[wplug] IMAP / SMTP AUTH: success!

Brandon Kuczenski brandon at 301south.net
Fri Dec 10 14:08:49 EST 2004


After extensive research, much stomach churning, and as it happens, very
little actual struggle, I've successfully deployed IMAP and SMTP AUTH on
my system in a secure way!  My system has the following taxonomy:

IMAP server is dovecot, running over ssl (port 993) with plaintext
passwords in a protected file (these passwords are different from login
passwords).

SMTP software is postfix, the latest version, with the SASL libraries
compiled in and using sasldb (SASL calls the mechanism "auxprop") to
authenticate.  The AUTH option is only offered once a TLS connection is
established, ensuring that passwords are only sent encrypted.

The crucial moment came when I realized that SASL wasn't a *program* --
merely a library.  For some reason I had never really grasped what that
meant before, but now I do -- postfix needs to have access to the library
in order to offer the option to use SASL, but once compiled with SASL
support, postfix can perform the authentication by itself.

The only inadequacy of the system for now is the fact that SASL and
Dovecot do not use compatible authentication mechanisms, which means there
are two places the user's password must be updated (or the user has to use
two different passwords).

To fix this I am planning to just write a script that updates both
concurrently.

The trick is to enable the users to update their passwords securely
without giving them shell access.  My scheme to fix that is as follows;
tell me what you think:
  - create a mail alias "password at 301south.net" which is actually a script
  - when it gets a message from a local account it replies with a hash of
    some kind (something simple, like "echo `date`$RANDOM | openssl sha1")
  - the user gets the hash message and sends a new message to password,
    which includes the hash along with his desired new password
     * this will guarantee that the user CURRENTLY has access to IMAP
  - Presumably, the user will only send this from his authenticated,
    secure connection (the script won't reply to external addresses)
  - The script checks the hash, and if it's correct, updates the password.

I believe this scheme will work (though it may not be the best way to
solve the problem...)

Advice welcome.
-Brandon
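An added example, not Brandon's script, of the challenge/response half of this scheme in Python: a token minted per local sender, a one-shot check of the reply, and an atomic rewrite of the protected dovecot passwd-file. The `token:` / `password:` message layout, the `{PLAIN}` scheme prefix on the passwd-file line and the 600-second token lifetime are assumptions.

```python
import hashlib
import os
import secrets
import time

TOKEN_TTL = 600  # seconds a challenge stays usable (assumed value)

def issue_challenge(state, sender, now=None):
    """First message from a local account: mint a token, remember it per sender."""
    now = time.time() if now is None else now
    token = hashlib.sha1(secrets.token_bytes(32)).hexdigest()  # CSPRNG stands in for `date`$RANDOM
    state[sender] = (token, now)
    return token

def check_response(state, sender, body, now=None):
    """Second message must carry the token issued to this sender and the new
    password as 'token: ...' / 'password: ...' lines (assumed layout).
    Returns the new password, or None if anything does not check out."""
    now = time.time() if now is None else now
    issued = state.pop(sender, None)  # one-shot: a token is never usable twice
    if issued is None:
        return None
    token, issued_at = issued
    fields = {}
    for line in body.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    if now - issued_at > TOKEN_TTL or not fields.get("password"):
        return None
    if not secrets.compare_digest(fields.get("token", ""), token):  # constant-time
        return None
    return fields["password"]

def update_dovecot_passwd(path, user, new_password):
    """Rewrite the user's 'user:{PLAIN}password' line in dovecot's passwd-file
    atomically, keeping the file mode. Returns False if the user is absent."""
    with open(path) as fh:
        lines = fh.readlines()
    hits = [i for i, line in enumerate(lines) if line.split(":", 1)[0] == user]
    if not hits:
        return False
    for i in hits:
        lines[i] = f"{user}:{{PLAIN}}{new_password}\n"
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.writelines(lines)
    os.chmod(tmp, os.stat(path).st_mode & 0o777)
    os.replace(tmp, path)
    return True
```

The sasldb side is not exercised here; the assumed command for it is `saslpasswd2 -p -u DOMAIN USER` with the same new password fed on stdin.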


