Author: Phil Pennock Date: To: John Doe CC: exim-users Subject: Re: [exim] mysql authentication problem...
On 2009-10-09 at 08:40 -0700, John Doe wrote: > From: Mike Cardwell <exim-users@???>
> > You're open to SQL injection attacks as you haven't escaped apostrophes
> > in the login name or password. For example:
> >
> > login = '$2'
> >
> > Should be:
> >
> > login = '${quote_mysql:$2}'
>
> Thx for the fix! So:
>
> AUTH_PLAIN_QUERY = SELECT login FROM emails WHERE login = '${quote_mysql:$2}' \
> AND password = MD5('${quote_mysql:$3}')
> AUTH_LOGIN_QUERY = SELECT login FROM emails WHERE login = '${quote_mysql:$1}' \
> AND password = MD5('${quote_mysql:$2}')
Since you're on 4.63, you can also use $auth2 instead of $2, for clarity
(just double-checked, the clearer names were introduced in 4.61).
> I have another question: how can I allow only encrypted/authenticated connections?
In the ACL logic for the MAIL or RCPT commands, you write rules which
state that if not on port 25, then you "require" an encrypted connection
and you require that $authenticated_id be set; that's part of what your
using server_set_id buys you.
RCPT probably better, some clients allegedly get confused if the MAIL
command fails.
The cleanest way of doing it is likely to be to have a sub-ACL for doing
the check, which returns accept for port 25, or for both authenticated
and encrypted, else returns reject, and then use "require acl = ..." in
the RCPT logic.
