[exim] SPA Authentication

Author: Martin Nicholas
Date:  
To: exim-users
Subject: [exim] SPA Authentication
The example in the Exim 4.50 documentation (Chap: 37.1) contains the
"Unknown User/Empty Password" security hole.

It should read like this:
>   spa:
>     driver = spa
>     public_name = NTLM
>     server_password = \
>       ${lookup{$1}lsearch{/etc/exim/spa_clearpass}{$value}fail}


Note the addition of "{$value}fail"

As a footnote, Outlook Express 6 now seems to employ SPA with the logged on 
user's username and password as a first attempt. With a lot of XP 
installations (Username plus an empty password), this would go straight 
through the hole!
It then goes on to try, using SPA, any other user/passwords it has:
    From a cache.
    User defined.
    From a prompt to the user.


OE6 may well still use the authentication methods in the order offered by
Exim. I haven't checked this. I list the PLAINTEXT authenticators after
encrypted ones.

--
Regards,

Martin Nicholas.

E-mail: reply-2005@???
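A model of the expansion behaviour behind the hole described in this post, added here as an illustration and not part of the original message or of Exim's code. It assumes a constructed `spa_clearpass` file and replaces the NTLM challenge/response with a direct comparison, which gives the same accept/reject outcome because the server derives its expected response from whatever `server_password` expands to.

```python
# Model of Exim's server_password expansion for the spa authenticator,
# showing why a bare lookup accepts unknown users with an empty password.
# Illustrative re-implementation; not Exim code.

class ExpansionFailed(Exception):
    """Stands in for an Exim forced expansion failure (the 'fail' branch)."""

# Constructed sample of /etc/exim/spa_clearpass (lsearch format: "key: value").
SPA_CLEARPASS = """\
# user: cleartext password
alice: s3cret
bob: hunter2
"""

def lsearch(key, data):
    """Linear search of 'key: value' lines; None when the key is absent."""
    for line in data.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        k, _, v = line.partition(":")
        if k.strip() == key:
            return v.strip()
    return None

def server_password(user, strict):
    """Expand ${lookup{$1}lsearch{...}} with (strict) or without {$value}fail."""
    value = lsearch(user, SPA_CLEARPASS)
    if value is not None:
        return value                  # {$value}: success branch
    if strict:
        raise ExpansionFailed(user)   # fail: expansion fails, so authentication fails
    return ""                         # no failure branch: Exim substitutes the empty string

def authenticate(user, password, strict):
    """True when the SPA exchange would succeed for this user/password.
    The NTLM challenge/response is replaced by a direct comparison; the
    outcome is the same because the expected response is derived from
    whatever server_password expanded to (an empty string for unknown users)."""
    try:
        expected = server_password(user, strict)
    except ExpansionFailed:
        return False
    return password == expected
```

With `strict=False` an unknown user presenting an empty password is accepted, which is exactly the case an XP account with no password would hit; with `strict=True` the lookup miss forces the expansion to fail and the login is rejected.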