I finally got SMTP auth working. I have it set up to use the plaintext type logins and check them against /etc/passwd.
The problem is that if you have ANY user's login/pass you can send as any other user. So if I'm Bob and I try to send an email as Joe, when it asks me for my auth I just say Bob (and the pass) and it sends the email through my server appearing to come from Joe.
Does anyone know how to prevent this? It's like spoofing but even more convincing because it comes from the real server. Is there a way to make sure the name they are sending with is the same as the username they authenticated with?
My current auth config is as follows (I found it on the exim messages archive); it is at least making sure they are a user on my server:
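# AUTH!

# PLAIN: $1 = authorization id, $2 = username, $3 = password.
# Succeeds when both are non-empty and the password crypts to the
# password field of the user's /etc/passwd line ("*:*" if no such user).
plain:
  driver = plaintext
  public_name = PLAIN
  server_condition = "${if and {{!eq{$2}{}}{!eq{$3}{}} \
    {crypteq{$3}{${extract{1}{:} \
    {${lookup{$2}lsearch{/etc/passwd}{$value}{*:*}}}}}}}{1}{0}}"
  # Recorded as $authenticated_id
  server_set_id = $2

# LOGIN: $1 = username, $2 = password (same check as above).
login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = "${if and {{!eq{$1}{}}{!eq{$2}{}} \
    {crypteq{$2}{${extract{1}{:} \
    {${lookup{$1}lsearch{/etc/passwd}{$value}{*:*}}}}}}}{1}{0}}"
  # Recorded as $authenticated_id
  server_set_id = $1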
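
One way to tie the sender to the authenticated login, as an added example that is not part of the original post: both authenticators above store the username in $authenticated_id via server_set_id, so an ACL can compare it with the sender. This assumes Exim 4 ACLs, that the ACL names acl_check_rcpt and acl_check_data match the ones your main section points at, and that each login name equals the local part of that user's address.

```exim
# --- main configuration section (assumed ACL names) ---
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data

# --- after "begin acl" ---
acl_check_rcpt:

  # Envelope check: an authenticated session may only use a MAIL FROM
  # whose local part is the login that server_set_id recorded.
  # Place this before any "accept authenticated = *" statement.
  deny    authenticated = *
          message       = Sender address does not match authenticated user
          condition     = ${if !eqi{$sender_address_local_part}{$authenticated_id}}

  # ... the existing RCPT rules (relay checks, accept/deny) follow here ...

acl_check_data:

  # Header check: the From: header is what the recipient's mail client
  # displays, so compare it as well. A From: header that does not parse
  # to a single address yields an empty string and is refused.
  deny    authenticated = *
          message       = From: header does not match authenticated user
          condition     = ${if !eqi{${local_part:${address:$h_from:}}}{$authenticated_id}}

  accept
```

Only the local part is compared here; if the server hosts several domains, the sender domain needs its own check against the domains that login is allowed to use.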