Firstly, Happy Retirement Phil, and thank you for a
great piece of software. And despite my flounderings
(nis problems) I *do* read your excellent docs :).
My current headache is this:
I'm testing authorisation using exim -bh on a system which
uses /etc/shadow for its passwd source. That file is owned
by group 'shadowgroup' of which exim is a member, and is
group-readable.
auth_advertise_hosts is set such that non-lab IP addresses
will get AUTH PLAIN LOGIN advertised.
If I telnet into port 25 on the exim server from a non-lab host,
I can authenticate with a mimencoded string as expected.
If I run 'exim -bh ipaddr' (where ipaddr is that of the external
host above) and go through the same SMTP steps, the authentication
fails, and logs 'permission denied' for /etc/shadow. It doesn't matter
whether I run it as root or as a user (and presumably it shouldn't,
as it's suid-root anyway).
This is part of my attempt to investigate another problem, which may
be relevant. The check on /etc/shadow is done in the authenticators
section by:
  fixed_plain:
    driver = plaintext
    public_name = PLAIN
    server_prompts = :
    server_condition = ${if crypteq{$3}\
      {${extract{1}{:}{${lookup{$2}lsearch{/etc/shadow}{$value}}}}\
      }{yes}{no}}
Although this works (people successfully authenticate from offsite),
looking closely, I see that the 'extract' function is actually extracting
the wrong field, field-1, which is the userid field of /etc/shadow.
The docs say field numbering starts at 1, so this should be failing...
Any suggestions please?
Cheers,
Terry
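
Why field 1 is the password hash in the authenticator above, as an added example that is not part of the original post: an lsearch lookup returns the rest of the line after the key, so the userid has already been removed from $value before extract counts fields. The Python below is a simplified model of that behaviour (continuation lines and quoted keys are ignored); the function names and the sample shadow lines are constructed for illustration.

```python
# Simplified model of Exim's lsearch lookup and ${extract}, written for this
# example (not Exim code; continuation lines and quoted keys are ignored).

# Constructed sample in /etc/shadow layout; the hashes are placeholders.
SAMPLE_SHADOW = """\
# constructed sample, not a real shadow file
root:$6$CONSTRUCTEDsalt$CONSTRUCTEDhashROOT:19000:0:99999:7:::
terry:$6$CONSTRUCTEDsalt$CONSTRUCTEDhashTERRY:19000:0:99999:7:::
locked:!:19000:0:99999:7:::
"""

def lsearch(key, text):
    """Return the data for key: the rest of the line AFTER the key, or None."""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments are skipped
        end = 0
        while end < len(line) and line[end] != ":" and not line[end].isspace():
            end += 1  # the key ends at a colon or white space
        if line[:end] != key:
            continue
        rest = line[end:].lstrip()
        if rest.startswith(":"):
            rest = rest[1:].lstrip()
        return rest  # the key and its terminator are not part of the data
    return None

def extract(number, separators, string):
    """Return field `number` (numbered from 1) of string, or None."""
    fields, current = [], ""
    for ch in string:
        if ch in separators:
            fields.append(current)
            current = ""
        else:
            current += ch
    fields.append(current)
    return fields[number - 1] if 1 <= number <= len(fields) else None

def shadow_hash(user, text=SAMPLE_SHADOW):
    """Model of ${extract{1}{:}{${lookup{$2}lsearch{/etc/shadow}{$value}}}}."""
    value = lsearch(user, text)
    return None if value is None else extract(1, ":", value)

if __name__ == "__main__":
    print("$value :", lsearch("terry", SAMPLE_SHADOW))
    print("field 1:", shadow_hash("terry"))
```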