> Specifically I watched as the spammer connected with username webmaster
> and no password. I was puzzled so I tried it myself with exim -bs. auth
> login accepted webmaster and no password as a valid login. But webmaster
> is not even in the authorized list. Here's the list (passwords munged
> for security)
>
> +----------+---------------+
> | userid   | pass          |
> +----------+---------------+
> | mark     | <pass gone>   |
> | kevin    | <pass gone>   |
> | dwight   | <pass gone>   |
> | amber    | <pass gone>   |
> | belinda  | <pass gone>   |
> |          | <pass gone>   |
> +----------+---------------+
>
> The blank is so people could not do a blank username and password and
> get in.
That's not a good idea either.
> My authenticator config for the login auth method is:
>
> login:
>   driver=plaintext
>   public_name=LOGIN
>   server_condition = "${if eq{$2} \
>   {${lookup mysql{SELECT pass FROM mail \
>   WHERE userid='${local_part:$1}'}}}{1}{0}}"
>   server_prompts= "Username:: : Password:: "
>   server_set_id=$1
>
>
>
> How can I adapt this so that only people on the list can send mail, if
> you're not on the list you can't authenticate?
>
> Help!?
Something like:
server_condition = "${if eq{$2}{${lookup \
mysql{<sqlstatement>}{$value}fail}}{1}{0}}"
would be better. If the lookup fails to find the value, it forces failure
and is false. Having a blank username and password set means a blank
username can be used.
--
Lab tests show that use of micro$oft causes cancer in lab animals
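
An added example, not part of the original thread: a Python model of the two server_condition forms discussed above, showing why an unknown user with an empty password passes the first and fails the second. The in-memory SQLite table, its rows and passwords, and the function names are constructed assumptions standing in for the poster's MySQL table.

```python
import sqlite3

def make_db():
    """Constructed sample data standing in for the 'mail' table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE mail (userid TEXT, pass TEXT)")
    db.executemany(
        "INSERT INTO mail VALUES (?, ?)",
        [("mark", "s3cret-mark"), ("kevin", "s3cret-kevin"),
         ("", "placeholder")],  # the blank-userid row from the post
    )
    return db

def lookup_pass(db, userid):
    """Return the stored password, or None when no row matches."""
    row = db.execute(
        "SELECT pass FROM mail WHERE userid = ?", (userid,)
    ).fetchone()
    return row[0] if row else None

def auth_original(db, user, password):
    # Models the posted condition: a lookup that finds no row expands
    # to the empty string, which is then compared with the password ($2).
    stored = lookup_pass(db, user)
    expanded = "" if stored is None else stored
    return password == expanded

def auth_forced_fail(db, user, password):
    # Models the suggested {$value}fail form: a missing row is a
    # failure, never an empty string to compare against.
    stored = lookup_pass(db, user)
    if stored is None:
        return False
    return password == stored

if __name__ == "__main__":
    db = make_db()
    for user, pw in [("webmaster", ""), ("mark", "s3cret-mark"),
                     ("", "placeholder")]:
        print(repr(user), repr(pw),
              "original:", auth_original(db, user, pw),
              "forced-fail:", auth_forced_fail(db, user, pw))
```

The last test case shows that the blank-userid row remains a usable credential under either form, which is the point made in the reply about the blank entry.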