The example in the Exim 4.50 documentation (Chap: 37.1) contains the
"Unknown User/Empty Password" security hole.
It should read like this:
> spa:
> driver = spa
> public_name = NTLM
> ${lookup{$1}lsearch{/etc/exim/spa_clearpass}{$value}fail}
Note the addition of "{$value}fail".
As a footnote, Outlook Express 6 now seems to employ SPA with the logged on
user's username and password as a first attempt. With a lot of XP
installations (username plus an empty password), this would go straight
through the hole!
It then goes on to try, using SPA, any other user/passwords it has:
  - from a cache;
  - user defined;
  - from a prompt to the user.
OE6 may well still use the authentication methods in the order offered by
Exim. I haven't checked this. I list the PLAINTEXT authenticators after
encrypted ones.
--
Regards,
Martin Nicholas.
E-mail: reply-2005@???
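The difference between the two spa examples comes down to what the lookup expansion yields when the username is not in the file. The following Python model is an added example, not code from the post or from Exim: it reimplements the lsearch lookup over a constructed spa_clearpass file and models the two expansions, one returning an empty string on a miss and one forcing the expansion to fail. The authenticator is simplified to a direct comparison of the expanded server password with what the client presented (real SPA/NTLM is a challenge-response computed from that cleartext, but the outcome for an empty password is the same); the usernames and passwords are constructed sample data.

```python
# Added example (not from the post or from Exim). Models why the documentation's
# original spa example accepts an unknown user with an empty password, and why
# appending "fail" to the lookup closes that hole.

# Constructed stand-in for /etc/exim/spa_clearpass: "user: cleartext-password" lines.
SPA_CLEARPASS = """\
# constructed sample data
alice: s3cret
bob: hunter2
"""


def lsearch(data: str, key: str):
    """Linear search of a 'key: value' file, as Exim's lsearch lookup does.
    Returns the value for the first matching key, or None on a miss."""
    for line in data.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        k, _, v = line.partition(":")
        if k.strip() == key:
            return v.strip()
    return None


class ExpansionFailed(Exception):
    """Stands in for Exim's forced expansion failure ("fail" in an expansion)."""


def expand_without_fail(username: str) -> str:
    # ${lookup{$1}lsearch{/etc/exim/spa_clearpass}{$value}}
    # With no failure clause, a missed lookup expands to the empty string,
    # so the server password for an unknown user becomes "".
    value = lsearch(SPA_CLEARPASS, username)
    return value if value is not None else ""


def expand_with_fail(username: str) -> str:
    # ${lookup{$1}lsearch{/etc/exim/spa_clearpass}{$value}fail}
    # A missed lookup now forces the expansion to fail instead of yielding "".
    value = lsearch(SPA_CLEARPASS, username)
    if value is None:
        raise ExpansionFailed(username)
    return value


def spa_authenticate(username: str, password: str, expand) -> bool:
    """Simplified authenticator: a forced expansion failure rejects the client;
    otherwise the presented password must equal the expanded server password.
    (Real SPA/NTLM compares challenge responses derived from that password;
    an empty server password still matches an empty client password.)"""
    try:
        expected = expand(username)
    except ExpansionFailed:
        return False
    return expected == password


if __name__ == "__main__":
    for name, expand in (("without fail", expand_without_fail),
                         ("with fail", expand_with_fail)):
        print(name, "alice/s3cret ->", spa_authenticate("alice", "s3cret", expand))
        print(name, "unknown/'' ->", spa_authenticate("unknown", "", expand))
```

Running the module shows a known user authenticating under both expansions, while the unknown user with an empty password is accepted only under the expansion without "fail": that is the hole the post describes, and forcing the expansion to fail is what closes it.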