Re: Secure Relaying -- a start
On Mon, Feb 03, 2003 at 03:09:22AM +0100, Hendrik Sattler wrote:
> will trillich wrote:
> > now if you get PAM to cooperate, let me know.
> >
> > plain:
> >   driver = plaintext
> >   public_name = BASIC
> >   # $3 =~ s/:/::/g
> >   # if pam($2:$3) {yes} else {no}
> >   server_condition = ${if pam{$2:${sg{$3}{:}{::}}}{yes}{no}}
> >   server_set_id = $2
> >
> > when i do the interactive tests, it works like a champ; when i
> > try it from a remote client, nothing doing. still working on
> > it...
>
> For PAM, either run exim daemon as root or search at google for "pam_exim".

looks like andreas added a 'forbid when user <= someval' which gives
it more opportunities to fail. i'm looking to get it to succeed first,
*then* i'll pull back the reins a bit. :)

> BTW: For plain auth it should be "public_name = PLAIN".

aha. maybe this is significant...

well it may be significant, but not for my problem.

pam:
  driver = plaintext
  public_name = PLAIN
  server_condition = ${if pam{$2:${sg{$3}{:}{::}}}{yes}{no}}
  server_set_id = $2

login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = "${if crypteq{$3}{${extract{1}{:}{${lookup{$2}lsearch{/etc/exim/passwd}{$value}{*:*}}}}}{1}{0}}"
  server_set_id = $2

with "exim -bh 192.168.1.2" this fails:

  auth plain [base64data]
  535 Incorrect authentication data

and this doesn't:

  auth login [same-exact-base64data, same session]
  235 Authentication succeeded

the $1, $2, $3 all are correct, but the expansion (something, anyhow)
never works with pam. i'll stick with the crypteq for now. (it dislikes
me less.)

===

i'm not sure i've got the patience left to apply to TLS or SSL or tld or
asap or fyi or pdq or whatever the hell we're calling it this month. i
fear that if pam outfoxes me, then tls is sure to unwind my scalp down
to the medulla oblongata.

  X <= here's me                         here's encouraging => X

pooh.

maybe later, after i unravel apache-perl vs mod_ssl, and after i
implement a remote backup scheme from scratch, and after i craft two
enterprise database applications from the ground up, and after i deploy
two HTML::Mason websites, all in the sea-of-microso~1 here in the
midwest, i may try securing exim's smtp stuff again. in august. 2007.

(i know, a day in the life of a sysadmin. but are all sysadmins in the
middle of a technological desert like s.w. indiana? is there anybody in
the area who'd like to share some info and feel smart? :)

--
I use Debian/GNU Linux version 3.0;
Linux server 2.4.20-k6 #1 Mon Jan 13 23:49:14 EST 2003 i586 unknown

DEBIAN NEWBIE TIP #19 from Dave Sherohman <[EMAIL PROTECTED]>
and Will Trillich <[EMAIL PROTECTED]> :
How do you determine WHICH NETWORK SERVICES ARE OPEN (active)?
Try "netstat -a | grep LISTEN". To see numeric values (instead
of the common names for services using a particular port) then
try "netstat -na" instead. For more info, look at "man netstat".
Also try "lsof -i" as root. "man lsof" for details.

Also see http://newbieDoc.sourceForge.net/ ...

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Secure Relaying -- a start
will trillich wrote:
> now if you get PAM to cooperate, let me know.
>
> plain:
>   driver = plaintext
>   public_name = BASIC
>   # $3 =~ s/:/::/g
>   # if pam($2:$3) {yes} else {no}
>   server_condition = ${if pam{$2:${sg{$3}{:}{::}}}{yes}{no}}
>   server_set_id = $2
>
> when i do the interactive tests, it works like a champ; when i
> try it from a remote client, nothing doing. still working on
> it...

For PAM, either run the exim daemon as root or search Google for
"pam_exim".

BTW: For plain auth it should be "public_name = PLAIN".

HS
Re: Secure Relaying -- a start
On Sun, Feb 02, 2003 at 02:14:28PM +, Ed Lawson wrote:
> will trillich wrote:
> > yep. try uncommenting one of them (if it happens to refer to
> > /etc/exim/passwd then you need to set that up properly to
> > match)
>
> One more question...or two or three.

i know how you feel. :)

> Can the /etc/exim/passwd file be created with htpasswd? That
> would seem the easiest way and what I used. What permissions
> are required on the passwd file?

note: i am not an expert. an expert, according to my dad, is a
sonofabitch fifty miles from home. i'm home, so i certainly don't
qualify.

htpasswd is probably fine for this purpose.

> I now have Exim looking to authenticate before relaying and I
> have a passwd file created by htpasswd which is readable only
> by root...but still not go. Permission problem?

i made the password file "chmod 600" and then of course it couldn't
read it at all, since i make the file as root. to fix that i did
"chown mail.mail" and it's been happy ever since. your situation may
be the same. try it out.

(if you add group 'mail' to your personal username, you might make it
chmod 640 with chown youruser.mail -- but there may be security issues
there i'm not aware of.)

now if you get PAM to cooperate, let me know.

plain:
  driver = plaintext
  public_name = BASIC
  # $3 =~ s/:/::/g
  # if pam($2:$3) {yes} else {no}
  server_condition = ${if pam{$2:${sg{$3}{:}{::}}}{yes}{no}}
  server_set_id = $2

when i do the interactive tests, it works like a champ; when i try it
from a remote client, nothing doing. still working on it...

--
I use Debian/GNU Linux version 3.0;
Linux server 2.4.20-k6 #1 Mon Jan 13 23:49:14 EST 2003 i586 unknown

DEBIAN NEWBIE TIP #133 from nate <[EMAIL PROTECTED]> :
Looking to MOVE A PARTITION TO A NEW DISK DRIVE?
  1) install the new disk, partition & format it as you like
  2) mount the disk somewhere on the root filesystem (I use /usr.new)
  3) go to single user mode ('telinit 1')
  4) cd /usr ; cp -a * /usr.new/
  5) cd / ; mv usr usr.old ; mkdir /usr
  6) edit /etc/fstab to reflect the new location (/usr.old) and
     new partition (/usr)
  7) go back to runlevel 2 (logout, or 'telinit 2' or whatever
     runlevel you use)
  8) run the system for a few days and make sure everything is good,
     once this is done erase /usr.old if you want.

Also see http://newbieDoc.sourceForge.net/ ...
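The chmod/chown exchange in the message above comes down to one rule: the password file has to be readable by the user the Exim daemon runs as (mail, on the Debian woody box in the thread) and by nobody else, and only root should be able to write it. The script below is an added example, not code from the thread or from Exim; it turns that rule into a check a sysadmin can run against /etc/exim/passwd. The account name "mail" is taken from the thread; the uid/gid value 8 and the sample mode/owner combinations in the demo are constructed.

```python
"""Check the permissions of an Exim authenticator password file such as
/etc/exim/passwd.  Added example: not code from the thread or from Exim.
It encodes the rule the thread arrives at by trial and error: the file
must be readable by the user the Exim daemon runs as (mail, in the
thread's Debian woody setup) and by nobody else, and only root should be
able to write it.  The uid/gid values used in __main__ are constructed."""
import os
import pwd
import stat


def evaluate(mode: int, uid: int, gid: int, exim_uid: int, exim_gid: int) -> list[str]:
    """Return the problems with a file of the given permission bits and
    ownership, for an Exim daemon running as exim_uid/exim_gid.  An empty
    list means the file is acceptable (e.g. 600 owned by mail, or 640
    owned by root with group mail)."""
    perm = mode & 0o777
    problems = []
    if perm & 0o004:
        problems.append("world-readable: every local user can read the password hashes")
    if perm & 0o022:
        problems.append("writable by group or others: accounts could be added or changed without root")
    readable = ((uid == exim_uid and perm & 0o400)
                or (gid == exim_gid and perm & 0o040)
                or perm & 0o004)
    if not readable:
        problems.append("not readable by the exim user: authentication fails, "
                        "as with the root-only 600 file in the thread")
    return problems


def check_file(path: str, exim_user: str = "mail") -> list[str]:
    """Stat a real file and evaluate it against the account Exim runs as."""
    st = os.stat(path)
    pw = pwd.getpwnam(exim_user)
    return evaluate(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, pw.pw_uid, pw.pw_gid)


if __name__ == "__main__":
    MAIL = 8  # constructed uid/gid standing in for the mail account
    for label, mode, uid, gid in [("root 600", 0o600, 0, 0),
                                  ("mail 600", 0o600, MAIL, MAIL),
                                  ("root:mail 640", 0o640, 0, MAIL),
                                  ("root:mail 644", 0o644, 0, MAIL)]:
        print(label, evaluate(mode, uid, gid, MAIL, MAIL) or ["ok"])
```

Run `check_file("/etc/exim/passwd")` on the server itself; the "root 600" case reproduces the failure Ed hit (root-only file the daemon cannot read), "mail 600" is the fix Will applied, and "root:mail 640" is the group-readable variant he mentions.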
Re: Secure Relaying -- a start
will trillich wrote:
> yep. try uncommenting one of them (if it happens to refer to
> /etc/exim/passwd then you need to set that up properly to
> match)

One more question...or two or three.

Can the /etc/exim/passwd file be created with htpasswd? That would
seem the easiest way and what I used. What permissions are required on
the passwd file?

I now have Exim looking to authenticate before relaying and I have a
passwd file created by htpasswd which is readable only by root...but
still not go. Permission problem?

Ed Lawson
Re: Secure Relaying -- a start
will trillich wrote:
> yep. try uncommenting one of them (if it happens to refer to
> /etc/exim/passwd then you need to set that up properly to
> match)

OK. I now get the right responses from the EHLO command to show
authentication. Must have uncommented the client set before. Duh.

Now to set up the process of authenticating properly.

Thanks.

Ed Lawson
Re: Secure Relaying -- a start
On Fri, Jan 31, 2003 at 04:40:10PM -0500, Ed Lawson wrote:
> will trillich wrote:
> > auth_always_advertise
> >
> > Type: boolean
> > Default: true
> >
> > This option is available only when Exim is compiled with
> > authentication support.
>
> Well, the stock Exim.conf file does not contain this option on
> my woody box.

the "compile-exim-from-source" options will not be in the
"configure-a-running-exim" config file, no.

> Therefore the question is whether the standard exim package was
> compiled with authentication enabled. I don't know, but it
> seems the answer is no. I am speaking of the plain Exim
> package here.

ah. you're as confused as i was a few days ago. (don't worry, it'll
probably get darker before the dawn...)

the out-of-the-box debian/woody install of exim, which is what i'm
using, DOES have authentication capacity. note, CAPABILITY. but if
your exim.conf (look at the very bottom) doesn't ENABLE any of the
mechanisms, they're dormant, or unconfigured, so they're not active
and not advertised (and unable to be utilized).

at the bottom of your exim.conf there are commented-out examples of
several auth mechanisms. (first for exim-as-server, which is probably
what you want, then for exim-as-client, which may be useful for you
soon when you yank email from Out There to collect onto your server.)

TRY UNCOMMENTING THE SIMPLEST ONE, or make your own for testing -- for
example

  cheat:
    driver = plaintext
    public_name = FAKE
    # accepts base64 encoded "id\0id\0"
    # where id and password are identical
    # (very insecure, testing only):
    server_condition = "${if eq{$2}{$1}{1}{0}}"
    server_set_id = $1

and then try

  # exim -bh 192.168.1.2

(or pick an ip you'd like to test)

to get a base64-encoded string, you can try this perl snippet which
takes one command-line arg, otherwise it reads one single line of
input for encoding:

  $ perl -MMIME::Base64 -e 'chomp($v=shift||<>);print encode_base64(eval qq{"$v"})'
  this\0this\0
  dGhpcwB0aGlzAA==

then just tell "exim -bh some.ip.goes.here"

  auth fake dGhpcwB0aGlzAA==
  >>> cheat authenticator:
  >>>   $1 = one
  >>>   $2 = one
  >>>   expanded string: 1
  235 Authentication succeeded

voila!

> > so before exim advertises that it's ABLE to do the authentication
> > dialog, the compiled exim must have had certain flags set, which
> > THE STANDARD DEBIAN/WOODY EXIM DOES; then if the compile flags
> > have been set properly {then it will be able to authenticate,
> > which you need to enable using exim.conf, at the bottom.}

[emphasis added above]

> This is the question. I have not gone and added the advertise option
> manually and I guess I need to try it, but the fact it is not in the
> conf file suggests support was not compiled in and therefore it doesn't
> matter what you put in the conf file, it will not authenticate.

the conf file is large and has lots of words in it, but it doesn't
imply that support is NOT set up, it says that you need to configure
it to make it work--

  ######################################################################
  #                    AUTHENTICATION CONFIGURATION                    #
  ######################################################################

  # Look in the documentation (in package exim-doc or exim-doc-html for
  # information on how to set up authenticated connections.

it'd be silly to include comments like that if you weren't able to use
them. these debian folks seem to know what they're doing. :)

> > # exim -bh 192.168.1.2
> >
> > 220 server ESMTP Exim 3.35 #1 Fri, 31 Jan 2003 12:24:32 -0600
> > ehlo somewhere.there
> > 250-server Hello duo [192.168.1.2]
> > 250-SIZE
> > 250-PIPELINING
> > 250-AUTH BASIC LOGIN
> > 250 HELP
> > quit
> > 221 server closing connection
>
> All I get is SIZE, PIPELINING, and HELP.
>
> In what section does the advertise authen option go...in the last
> section with the authn options I assume?

yep. try uncommenting one of them (if it happens to refer to
/etc/exim/passwd then you need to set that up properly to match)

or try something simple, like the one hobbled together, above.

note -- i am not an exim expert, i'm only about three days ahead of
you. :)

--
I use Debian/GNU Linux version 3.0;
Linux server 2.4.20-k6 #1 Mon Jan 13 23:49:14 EST 2003 i586 unknown

DEBIAN NEWBIE TIP #24 from Will Trillich <[EMAIL PROTECTED]> :
Curious about DISK PARTITIONING schemes? That's a frequent topic at
debian-user -- look for it in the archives at lists.debian.org or read
Karsten's approach at http://kmself.home.netcom.com/Linux/FAQs/partition.html

Also see http://newbieDoc.sourceForge.net/ ...
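The cheat authenticator and perl one-liner in the message above, and the AUTH PLAIN versus AUTH LOGIN test dialog in the first message of this thread, all hinge on what Exim's plaintext authenticator does with the client's data. The script below is an added example, not code from the thread and not Exim's own code: it builds the base64 blob for both mechanisms (reproducing the one-liner's dGhpcwB0aGlzAA== for "this\0this\0"), splits a PLAIN blob into $1/$2/$3 the way the plaintext authenticator does, evaluates the cheat condition, applies the colon-doubling `sg` rewrite from the pam condition, and parses the `server_prompts` list. The Exim behaviour is modelled from the Exim documentation, and the user "ed" with password "pa:ss" is a constructed sample. One thing it makes visible: the cheat only passes a hand-built blob where both ids match; a real mail client sends an empty authorization-id, so $1 is empty and `eq{$2}{$1}` fails.

```python
"""Model of what Exim's plaintext authenticator sees for AUTH PLAIN and
AUTH LOGIN.  Added example: not code from the thread or from Exim.  The
Exim behaviour reproduced here (client data base64-decoded and split at
NUL bytes into $1, $2, $3; server_prompts as a colon-separated list in
which '::' is a literal colon) is modelled from the Exim documentation.
All credentials below are constructed sample values."""
import base64


def encode_plain(authzid: str, authcid: str, password: str) -> str:
    """The single base64 blob a client sends for AUTH PLAIN:
    authorization-id NUL authentication-id NUL password.
    Real clients normally send an empty authorization-id; the thread's
    perl one-liner instead encoded "this\\0this\\0", i.e. no password."""
    raw = b"\0".join(s.encode("utf-8") for s in (authzid, authcid, password))
    return base64.b64encode(raw).decode("ascii")


def encode_login(username: str, password: str) -> list[str]:
    """AUTH LOGIN sends username and password as two separate base64
    replies to the server's two prompts, so nothing is split at NUL."""
    return [base64.b64encode(s.encode("utf-8")).decode("ascii")
            for s in (username, password)]


def exim_variables(blob: str) -> dict[str, str]:
    """Decode an AUTH PLAIN blob as the plaintext authenticator does:
    base64-decode, split at NUL, number the pieces $1, $2, $3.  Pieces
    the client did not send expand to the empty string."""
    parts = base64.b64decode(blob, validate=True).split(b"\0")
    parts += [b""] * (3 - len(parts))
    return {f"${n}": p.decode("utf-8", "replace")
            for n, p in enumerate(parts[:3], start=1)}


def cheat_condition(blob: str) -> bool:
    """The thread's testing-only authenticator, ${if eq{$2}{$1}{1}{0}}.
    It accepts only when authorization-id equals authentication-id: true
    for the hand-built "this\\0this\\0" blob, false for what a real client
    sends ("\\0user\\0password", whose $1 is empty)."""
    v = exim_variables(blob)
    return v["$2"] == v["$1"]


def pam_argument(blob: str) -> str:
    """The string ${if pam{$2:${sg{$3}{:}{::}}}...} hands to the pam
    condition: user, a colon, then the password with every colon doubled,
    because a single colon separates the two fields."""
    v = exim_variables(blob)
    return f"{v['$2']}:{v['$3'].replace(':', '::')}"


def parse_prompts(spec: str) -> list[str]:
    """Split an Exim colon-separated list, e.g. the thread's
    server_prompts = "Username:: : Password::", into its items: '::' is a
    literal colon, a lone ':' separates items, surrounding blanks drop."""
    items, cur, i = [], "", 0
    while i < len(spec):
        if spec.startswith("::", i):
            cur += ":"
            i += 2
        elif spec[i] == ":":
            items.append(cur.strip())
            cur = ""
            i += 1
        else:
            cur += spec[i]
            i += 1
    items.append(cur.strip())
    return items


if __name__ == "__main__":
    cheat = encode_plain("this", "this", "")   # the thread's dGhpcwB0aGlzAA==
    print(cheat, exim_variables(cheat), cheat_condition(cheat))
    real = encode_plain("", "ed", "pa:ss")     # constructed real-client blob
    print(real, exim_variables(real), cheat_condition(real), pam_argument(real))
    print(parse_prompts("Username:: : Password::"), encode_login("ed", "pa:ss"))
```

Feed `encode_plain(...)` output to `auth plain` and the two `encode_login(...)` strings to the prompts of `auth login` in an `exim -bh` session to reproduce both halves of the test dialog; `pam_argument` shows why a password containing a colon needs the `sg` rewrite before it reaches the pam condition.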
Re: Secure Relaying -- a start
will trillich wrote:
> auth_always_advertise
>
> Type: boolean
> Default: true
>
> This option is available only when Exim is compiled with
> authentication support.

Well, the stock Exim.conf file does not contain this option on my
woody box. Therefore the question is whether the standard exim package
was compiled with authentication enabled. I don't know, but it seems
the answer is no. I am speaking of the plain Exim package here.

> so before exim advertises that it's able to do the authentication
> dialog, the compiled exim must have had certain flags set, which
> the standard debian/woody exim does; then if the compile flags
> have been set properly

This is the question. I have not gone and added the advertise option
manually and I guess I need to try it, but the fact it is not in the
conf file suggests support was not compiled in and therefore it doesn't
matter what you put in the conf file, it will not authenticate.

> # exim -bh 192.168.1.2
>
> 220 server ESMTP Exim 3.35 #1 Fri, 31 Jan 2003 12:24:32 -0600
> ehlo somewhere.there
> 250-server Hello duo [192.168.1.2]
> 250-SIZE
> 250-PIPELINING
> 250-AUTH BASIC LOGIN
> 250 HELP
> quit
> 221 server closing connection

All I get is SIZE, PIPELINING, and HELP.

In what section does the advertise authen option go...in the last
section with the authn options I assume?

Ed Lawson