Author: Phil Pennock Date: To: Todd Lyons CC: exim-dev Subject: Re: [exim-dev] Remembering failed login id
On 2013-09-12 at 09:46 -0700, Todd Lyons wrote: > The (very small) patch is attached. It builds without error for me.
> Look towards the end of this message for session captures illustrating
> its function.
If I try 2000 AUTH commands in one session, this will only capture the
last one, right?
I think the core code change is probably right, but I'd look at adding a
failure_log option to the generic authenticator support so that logs can
be written as each auth attempt fails.
I'd also check to see if it's safest to string-escape the failed auth id
immediately, so that it can't contain newlines etc, so it's always safe
for logging. The protection against this is normally that _valid_ auth
ids are centrally allocated and trusted to not be malicious. But it
might be that the string handling will always handle this safely. Easy
test: send an authid to your patched install which has embedded
newlines and colons, etc. After all, the only character that can't be
inside a PLAIN authid is the ASCII NUL.
Then for the examples, based only on the code you already have, I'd look
to applying this check into the AUTH ACL too, by the rate-limits. Heck,
if it were me, I'd have a bounded exponential back-off timer, so that
each evaluation of AUTH doubles a delay timer, as well as being
otherwise rate-limited.
