Re: [Exim] Bug in MySQL/SMTP Authentication config code

Αρχική Σελίδα
Delete this message
Reply to this message
Συντάκτης: Dennis Skinner
Ημερομηνία:  
Προς: The Computer Geek
Υ/ο: exim-users
Αντικείμενο: Re: [Exim] Bug in MySQL/SMTP Authentication config code
On Thu, 2004-04-22 at 05:05, The Computer Geek wrote:
> Hi All
>
> I read a couple of articles a while ago about doing SMTP Authentication
> using Exim/MySQL which I thought would solve my relay issues for my
> users who don't use my company's dial-up/broadband access.
>
> Anyway, I've found quite a serious flaw in all the postings which is
> allowing an open relay.


RTFM: Section 33.2

"Here is a example of this approach, where the passwords are looked up
in a DBM file. Warning: This is an incorrect example:

  server_condition = \
    ${if eq{$3}{${lookup{$2}dbm{/etc/authpwd}}}{yes}{no}}


The expansion uses the user name ($2) as the key to look up a password,
which it then compares to the supplied password ($3). Why is this
example incorrect? It works fine for existing users, but consider what
happens if a non-existent user name is given. The lookup fails, but as
no success/failure strings are given for the lookup, it yields an empty
string. Thus, to defeat the authentication, all a client has to do is to
supply a non-existent user name and an empty password. The correct way
of writing this test is:

  server_condition = ${lookup{$2}dbm{/etc/authpwd}\
    {${if eq{$value}{$3}{yes}{no}}}{no}}


In this case, if the lookup succeeds, the result is checked; if the
lookup fails, authentication fails. If crypteq is being used instead of
eq, the first example is in fact safe, because crypteq always fails if
its second argument is empty. However, the second way of writing the
test makes the logic clearer."

--
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com