Re: [exim] CRAM-MD5 and NTLM suddenly stopped working

Pàgina inicial
Delete this message
Reply to this message
Autor: Noah Meyerhans
Data:  
A: exim-users
Assumpte: Re: [exim] CRAM-MD5 and NTLM suddenly stopped working
On Tue, Aug 02, 2005 at 09:52:52PM +0200, Jakob Hirsch wrote:
> >>>    server_password = ${lookup{$1}dbmnz{/etc/exim/passwd}}
> >>Anyone with an arbitrary username and empty password can send mails
> > This does not seem to be the case.  I have just tested sending mail via

>
> But it is. I tried cosmo.csail.mit.edu before (which refuses connections
> now) and now again with outgoing.csail.mit.edu, both worked.


But neither worked for me! The testing, in the most recent case, was
with Outlook Express against cosmo. Exim logs the following when
running in debug mode:
5009 search_open: dbmnz "/etc/exim/passwd"
5009 cached open
5009 search_find: file="/etc/exim/passwd"
5009 key="nonexistant" partial=-1 affix=NULL starflags=0
5009 LRU list:
5009 2/etc/exim/passwd
5009 End
5009 internal_search_find: file="/etc/exim/passwd"
5009 type=dbmnz key="nonexistant"
5009 file lookup required for nonexistant
5009 in /etc/exim/passwd
5009 lookup failed
5009 SMTP>> 535 Incorrect authentication data
5009 LOG: MAIN REJECT
5009 spa authenticator failed for 30-5-117.wireless.csail.mit.edu (thing) [128.30.5.117]: 535 Incorrect authentication data
5009 SMTP<< AUTH NTLM
5009 SMTP>> 334 NTLM supported
5009 SMTP>> 334 TlRMTVNTUAACAAAAAAAAAAAoAAABggAAfgEJRxzObcgAAAAAAAAAAAAAAAAAAAAA

Then again, this could be partly related to the fact that, at least in
some cases, *all* cram-md5 and ntlm authentication is broken...

> >>instead of dbmnz, though. You are sure you ran exim_dbmbuild with the
> >>-nozero option the last time you updated passwd?
>
> so you are?


I do not use exim_dbmbuild to generate the passwd file.  It is generated
using perl's BerkeleyDB module.  I can extract my password using a
command like:
perl -e '
use BerkeleyDB;
tie %hash, "BerkeleyDB::Hash", { -Filename => "/etc/exim/passwd", -Flags => DB_RDONLY } 
    or die "tie failed: $!\n";
print $hash{'noahm'} . "\n";'


So I'm confident that the file is not corrupt.

> >  4986 lookup yielded: someboguspasswordfortesting
> >  4986 CRAM-MD5: user name = noahm
> >  4986           challenge = <4986.1123008842@???>
> >  4986           received  = 92c7df4232f5ebee8cc2c0a350aa692a
> >  4986           digest    = be6d10292874fd3448087355d47597d4

>
> Exim's digest is correct. Strange...
> Have you tested other clients and servers?


cosmo and outgoing are two separete machines, though they're basically
running the same software. I've tested kmail, outlook express, and
thunderbird. During the day I've been testing against cosmo, since it's
not a production server and I can reconfigure it without affecting
users. outgoing permits unauthenticated relaying from on-site, so I
haven't tested through it except from home in the evenings.

noah

-- 
Noah Meyerhans                         System Administrator
MIT Computer Science and Artificial Intelligence Laboratory