Re: [exim] Abused as spam relay with A=login:0 ??

Author: Andreas Metzler
Date:
To: exim-users
Subject: Re: [exim] Abused as spam relay with A=login:0 ??
Heiko Schlittermann <hs@???> wrote:
[...]
>    # login authentication using a clear text password file
>    login:
>      driver = plaintext
>      public_name = LOGIN
>      server_prompts = Username:: : Password::
>      server_condition = ${if eq{$2}{${lookup{$1}lsearch{/etc/exim4/passwd}}}{yes}{no}}
>      server_set_id = $1


> If there's an unknown user and an empty password this authenticator
> *will* succeed! Now I changed it a little bit:


>      server_condition = ${if eq{PLAIN\:$2}{${lookup{$1}lsearch{/etc/exim4/passwd}}}{yes}{no}}


> (and of course my password file as well, containing lines like 'user:PLAIN:xxx')


> My question: Is there a more elegant solution? In this case here it
> would be enough if failing lsearch could abort the complete condition.

[...]

Won't this
${if eq{$2}{${lookup{$1}lsearch{/etc/exim4/passwd}{$value}fail}}{yes}{no}}
work or alternatively
${if eq{$2}{${lookup{$1}lsearch{/etc/exim4/passwd}{$value}{supersecretstring}}}{yes}{no}}

cu andreas
-- 
The 'Galactic Cleaning' policy undertaken by Emperor Zhark is a personal
vision of the emperor's, and its inclusion in this work does not constitute
tacit approval by the author or the publisher for any such projects,
howsoever undertaken.                                (c) Jasper Ffforde
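
The fail-open case from the quoted message and the two conditions proposed in the reply, modelled in Python as an added example (not code from either poster or from Exim). The lsearch() helper is a simplified stand-in for Exim's lookup, and the password file contents and user names are constructed.

```python
# Simplified model of an Exim plaintext authenticator's server_condition.
# Not Exim code: lsearch() below only mimics a "key:value" file lookup.

PASSWD = "alice:wonderland\nbob:builder\n"   # constructed sample file

def lsearch(key, text=PASSWD):
    """Return the data for key, or None when the key is absent."""
    for line in text.splitlines():
        name, sep, data = line.partition(":")
        if sep and name.strip() == key:
            return data.strip()
    return None

def cond_original(user, password):
    # ${lookup{$1}lsearch{file}} expands to "" when the key is missing,
    # so eq{$2}{""} is true for an unknown user with an empty password.
    value = lsearch(user)
    return password == ("" if value is None else value)

def cond_forced_fail(user, password):
    # ${lookup{$1}lsearch{file}{$value}fail}: a miss is a forced failure,
    # which Exim treats as failed authentication.
    value = lsearch(user)
    if value is None:
        return False
    return password == value

def cond_sentinel(user, password, sentinel="supersecretstring"):
    # ${lookup{$1}lsearch{file}{$value}{sentinel}}: a miss compares the
    # password against the sentinel, so the sentinel must stay unguessable.
    value = lsearch(user)
    return password == (sentinel if value is None else value)

def outcomes(user, password):
    """Results for (original, forced-fail, sentinel) conditions."""
    return (cond_original(user, password),
            cond_forced_fail(user, password),
            cond_sentinel(user, password))

if __name__ == "__main__":
    for user, pw in [("alice", "wonderland"), ("mallory", ""),
                     ("mallory", "supersecretstring"), ("alice", "")]:
        print(f"{user!r:10} {pw!r:20} -> {outcomes(user, pw)}")
```

The third row shows that the fallback string in the second variant only holds as long as no client can guess it, while the forced-fail variant rejects every unknown user regardless of the password sent.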