[Exim] SMTP Auth doesn't prevent users from sending as other…

Góra strony
Delete this message
Reply to this message
Autor: Eric Rutherford
Data:  
Dla: exim-users
Temat: [Exim] SMTP Auth doesn't prevent users from sending as other users
This is a multi-part message in MIME format.
--
[ Picked text/plain from multipart/alternative ]
I finally got smtp auth working, i have it set up to use the plaintext type logins and check it against /etc/passwd

the problem is if you have ANY users login/pass you can send as any other user, so if im Bob and i try to send an email as Joe, when it asks me my auth i just say Bob(and the pass) and it sends the email thru my server appearing to come from Joe

does anyone know how to prevent this? its like spoofing but even more convincing because it comes from the real server. is there a way to make sure the name they are sending with is the same as the username they authenticated with?

My current auth config is as follows: (i found it on the exim messages archive)
it is at least making sure they are a user on my server


# AUTH!

plain:
  driver = plaintext
  public_name = PLAIN
  server_condition = "${if and {{!eq{$2}{}}{!eq{$3}{}} \
                          {crypteq{$3}{${extract{1}{:} \
{${lookup{$2}lsearch{/etc/passwd}{$value}{*:*}}}}}}}{1}{0}}"
server_set_id = $2


login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = "${if and {{!eq{$1}{}}{!eq{$2}{}} \
                          {crypteq{$2}{${extract{1}{:} \
{${lookup{$1}lsearch{/etc/passwd}{$value}{*:*}}}}}}}{1}{0}}"
server_set_id = $1




--