Re: [Exim] Help checking domain name in mysql

Αρχική Σελίδα
Delete this message
Reply to this message
Συντάκτης: Nico Erfurth
Ημερομηνία:  
Προς: The Jelly Bean Junky
Υ/ο: exim-users@exim.org
Αντικείμενο: Re: [Exim] Help checking domain name in mysql
On Sun, 12 Jan 2003, The Jelly Bean Junky wrote:

> This is a multi-part message in MIME format.
> --
> [ Picked text/plain from multipart/alternative ]
> Okay I have got exim compiled and running nicely. I have got mysql
> support enabled and I'm running multihosting sites and hopefully emails
> with auth on it.
> I have managed to get auth to work to an extent using this auth block:
>
>
> # outlook ms/ex
> fixed_login:
> driver = plaintext
> public_name = LOGIN
> server_prompts = "Username:: : Password::"
> server_condition = \
> "${if eq{$2} {${lookup mysql{SELECT password FROM smtpusers WHERE
> username = '$1' AND domain =
> '${lc:$sender_address_domain}'}}}{yes}{no}}"
> server_set_id = $1
>
> This does not seem to work. I want to check their domain name in the
> "mail from: user@???" against a record in the mysql data base
> but '${lc:$sender_address_domain}' always seems to return a null value
> [blank]. Example, user is user@??? I want to check example.com
> in the database. I'm planning to use this to stop an auth'ed user
> sending an email effectively as a spam under any other domain names. It
> just makes sure they stick with the domain name assigned to them in the
> database.


1.) Your condition is a security-hole, the mysql lookup will return an
empty string if the lookup yields no results. All what an attacker needs
to do is using some strange username and an empty password

2.) What you want to do is not possible, at least not in the way you want
to do it, the client will send the AUTH command before it sends the MAIL
FROM, so you don't know who tries to send the mail

Here is an fixed authenticator:
fixed_login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = \
  ${if eq {1} \
     {lookup mysql \
       {select count(*) from smtpusers WHERE \
          username = ${quote_mysql:${local_part:$1}} and \
          domain = ${quote_mysql:$domain:$1}} \
          and password=${quote_mysql:$2} \
       }
       {$value}fail\
     }\
   {yes}{no}}
  server_set_id = $1


You have to declare password as CHAR/VARCHAR BINARY in your mysql-table,
to make the match case sensitive, also your users must authenticate by
their full user@domain address.

To do what you want, add something like this to your rcpt or mail acl.

deny message = You are not allowed to send from another domainname
     authenticated = *
     !senders = *@${domain:$authenticated_id}


If you don't can't make your users authenticate with their full address,
you have to remove the check for domain in the above mysql-statement, and
use a modified ACL:

deny message = You are not allowed to send from another domainname
     authenticated = *
     !senders = *@mysql;select domain from smtpusers where \
                       domain= ${quote_mysql:$sender_address_domain} and \
                       username = ${quote_mysql:$authenticated_id}


Everything is untested, but should work.

NEVER forget to use ${quote_mysql} or your server will be open for abuse.

ciao