Re: [Exim] Auth SMTP Relay

Página Inicial
Delete this message
Reply to this message
Autor: Kirill Miazine
Data:  
Para: Shawn P. Garbett
CC: exim-users
Assunto: Re: [Exim] Auth SMTP Relay
Shawn P. Garbett wrote:
> > > I'm pulling my hair out trying to figure out the following. Can
> > > anyone tell me what I'm missing besides a brain and a clue?
> > >
> > > The configuration should allow relaying when authenticated.
> > >
> > > I can authenticate on the local domain.
> >
> > Authenticate and replay or simply relay without authentication?
>
> Authenticate. Relay is disabled outside the localdomain, but I want to
> allow it for authentiated hosts: The server responded: "relaying to
> <listman@???> prohibited by administrator "


Yes. But did the AUTH attempt take place?

> I use the encode perl script for the user/password and do a "AUTH
> PLAIN [encode64 string here]" It returns success.
>
> The only strangeness there is that the encode instructions say do it
> this way encode '\0user=\0password", It then decodes it as $2 & $3. I
> have to do it like encode 'user\0password' to get it to work, which
> decodes as $1 and $2.


Why do you have to do it that way? This is wrong and incorrect.

Your PLAIN authenticator is broken. Username is in $2 and password
is in $3, while $1 is always empty. Period.

Here's the script I use:

#!/usr/bin/perl
use MIME::Base64;
$arg = shift or exit;
$arg =~ s/(\@|\$)/\\$1/g;
print encode_base64(eval qq|"$arg"|);

Running it gives:

km@ns:~$ b64e '\0user\0very_secret'
AHVzZXIAdmVyeV9zZWNyZXQ=

And Exim responds fine to AUTH PLAIN with the produced base64 data:

AUTH PLAIN AHVzZXIAdmVyeV9zZWNyZXQ=
>>> plain authenticator:
>>> $1 =
>>> $2 = user
>>> $3 = very_secret
>>> expanded string: no

535 Incorrect authentication data

> I figure I can fiddle with testing this after I get it to allow
> authentication outside the local domain.


Please send \0user\0password as the AUTH PLAIN argument.

> > No SMTP AUTH mechanism is announced to be supported in reply to
> > EHLO. In Exim 4 you'd set auth_advertise_hosts to something.
>
> In 3 it's auth_always_advertise=true under the main section. I tried
> this with both settings. No use.


So, is AUTH advertised or not? How can you authenticate when no
authenticator is even advertised? Can you show us the entire transaction
when you are able to authenticate?

--
Kirill Miazine, Stud. Jur.
Faculty of Law, University of Oslo