Re: [exim] Cram authentication and domain-specific password …

Author: Dominic Benson
Date:  
To: exim-users
Subject: Re: [exim] Cram authentication and domain-specific password file
On 01/07/15 09:55, Jonas Meurer wrote:
>
> Ok, got that now. The following statement splits the username on '@'
> and looks up the password for user <LOCALPART> in password file
> /etc/vmail/users/<DOMAIN>:
>
> vmail_auth_cram:
>   server_debug_print = "A: vmail-authenticator cram-md5 for $auth1"
>   driver = cram_md5
>   public_name = CRAM-MD5
>   server_secret = \
>     ${lookup{${extract{1}{@}{$auth1}}} \
>       lsearch{VMAIL_USERS_DOMAINS/${extract{2}{@}{$auth1}}} \
>       {$value} \
>       fail \
>      }
>   server_set_id = ${extract{1}{@}{$auth1}}
>

On the face of it, this looks a bit dangerous - attempting auth with a
contrived domain (e.g. with ../ or suchlike in it) could cause the
lsearch to happen against an unintended file - possibly one in a
location controlled by an attacker.

I think you should look up the domain part first to ensure that it is
one that you have set up.

Dominic
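The check Dominic recommends, written out as an added example rather than anything from the thread: the domain part of $auth1 is validated against an allow-list of hosted domains (and confirmed to resolve inside the users directory) before any per-domain file is consulted, so a contrived domain such as `../../etc/shadow` never reaches the lookup. The Python below models the Exim expansion rather than running Exim; the hosted domains, the base directory `/etc/vmail/users` and the in-memory lsearch-style password files are all constructed sample data.

```python
import posixpath

# Constructed sample data (not from the thread): the domains this server
# hosts, and lsearch-style password files ("key: value" per line) kept in
# memory, keyed by the path Exim would read, so the example runs offline.
BASE_DIR = "/etc/vmail/users"
HOSTED_DOMAINS = {"example.com", "example.net"}
PASSWORD_FILES = {
    "/etc/vmail/users/example.com": "# user: secret\nalice: s3cret\nbob: hunter2\n",
}


def split_auth_user(auth1):
    """Split 'localpart@domain' into its two parts, like
    ${extract{1}{@}{$auth1}} and ${extract{2}{@}{$auth1}}.
    Returns None when the string is not exactly localpart@domain
    (stricter than Exim's extract, which just takes fields 1 and 2)."""
    parts = auth1.split("@")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return None
    return parts[0], parts[1]


def domain_file_path(domain):
    """Return the password file for a hosted domain, or None when the
    domain is not in the allow-list or the resulting path would escape
    BASE_DIR. The allow-list is the real control; the path check is a
    second line of defence in case the list itself is ever mis-edited."""
    if domain not in HOSTED_DOMAINS:
        return None
    path = posixpath.normpath(posixpath.join(BASE_DIR, domain))
    if posixpath.dirname(path) != posixpath.normpath(BASE_DIR):
        return None
    return path


def lsearch(text, key):
    """Minimal model of an Exim lsearch: first non-comment line whose key
    (the text before ':') equals `key` yields its value, else None."""
    for line in text.splitlines():
        if line.startswith("#") or ":" not in line:
            continue
        k, v = line.split(":", 1)
        if k.strip() == key:
            return v.strip()
    return None


def server_secret(auth1, files=PASSWORD_FILES):
    """Model of the hardened server_secret expansion: validate the domain
    first, then look the localpart up in that domain's file. None stands
    in for Exim's `fail` (authentication is refused)."""
    parsed = split_auth_user(auth1)
    if parsed is None:
        return None
    localpart, domain = parsed
    path = domain_file_path(domain)
    if path is None:
        return None
    text = files.get(path)  # in Exim this is the file read by lsearch
    if text is None:
        return None
    return lsearch(text, localpart)


if __name__ == "__main__":
    for user in ("alice@example.com", "carol@example.com",
                 "alice@../../etc/shadow", "alice"):
        print(f"{user!r:32} -> {server_secret(user)!r}")
```

In a real Exim configuration the same ordering is achieved by testing the domain (for example against a domainlist of hosted domains) in the expansion before the lsearch runs; the point of the model is that the file name is only ever built from a value that has already passed that test.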