simple smtp auth via /etc/passwd..
6 answers

I found this in the archives and it seems to work for what I'm looking
for atm
Yet when I try and use swaks to test I get this in the logs
2006-07-24 22:50:49 plain authenticator failed for
(milenko.at.home) [124.161.112.193]:
435 Unable to authenticate at present (set_id=bcook): failed to open
/etc/master.passwd for linear search: Permission denied (euid=26 egid=6)
inside "and{}" condition
I could use a file for auth but is this still possible?
Using the stock configure I am not sure this can be overcome as
no_deliver_drop_privilege is already (default)
fwiw here are my authenticators:
begin authenticators

# PLAIN: $1 = authorization id, $2 = authentication id, $3 = password
plain:
  driver = plaintext
  public_name = PLAIN
  server_condition = "${if and {{!eq{$2}{}}{!eq{$3}{}} \
    {crypteq{$3}{${extract{1}{:} \
    {${lookup{$2}lsearch{/etc/master.passwd}{$value}{*:*}}}}}}}{1}{0}}"
  server_set_id = $2

# LOGIN: $1 = username, $2 = password (the mechanism name must be LOGIN, not LGIN)
login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = "${if and {{!eq{$1}{}}{!eq{$2}{}} \
    {crypteq{$2}{${extract{1}{:} \
    {${lookup{$1}lsearch{/etc/master.passwd}{$value}{*:*}}}}}}}{1}{0}}"
  server_set_id = $1
Thanks in advance
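Added example, not part of Brian's post or of Exim itself: the same server_condition logic rendered in Python, but run against a stand-alone "user:hash" file of the kind several replies below recommend instead of /etc/master.passwd. It shows what each piece of the expansion does (the empty-field guards, lsearch, extract of field 1, the {*:*} default that can never match) and checks the file's mode. The user names, the demo password and the file location are made up; crypteq is reduced to Exim's {sha1} hex form because that is easy to reproduce portably.

```python
import hashlib
import hmac
import os
import stat
import tempfile

# Constructed demo: a stand-alone "user:hash" file for Exim's lsearch lookup.
# The hash form is the {sha1}HEX scheme that Exim's crypteq condition accepts;
# the digest is computed here so the demo stays self-contained (an admin would
# generate it once and paste the line). An unsalted SHA-1 is only adequate for
# a demo; the {crypt} form backed by a modern crypt(3) scheme is the usual choice.
DEMO_PASSWORD = "correct horse"
DEMO_LINES = [
    "# Exim SMTP AUTH users - nothing to do with /etc/master.passwd",
    "bcook:{sha1}" + hashlib.sha1(DEMO_PASSWORD.encode()).hexdigest(),
    "alice:{sha1}" + hashlib.sha1(b"another secret").hexdigest(),
]


def lsearch(path, key, default="*:*"):
    """Exim-style lsearch: return the value after 'key:' on the first matching
    line, or the default (the {*:*} in the authenticator) when the key is absent."""
    with open(path) as fh:
        for raw in fh:
            line = raw.rstrip("\n")
            if not line or line.startswith("#"):
                continue
            k, sep, value = line.partition(":")
            if sep and k == key:
                return value.lstrip()
    return default


def extract_field(value, n, sep=":"):
    """${extract{n}{sep}{value}}: the n-th separator-delimited field (1-based)."""
    parts = value.split(sep)
    return parts[n - 1] if 0 < n <= len(parts) else ""


def crypteq(password, reference):
    """Subset of Exim's crypteq: only the {sha1} hex form is handled here.
    Anything else, including the '*' that falls out of the {*:*} default,
    never matches, which is exactly why that default is used."""
    if reference[:6].lower() != "{sha1}":
        return False
    digest = hashlib.sha1(password.encode()).hexdigest()
    return hmac.compare_digest(digest, reference[6:].lower())


def server_condition(user, password, authfile):
    """Python rendering of the server_condition expansion: refuse an empty
    username or password (the !eq{..}{} terms), look the user up, take field 1
    of the value, compare the hash. Returns "1" (success) or "0" (failure)."""
    if user == "" or password == "":
        return "0"
    stored = extract_field(lsearch(authfile, user), 1)
    return "1" if crypteq(password, stored) else "0"


def demo():
    """Write the file with mode 0640 into a temporary directory, run the
    condition through the interesting cases, and report whether the file
    is world-readable (it must not be)."""
    path = os.path.join(tempfile.mkdtemp(), "exim-authpwd")
    with open(path, "w") as fh:
        fh.write("\n".join(DEMO_LINES) + "\n")
    os.chmod(path, 0o640)  # owner rw, exim's group r, nobody else
    return {
        "good": server_condition("bcook", DEMO_PASSWORD, path),
        "bad_password": server_condition("bcook", "wrong", path),
        "unknown_user": server_condition("nobody", DEMO_PASSWORD, path),
        "empty_password": server_condition("bcook", "", path),
        "world_readable": bool(os.stat(path).st_mode & stat.S_IROTH),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:16} {value}")
```

With a file like this the lookup path in the authenticator simply changes from /etc/master.passwd to the new file, owned by root and the group Exim runs as, mode 0640; the system password database is never touched.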
No.1
Brian wrote:
> I found this in the archives and it seems to work for what I'm looking
> for atm
> Yet when I try and use swaks to test I get this in the logs
> 2006-07-24 22:50:49 plain authenticator failed for
> (milenko.at.home) [124.161.112.193]:
> 435 Unable to authenticate at present (set_id=bcook): failed to open
> /etc/master.passwd for linear search: Permission denied (euid=26 egid=6)
> inside "and{}" condition
The problem is that Exim can't read the master.passwd file. The
quick-and-dirty (but not completely filthy) fix is to add the exim user
to the group that owns the master.passwd file (and restart exim). Off
the top of my head, I don't remember what that group would be on BSD.
Hopefully it's not wheel
> I could use a file for auth but is this still possible?
Depending on your needs, a separate file may be preferable. I always
prefer to use a different password for my e-mail than I do for system
logins.
> Using the stock configure I am not sure this can be overcome as
> no_deliver_drop_privilege is already (default)
I've never used that particular knob, but I don't think it's applicable
here since it isn't at the delivery stage.
- Wayne
No.2
On Mon, 24 Jul 2006, Wayne Tucker wrote:
> The problem is that Exim can't read the master.passwd file. The
> quick-and-dirty (but not completely filthy) fix is to add the exim user
> to the group that owns the master.passwd file (and restart exim). Off
> the top of my head, I don't remember what that group would be on BSD.
> Hopefully it's not wheel
You also have to change the permissions on /etc/master.passwd to permit
group read access. You should probably change the group from wheel to a
new group for this purpose.
Tony.
No.3
On Tuesday 25 July 2006 05:09, Brian took the opportunity to write:
> I found this in the archives and it seems to work for what I'm looking
> for atm
> Yet when I try and use swaks to test I get this in the logs
> 2006-07-24 22:50:49 plain authenticator failed for
> (milenko.at.home) [124.161.112.193]:
> 435 Unable to authenticate at present (set_id=bcook): failed to open
> /etc/master.passwd for linear search: Permission denied (euid=26 egid=6)
> inside "and{}" condition
> I could use a file for auth but is this still possible?
> Using the stock configure I am not sure this can be overcome as
> no_deliver_drop_privilege is already (default)
Exim always runs as the user and group that exim_user and exim_group are set
to (defaults decided at compile time) at this point
(no_deliver_drop_privilege has nothing to do with this, only with
deliveries). You need to give that user and/or group read permission to the
file.
No.4
Tony Finch wrote:
> On Mon, 24 Jul 2006, Wayne Tucker wrote:
>> The problem is that Exim can't read the master.passwd file.
It neither needs to do so, nor ordinarily attempts to do so on a FreeBSD install.
/etc/master.passwd is owned by root:wheel, but is rw to root only.
Exim works fine even if this file is removed or relocated elsewhere.
What Exim reads is /etc/pwd.db, which already has root, wheel, *and world*
readability.
ls -lf /etc/pwd.db
-rw-r--r--  1 root  wheel  40960 May 27 07:12 /etc/pwd.db
>> The quick-and-dirty (but not completely filthy) fix is to add the exim user
>> to the group that owns the master.passwd file (and restart exim). Off
>> the top of my head, I don't remember what that group would be on BSD.
>> Hopefully it's not wheel
Sorry- that *is* both 'filthy' and unnecessary.
Correct the problem at the source.
> You also have to change the permissions on /etc/master.passwd to permit
> group read access. You should probably change the group from wheel to a
> new group for this purpose.
> Tony.
should not casually recommend needlessly breaking a proven security model to
fix something that isn't broken where the P thinks it is.
Fix Exim so it asks for what is already available instead of downgrading the
security model.
ELSE use a stand-alone flat file that has nothing to do with /etc/master.passwd.
No need to compromise the entire box just to do an improper Exim install.
Bill
No.5
On Tue, 25 Jul 2006, W B Hacker wrote:
> What Exim reads is /etc/pwd.db, which already has root, wheel, *and world*
> readability.
And no passwords. The database containing the passwords is /etc/spwd.db
and if you want non-root access to passwords via getpwent then you need to
change the perms on that.
Tony.
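Added example, not from any post in this thread, that makes the last two replies concrete: given ls -l lines for the FreeBSD password files and the euid/egid from Brian's log line (26 and 6), it applies ordinary Unix read-permission rules and reports which files that identity could open. The listing, the uid/gid name tables and the "eximauth" group are constructed for the demo; only the modes and ownership follow FreeBSD's defaults.

```python
import re

# Constructed listing in the style of the "ls -l" output quoted above: the
# sizes and dates are made up, the modes and ownership are FreeBSD's defaults.
SAMPLE_LISTING = """\
-rw-------  1 root  wheel   2301 May 27 07:12 /etc/master.passwd
-rw-r--r--  1 root  wheel   1930 May 27 07:12 /etc/passwd
-rw-r--r--  1 root  wheel  40960 May 27 07:12 /etc/pwd.db
-rw-------  1 root  wheel  40960 May 27 07:12 /etc/spwd.db
"""

# Tony's fix applied to the file that actually holds the hashes (constructed):
# a dedicated group owns it and gets the group read bit; "other" gains nothing.
FIXED_SPWD = "-rw-r-----  1 root  eximauth  40960 May 27 07:12 /etc/spwd.db\n"

# Assumed id tables for the demo. The log line says Exim ran with euid=26
# egid=6; eximauth/1001 is a hypothetical group created for the fix.
UIDS = {"root": 0, "mailnull": 26}
GIDS = {"wheel": 0, "mail": 6, "eximauth": 1001}
EXIM_EUID, EXIM_EGID = 26, 6

# type char, nine permission chars, link count, owner, group, ..., path (last token)
LS_RE = re.compile(r"^([-dlcbps])([rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+.*\s(\S+)$")


def parse_ls_line(line):
    """Pull mode string, owner, group and path out of one 'ls -l' line."""
    m = LS_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError("not an ls -l line: %r" % line)
    _ftype, perms, owner, group, path = m.groups()
    return {"path": path, "perms": perms, "owner": owner, "group": group}


def can_read(entry, euid, egids):
    """Classic Unix DAC for the read bit: root bypasses it; otherwise exactly
    one of the owner/group/other triplets applies, chosen in that order."""
    if euid == 0:
        return True
    perms = entry["perms"]
    if UIDS.get(entry["owner"]) == euid:
        return perms[0] == "r"
    if GIDS.get(entry["group"]) in egids:
        return perms[3] == "r"
    return perms[6] == "r"


def readable_by(listing, euid, egids):
    """Map each path in the listing to whether (euid, egids) may read it."""
    entries = (parse_ls_line(l) for l in listing.splitlines() if l.strip())
    return {e["path"]: can_read(e, euid, egids) for e in entries}


def exim_view():
    """What the Exim daemon identity can read before and after the group fix.
    'after' assumes the exim user has been added to the eximauth group, so it
    carries gid 1001 as a supplementary group."""
    return {
        "before": readable_by(SAMPLE_LISTING, EXIM_EUID, {EXIM_EGID}),
        "after": readable_by(FIXED_SPWD, EXIM_EUID, {EXIM_EGID, GIDS["eximauth"]}),
    }


if __name__ == "__main__":
    for phase, result in exim_view().items():
        for path, ok in result.items():
            print(f"{phase:7} {path:20} {'readable' if ok else 'denied'}")
```

The "before" column reproduces the disagreement in the thread: pwd.db and passwd are readable to the Exim identity but contain no hashes, while master.passwd and spwd.db, the ones that do, are mode 0600. The "after" line is what Tony's suggestion amounts to when applied to spwd.db: only a dedicated group gains read, and only the accounts placed in it.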
No.6
Magnus Holmgren wrote:
> On Tuesday 25 July 2006 05:09, Brian took the opportunity to write:
>> I found this in the archives and it seems to work for what I'm looking
>> for atm
>>
>> Yet when I try and use swaks to test I get this in the logs
>>
>> 2006-07-24 22:50:49 plain authenticator failed for
>> (milenko.at.home) [124.161.112.193]:
>> 435 Unable to authenticate at present (set_id=bcook): failed to open
>> /etc/master.passwd for linear search: Permission denied (euid=26 egid=6)
>> inside "and{}" condition
>>
>> I could use a file for auth but is this still possible?
>>
>> Using the stock configure I am not sure this can be overcome as
>> no_deliver_drop_privilege is already (default)
I just use cyrus-sasl (saslauthd) with the pam option and then I don't
have to muck with permissions.
--
Louis Kowolowski KE7BAX louisk (AT) cryptomonkeys (DOT) com
Cryptomonkeys: http://www.cryptomonkeys.com/~louisk
Irrigation of the land with seawater desalinated by fusion power is
ancient. It's called rain.