Re: [Exim] [ Exim 3.36 ] SMTP AUTH hacked ?

Top Page
Delete this message
Reply to this message
Author: Nico Erfurth
Date:  
To: Georges Arnould
CC: exim-users
Subject: Re: [Exim] [ Exim 3.36 ] SMTP AUTH hacked ?
Georges Arnould wrote:
>>I bet your authenticator config is broken, if it can't lookup the
>>username it will accept anything as password, try it yourself.
>>Show use your auth-config, and we can help you.
>
>
> Here it is ... It has never changed for a year ... And someone managed to
> pass through yesterday. I wonder if my config. is broken ... But I would
> enjoy it is (meaning no recompil, no reinstall, etc.) ...
>
> Thank's for your appreciated help !
>
> Georges
>
>
> fixed_login:
>        driver = plaintext
>        public_name = LOGIN
>        server_condition = "${if eq
> {${lookup{$1}lsearch{/usr/local/exim/etc/trusted_users}{$value}}} {$2} {yes}
> {no}}"
>        server_set_id = $1
>        server_prompts = "Username:: : Password::"


in general you should verify that you lookup SOME password, I used

server_condition = "${if eq\
{${lookup{$1}lsearch{/usr/local/exim/etc/trusted_users}{$value}fail}}\
{$2} {yes}{no}}"

to make sure that the expansion fails if the lookup wasn't successful.

Nico