[exim-dev] [Bug 1556] New: Exim incorrectly checks for ident…

Top Page
Delete this message
Reply to this message
Author: Don
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 1556] New: Exim incorrectly checks for ident (rfc1413) thus making is useless
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=1556
           Summary: Exim incorrectly checks for ident (rfc1413) thus making
                    is useless
           Product: Exim
           Version: N/A
          Platform: Other
        OS/Version: Windows
            Status: NEW
          Severity: bug
          Priority: medium
         Component: Delivery in general
        AssignedTo: nigel@???
        ReportedBy: do1@???
                CC: exim-dev@???



* Background:

Ident _is_ actually useful when target server is trusted. Which is certainly
valid for local connections. I want to identify users sending mail locally
directly via 25 port (as opposed via sendmail program). So I install
identd/authd and close it with firewall from external connections, allowing
local connections.

In ident/rfc1413 connections are identified with "local address, local port,
remote address, remote port", where ports are sent as a text, but addresses are
signalled to remote rfc1413 daemon by connection itself.

This is reasonable, because, there can be many different connections having
same "local port, remote address, remote port" but different "local address" on
multi-homed boxes. And any box is multi-homed in regard of local connections -
having local address (127.0.0.1) and external Internet address.

Thus, it's important when identifying connection to make it back from exactly
same IP address to which it come to us.

* Problem:

Exim don't care to bind local part of ident request connections to actual
incoming connection address, thus, issuing wrong requests to remote rfc1413
servers. As a consequence, its getting frequently ERROR:NO-USER where user is
actually identifiable. (Collateral problem, is that remote servers frequently
time-out wrong requests (to non-existing connections) to fight brute force
attacks, forcing Exim to wait full rfc1413_query_timeout, instead of instant
answer.)

Problem is most prominent for local connections, where Exim ident requests
always come from 127.0.0.1 when local user is connected to external address of
server. Additional concern is server with multiple IPs (frequent for web
hosting), then ident requests just going from default external IP instead of
actual IP of incoming connection that need to identified.

I see that ident request performed in src/verify.c with plain ip_connect()
without any care to the properly binding source address.

Please fix!


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email