Re: [exim] cram config problem

Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] cram config problem
Alexander Nagel wrote:
>
>
> Am 04.12.2010 19:49, schrieb Jeremy Harris:
>> On 2010-12-04 10:06, Alexander Nagel wrote:
>>> The logfile section of one mail which looks quite normal except the
>>> A=cram authenticator:
>>>
>>> 2010-12-03 23:11:36 1POdqq-0005Dd-Lg<= notmylocale1@notmydomain1
>>> H=static-mum-XX.XXX.XXX.XX.YYYY.net.in (ZZZZ.com) [XX.XXX.XXX.XX]
>>> P=esmtpa A=cram: S=1541
>>> id=bffc0c4db7014b5f85f70fd3366406e2@5596f1f9ac9a4e95972a770a95afed48
>>> from<notmylocale1@notmydomain1>    for notmylocale3@notmydomain3
>>> 2010-12-03 23:11:40 1POdqt-0005Dd-Lp<= notmylocale2@notmydomain2
>>> H=static-mum-XX.XXX.XXX.XX.YYY.net.in (ZZZZ.com) [XX.XXX.XX.XX] P=esmtpa
>>> A=cram: S=1420
>>> id=66f95d560e354a95905d29ba7a939ae3@266eba13b7e640dca0c0f1f0b0044aff
>>> from<notmylocale2@notmydomain2>    for notmylocale3@notmydomain3
>>> 2010-12-03 23:11:40 1POdqq-0005Dd-Lg Completed QT=4s
>> [...]
>>> cram:
>>>             driver                  = cram_md5
>>>             public_name             = CRAM-MD5
>>>             server_secret           = ${lookup pgsql{PG_Q_AUTH_CRAMMD5}}
>>>             server_set_id           = $auth1
>>
>> You should make the lookup return fail explicitly when pgsql returns no rows,
>> otherwise it just returns an empty string. server_secret needs an explicit fail
>> in order to fail the attempt at authorisation. See (e.g.)
>>
>> http://exim.org/exim-html-4.69/doc/html/spec_html/ch35.html#SECID176
>>
>> http://exim.org/exim-html-4.69/doc/html/spec_html/ch11.html#SECTexpop
>> ( for ${lookup )
>>
>>
>> Something along the lines of
>>       server_secret = ${lookup pgsql{PG_Q_AUTH_CRAMMD5} {$value} fail}
>>
>> What's happened is that your spammer has guessed, probably, a user name
>> which does not exist in your database - and then tried to AUTH with it
>> and any random password. Not hard, even for a really dumb spammer.
>>
>> Cheers,
>>        Jeremy
>>
>> PS: You're correct to be using the server config for the authenticator.
>> Client would be when you want to use AUTH when initiating SMTP
>> sessions to other servers.
>>
>
> Hi Jeremy,
>
> thank you for your answer. It was very helpful. I have changed the line
> "server_secret ..." like in your example and the example in chapter
> 35.1. I will check if I can add a test for empty passwords as well.
> Perhaps it is possible somewhere in the ACL.
>
> Cheers,
> Alexander
>


Might help to simply do a slightly more complex select. As in:

<what you have now> WHERE <an 'active user' flag is true>

There should, of course, BE NO 'active user' flag set true for nonexistent
accounts...

;-)

Bill
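The following is an added illustration written for this archive page, not code from Exim or from anyone in the thread. It models in Python what the thread describes: a CRAM-MD5 server whose secret lookup either expands a missing row to the empty string (the original `${lookup pgsql{...}}` with no fail branch), forces an expansion failure (Jeremy's `{$value} fail` form), or additionally filters on an active-account column (Bill's `WHERE` suggestion). The user table, the `active` column name, the challenge string and the user names are constructed assumptions; the HMAC-MD5 exchange itself follows RFC 2195.

```python
import hashlib
import hmac

# Constructed sample rows standing in for the PostgreSQL table behind
# PG_Q_AUTH_CRAMMD5. The column names and the 'active' flag are assumptions.
USERS = {
    "alice": {"secret": "correct horse battery staple", "active": True},
    "bob":   {"secret": "old password",                 "active": False},
}

def lookup_no_fail(username):
    """Models ${lookup pgsql{...}} with no fail branch: a query that returns
    no rows expands to the empty string, and that string becomes the secret."""
    row = USERS.get(username)
    return row["secret"] if row else ""

def lookup_with_fail(username):
    """Models ${lookup pgsql{...}{$value} fail}: no rows means the expansion
    fails (None here), so the server rejects the AUTH attempt outright."""
    row = USERS.get(username)
    return row["secret"] if row else None

def lookup_active_with_fail(username):
    """Same as above, but the query also carries WHERE active = true, so a
    disabled account behaves exactly like a nonexistent one."""
    row = USERS.get(username)
    return row["secret"] if row and row["active"] else None

def client_response(username, password, challenge):
    """What an SMTP client sends back to a CRAM-MD5 challenge (RFC 2195):
    'username hex(HMAC-MD5(password, challenge))'."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{username} {digest}"

def server_verify(response, challenge, secret_lookup):
    """Server side: fetch the secret for the claimed user, recompute the
    HMAC-MD5 over the challenge and compare it in constant time."""
    username, _, client_digest = response.partition(" ")
    secret = secret_lookup(username)
    if secret is None:
        return False  # expansion failure -> authentication failure
    expected = hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, client_digest)

# Constructed challenge; a real server generates a fresh one per session.
CHALLENGE = "<1291413096.12345@mail.example>"

if __name__ == "__main__":
    ghost = client_response("nosuchuser", "", CHALLENGE)
    print("unknown user, lookup without fail:", server_verify(ghost, CHALLENGE, lookup_no_fail))
    print("unknown user, lookup with fail   :", server_verify(ghost, CHALLENGE, lookup_with_fail))
    stale = client_response("bob", "old password", CHALLENGE)
    print("disabled user, plain fail lookup :", server_verify(stale, CHALLENGE, lookup_with_fail))
    print("disabled user, active + fail     :", server_verify(stale, CHALLENGE, lookup_active_with_fail))
```

Running it shows why the log lines in the thread carried `A=cram`: with the no-fail lookup, an unknown user name paired with an empty password produces a digest that matches the server's HMAC over an empty secret, so the authenticator reports success. The `fail` form turns the missing row into a hard rejection, and the active-flag variant extends the same rejection to accounts that exist but are switched off.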