The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Courier & Exim: Logging Passwords

Discussion in 'General Discussion' started by interactive, Aug 20, 2006.

  1. interactive

    interactive Registered

    Joined:
    Nov 29, 2003
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Souther Arizona
    Hello,
    Kind of an odd request, but we're planning on migrating our mailserver. As part of this process we have to convert all mail user's passwords. We could run L0ptCrack to jam out the roughly 3,100 mailboxes, but this would take quite a while.

    However, after doing some testing I discovered that with Courier & Exim (on a differently configured non-CPanel server), you can turn up the logging levels. So I've changed /etc/syslog.conf from mail.info to mail.debug and it works perfectly. User's passwords are logged in clear text.

    Here's the configuration section that I have working on a non-CPanel server and it logs passwords in clear text perfectly:
    Code:
    cram:
      driver = cram_md5
      public_name = CRAM-MD5       
      server_advertise_condition = *
      server_secret = ${lookup mysql{SELECT userClearPassword FROM mailUsers WHERE userEmailAddress = '${quote_mysql:$1}'}{$value}fail}
      server_set_id = $1      
    
    Obviously we already have the passwords stored in clear text, but there's gotta be a way to where we can get this to work.

    Here's the configuration from our CPanel server:

    Code:
    
    fixed_plain:
    driver = plaintext
    public_name = PLAIN
    server_prompts = :
    server_condition = "${perl{checkuserpass}{$1}{$2}{$3}}"
    server_set_id = $2
    
    fixed_login:
    driver = plaintext
    public_name = LOGIN
    server_prompts = "Username:: : Password::"
    server_condition = "${perl{checkuserpass}{$1}{$2}}"
    server_set_id = $1
    
    I'm hesitant to modify the configuration for the CPanel server because I obviously don't want to prevent user's from checking their e-mail.

    As a last resort, is there anyway I could modify the $perl{checkuserpass} to get it to possible log all of the converted passwords? Then I could do just a dictionary brute force on our mail users.

    Thanks, any insight would be greatly appreciate.
     
  2. interactive

    interactive Registered

    Joined:
    Nov 29, 2003
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Souther Arizona
    Anyone have any suggestions on this?
     
Loading...

Share This Page