Re: [Exim] Exim rejects authenticated users?!?

Pàgina inicial
Delete this message
Reply to this message
Autor: Philip Hazel
Data:  
A: Jonathan Vanasco
CC: exim-users
Assumpte: Re: [Exim] Exim rejects authenticated users?!?
On Thu, 3 Jul 2003, Jonathan Vanasco wrote:

> anyone know of a workaround or something to beat exim into submission
> on this? i know its entourage's fault for breaking rfc -- but i can't
> not-support it.


I haven't really followed this thread (owing to the Exim course earlier
this week). But IIRC, the problem is that Entourage isn't resetting
after STARTTLS, and it authenticates first. Is that right?

In the current development code (available in the current snapshot) I
added an option to get round YAEB (Yet Another Exchange Bug):

 9. Added tls_remember_esmtp to cope with YAEB. This allows AUTH and other
    ESMTP extensions after STARTTLS without a new EHLO, in contravention of the
    RFC.


This doesn't do what you want, because it still "wipes out" the fact
that the session was authenticated before STARTTLS. However, by moving a
couple of lines of code you could use this option to remember the
authenticated state as well. Around line 2889 in the smtp.c code module,
you'll see this

    if ((rc = tls_server_start()) == OK)
      {
      if (!tls_remember_esmtp)
        helo_seen = esmtp = auth_advertised = FALSE;
      cmd_list[CMD_LIST_EHLO].is_mail_cmd = TRUE;
      cmd_list[CMD_LIST_AUTH].is_mail_cmd = TRUE;
      if (sender_helo_name != NULL)
        {
        store_free(sender_helo_name);
        sender_helo_name = NULL;
        host_build_sender_fullhost();  /* Rebuild */
        set_process_info("handling incoming TLS connection from %s",
          host_and_ident(FALSE));
        }
      received_protocol =
        protocols[pnormal] + ((sender_host_address != NULL)? pnlocal : 0);
      sender_host_authenticated = NULL;
      authenticated_id = NULL;
      sync_cmd_limit = NON_SYNC_CMD_NON_PIPELINING;
      DEBUG(D_tls) debug_printf("TLS active\n");
      break;     /* Successful STARTTLS */
      }


If you take the two lines

      sender_host_authenticated = NULL;
      authenticated_id = NULL;


and move them to be under the !tls_remember_esmtp test, i.e.

      if (!tls_remember_esmtp)
        {
        helo_seen = esmtp = auth_advertised = FALSE;
        sender_host_authenticated = NULL;
        authenticated_id = NULL;
        }


then setting tls_remember_esmtp should preserve the authentication state.
This is entirely untested. It is also something that I don't think I
want to make standard, because it is somewhat of a security exposure.

Philip

--
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.
Get the Exim 4 book:    http://www.uit.co.uk/exim-book