Re: [Exim] SMTP AUTH concern

Author: michael
Date:  
To: exim-users
Subject: Re: [Exim] SMTP AUTH concern
> I changed my AUTH PLAIN and AUTH LOGIN authenticators to force a failure
> if the lookup doesn't succeed, from
>
> plain:
>  driver = plaintext
>  public_name = PLAIN
>  server_set_id = $2
>  server_condition = ${if \
>    eq{$3}{${lookup{$2}lsearch{/etc/exim/passwd}}}{1}{0}}


What's wrong with this, besides needing to check that $3 does not expand
to an empty string? I use {true} and {false}, which works fine for me.

> to
>
> plain:
>  driver = plaintext
>  public_name = PLAIN
>  server_set_id = $2
>  server_condition = ${if \
>    eq{$3}{${lookup{$2}lsearch{/etc/exim/passwd}{$value}fail}}{1}{0}}


> However, whenever someone presents invalid auth data, they get a temporary
> (4xx series) error, rather than a permanent (5xx series) error. One would
> think that server_condition would fail when the ${if ...} expansion
> returns 0, as the documentation indicates.


AFAIK, there are three exits to "${if ...}": true, false and defer.
If the lookup returned no data, you enforce a failure. If that was
within a router, it would defer the message. With authentication, you
get a temporary error. Your first version would simply compare $3 to
an empty string, which never matches (assuming you make sure that $3 is
never empty), so the authenticator does not authenticate the connection.
You would get a temporary error only if the lookup fails, e.g. because
accessing /etc/exim/passwd generates an I/O error.

Michael
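
The empty-string check mentioned in the reply, written into the PLAIN authenticator as an added example (it is not code from either poster). It assumes the same /etc/exim/passwd file and the $2 (user) / $3 (password) numbering used in the thread, and gives the lookup an explicit empty "not found" branch so that an unknown user makes the condition false.

```exim
# Added example, not from the thread.
# Assumptions: same lsearch file and $2/$3 numbering as the quoted config.
# 1. An empty password is rejected before anything is compared, so an
#    unknown user (lookup result: empty string) can never match it.
# 2. The lookup has an explicit empty "not found" branch rather than
#    "fail", so a missing user makes the condition false.
plain:
  driver = plaintext
  public_name = PLAIN
  server_set_id = $2
  server_condition = ${if and{ \
      {!eq{$3}{}} \
      {eq{$3}{${lookup{$2}lsearch{/etc/exim/passwd}{$value}{}}}} \
    }{true}{false}}
```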