On Tue, Aug 02, 2005 at 01:23:06PM +0200, Jakob Hirsch wrote:
> > spa:
> > driver = spa
> > public_name = NTLM
> > server_password = ${lookup{$1}dbmnz{/etc/exim/passwd}}
>
> Anyone with an arbitrary username and empty password can send mails
> through your server (in case you don't believe it, look into your logs).
> This should really be "${lookup{$1}dbmnz{/etc/exim/passwd}{$value}fail}"
> like in the cram-md5 authenticator.
This does not seem to be the case. I have just tested sending mail via
Outlook with incorrect passwords (using either a valid or invalid
username) and exim correctly refuses to relay the message.
Please feel free to try and relay through outgoing.csail.mit.edu using
NTLM authentication. Let me know if it works, but my experience
indicates otherwise.
> Besides that, it looks ok and works here that way. I'm using lsearch
> instead of dbmnz, though. You are sure you ran exim_dbmbuild with the
> -nozero option the last time you updated passwd?
>
> > 4253 lookup yielded: <my_password>
> > 4253 CRAM-MD5: user name = noahm
> > 4253 challenge = <4253.1122936460@???>
> > 4253 received = a2f19773f6bed6fd8fb93cca29b12c30
> > 4253 digest = f4dadcdd3b8b41c8ebe7553f047a1889
>
> Please put a temporary entry in passwd, try to authenticate and post the
> output here, so we can see which one is wrong here.
Here it is. The client in this case is KDE's kmail. My password was
temporarily changed to "someboguspasswordfortesting" for this testing
purpose.
4984 Connection request from 128.30.5.117 port 56793
4984 search_tidyup called
4984 1 SMTP accept process running
4984 Listening...
4986 host in rfc1413_hosts? no (end of list)
4986 sender_fullhost = [128.30.5.117]
4986 sender_rcvhost = [128.30.5.117]
4986 Process 4986 is handling incoming connection from [128.30.5.117]
4986 checking for IP options
4986 no IP options found
4986 host in host_lookup? yes (matched "*")
4986 looking up host name for 128.30.5.117
4986 DNS lookup of 117.5.30.128.in-addr.arpa (PTR) succeeded
4986 IP address lookup yielded 30-5-117.wireless.csail.mit.edu
4986 gethostbyname looked up these IP addresses:
4986 name=30-5-117.wireless.csail.mit.edu address=128.30.5.117
4986 checking addresses for 30-5-117.wireless.csail.mit.edu
4986 128.30.5.117 OK
4986 sender_fullhost = 30-5-117.wireless.csail.mit.edu [128.30.5.117]
4986 sender_rcvhost = 30-5-117.wireless.csail.mit.edu ([128.30.5.117])
4986 set_process_info: 4986 handling incoming connection from 30-5-117.wireless.csail.mit.edu [128.30.5.117]
4986 host in host_reject_connection? no (option unset)
4986 host in sender_unqualified_hosts? no (option unset)
4986 host in recipient_unqualified_hosts? no (option unset)
4986 host in helo_verify_hosts? no (option unset)
4986 host in helo_try_verify_hosts? no (option unset)
4986 host in helo_accept_junk_hosts? no (option unset)
4986 SMTP>> 220 cosmo.csail.mit.edu ESMTP Exim 4.50 Tue, 02 Aug 2005 14:53:54 -0400
4986 Process 4986 is ready for new message
4986 smtp_setup_msg entered
4986 SMTP<< EHLO 30-5-117.wireless.csail.mit.edu
4986 sender_fullhost = 30-5-117.wireless.csail.mit.edu [128.30.5.117]
4986 sender_rcvhost = 30-5-117.wireless.csail.mit.edu ([128.30.5.117])
4986 set_process_info: 4986 handling incoming connection from 30-5-117.wireless.csail.mit.edu [128.30.5.117]
4986 host in pipelining_advertise_hosts? yes (matched "*")
4986 host in auth_advertise_hosts? yes (matched "0.0.0.0/0")
4986 host in tls_advertise_hosts? yes (matched "*")
4986 SMTP>> 250-cosmo.csail.mit.edu Hello 30-5-117.wireless.csail.mit.edu [128.30.5.117]
4986 250-SIZE 104857600
4986 250-PIPELINING
4986 250-AUTH CRAM-MD5 NTLM
4986 250-STARTTLS
4986 250 HELP
4986 SMTP<< STARTTLS
4986 tls_certificate file /etc/exim/certs/outgoing.server.pem
4986 tls_privatekey file /etc/exim/keys/outgoing.server.key
4986 Initialized TLS
4986 host in tls_verify_hosts? no (option unset)
4986 host in tls_try_verify_hosts? yes (matched "*")
4986 SMTP>> 220 TLS go ahead
4986 Calling SSL_accept
4986 SSL info: before/accept initialization
4986 SSL info: before/accept initialization
4986 SSL info: SSLv3 read client hello A
4986 SSL info: SSLv3 write server hello A
4986 SSL info: SSLv3 write certificate A
4986 SSL info: SSLv3 write certificate request A
4986 SSL info: SSLv3 flush data
4986 SSL info: SSLv3 read client certificate A
4986 SSL info: SSLv3 read client key exchange A
4986 SSL info: SSLv3 read finished A
4986 SSL info: SSLv3 write change cipher spec A
4986 SSL info: SSLv3 write finished A
4986 SSL info: SSLv3 flush data
4986 SSL info: SSL negotiation finished successfully
4986 SSL info: SSL negotiation finished successfully
4986 SSL_accept was successful
4986 Cipher: TLSv1:RC4-MD5:128
4986 Shared ciphers: RC4-MD5:RC4-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:DHE-DSS-RC4-SHA:EXP1024-DHE-DSS-RC4-SHA:EXP1024-RC4-SHA:EXP1024-DHE-DSS-DES-CBC-SHA:EXP1024-DES-CBC-SHA:EXP1024-RC2-CBC-MD5:EXP1024-RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA
4986 sender_fullhost = 30-5-117.wireless.csail.mit.edu [128.30.5.117]
4986 sender_rcvhost = 30-5-117.wireless.csail.mit.edu ([128.30.5.117])
4986 set_process_info: 4986 handling incoming TLS connection from 30-5-117.wireless.csail.mit.edu [128.30.5.117]
4986 TLS active
4986 Calling SSL_read(8113bb0, 8122ca8, 4096)
4986 SMTP<< EHLO 30-5-117.wireless.csail.mit.edu
4986 sender_fullhost = 30-5-117.wireless.csail.mit.edu [128.30.5.117]
4986 sender_rcvhost = 30-5-117.wireless.csail.mit.edu ([128.30.5.117])
4986 set_process_info: 4986 handling TLS incoming connection from 30-5-117.wireless.csail.mit.edu [128.30.5.117]
4986 host in pipelining_advertise_hosts? yes (matched "*")
4986 host in auth_advertise_hosts? yes (matched "0.0.0.0/0")
4986 tls_do_write(8104ae0, 154)
4986 SSL_write(SSL, 8104ae0, 154)
4986 outbytes=154 error=0
4986 SMTP>> 250-cosmo.csail.mit.edu Hello 30-5-117.wireless.csail.mit.edu [128.30.5.117]
4986 250-SIZE 104857600
4986 250-PIPELINING
4986 250-AUTH CRAM-MD5 NTLM PLAIN
4986 250 HELP
4986 Calling SSL_read(8113bb0, 8122ca8, 4096)
4986 SMTP<< AUTH CRAM-MD5
4986 SMTP>> 334 PDQ5ODYuMTEyMzAwODg0MkBjb3Ntby5jc2FpbC5taXQuZWR1Pg==
4986 tls_do_write(80fa728, 58)
4986 SSL_write(SSL, 80fa728, 58)
4986 outbytes=58 error=0
4986 Calling SSL_read(8113bb0, 8122ca8, 4096)
4986 search_open: dbmnz "/etc/exim/passwd"
4986 search_find: file="/etc/exim/passwd"
4986 key="noahm" partial=-1 affix=NULL starflags=0
4986 LRU list:
4986 2/etc/exim/passwd
4986 End
4986 internal_search_find: file="/etc/exim/passwd"
4986 type=dbmnz key="noahm"
4986 file lookup required for noahm
4986 in /etc/exim/passwd
4986 lookup yielded: someboguspasswordfortesting
4986 CRAM-MD5: user name = noahm
4986 challenge = <4986.1123008842@???>
4986 received = 92c7df4232f5ebee8cc2c0a350aa692a
4986 digest = be6d10292874fd3448087355d47597d4
4986 SMTP>> 535 Incorrect authentication data
4986 tls_do_write(80fa728, 35)
4986 SSL_write(SSL, 80fa728, 35)
4986 outbytes=35 error=0
4986 LOG: MAIN REJECT
4986 lookup_cram authenticator failed for 30-5-117.wireless.csail.mit.edu [128.30.5.117]: 535 Incorrect authentication data (set_id=noahm)
4986 Calling SSL_read(8113bb0, 8122ca8, 4096)
4986 SSL info: SSL negotiation finished successfully
4986 Got SSL_ERROR_ZERO_RETURN
4986 SMTP>> 421 cosmo.csail.mit.edu lost input connection
4986 LOG: smtp_connection MAIN
4986 SMTP connection from 30-5-117.wireless.csail.mit.edu [128.30.5.117] lost
4986 search_tidyup called
4984 child 4986 ended: status=0x100
4984 0 SMTP accept processes now running
4984 Listening...
--
Noah Meyerhans System Administrator
MIT Computer Science and Artificial Intelligence Laboratory
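The thread above is debugging the same comparison Exim prints in the trace ("received" versus "digest"), and the earlier suggestion to use `{$value}fail` in the lookup. The following Python is an added example written for this page, not Exim's own code, that reproduces the server side of CRAM-MD5 as Exim's cram_md5 authenticator performs it: base64-decode the client's reply, look up the stored secret for the user name, compute HMAC-MD5 over the challenge and compare. The challenge is the real one from the `334` line of the trace; the password file is a constructed in-memory dict (the "noahm" entry is the temporary test password quoted in the message, the hypothetical "nobody" user is the missing-entry case). The `fail_on_missing` flag models the difference between `${lookup{$1}dbmnz{/etc/exim/passwd}}`, which expands to the empty string when the key is absent, and `${lookup{$1}dbmnz{/etc/exim/passwd}{$value}fail}`, which forces the expansion (and therefore the authentication) to fail.

```python
"""Server-side CRAM-MD5 check, modelled on the Exim debug trace above.

Added example for this page, not Exim source. The challenge is taken
from the trace; the password table is constructed test data.
"""
import base64
import hashlib
import hmac
from typing import Callable, Optional

# "SMTP>> 334 ..." line from the trace: the base64-encoded challenge.
CHALLENGE_B64 = "PDQ5ODYuMTEyMzAwODg0MkBjb3Ntby5jc2FpbC5taXQuZWR1Pg=="

# Constructed stand-in for /etc/exim/passwd ("noahm" uses the temporary
# password quoted in the message; there is deliberately no "nobody" entry).
PASSWD = {"noahm": "someboguspasswordfortesting"}


def decode_challenge(b64: str) -> bytes:
    """The raw challenge string the client HMACs over."""
    return base64.b64decode(b64)


def client_response(user: str, secret: str, challenge: bytes) -> str:
    """What a CRAM-MD5 client sends back: base64("user hex(HMAC-MD5))."""
    digest = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def verify(response_b64: str, challenge: bytes,
           lookup: Callable[[str], Optional[str]],
           fail_on_missing: bool = True) -> bool:
    """Server side of the exchange.

    `lookup(user)` returns the stored secret, or None if there is no entry.

    fail_on_missing=True  models ${lookup{$1}dbmnz{file}{$value}fail}:
                          an absent key forces the expansion to fail, so
                          authentication fails.
    fail_on_missing=False models ${lookup{$1}dbmnz{file}} with no failure
                          branch: an absent key expands to "" and that
                          empty string becomes the secret that is HMACed.
    """
    try:
        user, received = base64.b64decode(response_b64).decode().split(" ", 1)
    except ValueError:
        return False  # malformed reply: not two space-separated fields
    secret = lookup(user)
    if secret is None:
        if fail_on_missing:
            return False
        secret = ""  # the "lookup yielded:" value would be empty here
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    # Same comparison as the trace's "received" vs "digest" lines,
    # but constant-time so the hex digest cannot be guessed byte by byte.
    return hmac.compare_digest(expected, received)


def run_cases() -> dict:
    """Exercise the right-password, wrong-password and missing-user cases."""
    ch = decode_challenge(CHALLENGE_B64)
    good = client_response("noahm", PASSWD["noahm"], ch)
    bad = client_response("noahm", "not-the-password", ch)
    ghost = client_response("nobody", "", ch)  # unknown user, empty secret
    return {
        "correct_password": verify(good, ch, PASSWD.get),
        "wrong_password": verify(bad, ch, PASSWD.get),
        "missing_user_with_fail": verify(ghost, ch, PASSWD.get, True),
        "missing_user_without_fail": verify(ghost, ch, PASSWD.get, False),
    }


if __name__ == "__main__":
    print(decode_challenge(CHALLENGE_B64).decode())
    for name, ok in run_cases().items():
        print(f"{name}: {'235 accepted' if ok else '535 Incorrect authentication data'}")
```

The last case is the one the `{$value}fail` advice is about: without a failure branch, a client that sends an unknown user name and HMACs with an empty key gets the same digest the server computes from the empty lookup result. Note also what the server must hold for CRAM-MD5 to work at all: the plaintext secret itself (the "lookup yielded:" line prints it), so the password file deserves the same protection as the passwords.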