[Dovecot] request to have dovecot authenticator driver 'officially' included/supported
hi all,
per the exim docs @:
http://exim.org/exim-html-4.62/doc/html/spec_html/ch36.html
a cyrus_sasl authenticator driver is 'included' in exim core.
given that Dovecot has become a very attractive alternative for an increasing number of folks, and there's a patch against exim 4.43 here:
http://www.exim.org/eximwiki/AuthenticatedSmtpUsingDovecot
that allows use of Dovecot's native sasl implementation as an authenticator, and that _seems_ to apply against 4.63 ok, might it be possible to get this integrated into exim core, and have it become 'official'?
thanks,
richard
/"
\ / ASCII Ribbon Campaign
X against HTML email, vCards
/ \ & micro$oft attachments
[GPG] OpenMacNews at gmail dot com fingerprint: 50C9 1C46 2F8F DE42 2EDB D460 95F7 DDBD 3671 08C6
On Sat, 9 Sep 2006, OpenMacNews wrote:
given that Dovecot has become a very attractive alternative for an increasing number of folks, and there's a patch against exim 4.43 here:
http://www.exim.org/eximwiki/AuthenticatedSmtpUsingDovecot
that allows use of Dovecot's native sasl implementation as an authenticator, and that _seems_ to apply against 4.63 ok, might it be possible to get this integrated into exim core, and have it become 'official'?
I will take a look at this in due course.
-- Philip Hazel University of Cambridge Computing Service Get the Exim 4 book: http://www.uit.co.uk/exim-book
On Tue, 2006-09-12 at 10:20 +0100, Philip Hazel wrote:
On Sat, 9 Sep 2006, OpenMacNews wrote:
given that Dovecot has become a very attractive alternative for an increasing number of folks, and there's a patch against exim 4.43 here:
Can data parameter contain tabs? If it can, the IP parameters can be faked. Maybe a check/comment should be there in any case..
On Sat, 9 Sep 2006, OpenMacNews wrote:
http://exim.org/exim-html-4.62/doc/html/spec_html/ch36.html
a cyrus_sasl authenticator driver is 'included' in exim core.
given that Dovecot has become a very attractive alternative for an increasing number of folks, and there's a patch against exim 4.43 here:
http://www.exim.org/eximwiki/AuthenticatedSmtpUsingDovecot
that allows use of Dovecot's native sasl implementation as an authenticator, and that _seems_ to apply against 4.63 ok, might it be possible to get this integrated into exim core, and have it become 'official'?
I have integrated this patch (it needed a little work - see ChangeLog). I have done extremely preliminary testing against Dovecot 1.0_beta8 and I think it is OK. The code will be in tonight's snapshot. If anybody who is actually running Dovecot would like to do some more serious testing, that would be good.
Philip
-- Philip Hazel, University of Cambridge Computing Service.
hi philip,
On October 2, 2006 2:41:26 PM +0100 Philip Hazel <ph10@hermes.cam.ac.uk> wrote:
I have integrated this patch (it needed a little work - see ChangeLog).
thank you.
I have done extremely preliminary testing against Dovecot 1.0_beta8 and I think it is OK. The code will be in tonight's snapshot. If anybody who is actually running Dovecot would like to do some more serious testing, that would be good.
i don't know how 'serious' it'll manage to be :-) but i'll do as much testing as i can ...
thanks again,
richard
I have integrated this patch (it needed a little work - see ChangeLog). I have done extremely preliminary testing against Dovecot 1.0_beta8 and I think it is OK.
Just curious... why would you patch/test against such an old version? Unless, is there an rc8 available (haven't seen a notice) and is that what you meant?
--
Best regards,
Charles
On Mon, 2006-10-02 at 14:41 +0100, Philip Hazel wrote:
http://www.exim.org/eximwiki/AuthenticatedSmtpUsingDovecot
that allows use of Dovecot's native sasl implementation as an authenticator, and that _seems_ to apply against 4.63 ok, might it be possible to get this integrated into exim core, and have it become 'official'?
I have integrated this patch (it needed a little work - see ChangeLog). I have done extremely preliminary testing against Dovecot 1.0_beta8 and I think it is OK. The code will be in tonight's snapshot. If anybody who is actually running Dovecot would like to do some more serious testing, that would be good.
I mentioned this before too, but in case you didn't notice:
int auth_dovecot_server(auth_instance *ablock, uschar *data)
..
    fprintf(f, "VERSION\t%d\t%d\nCPID\t%d\n"
               "AUTH\t%d\t%s\tservice=smtp\trip=%s\tlip=%s\tresp=%s\n",
            VERSION_MAJOR, VERSION_MINOR, getpid(), cuid,
            ablock->public_name, sender_host_address, interface_address,
            data ? (char *) data : "");
Can data parameter contain tab characters? If it can, you should prevent them from going to dovecot-auth.
On Sun, 8 Oct 2006, Timo Sirainen wrote:
I mentioned this before too, but in case you didn't notice:
I didn't. :-) Thanks.
int auth_dovecot_server(auth_instance *ablock, uschar *data)
..
    fprintf(f, "VERSION\t%d\t%d\nCPID\t%d\n"
               "AUTH\t%d\t%s\tservice=smtp\trip=%s\tlip=%s\tresp=%s\n",
            VERSION_MAJOR, VERSION_MINOR, getpid(), cuid,
            ablock->public_name, sender_host_address, interface_address,
            data ? (char *) data : "");
Can data parameter contain tab characters? If it can, you should prevent them from going to dovecot-auth.
Indeed. However, the only one of those fields that might contain tabs is "data", but it is supposed to be base-64 encoded, so it shouldn't. However, some evil person might send an illegal tab in there I suppose. Exim can trivially check for tabs or that the data is valid base-64, but shouldn't Dovecot also do that? The Dovecot home page says "Dovecot is an open source IMAP and POP3 server for Linux/UNIX-like systems, written with security primarily in mind." I would hope, therefore, that whatever junk was passed to it would be rigorously checked.
I'll put in a test for tabs. I am disappointed that new software should be using tabs as separators, however. They are confusing and lead to no end of trouble in other places where they are used like this (Makefiles, Sendmail configs, for example). See, for example, discussion in
http://www.cs.umd.edu/class/spring2002/cmsc214/Tutorial/makefile.html
(which I found with a quick Google). I personally think that all whitespace characters should be treated as equal. You can't distinguish tabs from spaces when they are displayed, and if you cut and paste text, tabs can get lost.
-- Philip Hazel University of Cambridge Computing Service Get the Exim 4 book: http://www.uit.co.uk/exim-book
On Mon, 2006-10-09 at 10:03 +0100, Philip Hazel wrote:
    fprintf(f, "VERSION\t%d\t%d\nCPID\t%d\n"
               "AUTH\t%d\t%s\tservice=smtp\trip=%s\tlip=%s\tresp=%s\n",
            VERSION_MAJOR, VERSION_MINOR, getpid(), cuid,
            ablock->public_name, sender_host_address, interface_address,
            data ? (char *) data : "");
Can data parameter contain tab characters? If it can, you should prevent them from going to dovecot-auth.
Indeed. However, the only one of those fields that might contain tabs is "data", but it is supposed to be base-64 encoded, so it shouldn't. However, some evil person might send an illegal tab in there I suppose. Exim can trivially check for tabs or that the data is valid base-64, but shouldn't Dovecot also do that? The Dovecot home page says "Dovecot is an open source IMAP and POP3 server for Linux/UNIX-like systems, written with security primarily in mind." I would hope, therefore, that whatever junk was passed to it would be rigorously checked.
Since tab is the field separator in the protocol and the fprintf() above just places all of them into same string, it isn't really possible to differentiate between legitimate separator and user-given tab..
I guess I should add checks that the same field isn't given twice, but that doesn't prevent user from giving fields that just weren't given normally.
BTW. There are also two more fields that the Exim code doesn't currently support, but which might be useful for some people:
"secured": Set if SSL/TLS is used, or if remote IP == local IP
"valid-client-cert": Set if client certificate was received and it was verified to be trusted
I'll put in a test for tabs. I am disappointed that new software should be using tabs as separators, however. They are confusing and lead to no end of trouble in other places where they are used like this (Makefiles, Sendmail configs, for example).
It's an internal protocol, not supposed to be user-writable and it needs to be user-readable only up to the point that debugging is possible. :) I think tabs make it pretty easy to read for users and easy to write the parser code.
I personally think that all whitespace characters should be treated as equal. You can't distinguish tabs from spaces when they are displayed, and if you cut and paste text, tabs can get lost.
In that case the spaces would have to be escaped in some way and it'd be more difficult to read the debugging messages..
Well, another protocol that I recently wrote uses ';' as separator and escapes them using "\.". Still pretty human readable and writable, and simple to write parsers for. I guess that could have been a better choice for Dovecot auth protocol also, but it's now a bit too late to change it.
On Mon, 9 Oct 2006, Timo Sirainen wrote:
BTW. There are also two more fields that the Exim code doesn't currently support, but which might be useful for some people:
"secured": Set if SSL/TLS is used, or if remote IP == local IP
"valid-client-cert": Set if client certificate was received and it was verified to be trusted
I think I could add those (I didn't write the original code, but it looks easy enough to alter). Should they be added to the AUTH line, or given separately? Presumably tab-separated and without any =data added. I don't really have any way of testing any of this.
Well, another protocol that I recently wrote uses ';' as separator and escapes them using "\.". Still pretty human readable and writable, and simple to write parsers for. I guess that could have been a better choice for Dovecot auth protocol also, but it's now a bit too late to change it.
Indeed.
-- Philip Hazel University of Cambridge Computing Service Get the Exim 4 book: http://www.uit.co.uk/exim-book
On Mon, 2006-10-09 at 11:01 +0100, Philip Hazel wrote:
On Mon, 9 Oct 2006, Timo Sirainen wrote:
BTW. There are also two more fields that the Exim code doesn't currently support, but which might be useful for some people:
"secured": Set if SSL/TLS is used, or if remote IP == local IP
"valid-client-cert": Set if client certificate was received and it was verified to be trusted
I think I could add those (I didn't write the original code, but it looks easy enough to alter). Should they be added to the AUTH line, or given separately? Presumably tab-separated and without any =data added. I don't really have any way of testing any of this.
Right, to AUTH line, tab-separated and without =data.
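The request line and the tab-smuggling concern discussed in the two messages above, together with the "secured" and "valid-client-cert" fields Timo lists, as an added example in Python. This is illustration code written for this page, not Exim's auths/dovecot.c and not Dovecot's parser: it lays out the tab-separated AUTH request exactly as the fprintf() quoted in the thread does, shows what a naive server sees when the `data` (resp) value carries a tab, and shows the two countermeasures raised here (the client refusing tabs and non-base64 input, and the server rejecting duplicated fields). The protocol version numbers, the sample addresses and the hostile input are constructed assumptions, not values from the thread.

```python
"""Model of the Exim -> dovecot-auth request discussed in this thread.

Added illustration, not Exim's auths/dovecot.c and not Dovecot's parser.
Field layout follows the fprintf() quoted in the thread; VERSION numbers,
sample addresses and the hostile input below are constructed for the example.
"""
import base64
import binascii
import os
import re

VERSION_MAJOR, VERSION_MINOR = 1, 0          # assumed for the example
_B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")


def check_resp(resp):
    """Client-side check: the SASL response must be base64 and must not carry
    the protocol's field separator (tab) or line terminators."""
    if "\t" in resp or "\n" in resp or "\r" in resp:
        raise ValueError("separator character in SASL response")
    if not _B64_SHAPE.match(resp):
        raise ValueError("SASL response is not base64")
    try:
        base64.b64decode(resp, validate=True)
    except binascii.Error as e:
        raise ValueError("SASL response is not base64") from e


def build_auth_request(cuid, mech, rip, lip, resp, tls=False,
                       valid_client_cert=False, cpid=None, check=True):
    """Return the VERSION/CPID/AUTH lines the client writes to dovecot-auth.
    'secured' is set as Timo describes: TLS in use, or remote IP == local IP.
    check=False reproduces the unchecked fprintf() from the thread."""
    if check:
        check_resp(resp)
    if cpid is None:
        cpid = os.getpid()
    fields = ["AUTH", str(cuid), mech, "service=smtp",
              f"rip={rip}", f"lip={lip}", f"resp={resp}"]
    if tls or rip == lip:
        fields.append("secured")
    if valid_client_cert:
        fields.append("valid-client-cert")
    return (f"VERSION\t{VERSION_MAJOR}\t{VERSION_MINOR}\n"
            f"CPID\t{cpid}\n" + "\t".join(fields) + "\n")


def parse_auth_line(line, reject_duplicates=True):
    """Server-side view: split one AUTH line on tabs into {id, mech, params}.
    reject_duplicates=True is the extra check Timo proposes on the Dovecot side."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 3 or parts[0] != "AUTH":
        raise ValueError("malformed AUTH line")
    params = {}
    for item in parts[3:]:
        name, _, value = item.partition("=")
        if reject_duplicates and name in params:
            raise ValueError(f"duplicate field {name!r}")
        params[name] = value
    return {"id": parts[1], "mech": parts[2], "params": params}


def _auth_line(request):
    return request.splitlines()[-1]


def smuggling_demo():
    """Run the scenarios from the thread; returns what each side ends up with."""
    legit = base64.b64encode(b"\0alice\0s3cret").decode()      # constructed
    hostile = legit + "\trip=127.0.0.1\tsecured"                # constructed
    args = (1, "PLAIN", "203.0.113.7", "198.51.100.2")
    out = {}
    # 1. Unchecked client, naive server: attacker rewrites rip and adds 'secured'.
    req = build_auth_request(*args, hostile, cpid=1, check=False)
    seen = parse_auth_line(_auth_line(req), reject_duplicates=False)
    out["naive_rip"] = seen["params"]["rip"]
    out["naive_secured"] = "secured" in seen["params"]
    # 2. Server duplicate check catches the repeated rip ...
    try:
        parse_auth_line(_auth_line(req), reject_duplicates=True)
        out["dup_check"] = "accepted"
    except ValueError:
        out["dup_check"] = "rejected"
    # ... but not a field that was simply never sent in the first place.
    req2 = build_auth_request(*args, legit + "\tsecured", cpid=1, check=False)
    try:
        parse_auth_line(_auth_line(req2), reject_duplicates=True)
        out["dup_check_lone_secured"] = "accepted"
    except ValueError:
        out["dup_check_lone_secured"] = "rejected"
    # 3. Client-side tab/base64 check stops both before anything is written.
    try:
        build_auth_request(*args, hostile, cpid=1, check=True)
        out["client_check"] = "accepted"
    except ValueError:
        out["client_check"] = "rejected"
    return out


if __name__ == "__main__":
    for key, value in smuggling_demo().items():
        print(f"{key}: {value}")
```

The point the demo makes is the one Timo raises: because tab is both the separator and potential user input, nothing on the wire distinguishes a legitimate field from a smuggled one, so a server-side duplicate check only catches the repeated `rip=`, while an injected `secured` that was never sent at all passes. Only the client refusing tabs (or, equivalently, insisting on a clean base64 response) closes the hole, which is the check Philip says he will add.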
On Mon, 2 Oct 2006 14:41:26 +0100 (BST), Philip Hazel <ph10@hermes.cam.ac.uk> wrote:
On Sat, 9 Sep 2006, OpenMacNews wrote:
http://exim.org/exim-html-4.62/doc/html/spec_html/ch36.html
a cyrus_sasl authenticator driver is 'included' in exim core.
given that Dovecot has become a very attractive alternative for an increasing number of folks, and there's a patch against exim 4.43 here:
http://www.exim.org/eximwiki/AuthenticatedSmtpUsingDovecot
that allows use of Dovecot's native sasl implementation as an authenticator, and that _seems_ to apply against 4.63 ok, might it be possible to get this integrated into exim core, and have it become 'official'?
I have integrated this patch (it needed a little work - see ChangeLog). I have done extremely preliminary testing against Dovecot 1.0_beta8 and I think it is OK. The code will be in tonight's snapshot. If anybody who is actually running Dovecot would like to do some more serious testing, that would be good.
Philip
Hi,
I'm just testing it for PLAIN and LOGIN auth, and I always get :
exim : 2006-10-12 19:15:16 login authenticator failed for meathook.meleeweb.net [82.230.172.234]: 435 Unable to authenticate at present: authentication socket read error or premature eof
dovecot : Oct 12 19:14:42 [dovecot] auth(default): BUG: Authentication client 5518 didn't specify service in request
did I miss something ?
-- Beber - E-Mail / Jabber (+GMail) : beber_AT_meleeweb.net http://www.meleeweb.net
On Thu, 12 Oct 2006, Beber wrote:
I have integrated this patch (it needed a little work - see ChangeLog). I have done extremely preliminary testing against Dovecot 1.0_beta8 and I think it is OK. The code will be in tonight's snapshot. If anybody who is actually running Dovecot would like to do some more serious testing, that would be good.
I'm just testing it for PLAIN and LOGIN auth, and I always get :
exim : 2006-10-12 19:15:16 login authenticator failed for meathook.meleeweb.net [82.230.172.234]: 435 Unable to authenticate at present: authentication socket read error or premature eof
dovecot : Oct 12 19:14:42 [dovecot] auth(default): BUG: Authentication client 5518 didn't specify service in request
did I miss something ?
Which release of Dovecot? When I installed the patch I had to make a small change because the Dovecot interface seemed to have changed. Let's make sure it isn't that before we look further. Looking at the code, I see that indeed, the change was concerned with "service". If you take a look at the code in auths/dovecot.c you will find, around line 189, an fprintf() statement and some comments about how it replaces another one, which I've left as a comment. You might like to try the alternative statement and see if it works for you.
Thanks for testing!
Philip
-- Philip Hazel University of Cambridge Computing Service Get the Exim 4 book: http://www.uit.co.uk/exim-book
On Fri, 13 Oct 2006 09:12:13 +0100 (BST), Philip Hazel <ph10@hermes.cam.ac.uk> wrote:
On Thu, 12 Oct 2006, Beber wrote:
I have integrated this patch (it needed a little work - see ChangeLog). I have done extremely preliminary testing against Dovecot 1.0_beta8 and I think it is OK. The code will be in tonight's snapshot. If anybody who is actually running Dovecot would like to do some more serious testing, that would be good.
I'm just testing it for PLAIN and LOGIN auth, and I always get :
exim : 2006-10-12 19:15:16 login authenticator failed for meathook.meleeweb.net [82.230.172.234]: 435 Unable to authenticate at present: authentication socket read error or premature eof
dovecot : Oct 12 19:14:42 [dovecot] auth(default): BUG: Authentication client 5518 didn't specify service in request
did I miss something ?
Which release of Dovecot?
I use dovecot 1.0_beta8
Any chance to make it work with it? Maybe you recommend a newer release?
When I installed the patch I had to make a small change because the Dovecot interface seemed to have changed. Let's make sure it isn't that before we look further. Looking at the code, I see that indeed, the change was concerned with "service". If you take a look at the code in auths/dovecot.c you will find, around line 189, an fprintf() statement and some comments about how it replaces another one, which I've left as a comment. You might like to try the alternative statement and see if it works for you.
Thanks for testing!
-- Beber - E-Mail / Jabber (+GMail) : beber_AT_meleeweb.net http://www.meleeweb.net
On Fri, 13 Oct 2006, Beber wrote:
Which release of Dovecot?
I use dovecot 1.0_beta8
That's the same release I used.
Any chance to make it work with it? Maybe you recommend a newer release?
I just installed the current Gentoo release, which is 1.0_beta8 to test that it was plausibly working. I don't actually *run* Dovecot (about which I know nothing).
My advice for trying to make it work is what I wrote before:
When I installed the patch I had to make a small change because the Dovecot interface seemed to have changed. Let's make sure it isn't that before we look further. Looking at the code, I see that indeed, the change was concerned with "service".
If you take a look at the code in auths/dovecot.c you will find, around line 189, an fprintf() statement and some comments about how it replaces another one, which I've left as a comment. You might like to try the alternative statement and see if it works for you.
-- Philip Hazel University of Cambridge Computing Service Get the Exim 4 book: http://www.uit.co.uk/exim-book
On Fri, 13 Oct 2006 19:36:53 +0100 (BST), Philip Hazel <ph10@hermes.cam.ac.uk> wrote:
On Fri, 13 Oct 2006, Beber wrote:
Which release of Dovecot?
I use dovecot 1.0_beta8
That's the same release I used.
Any chance to make it work with it? Maybe you recommend a newer release?
I just installed the current Gentoo release, which is 1.0_beta8 to test that it was plausibly working. I don't actually *run* Dovecot (about which I know nothing).
My advice for trying to make it work is what I wrote before:
Yep ok, I looked at the code, but don't really know what to replace with what :(
Maybe you've got a patch ?
When I installed the patch I had to make a small change because the Dovecot interface seemed to have changed. Let's make sure it isn't that before we look further. Looking at the code, I see that indeed, the change was concerned with "service".
If you take a look at the code in auths/dovecot.c you will find, around line 189, an fprintf() statement and some comments about how it replaces another one, which I've left as a comment. You might like to try the alternative statement and see if it works for you.
-- Beber - E-Mail / Jabber (+GMail) : beber_AT_meleeweb.net http://www.meleeweb.net
On Fri, 13 Oct 2006, Beber wrote:
My advice for trying to make it work is what I wrote before:
Yep ok, I looked at the code, but don't really know what to replace with what :(
Maybe you've got a patch ?
Here is an extract from that file:
fprintf(f, "VERSION\t%d\t%d\nCPID\t%d\n"
"AUTH\t%d\t%s\tservice=smtp\trip=%s\tlip=%s\tresp=%s\n",
VERSION_MAJOR, VERSION_MINOR, getpid(), cuid,
ablock->public_name, sender_host_address, interface_address,
data ? (char *) data : "");
/**************************************************************************** The code below was the original code here. It didn't work. A reading of the file auth-protocol.txt.gz that came with Dovecot 1.0_beta8 indicated that this was not right. Maybe something changed. I changed it to the above, and it seems to be better. PH
fprintf(f, "VERSION\t%d\t%d\r\nSERVICE\tSMTP\r\nCPID\t%d\r\n"
"AUTH\t%d\t%s\trip=%s\tlip=%s\tresp=%s\r\n",
VERSION_MAJOR, VERSION_MINOR, getpid(), cuid,
ablock->public_name, sender_host_address, interface_address,
data ? (char *) data : "");
****************************************************************************/
Just replace the first fprintf() statement with the second one from inside the comment. You can do that by deleting appropriate lines so that you are left with:
fprintf(f, "VERSION\t%d\t%d\r\nSERVICE\tSMTP\r\nCPID\t%d\r\n"
"AUTH\t%d\t%s\trip=%s\tlip=%s\tresp=%s\r\n",
VERSION_MAJOR, VERSION_MINOR, getpid(), cuid,
ablock->public_name, sender_host_address, interface_address,
data ? (char *) data : "");
Of course, keep a copy of the old file, just in case.
-- Philip Hazel University of Cambridge Computing Service Get the Exim 4 book: http://www.uit.co.uk/exim-book
participants (5): Beber, Charles Marcus, OpenMacNews, Philip Hazel, Timo Sirainen