Re: [Exim] AUTH + SQL: Thoughts

Page principale
Supprimer ce message
Répondre à ce message
Auteur: John W Baxter
Date:  
À: exim-users
Sujet: Re: [Exim] AUTH + SQL: Thoughts
At 12:16 +0200 6/25/2002, Johannes M. Posel wrote:
>Oh, yes, there's something not to forget: You must include a "NULL"
>username with a bogus password in your SQL database, else anyone can
>relay through your server by simply sending empty username and
>password (for example by using AUTH LOGIN and then just pressing enter
>when the server prompts you).


Thank you! (We're using LDAP, where the same issue is present.)

We've fixed open relay, thanks to your message.

I put the low-risk fix in first*...in the acl stanza which accepts
authenticated senders I added a condition requiring that $authenticated_id
not be empty (having set that up in the authentication).

A prober will still THINK they've authenticated...will fix that anon, but
at least the previously open relay is closed.

*the authenticators are already ugly, since I wanted to assume the domain
given a "bare" local part (in honor of Eudora, which really doesn't want to
authenticate john@???, although it can be forced to). And fixing
this there will make them uglier.

--John


--
John Baxter   jwblist@???      Port Ludlow, WA, USA