On 2013-06-07 at 15:42 +0100, Ian Eiloart wrote:
> It might be better to accept only, say, 1% of authentication attempts.
> That would prevent the hacker from trivially detecting your trap (by
> authenticating to the same account with two different passwords). You
> could use the rate limit facility to increase the likelihood of
> success. Exim doesn't have, as far as I know, a random number
> generator, but you could perhaps use a hash of the
> username/password/date string.
As of Exim 4.70 (from 2009):
----------------------------8< cut here >8------------------------------
${randint:<n>}
This operator returns a somewhat random number which is less than the
supplied number and is at least 0. The quality of this randomness depends
on how Exim was built; the values are not suitable for keying material. If
Exim is linked against OpenSSL then RAND_pseudo_bytes() is used.
If Exim is linked against GnuTLS then gnutls_rnd(GNUTLS_RND_NONCE) is used,
for versions of GnuTLS with that function.
Otherwise, the implementation may be arc4random(), random() seeded by
srandomdev() or srandom(), or a custom implementation even weaker than
random().
----------------------------8< cut here >8------------------------------
The GnuTLS provider only came in with the GnuTLS revamp in 4.80.
-Phil
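As an added illustration (not part of either message above, and not Exim's own example config), here is how the 1% trap from Ian's suggestion can be wired up with the ${randint:} operator Phil quotes. The authenticator name "trap_plain" and the account name "trapuser" are assumptions; for the PLAIN mechanism Exim sets $auth2 to the login name and $auth3 to the password. It needs Exim 4.70 or later for ${randint:}.

```exim
# Added example, not from the original thread. A PLAIN authenticator that
# serves a single honeypot account and lets roughly 1 in 100 attempts
# through, so an attacker who tries two different passwords no longer
# sees both accepted. "trap_plain" and "trapuser" are made-up names.
trap_plain:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  # Accept only when the user is the trap account AND randint picks 0
  # out of 0..99 (about 1% of attempts, non-deterministic per attempt).
  server_condition = ${if and{{eq{$auth2}{trapuser}}{eq{${randint:100}}{0}}}}
  server_set_id = $auth2
  # Deterministic variant along the lines Ian describes: hash the login
  # name, password and UTC date, take one byte of the MD5 as hex, and
  # accept when it is 0 mod 100. The same guess then gets the same answer
  # for the whole day; ${eval:} accepts hex with a 0x prefix. Approximately
  # 1% (256 values mod 100 is not perfectly uniform).
  # server_condition = ${if and{{eq{$auth2}{trapuser}} \
  #   {eq{${eval:0x${substr_0_2:${md5:$auth2:$auth3:${substr_0_8:$tod_zulu}}} % 100}}{0}}}}
```

Whichever condition is used, the quoted manual text still applies: ${randint:} is fine for deciding whether to admit a probe, but its output must not be used as a password, token or key.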