Hi,
The best ones solution I found is as follows:
cram:
driver = cram_md5
public_name = CRAM-MD5
server_secret = ${lookup mysql{select plain_password from users
where imap_user = '${quote_mysql:$1}'}} and plain_password !
= '' and imap = 'yes'
server_set_id = $1
plain:
driver = plaintext
public_name = PLAIN
server_condition = ${lookup mysql{select count(*) from users where
imap_user = '${quote_mysql:$2}' and plain_password = '${q
uote_mysql:$3}' and plain_password != '' and imap = 'yes'}}
server_set_id = $2
login:
driver = plaintext
public_name = LOGIN
server_prompts = Username:: : Password::
server_condition = ${lookup mysql{select count(*) from users where
imap_user = '${quote_mysql:$1}' and plain_password = '${q
uote_mysql:$2}' and plain_password != '' and imap = 'yes'}}
server_set_id = $1
As you can see from the SQL above no user can have a NULL password! This is
very important as we allow our virtual users to adjust their
passwords as often as they want.
This way if someone accidently sets the password as empty, then at least
there username can't be used to relay mail.
However this is on Exim3, but should work on Exim4
Colin Halbert
NDCG Online
Internet Solution Providers
Tel: 07050802437
----- Original Message -----
From: "John W Baxter" <jwblist@???>
To: <exim-users@???>
Sent: Friday, July 05, 2002 9:14 PM
Subject: Re: [Exim] AUTH + SQL: Thoughts
> At 12:16 +0200 6/25/2002, Johannes M. Posel wrote:
> >Oh, yes, there's something not to forget: You must include a "NULL"
> >username with a bogus password in your SQL database, else anyone can
> >relay through your server by simply sending empty username and
> >password (for example by using AUTH LOGIN and then just pressing enter
> >when the server prompts you).
>
> Thank you! (We're using LDAP, where the same issue is present.)
>
> We've fixed open relay, thanks to your message.
>
> I put the low-risk fix in first*...in the acl stanza which accepts
> authenticated senders I added a condition requiring that $authenticated_id
> not be empty (having set that up in the authentication).
>
> A prober will still THINK they've authenticated...will fix that anon, but
> at least the previously open relay is closed.
>
> *the authenticators are already ugly, since I wanted to assume the domain
> given a "bare" local part (in honor of Eudora, which really doesn't want
to
> authenticate john@???, although it can be forced to). And fixing
> this there will make them uglier.
>
> --John
>
>
> --
> John Baxter jwblist@??? Port Ludlow, WA, USA
>
> --
>
> ## List details at http://www.exim.org/mailman/listinfo/exim-users Exim
details at
http://www.exim.org/ ##
>
>
