[exim] CRAM-MD5 and NTLM suddenly stopped working

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
M 
MJakob Hirsch at ->
Delete this message
Reply to this message
Author: Noah Meyerhans
Date:  
To: exim-users
Subject: [exim] CRAM-MD5 and NTLM suddenly stopped working
Hi all. I've got a strange problem on a production mail server running
Exim 4.50. It seems that CRAM-MD5 and NTLM authentication just stopped
working. The strange bit is that they used to work, and PLAIN
authentication (available on encrypted sessions) still works fine. It
uses the same dbmnz lookup as the other authenticators. The
authenticators section in my config file looks like: 

begin authenticators
  lookup_cram:
    driver = cram_md5
    public_name = CRAM-MD5
    server_secret = ${lookup{$1}dbmnz{/etc/exim/passwd}{$value}fail}
    server_set_id = $1


  spa:
    driver = spa
    public_name = NTLM
    server_password = ${lookup{$1}dbmnz{/etc/exim/passwd}}


  plaintext:
    driver = plaintext
    server_advertise_condition = ${if eq{$tls_cipher}{}{no}{yes}}
    public_name = PLAIN
    server_condition = ${lookup{$2}dbmnz{/etc/exim/passwd}\
      {${if eq{$value}{$3}{yes}{no}}}{no}}


Is there anything obviously wrong here? The /etc/exim/passwd file is,
according to file(1):
/etc/exim/passwd: Berkeley DB (Hash, version 7, native byte-order)

Exim logs the following when trying to authenticate:
Aug 1 17:39:08 cosmo exim[4201]: 2005-08-01 17:39:08 lookup_cram authenticator failed for lore.csail.mit.edu [128.30.29.36]: 535 Incorrect authentication data(set_id=noahm)

If I switch to PLAIN auth, I get the following in the logs and the
message is delivered as expected:
Aug 1 17:49:43 cosmo exim[4209]: 2005-08-01 17:49:43 1DziAI-00015t-Nh <= noahm@??? H=lore.csail.mit.edu [128.30.29.36] P=esmtpsa X=TLSv1:RC4-MD5:128A=plaintext S=676 id=200508011709.08276.noahm@??? 

When auth debugging is enabled, things all seem to look correct.  He's a
chunk of the ouput, substituting "<my_password>" for the cases where my
actual password shows up in the clear:
 4253 SMTP>> 250-cosmo.csail.mit.edu Hello lore.csail.mit.edu
[128.30.29.36]
 4253 250-SIZE 104857600
 4253 250-PIPELINING
 4253 250-AUTH CRAM-MD5 NTLM
 4253 250-STARTTLS
 4253 250 HELP
 4253 SMTP<< AUTH CRAM-MD5
 4253 SMTP>> 334 PDQyNTMuMTEyMjkzNjQ2MEBjb3Ntby5jc2FpbC5taXQuZWR1Pg==
 4253 search_open: dbmnz "/etc/exim/passwd"
 4253 search_find: file="/etc/exim/passwd"
 4253   key="noahm" partial=-1 affix=NULL starflags=0
 4253 LRU list:
 4253   2/etc/exim/passwd
 4253   End
 4253 internal_search_find: file="/etc/exim/passwd"
 4253   type=dbmnz key="noahm"
 4253 file lookup required for noahm
 4253   in /etc/exim/passwd
 4253 lookup yielded: <my_password>
 4253 CRAM-MD5: user name = noahm
 4253           challenge = <4253.1122936460@???>
 4253           received  = a2f19773f6bed6fd8fb93cca29b12c30
 4253           digest    = f4dadcdd3b8b41c8ebe7553f047a1889
 4253 SMTP>> 535 Incorrect authentication data
 4253 LOG: MAIN REJECT
 4253   lookup_cram authenticator failed for lore.csail.mit.edu [128.30.29.36]:535 Incorrect authentication data (set_id=noahm)


This problem has been demonstrated on Apple Mail/MacOSX, KMail/Linux,
and (I believe) Eudora/WinXP, so it's highly unlikely to be a client
issue.

Thanks, and please feel free to ask for more details...

noah 

-- 
Noah Meyerhans                         System Administrator
MIT Computer Science and Artificial Intelligence Laboratory


This message was posted to the following mailing lists:
Exim-users
Mailing List Info | Nearby Messages		<-Re: [exim] Why doesn't Exim authenticate against IMAP directly?[exim] which approach for: exiscan, clamav & spamassassin ?->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)