Re: [Exim] Tracking authentications

Góra strony
Delete this message
Reply to this message
Autor: Wakko Warner
Data:  
Dla: Dan Egli
CC: exim-users
Temat: Re: [Exim] Tracking authentications
> Specifically I watched as the spammer connected with username webmaster
> and no password. I was puzzled so I tried it myself with exim -bs. auth
> login accepted webmaster and no password as a valid login. But webmaster
> is not even in the authorized list. Here's the list (passwords munged
> for security)
>
> +----------+---------------+
> | userid   | pass          |
> +----------+---------------+
> | mark     | <pass gone>   |
> | kevin    | <pass gone>   |
> | dwight   | <pass gone>   |
> | amber    | <pass gone>   |
> | belinda  | <pass gone>   |
> |          | <pass gone>   |
> +----------+---------------+

>
> The blank is so people could not do a blank username and password and
> get in.


That's not a good idea either.

> My authenticator config for the login auth method is:
>
> login:
> driver=plaintext
> ~ public_name=LOGIN
> ~ server_condition = "${if eq{$2} \
> ~ {${lookup mysql{SELECT pass FROM mail \
> ~ WHERE userid='${local_part:$1}'}}}{1}{0}}"
> ~ server_prompts= "Username:: : Password:: "
> ~ server_set_id=$1
>
>
>
> How can I adapt this so that only people on the list can send mail, if
> you're not on the list you cann't authenticate?
>
> Help!?


Something like:
server_condition = "${if eq{$2}{${lookup \
    mysql{<sqlstatement>}{$value}fail}}{1}{0}}"


would be better. If the lookup fails to find the value, it forces failure
and is false. Having a blank username and password set means a blank
username can be used.

--
Lab tests show that use of micro$oft causes cancer in lab animals