Thread: Re: sendmail auth and password types




Re: sendmail auth and password types
2007-07-11 14:11:28
The client may send it either in plaintext or in exactly the format you
are using in the database -- in which case Sendmail needs to understand
it is retrieving a pre-hashed password and should not try to re-hash it
before comparing with the client's password or password hash. I am not
actually sure if there's an option to let Sendmail know to do this,
however.

Aaron

On Wed, 2007-07-11 at 12:58 -0500, Stephen Loeckle wrote:
> ooooook I understand now. I was thinking that the client could send
> plaintext and I could have the password encrypted in the database. The
> reason I was trying this to begin with was a little script I wrote to
> convert a passwd/shadow file into dbmail users for a server conversion
> so I wouldn't have to know the user's passwords. I guess I'll need to
> know these passwords because I'm not willing to brute force the md5
> shadow salts.
> 
> Thanks!
> 
> Stephen
> 
> Quoting Aaron Stone <aaronserendipity.cx>:
> 
> > Ah, right - ok, so either you need plaintext in DBMail and Sendmail will
> > retrieve the raw password and hash it as necessary in order to compare
> > it with the hashes received from the client, or you need to restrict
> > Sendmail down to a single hash mechanism that matched exactly with the
> > hashed passwords in DBMail. Remember that password hashes are one-way --
> > if the database contains a hash, and the client sends some other hash,
> > there's no way to convert between them in order to authenticate.
> >
> > Aaron
> >
> > On Wed, 2007-07-11 at 10:41 -0500, Stephen Loeckle wrote:
> >> Oh BTW, these are the types supported by my sendmail install
> >>
> >> 250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
> >>
> >> define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')
> >> TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')
> >>
> >> Stephen
> >>
> >>
> >> Quoting Stephen Loeckle <sloecklelucidnetworks.net>:
> >>
> >> > None of them worked. plaintext is the only one that works. Any ideas?
> >> >
> >> > Thanks,
> >> >
> >> > Stephen
> >> >
> >> > Quoting Aaron Stone <aaronserendipity.cx>:
> >> >
> >> >> On Tue, 2007-07-10 at 00:50 -0500, Stephen Loeckle wrote:
> >> >>
> >> >>> This may be more of a sendmail issue but it's odd nonetheless. I have
> >> >>> the sendmail auth to dbmail users table as per:
> >> >>>
> >> >>> http://www.dbmail.org/dokuwiki/doku.php?id=sendmail_howto
> >> >>>
> >> >>> It works fine but only when the passwd is in plaintext. I cannot get
> >> >>> the user to auth to sendmail if the passwd is in md5 and
> >> >>> encryption_type is md5.
> >> >>>
> >> >>> Anyone run into this?
> >> >>
> >> >> We have a couple of md5 options: md5-hash, md5-digest, md5-base64. Have
> >> >> you tried them all to see if one matches sendmail's expected lookup
> >> >> format?
> >> >>
> >> >> Aaron
> >> >>
> >> >>
> >> >> _______________________________________________
> >> >> DBmail mailing list
> >> >> DBmaildbmail.org
> >> >> https://mailman.fastxs.nl/mailman/listinfo/dbmail

Re: sendmail auth and password types
2007-07-12 03:33:02
The limitation comes in with what SASL can work with. I was able to
migrate all of my users' passwords that were in md5 format to dbmail and
setting the encryption_type to 'crypt'. I believe that I could only get
plain/login methods to work, but I did not need to reset any passwords.
This will only work if your passwords are md5's with 12 character salts.

-Jon

Aaron Stone wrote:
> The client may send it either in plaintext or in exactly the format you
> are using in the database -- in which case Sendmail needs to understand
> it is retrieving a pre-hashed password and should not try to re-hash it
> before comparing with the client's password or password hash. I am not
> actually sure if there's an option to let Sendmail know to do this,
> however.
>
> Aaron
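
The mismatch discussed in the two messages above, as an added example (not code from the posters, DBMail or Sendmail): with PLAIN/LOGIN the server can check the received password against a stored one-way hash, while a CRAM-MD5 response can only be checked by a server that holds the plaintext secret. The user, password, salt and challenge are constructed, and PBKDF2 is an assumed stand-in for the crypt-style hash in the users table.

```python
import hashlib
import hmac

def stored_hash(password: str, salt: bytes) -> bytes:
    """What the users table holds: a salted one-way hash (stand-in for crypt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def verify_plain(sent_password: str, salt: bytes, stored: bytes) -> bool:
    """PLAIN/LOGIN: the client sends the password itself, so the server can
    hash what it received and compare the result with the stored hash."""
    return hmac.compare_digest(stored_hash(sent_password, salt), stored)

def cram_md5_response(user: str, secret: bytes, challenge: bytes) -> str:
    """CRAM-MD5 (RFC 2195): user, a space, then hex HMAC-MD5(secret, challenge)."""
    return f"{user} {hmac.new(secret, challenge, hashlib.md5).hexdigest()}"

def verify_cram_md5(response: str, user: str, server_secret: bytes,
                    challenge: bytes) -> bool:
    """The server recomputes the HMAC, keyed with whatever it has stored."""
    expected = cram_md5_response(user, server_secret, challenge)
    return hmac.compare_digest(response.encode(), expected.encode())

def demo() -> dict:
    # Constructed sample values, not taken from the thread.
    user, password = "alice", "correct horse"
    salt = b"constructed-salt"
    challenge = b"<1234.5678@mail.example.org>"
    stored = stored_hash(password, salt)

    # The client always keys its CRAM-MD5 response with the real password.
    response = cram_md5_response(user, password.encode(), challenge)
    return {
        "plain_vs_stored_hash": verify_plain(password, salt, stored),
        "plain_wrong_password": verify_plain("guess", salt, stored),
        "cram_vs_stored_plaintext": verify_cram_md5(
            response, user, password.encode(), challenge),
        # Server only has the hash: its HMAC key differs from the client's.
        "cram_vs_stored_hash": verify_cram_md5(
            response, user, stored, challenge),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```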

Re: sendmail auth and password types
2007-07-12 12:40:23
Oh duh, I use SASL-MySQL with Postfix. I believe Sendmail can do the same.
Search for "SASL" on the wiki and you'll get a couple of howto's. Sorry I
didn't remember that earlier.

My passwords are in plaintext. I never tried getting SASL to read hashed
passwords and/or I tried and failed. It was a few years ago that I got it
working and I haven't changed the configs since nor do I remember all of
the details, except that my sasl configs are full of unpleasant words
about the lack of documentation about sasl configs :-P

Aaron

On Thu, Jul 12, 2007, Jonathan Fealy <vulturenetvulture.com> said:

> The limitation comes in with what SASL can work with. I was able to
> migrate all of my users' passwords that were in md5 format to dbmail and
> setting the encryption_type to 'crypt'. I believe that I could only get
> plain/login methods to work, but I did not need to reset any passwords.
> This will only work if your passwords are md5's with 12 character salts.
> 
> -Jon