See comments below.

Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
http://www.wingnet.net

We are actively looking for companies that do a lot of long
distance faxing and want to cut their long distance bill by
up to 50%. Contact [EMAIL PROTECTED] for more info.

----- Original Message -----
From: "David Guerizec" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, December 13, 2002 7:37 PM
Subject: Re: tmda-ofmipd + vpopmail CRAM-MD5 problem

> On Sat, 2002-12-14 at 01:20, Jesse Guardiani wrote:
> > Whoa... don't do that!
> >
> > Cram-MD5 *is* supported by some remote login servers.
> >
> > It's just not supported when used with vpopmail.
> >
> > Courier-IMAP supports Cram-MD5. Just not with vpopmail.
>
> Did I misunderstand what you asked? This patch has nothing to do with
> vpopmail or courier-imap.
>
> I made this patch to fix what some people (including me) would call a
> misbehaviour.
> i.e. if the chosen authentication method fails, tmda-ofmipd tries to
> authenticate with the authfile (default), and in some/most cases this is
> wrong.
>
> I then added the -n switch to be strict about the authentication method,
> and to not fall back to the default authfile method.
>
> No more, no less.

Then how do you explain this:

> > + if nofallback and (remoteauth['enable'] or authprog):
> > + # CRAM-MD5 does not work with remote login or authprog
> > + self.__sasl_types = ['login', 'plain']
> > + else:
> > + self.__sasl_types = ['login', 'cram-md5', 'plain']
> > self.__auth_cram_md5_ticket = '<%s.%s@%s>' %
> > (random.randrange(10000),

If I'm reading that correctly, you're saying that when 'nofallback' is
enabled, CRAM-MD5 is disabled. WHY?

CRAM-MD5 **DOES** work with SOME remote login servers. Courier-IMAP is a
prime example. CRAM-MD5 WILL work with Courier-IMAP. It just won't work when
you are using Courier-IMAP + vpopmail.

Don't do that. You're killing functionality that may be useful to someone.

Solution
-----------------

I suggest that we create a command line flag to fine tune which
authentication methods tmda-ofmipd announces support for.

For instance, if I use Courier-IMAP + vpopmail, I DON'T want tmda-ofmipd to
announce support for CRAM-MD5. Why? Because CRAM-MD5 doesn't work with
Courier-IMAP + vpopmail.

And if tmda-ofmipd announces support for CRAM-MD5, then certain mail clients,
like Pegasus Mail, will automatically try to use CRAM-MD5.

So, I suggest a command line option similar to the following:

--announce-auth=PLAIN,LOGIN,CRAM-MD5

This way, if I don't want CRAM-MD5, because something in my setup doesn't
support it (vpopmail, in my particular case), I could use this:

--announce-auth=PLAIN,LOGIN

And tmda-ofmipd no longer announces support for CRAM-MD5. Pegasus Mail now
chooses AUTH LOGIN instead of CRAM-MD5, and everyone is happy.

> > David
> >
> >
> > Jesse Guardiani, Systems Administrator
> > WingNET Internet Services,
> > P.O. Box 2605 // Cleveland, TN 37320-2605
> > 423-559-LINK (v) 423-559-5145 (f)
> > http://www.wingnet.net
> >
> > We are actively looking for companies that do a lot of long
> > distance faxing and want to cut their long distance bill by
> > up to 50%. Contact [EMAIL PROTECTED] for more info.
> >
> >
> > ----- Original Message -----
> > From: "David Guerizec" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Friday, December 13, 2002 6:49 PM
> > Subject: Re: tmda-ofmipd + vpopmail CRAM-MD5 problem
> >
> >
> > > On Sat, 2002-12-14 at 00:10, Jesse Guardiani wrote:
> > > > So, I simply removed the 'cram-md5' string in the capability
> > > > announcement line.
> > > >
> > > > Is there a better way to disable this? Perhaps a config flag?
> > >
> > > Can you try the attached patch, then restarting your tmda-ofmipd with
> > > the -n option?
> > > If it's ok, I'll commit it in the main branch, so you won't have to
> > > patch it at each new version.
> > >
> > >
> > > David
> > >
> > > PS: if you receive this message, then at least it works for me ;)
> >
> >
> > -------------------------------------------------------------------------- --
> > ----
> >
> >
> > Index: tmda-ofmipd
> > ===================================================================
> > RCS file: /cvsroot/tmda/tmda/bin/tmda-ofmipd,v
> > retrieving revision 1.18
> > diff -u -r1.18 tmda-ofmipd
> > --- tmda-ofmipd 21 Nov 2002 21:13:29 -0000 1.18
> > +++ tmda-ofmipd 13 Dec 2002 23:43:53 -0000
> > @@ -36,34 +36,34 @@ > > > > -V > > --version > > - Print TMDA version information and exit. > > + Print TMDA version information and exit. > > > > -d > > --debug > > - Turn on debugging prints. > > + Turn on debugging prints. > > > > -u <username> > > --username <username> > > - The username that this program should run under. The default > > - is to run as the user who starts the program unless that is > > - root, in which case an attempt to seteuid user `tofmipd' will be > > - made. Use this option to override these defaults. > > + The username that this program should run under. The default > > + is to run as the user who starts the program unless that is > > + root, in which case an attempt to seteuid user `tofmipd' will be > > + made. Use this option to override these defaults. > > > > -p <host:port> > > --proxyport <host:port> > > - The host:port to listen for incoming connections on. The > > - default is FQDN:8025 (i.e, port 8025 on the fully qualified > > - domain name for the local host). > > + The host:port to listen for incoming connections on. The > > + default is FQDN:8025 (i.e, port 8025 on the fully qualified > > + domain name for the local host). > > > > -R proto[://host[:port]] > > --remoteauth proto[://host[:port]][/dn] > > Host to connect to to check username and password. > > - proto can be one of the following: > > - `imap' (IMAP4 server) > > - 'imaps' (IMAP4 server over SSL) > > - `pop3' (POP3 server) > > - `apop' (POP3 server with APOP authentication) > > - `ldap' (LDAP server) > > + `imap' (IMAP4 server) > > + 'imaps' (IMAP4 server over SSL) > > + `pop3' (POP3 server) > > + `apop' (POP3 server with APOP authentication) > > + `ldap' (LDAP server) > > - host defaults to localhost > > - port defaults to 143 (imap), 993 (imaps), 110 (pop3/apop), 389 > > (ldap) > > - dn is mandatory for ldap and should contain a `%%s' identifying 
> > @@ -76,8 +76,8 @@ > > --authprog <program> > > checkpassword compatible command used to check username/password. > > e.g, > > `-A /usr/sbin/checkpassword-pam -s id --stdin -- /bin/true' > > - The program must be able to receive the username/password pair > > - on its stdin, and in the following format: > > + The program must be able to receive the username/password pair > > + on its stdin, and in the following format: > > `username\\0password\\0' > > > > -a <file> > > @@ -87,6 +87,15 @@ > > root/tofmipd, otherwise ~user/.tmda/tofmipd. Use this option > > to override these defaults. > > > > + -n > > + --nofallback > > + Use only the specified authentication method, do not fall back > > + to file authentification (/etc/tofmipd or -a argument). > > + If more than one method is given, priority order is: > > + - remoteauth (-R) > > + - authprog (-A) > > + - file (-a) > > + > > -C <n> > > --connections <n> > > Do not handle more than n simultaneous connections. If there > > @@ -132,6 +141,7 @@ > > program = sys.argv[0] > > configdir = None > > authprog = None > > +nofallback = None > > remoteauth = { 'proto': None, > > 'host': 'localhost', > > 'port': None, > > @@ -191,11 +201,12 @@ > > > > try: > > opts, args = getopt.getopt(sys.argv[1:], > > - 'p:u:R:A:a:c:C:dVh', ['proxyport=', > > + 'p:u:a:R:A:nc:C:dVh', ['proxyport=', > > 'username=', > > 'authfile=', > > 'remoteauth=', > > 'authprog=', > > + 'nofallback=', > > 'configdir=', > > 'connections=', > > 'debug', > > @@ -216,9 +227,11 @@ > > elif opt in ('-d', '--debug'): > > DEBUGSTREAM = sys.stderr > > elif opt in ('-p', '--proxyport'): > > - proxyport = arg > > + proxyport = arg > > + elif opt in ('-n', '--nofallback'): > > + nofallback = 1 > > elif opt in ('-u', '--username'): > > - username = arg > > + username = arg > > elif opt in ('-R', '--remoteauth'): > > # arg is like: imap://host:port > > try: 
> > @@ -250,13 +263,13 @@ > > remoteauth['port'], remoteauth['dn']) > > remoteauth['enable'] = 1 > > elif opt in ('-A', '--authprog'): > > - authprog = arg > > + authprog = arg > > elif opt in ('-a', '--authfile'): > > - authfile = arg > > + authfile = arg > > elif opt in ('-c', '--configdir'): > > - configdir = arg > > + configdir = arg > > elif opt in ('-C', '--connections'): > > - connections = arg > > + connections = arg > > > > > > import asynchat > > @@ -494,7 +507,11 @@ > > self.__auth_username = None > > self.__auth_password = None > > self.__auth_sasl = None > > - self.__sasl_types = ['login', 'cram-md5', 'plain'] > > + if nofallback and (remoteauth['enable'] or authprog): > > + # CRAM-MD5 does not work with remote login or authprog > > + self.__sasl_types = ['login', 'plain'] > > + else: > > + self.__sasl_types = ['login', 'cram-md5', 'plain'] > > self.__auth_cram_md5_ticket = '<%s.%s@%s>' % > > (random.randrange(10000), > > int(time.time()), > > FQDN) > > self.__server = server > > @@ -535,11 +552,15 @@ > > # Try first with the remote auth > > if run_remoteauth(username, password): > > return 1 > > + if nofallback: > > + return 0 > > if authprog: > > # Then with the authprog > > if run_authprog(username, password) == 0: > > return 1 > > - # Now we can fall back on the authfile > > + if nofallback: > > + return 0 > > + # Now we can fall back on the authfile > > authdict = authfile2dict(authfile) > > if authdict.get(username.lower(), 0) != password: > > return 0 
> > @@ -562,11 +583,15 @@ > > # Try first with the remote auth > > if run_remoteauth(username, password): > > return 1 > > + if nofallback: > > + return 0 > > if authprog: > > # Then with the authprog > > if run_authprog(username, password) == 0: > > return 1 > > - # Now we can fall back on the authfile > > + if nofallback: > > + return 0 > > + # Now we can fall back on the authfile > > authdict = authfile2dict(authfile) > > if authdict.get(username.lower(), 0) != password: > > return 0 > > > > > > _____________________________________________ > tmda-users mailing list ([EMAIL PROTECTED]) > http://tmda.net/lists/listinfo/tmda-users > _____________________________________________ tmda-users mailing list ([EMAIL PROTECTED]) http://tmda.net/lists/listinfo/tmda-users
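Review bot: every changed line in the @@ -36,34 +36,34 @@ hunk (and likewise the whole of @@ -76,8 +76,8 @@ and @@ -250,13 +263,13 @@, plus the `proxyport = arg` / `username = arg` pairs in @@ -216,9 +227,11 @@) is a whitespace-only re-indentation of text that is otherwise unchanged, so the diff is several times larger than the -n feature it carries and the usage text's revision history will attribute every line to this commit. Drop the re-indentation from this patch or send it separately so a reviewer sees only the behavioural change.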
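Review bot: in the @@ -87,6 +87,15 @@ hunk, "file authentification" in the new -n/--nofallback help text should read "file authentication". The opening sentence "Use only the specified authentication method" also understates what the code does when several methods are configured: per the priority list that follows, only the highest-priority configured method is consulted and its failure is final, so an admin who passes both -R and -A needs to be told that -A will never be tried under -n. Suggest "Use only the highest-priority configured method and fail if it rejects the credentials; never fall back to the next one or to the authfile."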
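Review bot: in the @@ -132,6 +141,7 @@ hunk the new global is initialised as `nofallback = None` while the option parser later sets `nofallback = 1`; initialise it to 0 so the flag stays a plain integer boolean like `remoteauth['enable']` and the `if nofallback:` tests do not mix None and 0.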
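Review bot: the @@ -191,11 +201,12 @@ hunk registers the long option as `'nofallback='` (the trailing `=` tells getopt the option requires an argument) while the short form `n` in `'p:u:a:R:A:nc:C:dVh'` takes none, so `--nofallback` on its own raises getopt.GetoptError ("option --nofallback requires argument") and `--nofallback=1` is accepted but the value is never looked at. Register it as `'nofallback'` to match `-n` and the help text. Reordering the short-option string from `'p:u:R:A:a:c:C:dVh'` to `'p:u:a:R:A:nc:C:dVh'` is harmless but unrelated to the change.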
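Review bot: in the @@ -494,7 +507,11 @@ hunk the comment "CRAM-MD5 does not work with remote login or authprog" records the effect but not the reason, and the condition `nofallback and (remoteauth['enable'] or authprog)` ties SASL advertisement to the -n flag rather than to the property that actually matters. A CRAM-MD5 response can only be verified by a side that holds the shared secret; of the three back ends visible in the @@ -535 hunk only `authfile2dict(authfile)` yields the stored password (`authdict.get(username.lower(), 0) != password`), whereas `run_remoteauth(username, password)` and `run_authprog(username, password)` merely forward a username/password pair and learn yes or no. The rule the code is approximating is therefore "advertise cram-md5 only when the authfile path is reachable"; say that in the comment, and consider an explicit mechanism list (the thread above proposes `--announce-auth=PLAIN,LOGIN`) so the advertised set is a deliberate configuration instead of a side effect of -n. Separately, the context lines show the challenge being built from `random.randrange(10000)` and `int(time.time())`, which is very little entropy for a nonce; not part of this change, but worth a follow-up.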
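Review bot: the two `if nofallback: return 0` checks in @@ -535,11 +552,15 @@ are inserted into an authentication block that is repeated byte for byte in @@ -562,11 +583,15 @@, which is why the identical edit has to be made twice; factor the remoteauth -> authprog -> authfile chain into one helper that both call sites use so the fallback policy lives in one place. Also check the placement of the first early return: it follows the remoteauth attempt directly, so under -n with both -R and -A configured authprog is never consulted (consistent with the documented priority order), but it must sit inside the branch that is guarded by `remoteauth['enable']` (indentation is lost in this quoted copy); if it is at the outer level, -n with only -A configured will reject every login before authprog is ever run.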
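As an added illustration (constructed for this page; not TMDA code and not from anyone in the thread), the following Python shows the two points the exchange circles around: a CRAM-MD5 (RFC 2195) response can only be checked by a verifier that holds the stored password, which is why a pass-through check such as a remote IMAP login or a checkpassword program cannot validate it; and an explicit mechanism list in the spirit of the proposed --announce-auth option, intersected with what the configured back end can actually verify. AUTHFILE, fake_imap_login, advertised_mechanisms and the sample credentials are all assumptions made for the example.

```python
"""CRAM-MD5 verification with and without the shared secret, plus an explicit
SASL mechanism list. Constructed example; not tmda-ofmipd's own code."""
import hashlib
import hmac
import os
import time

# Constructed stand-in for an authfile: username -> stored plaintext password.
AUTHFILE = {"jesse": "s3cret-pass"}

# Same preference order as the ['login', 'cram-md5', 'plain'] list in the patch.
SERVER_ORDER = ["login", "cram-md5", "plain"]


def make_challenge(fqdn="mail.example.invalid"):
    """Server side: challenge of the '<random.time@fqdn>' shape seen in the
    patch, but with 64 bits from os.urandom instead of randrange(10000)."""
    nonce = int.from_bytes(os.urandom(8), "big")
    return "<%d.%d@%s>" % (nonce, int(time.time()), fqdn)


def client_response(username, password, challenge):
    """Client side: 'username SP hex(HMAC-MD5(key=password, msg=challenge))'."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return "%s %s" % (username, digest)


def _split_response(response):
    """Return (username, digest) or None for a malformed response."""
    parts = response.split(" ", 1)
    return tuple(parts) if len(parts) == 2 else None


def verify_with_authfile(challenge, response, authdict=AUTHFILE):
    """Verifier that holds the shared secret (like the authfile path): it can
    recompute the HMAC and compare it in constant time."""
    parsed = _split_response(response)
    if parsed is None:
        return False
    username, digest = parsed
    password = authdict.get(username.lower())
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected.encode(), digest.encode())


def verify_with_passthrough(challenge, response, check_login):
    """Verifier that only has a yes/no oracle taking (username, password), like
    a remote LOGIN or a checkpassword program: it never sees the secret, so all
    it can do is submit the digest as if it were the password, which the back
    end rightly rejects. The challenge is unused because nothing can use it."""
    parsed = _split_response(response)
    if parsed is None:
        return False
    username, digest = parsed
    return check_login(username, digest)


def fake_imap_login(username, password):
    """Constructed stand-in for a remote IMAP/POP3 LOGIN check."""
    return AUTHFILE.get(username) == password


def advertised_mechanisms(announce, can_verify_cram):
    """Hypothetical --announce-auth handling: keep only the mechanisms the
    admin listed, in the server's preference order, and drop cram-md5 when no
    configured back end holds the shared secret."""
    wanted = {m.strip().lower() for m in announce.split(",") if m.strip()}
    unknown = wanted.difference(SERVER_ORDER)
    if unknown:
        raise ValueError("unknown mechanism(s): %s" % ", ".join(sorted(unknown)))
    result = [m for m in SERVER_ORDER if m in wanted]
    if not can_verify_cram:
        result = [m for m in result if m != "cram-md5"]
    return result


def demo():
    """Run one exchange through both kinds of verifier."""
    chal = make_challenge()
    good = client_response("jesse", "s3cret-pass", chal)
    bad = client_response("jesse", "wrong-pass", chal)
    return {
        "authfile_ok": verify_with_authfile(chal, good),
        "authfile_bad": verify_with_authfile(chal, bad),
        "passthrough_ok": verify_with_passthrough(chal, good, fake_imap_login),
        "advertised": advertised_mechanisms("PLAIN,LOGIN,CRAM-MD5",
                                            can_verify_cram=False),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-15s %s" % (key, value))
```

The `passthrough_ok` result is False even though the client used the right password: the pass-through verifier had nothing to compare the HMAC against, which is the situation a server that proxies credentials to a remote login or checkpassword program is in. Advertising cram-md5 in that configuration only produces clients (the thread names Pegasus Mail) that pick the strongest offered mechanism and then fail.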
