[exim] server_condition not honoured in authenticators?

Startseite
Nachricht löschen
Nachricht beantworten
Autor: persson
Datum:  
To: exim-users
Betreff: [exim] server_condition not honoured in authenticators?
This is probably due to my newbieness, but anyway.

Basically, I want to authenticate some users using a method, and other users
using a different method (both for plain and login authenticators, though I'll
only use login in the examples). I have a list of domains called
special_domains, and for each domain in the list I have a file under
/etc/special, and each file contains lines of the form username:password. So
for example for domain xxx.yyy, I have this in the file /etc/special/xxx.yyy:

someuser:somepassword
user2:blah
anotheruser:anotherpassword

and the same for the other special domains. So my idea is to use those files
to authenticate users whose username is <anuser>@<one of the special domains>,
and use a different mean to authenticate all other users.

I tried two different approaches, both are failing (details later).
special_domains is defined as

domainlist special_domains = dsearch;/etc/special

First try:

server_condition = ${if match_domain{${domain:$auth1}}{+special_domains} \
{${if eq{$auth2}{${lookup{${local_part:$auth1}}lsearch{/etc/special/${domain:
$auth1}}}}{1}{0}} } \
{${if eq{$auth2}{a}{1}{0}}} \
}

(the alternative authentication for now just checks that the password is "a";
of course that will change when the whole thing is working)

second try:

server_condition = ${if match_domain{${domain:$auth1}}{+special_domains} \
{${lookup{${local_part:$auth1}}lsearch{/etc/special/${domain:$auth1}} \
    {${if eq {$auth2}{$value}{1}{0}}}{0}} } \
{ ${if  eq{$auth2}{a}{1}{0}} } \
}


The idea in both is: if the username is user2@??? (or another special
domain username), look it up in /etc/special/xxx.yyy and check that the
supplied password matches the password in there (blah in this case); otherwise
(not a special domain user), check that the password is "a" (as I said, this
will change once it's working, but for now it just demonstrates the problem).

This is what I see in the log when the username belongs to a specialdomain and
the password is correct:


  734 login authenticator:
  734   $auth1 = user2@???
  734   $auth2 = blah
  734   $1 = user2@???
  734   $2 = blah
  734 expanding: $auth1
  734    result: user2@???
  734 expanding: $auth1
  734    result: user2@???
  734 expanding: Authenticating $auth1 $auth2 (${domain:$auth1} ${local_part:
$auth1})
  734    result: Authenticating user2@??? blah (xxx.yyy user2)
  734 Authenticating user2@??? blah (xxx.yyy user2)
  734 expanding: $auth1
  734    result: user2@???
  734 expanding: ${domain:$auth1}
  734    result: xxx.yyy
  734 expanding: +special_domains
  734    result: +special_domains
  734 search_open: dsearch "/etc/special"
  734 search_find: file="/etc/special"
  734   key="xxx.yyy" partial=-1 affix=NULL starflags=0
  734 LRU list:
  734   5/etc/special
  734   End
  734 internal_search_find: file="/etc/special"
  734   type=dsearch key="xxx.yyy"
  734 file lookup required for xxx.yyy
  734   in /etc/special
  734 lookup yielded: xxx.yyy
  734 xxx.yyy in "dsearch;/etc/special"? yes (matched "dsearch;/etc/special")
  734 xxx.yyy in "+special_domains"? yes (matched "+special_domains")
  734 condition: match_domain{${domain:$auth1}}{+special_domains}
  734    result: true
  734 expanding: $auth2
  734    result: blah
  734 expanding: $auth1
  734    result: user2@???
  734 expanding: ${local_part:$auth1}
  734    result: user2
  734 expanding: $auth1
  734    result: user2@???
  734 expanding: /etc/special/${domain:$auth1}
  734    result: /etc/special/xxx.yyy
  734 search_open: lsearch "/etc/special/xxx.yyy"
  734 search_find: file="/etc/special/xxx.yyy"
  734   key="user2" partial=-1 affix=NULL starflags=0
  734 LRU list:
  734   ;/etc/special/xxx.yyy
  734   5/etc/special
  734   End
  734 internal_search_find: file="/etc/special/xxx.yyy"
  734   type=lsearch key="user2"
  734 file lookup required for user2
  734   in /etc/special/xxx.yyy
  734 lookup yielded: blah
  734 expanding: ${lookup{${local_part:$auth1}}lsearch{/etc/special/${domain:
$auth1}}}
  734    result: blah
  734 condition: eq{$auth2}{${lookup{${local_part:
$auth1}}lsearch{/etc/special/${domain:$auth1}}}}
  734    result: true
  734 expanding: 1
  734    result: 1
  734 expanding: 0
  734    result: 0
  734 skipping: result is not used
  734 expanding: ${if eq{$auth2}{${lookup{${local_part:
$auth1}}lsearch{/etc/special/${domain:$auth1}}}}{1}{0}} 
  734    result: 1 
  734 expanding: $auth2
  734    result: blah
  734 skipping: result is not used
  734 expanding: a
  734    result: a
  734 skipping: result is not used
  734 condition: eq{$auth2}{a}
  734    result: false
  734 expanding: 1
  734    result: 1
  734 skipping: result is not used
  734 expanding: 0
  734    result: 0
  734 skipping: result is not used
  734 expanding: ${if eq{$auth2}{a}{1}{0}}
  734    result: 0
  734 skipping: result is not used
  734 expanding: ${if match_domain{${domain:$auth1}}{+special_domains} {${if 
eq{$auth2}{${lookup{${local_part:$auth1}}lsearch{/etc/special/${domain:
$auth1}}}}{1}{0}} } {${if eq{$auth2}{a}{1}{0}}} }
  734    result: 1 
  734 expanded string: 1 
  734 expanding: $auth1
  734    result: user2@???
  734 SMTP>> 435 Unable to authenticate at present: 1 
  734 LOG: MAIN REJECT
  734   login authenticator failed for client.xxx.yyy (there) [172.20.0.5]: 
435 Unable to authenticate at present (set_id=user2@???): 1 


With the second form of server_condition above, I similarly get:

...
  743 expanding: ${if match_domain{${domain:$auth1}}{+special_domains} 
{${lookup{${local_part:$auth1}}lsearch{/etc/special/${domain:$auth1}} {${if eq 
{$auth2}{$value}{1}{0}}}{0}} } { ${if  eq{$auth2}{a}{1}{0}} } }
  743    result: 1 
  743 expanded string: 1 
  743 expanding: $auth1
  743    result: user2@???
  743 SMTP>> 435 Unable to authenticate at present: 1 
  743 LOG: MAIN REJECT
  743   login authenticator failed for client.abc.def (there) [172.20.0.5]: 
435 Unable to authenticate at present (set_id=user2@???): 1


I get a similar outcome if I try to authenticate with a non-special_domains
user (where the second branch of the outer if should be evaluated) and
password "a".

So am I reading that correctly? The overall result of the expansion of
server_condition is 1, but authentication fails?

On the client I see: 435 Unable to authenticate at present: 1

I'm sure I'm missing something here. Any help would be greatly appreciated.