Re: [exim] Plain Authentication Failures

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Phil Pennock
Date:  
À: exim-users
Sujet: Re: [exim] Plain Authentication Failures
On 2011-09-27 at 15:29 -0700, Brian Spraker wrote:
>     public_name = PLAIN


This should be used by most things except Outlook.

>     public_name = LOGIN


This is probably being used by Outlook.

>     server_condition = ${lookup mysql{SELECT user_uid FROM horde_users WHERE user_uid="$1" AND user_pass="$2"}{1}fail}


This is a MySQL injection attack vector because you're not using
quote_mysql, as you do in the PLAIN case.

> Just not understanding why it is working for those using Outlook without any troubles - but it isn't working with the Android device and causing issues for one of my providers using PHP to send messages.


SASLprep normalisation by the Android client or Outlook, and not by the
other? Are the users using non-ASCII characters in their passwords?

Or lack of normalisation and non-ASCII characters and different
character sets in use.

-Phil