
Re: Message submission via authenticated SMTP

On Fri, Aug 27, 1999 at 02:34:47PM +0200, Artur Urbanowicz wrote:
>   3. Easy and flexible authentication mechanism through an external
>      program, pointed by the PIPEAUTHPATH variable in zmailer.conf.
>      The program (or script) should read the user name from command
>      line and the password from the standard input. Exit status 0
>      means successful authentication. The message directed to the
>      standard output or standard error is logged via syslogd
>      (facility=auth, priority=info). The authentication mechanism can
>      be dangerous when used without care (pipeauth-0.55/zpwmatch.c).

	Comments in that file are asking why zpwmatch() can't
	return error reports.

	Well, the theory is roughly that, for security reasons, your average
	(ab)user should not hear whether the account really exists or not.
	That is, besides I/O errors in the DB engine (ok to tell?),
	the reply should be either: password does check, or does not check.
	(If the account does not exist, the reply is: "pw does not check")

	I will allow returning a char * to an error string -- or
	returning NULL for success.

>   4. Script for client authentication against POP3/IMAP servers
>      (rauth-0.56/rauth). User name passed to the script must be combined
>      from the user identifier, "%" and his POP3/IMAP server name:
>      The password is read from the standard input. The script returns
>      exit status 0 if the USER can enter HOST.DOMAIN with "fetchmail
>      -c" and the password. Possible POP3/IMAP servers are restricted
>      to the hosts (or domains) listed in $MAILVAR/rauth.hosts.
>      To avoid autodetection, you can specify there an authentication
>      protocol to be used with particular host or domain. Use "pop3"
>      and "imap" or the secure incarnations of them: "spop3" and "simap"
>      when your fetchmail accepts "--plugin" parameter and openssl suite
>      is available (see rauth-0.56/rauth-ssl-plugin).
>      The script can be easily extended to handle protocols other than
>      POP3/IMAP.


> Regards,
> Artur Urbanowicz

/Matti Aarnio	<mea@nic.funet.fi>
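
The helper contract and the reply policy discussed in this message, as an added example that is not part of the original mail or of the pipeauth package: the user name comes from the command line, the password from standard input, exit status 0 means success, and an unknown account gets the same reply as a wrong password. The sample store, the PBKDF2 parameters and the non-zero exit values are assumptions of this sketch.

```python
#!/usr/bin/env python3
# Added example: external auth helper. User name in argv[1], password on stdin.
import hashlib
import hmac
import os
import sys

ITERATIONS = 100_000  # assumed work factor for this sketch

def make_record(password):
    """Return (salt, PBKDF2-HMAC-SHA256 hash) for an account."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed sample store; a real helper would query its own database.
USERS = {"alice": make_record("correct horse")}
# Dummy record so an unknown account costs the same work as a known one.
DUMMY = make_record("placeholder")

def check(user, password, store=USERS):
    """Return None on success, else an error string.

    Unknown account and wrong password yield the identical string;
    a backend failure (OSError) propagates so the caller can report it.
    """
    record = store.get(user)
    salt, expected = record if record is not None else DUMMY
    got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    matched = hmac.compare_digest(got, expected)
    return None if (matched and record is not None) else "pw does not check"

def exit_status(user, password, store=USERS):
    """Map check() to an exit status: 0 success; 1 and 3 are assumed values."""
    try:
        err = check(user, password, store)
    except OSError as exc:
        print(f"auth backend I/O error: {exc}", file=sys.stderr)
        return 3
    if err is not None:
        print(err, file=sys.stderr)  # the caller logs this via syslog
        return 1
    return 0

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(2)
    sys.exit(exit_status(sys.argv[1], sys.stdin.readline().rstrip("\r\n")))
```

The dummy record keeps the hashing cost the same whether or not the account exists, so response timing does not reveal what the reply string hides.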