tmda-cgi currently has three possible authentication mechanisms:
tmda-cgi supports authentication by a remote host, using some common
- imaps (secure SSL imap)
- ldap (requires separately obtained python ldap library)
The authentication mechanism is specified as an URI in the regular URI
format: protocol://host.domain.com[:port][/ldap_domain] where
"protocol" must be from the list above, and the rest should be
Although you can get IMAPS working with tmda-cgi (and TMDA in general),
there are a few version restrictions.
- Python 2.1 is not supported.
- If running Python 2.2.x, you need at least TMDA 0.89 for IMAPS.
- Python 2.3.x should work with any version of TMDA.
tmda-cgi supports authentication by a checkpassword-style program
(see a description of
this interface). Typically, this is checkpassword or
When specifying this method of authentication, you may need to supply
additional parameters to your checkpassword program. By default,
configure will append /bin/true or
/usr/bin/true, but any program that eventually returns
"0" will do.
This method authenticates logins against user name & password pairs
stored in a password file (or files). tmda-cgi will look either in the
file specified during compilation, or in the default locations for the
password file, but the file(s) must be readable by the CGI.
If you are running in system-wide mode, the password file can be owned
by root. If you are running in single-user mode, the password file can be
owned by the user who will be running the CGI. If you are running in no-su
mode, the file must either be owned by "nobody" (or whatever
user your web server is configured to run as) or made globally readable.
See the table below for a better breakdown of your options.
By default, tmda-cgi checks the following locations to find a password file.
It reads and processes the first file it finds:
- tmda-cgi in the same directory as the user's configuration file
(if that location has been specified, otherwise it will look in
This allows the user to override their password once it is set by the system
||File owner & permission options
The password file for tmda-cgi is formatted in much the same way as the
password file for tofmipd. In fact, if you are using a password file with
tofmipd and you wish to run tmda-cgi in system-wide mode, feel free to
make a symbolic link between the two:
# ln -s /etc/tofmipd /etc/tmda-cgi
Password files for tmda-cgi look like:
where each item in <> is replaced with text.
The difference between this password file and the one for tofmipd is that
the file does not need to have permissions of 400 or 600. If you, for
example, are running in no-su mode, you will have to make your password file
group or world readable.
To keep the passwords secure, tmda-cgi will
assume all passwords are DES encrypted if the file permissions are anything
other than 400 or 600. Plaintext passwords will not work in
such cases. Encrypted passwords, however, can be used in any tmda-cgi
Additionally, any entry with a blank password field, such as:
will be prohibited from login, regardless of the file permissions.
contrib/cgi/genpass.py is provided for encrypted password
generation. Output from genpass.py can be safely piped with
> or >> into a password file. For example:
# contrib/cgi/genpass.py joe >> /etc/tmda-cgi
$ contrib/cgi/genpass.py joe > /home/joe/.tmda/tmda-cgi
If you encounter difficulties logging in, the problem may be a result of
incorrect permissions on your password file(s). To debug this, append a
?debug=1 onto the end of your CGI URL. This will display some
diagnostic information if the login fails instead of simply saying
"Wrong password. Try again."