On Tue, Feb 4, 2014 at 5:42 AM, <Lena@???> wrote:
>> router gets blocked when one device tries to use our mail servers as a
>> relay without a username defined.
>
> Authentication with empty username?
> Or without authentication?
>
> Did you encounter athentication with empty username in practice?
> If without authentication then the MUA gets "5xx relaying denied",
> and the code isn't triggered.
> I'd think that if username isn't defined then the MUA shouldn't try
> to authenticate.
After analyzing and digging a little bit, I now know where these blank
usernames come from. Part of my auth configuration checks if the
email address being logged in with actually exists:
server_condition = ${if and { \
{!eq{$auth1}{}} \
{!eq{$auth2}{}} \
{ crypteq{$auth2}{\{crypt\}${lookup mysql{SELECT u.password
FROM user u JOIN email e ON u.email_id=e.id JOIN domain d ON
e.domain_id=d.id JOIN website AS w ON w.user_id=d.user_id WHERE
e.name=substring_index('${quote_mysql:$auth1}','@',1) AND
d.name=substring_index('${quote_mysql:$auth1}','@',-1) AND e.active=1
and d.active=1 AND w.status_id<=4;}{$value}fail}} } \
}}${acl{hash}{$auth1,$auth2}}
So when someone attempts a login with a bare username or an email
address that is invalid, the server condition fails, so various things
don't get set, so the quit/not_quit acl's don't have all the data.
*BUT THAT IS OK* Your current incarnation detects it and still blocks
things properly. It works fantastically.
...Todd
--
The total budget at all receivers for solving senders' problems is $0.
If you want them to accept your mail and manage it the way you want,
send it the way the spec says to. --John Levine
