[exim] LDAP password is visible in bounce message.

Author: Alexander V Alekseev
Date:  
To: exim-users
Subject: [exim] LDAP password is visible in bounce message.
        Hello!

    Exim 4.34. There is a router in configure:
---------------------------------------------------------------------
SOME_LDAP_LOOKUP = ${ lookup ldap { user="<username>" pass=<pass> ldap:///<lookup text>}} 


my_aliases:
driver = redirect
allow_fail = false
allow_defer = false
allow_filter = false
allow_freeze = false
forbid_blackhole = true
forbid_file = true
hide data = SOME_LDAP_LOOKUP
---------------------------------------------------------------------

    Exim generates a bounce message to the sender:
---------------------------------------------------------------------
Delay reason: failed to expand "${ lookup ldap { user="<username>" pass=<pass> ldap:///<lookup text>}} ": lookup of "user="<username>" pass=<pass> ldap:///<lookup text>" gave DEFER: failed to bind the LDAP connection to server <IP>:<Port> - LDAP error 81: Can't contact LDAP server
---------------------------------------------------------------------
    So, anyone can get the username and password for the LDAP server.


    Is there a way not to send hidden data in bounce messages?


        Bye. Alex.



--
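
The leak reported above can be checked for on the operator's side by scanning generated warning or bounce text (or log lines) for the `user=`/`pass=` parameters of an LDAP lookup string and masking them. The following is an added example, not part of the original post and not Exim code; the function name, the mask string and every value in `SAMPLE` are constructed for illustration.

```python
import re

# user=/pass= parameters that precede the URL in an Exim LDAP lookup string.
# A value is either double-quoted (backslash escapes allowed) or a bare token.
_CRED = re.compile(r'\b(user|pass)=("(?:\\.|[^"\\])*"|[^\s"}]+)', re.IGNORECASE)
_LDAP_URL = re.compile(r'ldap[is]?://', re.IGNORECASE)


def redact_ldap_credentials(text, mask="<redacted>"):
    """Return (clean_text, leaked); leaked lists (line_no, param) per hit."""
    leaked = []
    out = []
    for no, line in enumerate(text.splitlines(), 1):
        # Only rewrite lines that actually carry an LDAP lookup string,
        # so unrelated "user=" text elsewhere in a message is left alone.
        if _LDAP_URL.search(line):
            def _mask(m, no=no):
                leaked.append((no, m.group(1).lower()))
                return f"{m.group(1)}={mask}"
            line = _CRED.sub(_mask, line)
        out.append(line)
    return "\n".join(out), leaked


# Constructed sample modelled on the "Delay reason" text quoted in the post.
SAMPLE = (
    'Delay reason: failed to expand "${ lookup ldap { '
    'user="cn=mail,dc=example,dc=org" pass=S3cret! '
    'ldap:///dc=example,dc=org?mail?sub?(uid=joe)}} ": lookup of '
    '"user="cn=mail,dc=example,dc=org" pass=S3cret! '
    'ldap:///dc=example,dc=org?mail?sub?(uid=joe)" gave DEFER: failed to '
    'bind the LDAP connection to server 192.0.2.10:389 - LDAP error 81: '
    "Can't contact LDAP server\n"
    "Note: user=bob pass=x appears here without a lookup string"
)

if __name__ == "__main__":
    clean, leaked = redact_ldap_credentials(SAMPLE)
    print(clean)
    for line_no, param in leaked:
        print(f"line {line_no}: leaked LDAP {param}= parameter")
```

Any hit in messages that leave the host means the bind password should be treated as disclosed and rotated.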