[Exim] Bug in MySQL/SMTP Authentication config code

Author: The Computer Geek
Date:  
To: exim-users
Subject: [Exim] Bug in MySQL/SMTP Authentication config code
Hi All

I read a couple of articles a while ago about doing SMTP Authentication
using Exim/MySQL which I thought would solve my relay issues for my
users who don't use my company's dial-up/broadband access.

Anyway, I've found quite a serious flaw in all the postings which is
allowing an open relay.

I was alerted that some of the servers at a company I work for were
being blocked by AOL for spam reasons. Having removed all erroneous
FormMail scripts, I was rather puzzled by this.

We started to look through the logfiles and didn't at first see anything
strange until yesterday when we noticed that SMTP authentications were
being accepted by any username with no password.

Users should look for "webmaster" in their logfiles as the authenticated
username as the spammers have chosen this to look slightly
inconspicuous.

Below is the original code used in the authenticators section of my
config which is a direct copy of most of the posts on the web with only
the fieldnames changed in my database.

---- SNIP ----
login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = "${if eq{$2} \
    {${lookup mysql{SELECT password FROM mailusers WHERE \
    username='${local_part:$1}' \
    and domain='${domain:$1}'}}}{yes}{no}}"
  server_set_id = $1
---- END ----


This works if you have a username and password with no problems and will
deny anyone with the wrong password, but....

If you supply no password then the eq{} breaks down: if you use a
username that doesn't exist you get nothing back from the query, and with
nothing in the supplied password, nothing = nothing, which equals
true, and the condition passes.

Below is my modified version, which I'd like to bring to people's attention.
It checks to see if the password supplied is empty before doing the
lookup from the database. This effectively prevents a null = null
condition being true.

---- CODE ----

login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  # Reject an empty password before the lookup runs: "and" stops at the
  # first false sub-condition, so a blank $2 never reaches the eq{} test,
  # where an empty lookup result (no matching row) would otherwise match it.
  # quote_mysql escapes the client-supplied username so it cannot alter
  # the query text.
  server_condition = "${if and {{!eq{$2}{}}{eq{$2} \
    {${lookup mysql{SELECT password FROM mailusers WHERE \
    username='${quote_mysql:${local_part:$1}}' \
    and domain='${quote_mysql:${domain:$1}}'}}}}}{yes}{no}}"
  server_set_id = $1


---- END CODE ----

Once again, sorry to send to you direct but I feel that this needs
bringing to people's attention fast as there may be open relays out
there that systems administrators believe are closed.

Thanks for your help in advance.

Look forward to hearing from you.

James Brindle
The Computer Geek
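Added illustration, not part of the original post: the Python below models the two server_condition expansions from the message over a constructed stand-in for the mailusers table (including a row with an empty stored password, which the original condition also accepts) and then scans a few constructed Exim main-log lines for authenticated submissions whose A=login:<id> is not a known user, the log check the post recommends. The table contents, the log lines, the simplified address split and the assumption that a failed ${lookup mysql{...}} yields an empty string are all assumptions of this example.

```python
"""Model of the post's vulnerable and fixed server_condition, plus a log check.

Constructed example: an in-memory stand-in for the mailusers table and for
Exim's ${lookup mysql{...}} semantics (empty string when the query returns
no rows and no failure string is given).
"""
from __future__ import annotations

import re

# Constructed stand-in for `SELECT password FROM mailusers WHERE ...`.
# "carol" has an empty stored password, e.g. a disabled account.
MAILUSERS = {
    ("alice", "example.com"): "s3cret",
    ("bob", "example.com"): "hunter2",
    ("carol", "example.com"): "",
}


def split_address(username: str) -> tuple[str, str]:
    """Mimic ${local_part:$1} / ${domain:$1} for 'user@dom'.

    Assumption for this model: a bare string without '@' yields an empty
    domain, so it can never match a mailusers row.
    """
    local, _sep, domain = username.partition("@")
    return local, domain


def lookup_password(username: str) -> str:
    """Empty string on a failed lookup, like ${lookup mysql{...}} with no
    failure string: this is the value that an empty client password equals."""
    return MAILUSERS.get(split_address(username), "")


def vulnerable_condition(username: str, password: str) -> bool:
    """${if eq{$2}{${lookup mysql{...}}}{yes}{no}} from the original posts."""
    return password == lookup_password(username)


def fixed_condition(username: str, password: str) -> bool:
    """${if and {{!eq{$2}{}}{eq{$2}{${lookup mysql{...}}}}}{yes}{no}}.

    Exim's "and" stops at the first false sub-condition, so an empty
    password is rejected before the database is consulted.
    """
    if password == "":
        return False
    return password == lookup_password(username)


# Constructed Exim main-log lines in Exim's real layout: "<=" marks an
# accepted message, P=esmtpa an authenticated session and
# A=<authenticator>:<id> the id set by server_set_id.
SAMPLE_LOG = """\
2003-11-20 10:01:02 1AMZxy-0001Ab-00 <= alice@example.com H=(pc1) [192.0.2.10] P=esmtpa A=login:alice@example.com S=1432
2003-11-20 10:03:14 1AMZzz-0001Ac-00 <= spam@invalid.test H=(x) [198.51.100.7] P=esmtpa A=login:webmaster S=9811
2003-11-20 10:05:55 1AMa0a-0001Ad-00 <= news@partner.example H=mx.partner.example [203.0.113.2] P=esmtp S=2210
"""

AUTH_RE = re.compile(r"<= (\S+) H=\S+ \[([\d.]+)\] P=esmtpa A=(\w+):(\S+)")


def suspicious_auths(log_text: str) -> list[dict]:
    """Return authenticated submissions whose auth id matches no mailusers row.

    A relay abused through the empty-password bug shows up here as an
    id such as "webmaster" that was never a real account.
    """
    hits = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue
        sender, ip, authenticator, auth_id = m.groups()
        if split_address(auth_id) not in MAILUSERS:
            hits.append({"ip": ip, "authenticator": authenticator,
                         "auth_id": auth_id, "sender": sender})
    return hits


if __name__ == "__main__":
    for user, pw in [("alice@example.com", "s3cret"), ("webmaster", ""),
                     ("carol@example.com", ""), ("alice@example.com", "")]:
        print(f"{user!r:24} {pw!r:10} original={vulnerable_condition(user, pw)!s:5} "
              f"fixed={fixed_condition(user, pw)}")
    for hit in suspicious_auths(SAMPLE_LOG):
        print("suspicious authenticated submission:", hit)
```

Run it with `python3` and no arguments; the first table shows that the original condition lets "webmaster" with no password through (and any real account whose stored password is empty), while the fixed condition rejects both, and the log scan lists the one constructed line whose authenticated id is not a known user.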