Author: John Jetmore Date: To: Brian Spraker CC: exim-users@exim.org Subject: Re: [exim] Plain Authentication Failures
On Tue, Sep 27, 2011 at 6:29 PM, Brian Spraker <spraker@???> wrote:
> Hello all,
>
> Been struggling with a problem here. I am getting "535 incorrect authentication data" errors when folks attempt to use plain authentication.
>
> The odd thing is - I have users using Outlook and none of them appear to have the problems.
Outlook is likely using LOGIN while the others are using PLAIN. Just
guessing, but see below.
> Here is my authenticators config:
>
> begin authenticators
>
> plain:
> driver = plaintext
> public_name = PLAIN
> server_prompts = :
> server_set_id = $auth2
> server_condition = ${lookup mysql{SELECT user_uid FROM horde_users WHERE user_uid ='${quote_mysql:$1}' AND user_pass ='${quote_mysql:$2}'}{1}fail}
> server_advertise_condition = true
>
> login:
> driver = plaintext
> public_name = LOGIN
> server_prompts = "Username:: : Password::"
> server_condition = ${lookup mysql{SELECT user_uid FROM horde_users WHERE user_uid="$1" AND user_pass="$2"}{1}fail}
> server_set_id = $1
> server_advertise_condition = false
PLAIN and LOGIN both use the same plaintext driver, but the vars are
different. In LOGIN the login creds are in $1 and $2 (although $auth1
and $auth2 are preferred now). In PLAIN, the creds are in $2 and $3
($auth2 and $auth3).
So, your LOGIN authenticator is correctly using $1 and $2. Your PLAIN
authenticator is incorrectly using $1 and $2. Try, in PLAIN, changing
the user_uid condition to $2 ($auth2) and the user_pass condition to
$3 ($auth3).
> Here is the error in the log:
>
> 2011-09-27 17:10:19 plain authenticator failed for android_5efb516d7ad14990.domain.com (localhost) [192.168.254.33]: 535 Incorrect authentication data (set_id=user@???)
Note that the error correctly references the user credential as
user@???, which you set to $auth2 in the PLAIN authenticator,
but in your query you're using $1.
Also, I don't have a ton of mysql/exim experience, but it sure looks
like your LOGIN authenticator is a potential attack vector. You
should look into wrapping the user inputs ($1 and $2) in ${quote_mysql
like PLAIN.
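As an added worked example (not code from this thread or from Exim itself), the script below decodes a constructed SASL PLAIN blob and a constructed LOGIN reply pair into the positional variables John describes ($auth1/$auth2/$auth3 for PLAIN, $auth1/$auth2 for LOGIN), builds the thread's lookup query from whichever variables are selected, and applies a simplified re-implementation of Exim's ${quote_mysql:} operator. The sample credentials are made up, and the exact set of characters quote_mysql escapes is assumed from Exim's MySQL lookup code rather than taken from the thread.

```python
import base64

# Constructed sample credentials (not from the original thread). The password
# deliberately contains a double quote so the quoting difference is visible.
SAMPLE_USER = "user@example.com"
SAMPLE_PASS = 'pa"ss'

# SASL PLAIN: the client sends one base64 blob of "authzid NUL authcid NUL password".
# Exim's plaintext driver splits it on NUL into $auth1, $auth2, $auth3 ($1, $2, $3),
# so the username lands in $auth2 and the password in $auth3.
PLAIN_BLOB = base64.b64encode(("\0" + SAMPLE_USER + "\0" + SAMPLE_PASS).encode()).decode()

# SASL LOGIN: two prompts, two base64 replies, so $auth1 = username, $auth2 = password.
LOGIN_USER_REPLY = base64.b64encode(SAMPLE_USER.encode()).decode()
LOGIN_PASS_REPLY = base64.b64encode(SAMPLE_PASS.encode()).decode()


def plain_vars(blob_b64):
    """Map a PLAIN blob to the positional variables Exim exposes to server_condition."""
    fields = base64.b64decode(blob_b64).decode("utf-8").split("\0")
    if len(fields) != 3:
        raise ValueError("PLAIN data must have exactly three NUL-separated fields")
    return {"$auth1": fields[0], "$auth2": fields[1], "$auth3": fields[2]}


def login_vars(user_b64, pass_b64):
    """Map the two LOGIN prompt replies to Exim's variables."""
    return {"$auth1": base64.b64decode(user_b64).decode("utf-8"),
            "$auth2": base64.b64decode(pass_b64).decode("utf-8")}


def quote_mysql(s):
    """Approximation of ${quote_mysql:...}: backslash-escape quotes and backslashes and
    rewrite newline/CR/tab as \\n, \\r, \\t (escape set assumed from Exim's lookup code)."""
    out = []
    for ch in s:
        if ch in "\\'\"":
            out.append("\\" + ch)
        elif ch == "\n":
            out.append("\\n")
        elif ch == "\r":
            out.append("\\r")
        elif ch == "\t":
            out.append("\\t")
        else:
            out.append(ch)
    return "".join(out)


def condition_query(auth_vars, user_var, pass_var, quoted=True):
    """Build the lookup the thread's server_condition runs, from the chosen variables."""
    user, password = auth_vars[user_var], auth_vars[pass_var]
    if quoted:
        return (f"SELECT user_uid FROM horde_users WHERE user_uid ='{quote_mysql(user)}'"
                f" AND user_pass ='{quote_mysql(password)}'")
    # Unquoted form, as in the thread's LOGIN authenticator: a quote character in the
    # submitted value becomes part of the SQL syntax instead of part of the literal.
    return f'SELECT user_uid FROM horde_users WHERE user_uid="{user}" AND user_pass="{password}"'


if __name__ == "__main__":
    p = plain_vars(PLAIN_BLOB)
    print("PLAIN vars :", p)                                   # $auth1 is the empty authzid
    print("$1/$2 query:", condition_query(p, "$auth1", "$auth2"))  # compares '' and the username
    print("$2/$3 query:", condition_query(p, "$auth2", "$auth3"))  # the fix John suggests
    l = login_vars(LOGIN_USER_REPLY, LOGIN_PASS_REPLY)
    print("LOGIN vars :", l)
    print("unquoted   :", condition_query(l, "$auth1", "$auth2", quoted=False))
    print("quoted     :", condition_query(l, "$auth1", "$auth2"))
```

Running it shows why the log line could name the right user (set_id=$auth2) while the lookup still failed: with $1/$2 the query compares user_uid against the empty authzid and user_pass against the username. The unquoted LOGIN query ends up with an odd number of double quotes once the password contains one, which is the malformed-SQL case ${quote_mysql:} prevents.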