On Tue, 24 Sep 2019 at 11:48, Jasen Betts via Exim-users <
exim-users@???> wrote:
> On 2019-09-24, Odhiambo Washington via Exim-users <exim-users@???>
> wrote:
>
> > Authentication-Results: gw.ourdomain.tld;iprev=fail
> > smtp.remote-ip=5.61.42.174;auth=pass (PLAIN)
> > smtp.auth=benson.kuria@???;dmarc=skipped
> > header.from=ourdomain.tld
>
> Is that a standard header? I've not seen exim adding that.
>
Extracted that from the spam mail.
>
> It seems to say they did "auth plain" and gave an acceptable password.
> (escpecially in combination with "esmtpsa" in the received header.
>
> Could there be some problem with your plain authenticator? What is it
> authenticating against?
>
Not sure if there is a problem with my plain authenticator. Maybe, maybe
not.
I need a 3rd eye.
It authenticates against dovecot:
plain:
driver = dovecot
public_name = PLAIN
server_socket = /var/run/dovecot/auth-client
server_set_id = $auth1
>
> Can you share the ' <= ' line for this email (1iCQpf-0002zI-7B) in the
> exim logs it should be near Mon, 23 Sep 2019 19:05:01 +0300
>
>
Here is the log extract:
2019-09-23 19:05:01 1iCQpf-0002zI-7B <= benson.kuria@???
H=([127.0.0.1]) [5.61.42.174] I=[41.57.X.X]:587 P=esmtpsa
X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no
A=plain:benson.kuria@??? S=153471 id=4d95a1b3-5c91-471
e-5b9e-f8fe7aa1cd9b@??? T="Your order ?5634 is ready for the
transporting" from <benson.kuria@???> for
daniel.owino@???
2019-09-23 19:05:01 1iCQpf-0002zI-7B =>
/var/spool/virtual/ourdomain.tld/daniel.owino/Maildir
<daniel.owino@???> R=virtual_domains T=dovecot_virtual_delivery
S=153618
2019-09-23 19:05:01 1iCQpf-0002zI-7B Completed
--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)
