is getting paid very well by
> MS, and even if there is some small pro opensource part it's only for the
> bigger anti opensource part to sound better
> this article is no different and it's mostly BS,
> from the high security cost compared to windows(yea right after the last
> few weeks I expected a bit more modesty) to the crap about needing to
> rewrite all the programs for linux and how horribly expensive it would be
> (never heard of wine?of portable code writing?of things like
> mozilla/openoffice which gain ground on windows computers and works as
> well on linux one?), and that quote about from the kalalit guy which just
> got a server from ms (which fell miserably during like virus and made their
> system almost unusable for 3 freaking days!! my doctor couldn't ever get
> my test results!! so much for security!).
> personally I feel safer if my health would be depended on linux servers...
>
> Ely Levy
> System group
> Hebrew University
> Jerusalem Israel
>
> On Sun, 14 Sep 2003, Boaz Rymland wrote:
>
> > On topic article from Haaretz that discusses the state of OSS adoption
> > in Israel (mainly in commercial organizations)
> >
> > No registration required:
> >
> > http://computers.walla.co.il/ts.cgi?tsscript=item&path=4&id=440127
> >
> > Boaz.



Re: problem with MD5 based authentication for postfix SMTP AUTH

2003-09-14 Thread Gal Goldschmidt
On Sunday 14 September 2003 16:23, Oded Arbel wrote:

> As I understand, this is only required so that the authentication agent (be it
> sasl, pam or whatever) can encode the password in MD5. is it possible to 
> store the password on the server already encoded in MD5 ? that would be the 
> best solution IMO.

Nope, the password is used as a common secret between the server and the 
client and it is used for signing in the challenge response stage of the 
mechanisms, but CRAM-MD5 lets you store a KEYED-MD5 instead of the clear 
text. Both systems involve a separate user/password DB, the MD5 hashes 
stored in your MYSQL can't be used for it. 

From the MD5-DIGEST RFC:
"There are two important security consequences of this. First the
   password file must be protected as if it contained plain text
   passwords, because for the purpose of accessing documents in its
   realm, it effectively does."

From the CRAM-MD5 RFC:
" While the saving, on the server, of the MD5 "context" is marginally
 better than saving the shared secrets in clear-text, it is not
 sufficient to protect the secrets if the server itself is compromised."

For more info:
http://www.ietf.org/internet-drafts/draft-ietf-sasl-rfc2831bis-02.txt
http://www.ietf.org/internet-drafts/draft-ietf-sasl-crammd5-00.txt
http://www.openldap.org/doc/admin21/sasl.html#DIGEST-MD5

> Yes, but I want also to be able to support MD5 based auth for people who 
> can't/won't use SSL/TLS.

With the wide support for SSL in almost all the major clients, it should not 
be a problem, you can also use a web-mail solution with https to solve the 
problem for people who can't configure the E-mail client.

Bye
Gal
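
[Added example, not part of the original thread and not Postfix or Cyrus SASL code.] The CRAM-MD5 challenge-response exchange described in the two replies above, sketched in Python to show why a store holding only MD5(password) cannot verify a response while a store holding the shared secret can. The user name, password, host name and both "databases" are constructed for illustration, and the helper names are hypothetical.

```python
import hashlib
import hmac
import os
import time

def make_challenge(host="mail.example.org"):
    # Server side: a fresh, unpredictable challenge per attempt (the "junk bits").
    return f"<{os.urandom(8).hex()}.{int(time.time())}@{host}>".encode()

def client_response(user, password, challenge):
    # Client side: HMAC-MD5 keyed with the password, computed over the challenge.
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{user} {digest}"

def server_verify(secret_db, challenge, response):
    # Server side: recompute the HMAC with the stored secret and compare.
    user, _, digest = response.partition(" ")
    secret = secret_db.get(user)
    if secret is None:
        return False  # nothing usable stored for this user
    expected = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected.encode(), digest.encode())

# Constructed sample data (assumed names and values, not from the thread).
PASSWORD = "correct horse battery"
SECRET_DB = {"alice": PASSWORD.encode()}  # password-equivalent: guard like plaintext
HASHED_DB = {"alice": hashlib.md5(PASSWORD.encode()).hexdigest().encode()}  # hash-only store

def demo():
    challenge = make_challenge()
    response = client_response("alice", PASSWORD, challenge)
    return {
        # Server holds the shared secret: the response verifies.
        "shared_secret_store": server_verify(SECRET_DB, challenge, response),
        # Server holds only MD5(password): it cannot rebuild the client's HMAC.
        "md5_hash_store": server_verify(HASHED_DB, challenge, response),
        # A recorded response does not verify against the next challenge.
        "replayed_response": server_verify(SECRET_DB, make_challenge(), response),
        # No entry for the user at all.
        "unknown_user": server_verify(SECRET_DB, challenge, "bob " + "0" * 32),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```
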
