John Doe wrote:
>> You're open to SQL injection attacks as you haven't escaped apostrophes
>> in the login name or password. For example:
>>
>> login = '$2'
>>
>> Should be:
>>
>> login = '${quote_mysql:$2}'
>
> Thx for the fix! So:
>
> AUTH_PLAIN_QUERY = SELECT login FROM emails WHERE login = '${quote_mysql:$2}' \
> AND password = MD5('${quote_mysql:$3}')
> AUTH_LOGIN_QUERY = SELECT login FROM emails WHERE login = '${quote_mysql:$1}' \
> AND password = MD5('${quote_mysql:$2}')
>
> I have another question: how can I allow only encrypted/authenticated connections?
By specifying this in your authenticator you're saying "Only advertise
authentication as an available option if the connection is already
encrypted":
server_advertise_condition = ${if def:tls_cipher }
If the client tries to use a feature that hasn't been advertised,
they'll get an error. So as it stands, you shouldn't be able to
authenticate unless the connection is encrypted... Is that not what
you're seeing?
--
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226)
http://cardwellit.com/
Technical Blog:
https://secure.grepular.com/blog/
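As an added illustration (not code from the thread or from Exim itself), the following Python models Exim's `$N` substitution and a `quote_mysql` escape for the two `AUTH_PLAIN_QUERY` forms discussed above. It assumes Exim's MySQL escape set is newline, tab, carriage return, backspace, both quote characters and backslash; check your Exim version's `quote_mysql` before relying on that list. A login containing an ordinary apostrophe leaves the unquoted query with an unbalanced string literal, while the `${quote_mysql:...}` form keeps the whole value inside one literal.

```python
import re

# Escape table modelled on Exim's quote_mysql (assumption: this is the set of
# characters Exim's MySQL lookup escapes; confirm against your Exim release).
_QUOTE_MYSQL = {
    "\n": "\\n", "\t": "\\t", "\r": "\\r", "\b": "\\b",
    "'": "\\'", '"': '\\"', "\\": "\\\\",
}


def quote_mysql(value: str) -> str:
    """Escape characters that could end or alter a MySQL string literal."""
    return "".join(_QUOTE_MYSQL.get(ch, ch) for ch in value)


# Matches either ${quote_mysql:$N} or a bare $N (N is 1-based, as in Exim).
_TOKEN = re.compile(r"\$\{quote_mysql:\$(\d)\}|\$(\d)")


def expand(template: str, args: list) -> str:
    """Substitute authenticator variables into a query template."""
    def sub(m):
        if m.group(1):  # quoted form
            return quote_mysql(args[int(m.group(1)) - 1])
        return args[int(m.group(2)) - 1]  # bare, unquoted form
    return _TOKEN.sub(sub, template)


# The two query shapes from the thread: unquoted (vulnerable) and quoted.
UNSAFE_QUERY = ("SELECT login FROM emails WHERE login = '$2' "
                "AND password = MD5('$3')")
SAFE_QUERY = ("SELECT login FROM emails WHERE login = '${quote_mysql:$2}' "
              "AND password = MD5('${quote_mysql:$3}')")


def unescaped_quotes(sql: str) -> int:
    """Count single quotes not preceded by a backslash; even means balanced."""
    count, i = 0, 0
    while i < len(sql):
        if sql[i] == "\\":
            i += 2  # skip the escaped character
            continue
        if sql[i] == "'":
            count += 1
        i += 1
    return count


# Constructed AUTH PLAIN arguments: $1 authorization id (empty), $2 login, $3 password.
SAMPLE_ARGS = ["", "o'brien", "s3cret"]

if __name__ == "__main__":
    for name, tmpl in (("unquoted", UNSAFE_QUERY), ("quoted", SAFE_QUERY)):
        sql = expand(tmpl, SAMPLE_ARGS)
        print(f"{name}: {sql}\n  balanced={unescaped_quotes(sql) % 2 == 0}")
```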