Re: [Exim] Empty password/CDB lookup gotcha

Author: Nico Erfurth
Date:  
To: Paul Makepeace
CC: exim-users
Subject: Re: [Exim] Empty password/CDB lookup gotcha
Paul Makepeace wrote:
> Spot the bug in the following line, and how to exploit it:
>
> server_condition = ${if eq{$3}{${lookup {$2} cdb {/etc/mail/smtpauth.cdb}{$value}}}{yes}{no}}
>
> The exploit is that empty passwords given during the AUTH phase match
> nicely with non-existent users in the CDB file.
>
> Instead,
>
> server_condition = ${if and { {!eq {$2}{}} {eq{$2}{${lookup {$1} cdb {/etc/mail/smtpauth.cdb}{$value}}}} } {yes}{no}}
>
> which ensures there's a password in there. I wonder how many other
> checks let an empty password slip by? Seems an easy mistake to make.
>
> Unfortunately this error was spotted by a spammer who AUTH LOGIN'ed as
> webmaster with no password, and effectively turned one of my MTAs into
> an open relay. Fortunately I caught it as spamassassin tripped a load
> meter but it was still an ugly scene. I haven't fully analyzed it yet
> but the spamming seemed distributed - all sorts of IPs "realized" the
> situation at once.


This is a known misconfiguration; there was a thread about it today.
I suggest using:

server_condition = ${if eq{$3}{${lookup {$2} cdb \
{/etc/mail/smtpauth.cdb}{$value}fail}}{yes}{no}}

So the lookup fails if no value is returned.

It looks like some spammers are starting to exploit this
misconfiguration :-/

Nico
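
A heuristic audit for the pattern discussed in this thread, added here as an example (not code from either poster or from Exim): it flags server_condition lines that compare a client-supplied variable to a ${lookup} result with neither a "fail" fallback nor an empty-string guard. The authenticator names and the sample configuration are constructed around the three conditions quoted above.

```python
import re

# Constructed sample: the three conditions quoted in this thread, placed under
# made-up authenticator names.
SAMPLE = r"""
login_unsafe:
  driver = plaintext
  server_condition = ${if eq{$3}{${lookup {$2} cdb {/etc/mail/smtpauth.cdb}{$value}}}{yes}{no}}
plain_guarded:
  driver = plaintext
  server_condition = ${if and { {!eq {$2}{}} {eq{$2}{${lookup {$1} cdb {/etc/mail/smtpauth.cdb}{$value}}}} } {yes}{no}}
login_fail:
  driver = plaintext
  server_condition = ${if eq{$3}{${lookup {$2} cdb \
      {/etc/mail/smtpauth.cdb}{$value}fail}}{yes}{no}}
"""

VAR = r"(\$(?:auth)?\d)"  # $1..$9 or $auth1..$auth9
# eq{$N}{${lookup ...   : client-supplied value compared to a lookup result
COMPARE = re.compile(r"eq\s*\{\s*" + VAR + r"\s*\}\s*\{\s*\$\{lookup")
# !eq{$N}{}             : explicit "value is not empty" guard
GUARD = re.compile(r"!\s*eq\s*\{\s*" + VAR + r"\s*\}\s*\{\s*\}")
# ...}fail}             : lookup miss forces expansion failure instead of ""
FAIL = re.compile(r"\}\s*fail\s*\}")

def unfold(text):
    """Join backslash-continued lines before matching."""
    return re.sub(r"\\[ \t]*\n[ \t]*", "", text)

def audit(config_text):
    """Return [(authenticator, reason)] for conditions an empty password can satisfy.
    Heuristic: 'fail' is checked per expression, not per individual lookup."""
    findings, current = [], None
    for line in unfold(config_text).splitlines():
        head = re.match(r"^(\w+):\s*$", line)
        if head:
            current = head.group(1)
            continue
        cond = re.match(r"\s*server_condition\s*=\s*(.*)", line)
        if not cond:
            continue
        expr = cond.group(1)
        unguarded = set(COMPARE.findall(expr)) - set(GUARD.findall(expr))
        if unguarded and not FAIL.search(expr):
            findings.append((current, "compares %s to a lookup with no 'fail' "
                             "and no empty-string guard" % ", ".join(sorted(unguarded))))
    return findings

if __name__ == "__main__":
    for name, reason in audit(SAMPLE):
        print("%s: %s" % (name, reason))
```

A flagged line is a prompt for manual review; a clean result does not prove the authenticator is safe, since the patterns only cover the eq-against-lookup form shown in this thread.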