On 31/10/13 12:27, Todd Lyons wrote:
> On Wed, Oct 30, 2013 at 5:35 AM, nick <xelp@???> wrote:
>> It allows any user in the LDAP tree to do smtp-auth and I am suffering from
>> spam-by-smtpauth as many of the user passwords
>> are insufficiently robust and/or the users have their password stolen by
>> malware.
>> I would very much like to fix this.
>>
>> The current authenticator:
>>
>> plain:
>> driver= plaintext
>> public_name = PLAIN
>> server_condition = ${if ldapauth \
>> {user="cn=${quote_ldap_dn:$2},o=southover,c=uk" \
>> pass=${quote:$3} \
>> ldap://ldap.southover.net/}{yes}{no}}
>> server_set_id=$2
>>
>> In the LDAP tree there is to be an attribute 'smtpauth' which is set TRUE or
>> FALSE by our control panel.
>> But I am unable to figure out the correct syntax required in the plaintext
>> authenticator - exim just barfs with my every feeble attempt.
>>
>> I would like to do something like this:
>>
>> server_condition = if
>> #check the smtpauth flag for TRUE
>> lookup
>> ldap{ldap:///o=southover,c=uk?mail?sub? (&
>> (cn=${quote_ldap_dn:$1})(smtpauth=${quote_ldap:TRUE}))}
>> and
>> #can this user do ldapauth:
>> ldapauth{user="cn=${quote_ldap_dn:$1},o=southover,c=uk" pass=${quote:$2}
>> ldap://ldap.southover.net/}
> Be mindful of which variables you are using in which authenticator.
> In the top one, $2 is the email address and $3 is the submitted
> password. In your attempts to check the smtpauth flag, you're using
> $1 and $2. For the PLAIN authenticator, you use $2 and $3. For the
> LOGIN authenticator, you use $1 and $2.
>
> ...Todd
Thanks for spotting my mistake Todd - I must have cut'n'pasted from the
wrong authenticator.
You have probably saved me an afternoon of head scratching.
n.
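
The following is an added example, not configuration posted by either participant: one way to combine the `smtpauth` flag check with the bind test in the PLAIN authenticator, using `$2` and `$3` as Todd describes. It assumes that ldap.southover.net permits the search without a prior bind and that the control panel stores the literal value TRUE in `smtpauth`.

```exim
# Added example (not from the thread). Assumptions: the search is allowed
# without a prior bind, and smtpauth holds the literal string TRUE.
plain:
  driver = plaintext
  public_name = PLAIN
  # PLAIN authenticator: $2 = submitted identity, $3 = submitted password.
  # Condition 1: exactly one entry with this cn and smtpauth=TRUE exists.
  # Condition 2: the submitted password binds as that user (ldapauth).
  # Both must hold; "and" stops at the first condition that fails.
  # quote_ldap escapes filter values, quote_ldap_dn escapes DN components.
  server_condition = ${if and{ \
      {eq{${lookup ldap{ldap://ldap.southover.net/o=southover,c=uk?cn?sub?(&(cn=${quote_ldap:$2})(smtpauth=TRUE))}{yes}{no}}}{yes}} \
      {ldapauth{user="cn=${quote_ldap_dn:$2},o=southover,c=uk" pass=${quote:$3} ldap://ldap.southover.net/}} \
    }{yes}{no}}
  server_set_id = $2
```

A LOGIN authenticator built the same way would use `$1` and `$2` in place of `$2` and `$3`.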