________________________________
From: John Jetmore <jj33@???>
To: Brian Spraker <spraker@???>
Cc: "exim-users@???" <exim-users@???>
Sent: Tuesday, September 27, 2011 8:02 PM
Subject: Re: [exim] Plain Authentication Failures
On Tue, Sep 27, 2011 at 6:29 PM, Brian Spraker <spraker@???> wrote:
> Hello all,
>
> Been struggling with a problem here. I am getting "535 incorrect authentication data" errors when folks attempt to use plain authentication.
>
> The odd thing is - I have users using Outlook and none of them appear to have the problems.
Outlook is likely using LOGIN while the others are using PLAIN. Just
guessing, but see below.
> Here is my authenticators config:
>
> begin authenticators
>
> plain:
> driver = plaintext
> public_name = PLAIN
> server_prompts = :
> server_set_id = $auth2
> server_condition = ${lookup mysql{SELECT user_uid FROM horde_users WHERE user_uid ='${quote_mysql:$1}' AND user_pass ='${quote_mysql:$2}'}{1}fail}
> server_advertise_condition = true
>
> login:
> driver = plaintext
> public_name = LOGIN
> server_prompts = "Username:: : Password::"
> server_condition = ${lookup mysql{SELECT user_uid FROM horde_users WHERE user_uid="$1" AND user_pass="$2"}{1}fail}
> server_set_id = $1
> server_advertise_condition = false
PLAIN and LOGIN both use the same plaintext driver, but the vars are
different. In LOGIN the login creds are in $1 and $2 (although $auth1
and $auth2 are preferred now). In PLAIN, the creds are in $2 and $3
($auth2 and $auth3).
So, your LOGIN authenticator is correctly using $1 and $2. Your PLAIN
authenticator is incorrectly using $1 and $2. Try, in PLAIN, changing
the user_uid condition to $2 ($auth2) and the user_pass condition to
$3 ($auth3).
> Here is the error in the log:
>
> 2011-09-27 17:10:19 plain authenticator failed for android_5efb516d7ad14990.domain.com (localhost) [192.168.254.33]: 535 Incorrect authentication data (set_id=user@???)
Note that the error correctly references the user credential as
user@???, which you set to $auth2 in the PLAIN authenticator,
but in your query you're using $1.
Also, I don't have a ton of mysql/exim experience, but it sure looks
like your LOGIN authenticator is a potential attack vector. You
should look into wrapping the user inputs ($1 and $2) in ${quote_mysql:...}
like PLAIN.
---------------------------------
Thank you for the help John. You hit the nail on the head and that completely took care of the problem. I had read something online about using $1 and then choosing $2 or $3 as the password, but that didn't work either.
I had a friend of mine assist with troubleshooting. The "server_advertise_condition" for "login:" was changed to false - and he could no longer authenticate via Outlook. So as you pointed out, Outlook uses the "login:" method.
After changing the $1 to a $2 and the $2 to a $3 in the "plain:" mechanism, the Android device worked perfectly.
As for the SQL injections - I was in the process of updating the "login:" authentication just before I sent this to the board, so that is why the "plain:" has that fixed and the "login:" didn't - but it is all done now.
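As an added illustration (not code from the thread or from Exim itself), the script below decodes the PLAIN and LOGIN exchanges the way Exim's plaintext driver fills $auth1..$auth3, which is why the original PLAIN condition (using $1/$2) compared the empty authorization id against user_uid and got a 535. The credentials and base64 strings are constructed samples.

```python
import base64

# Added example, not Exim's own code: maps each SASL field to the Exim
# $authN slot it lands in, so the correct slot numbers can be checked.


def decode_sasl_plain(response_b64):
    """Split an AUTH PLAIN response into ($auth1, $auth2, $auth3).

    RFC 4616 PLAIN is  authzid NUL authcid NUL password.  Exim's plaintext
    driver with server_prompts = : splits on NUL, so the (usually empty)
    authorization id is $auth1, the login name $auth2, the password $auth3.
    """
    fields = base64.b64decode(response_b64, validate=True).split(b"\0")
    if len(fields) != 3:
        raise ValueError("PLAIN needs exactly three NUL-separated fields")
    authzid, authcid, password = (f.decode("utf-8") for f in fields)
    return authzid, authcid, password


def decode_sasl_login(user_b64, password_b64):
    """AUTH LOGIN sends two separate base64 replies, filling ($auth1, $auth2)."""
    return (base64.b64decode(user_b64, validate=True).decode("utf-8"),
            base64.b64decode(password_b64, validate=True).decode("utf-8"))


def credentials(mechanism, *responses):
    """Return (username, password) using the slot numbering the thread settles on."""
    if mechanism == "PLAIN":
        _authzid, auth2, auth3 = decode_sasl_plain(*responses)
        # server_condition for PLAIN must compare $auth2 / $auth3 ($2 / $3)
        return auth2, auth3
    if mechanism == "LOGIN":
        auth1, auth2 = decode_sasl_login(*responses)
        # server_condition for LOGIN compares $auth1 / $auth2 ($1 / $2)
        return auth1, auth2
    raise ValueError("unsupported mechanism %r" % mechanism)


def encode_sasl_plain(user, password, authzid=""):
    """Build the client-side AUTH PLAIN response (used here to construct samples)."""
    raw = ("%s\0%s\0%s" % (authzid, user, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    # Constructed sample credentials, not taken from the thread.
    plain = encode_sasl_plain("user@example.com", "s3cret")
    print(decode_sasl_plain(plain))  # ('', 'user@example.com', 's3cret')
    print(credentials("PLAIN", plain))
    print(credentials("LOGIN", "dXNlckBleGFtcGxlLmNvbQ==", "czNjcmV0"))
```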
--
## List details at
https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at
http://www.exim.org/
## Please use the Wiki with this list -
http://wiki.exim.org/