Am 04.12.2010 19:49, schrieb Jeremy Harris:
> On 2010-12-04 10:06, Alexander Nagel wrote:
>> The logfile section of one mail which looks quite normal except the
>> A=cram authenticator:
>>
>> 2010-12-03 23:11:36 1POdqq-0005Dd-Lg<= notmylocale1@notmydomain1
>> H=static-mum-XX.XXX.XXX.XX.YYYY.net.in (ZZZZ.com) [XX.XXX.XXX.XX]
>> P=esmtpa A=cram: S=1541
>> id=bffc0c4db7014b5f85f70fd3366406e2@5596f1f9ac9a4e95972a770a95afed48
>> from<notmylocale1@notmydomain1> for notmylocale3@notmydomain3
>> 2010-12-03 23:11:40 1POdqt-0005Dd-Lp<= notmylocale2@notmydomain2
>> H=static-mum-XX.XXX.XXX.XX.YYY.net.in (ZZZZ.com) [XX.XXX.XX.XX] P=esmtpa
>> A=cram: S=1420
>> id=66f95d560e354a95905d29ba7a939ae3@266eba13b7e640dca0c0f1f0b0044aff
>> from<notmylocale2@notmydomain2> for notmylocale3@notmydomain3
>> 2010-12-03 23:11:40 1POdqq-0005Dd-Lg Completed QT=4s
> [...]
>> cram:
>> driver = cram_md5
>> public_name = CRAM-MD5
>> server_secret = ${lookup pgsql{PG_Q_AUTH_CRAMMD5}}
>> server_set_id = $auth1
>
> You should make the lookup return fail explicitly when pgsql returns no rows,
> otherwise it just returns an empty string. server_secret needs an explicit fail
> in order to fail the attempt at authorisation. See (e.g..)
>
> http://exim.org/exim-html-4.69/doc/html/spec_html/ch35.html#SECID176
>
> http://exim.org/exim-html-4.69/doc/html/spec_html/ch11.html#SECTexpop
> ( for ${lookup )
>
>
> Something along the lines of
> server_secret = ${lookup pgsql{PG_Q_AUTH_CRAMMD5} {$value} fail}
>
> What's happened is that your spammer has guessed, probably, a user name
> which does not exist in your database - and then tried to AUTH with it
> and any random password. Not hard, even for a really dumb spammer.
>
> Cheers,
> Jeremy
>
> PS: You're correct to be using the server config for the authenticator.
> Client would be when you want to use AUTH when initiating SMTP
> sessions to other servers.
>
Hi Jeremy,
thank you for your answer. It was very helpful. I have changed the line
"server_secret ..." like in your example and the example in chapter
35.1. I will check if I can add a test for empty passwords as well.
Perhaps it is possible somewhere in the ACL.
Cheers,
Alexander
