On Wed, Oct 30, 2013 at 5:35 AM, nick <xelp@???> wrote:
> It allows any user in the LDAP tree to do smtp-auth and I am suffering from
> spam-by-smtpauth as many of the user passwords
> are insufficiently robust and/or the users have their password stolen by
> malware.
> I would very much like to fix this.
>
> The current authenticator:
>
> plain:
> driver= plaintext
> public_name = PLAIN
> server_condition = ${if ldapauth \
> {user="cn=${quote_ldap_dn:$2},o=southover,c=uk" \
> pass=${quote:$3} \
> ldap://ldap.southover.net/}{yes}{no}}
> server_set_id=$2
>
> In the LDAP tree there is to be an attribute 'smtpauth' which is set TRUE or
> FALSE by our control panel.
> But I am unable to figure out the correct syntax required in the plaintext
> authenticator - exim just barfs with my every feeble attempt.
>
> I would like to do something like this:
>
> server_condition = if
> #check the smtpauth flag for TRUE
> lookup
> ldap{ldap:///o=southover,c=uk?mail?sub? (&
> (cn=${quote_ldap_dn:$1})(smtpauth=${quote_ldap:TRUE}))}
> and
> #can this user do ldapauth:
> ldapauth{user="cn=${quote_ldap_dn:$1},o=southover,c=uk" pass=${quote:$2}
> ldap://ldap.southover.net/}

Be mindful of which variables you are using in which authenticator.
In the top one, $2 is the email address and $3 is the submitted
password. In your attempts to check the smtpauth flag, you're using
$1 and $2. For the PLAIN authenticator, you use $2 and $3. For the
LOGIN authenticator, you use $1 and $2.
...Todd
--
The total budget at all receivers for solving senders' problems is $0.
If you want them to accept your mail and manage it the way you want,
send it the way the spec says to. --John Levine
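
The variable numbering from the reply above, applied to the PLAIN authenticator in the question; this is an added example, not configuration posted by anyone in the thread. It assumes the `smtpauth` attribute holds the literal string TRUE, that the directory permits the search without an explicit bind, and it reuses the host and base DN from the quoted configuration.

```exim
# PLAIN: $1 = authorization id, $2 = login name, $3 = password.
# All three sub-conditions must hold before authentication succeeds:
#   1. the password is non-empty (some LDAP servers treat a bind with an
#      empty password as an anonymous bind, which would succeed)
#   2. the entry for this cn carries smtpauth=TRUE (value assumed to be
#      the exact string TRUE; a missing entry or attribute yields "")
#   3. the user can bind to the directory with the submitted password
# quote_ldap is used inside the search filter, quote_ldap_dn inside the DN.
plain:
  driver = plaintext
  public_name = PLAIN
  server_condition = ${if and{ \
      {!eq{$3}{}} \
      {eq{${lookup ldap{ldap://ldap.southover.net/o=southover,c=uk?smtpauth?sub?(cn=${quote_ldap:$2})}{$value}{}}}{TRUE}} \
      {ldapauth{user="cn=${quote_ldap_dn:$2},o=southover,c=uk" pass=${quote:$3} ldap://ldap.southover.net/}} \
    }{yes}{no}}
  server_set_id = $2
```

A LOGIN authenticator would use the same expression with `$1` in place of `$2` and `$2` in place of `$3`. Setting `smtpauth` to FALSE for an account then blocks SMTP AUTH for it even when the password is still valid, which is the control wanted for accounts with stolen or weak passwords.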