Re: [exim] Unstoppable spam

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Cyborg
Datum:  
To: exim-users
Betreff: Re: [exim] Unstoppable spam
Am 24.09.19 um 11:07 schrieb Odhiambo Washington via Exim-users:
> 2019-09-23 19:05:01 1iCQpf-0002zI-7B <= benson.kuria@???
> H=([127.0.0.1]) [5.61.42.174] I=[41.57.X.X]:587 P=esmtpsa
> X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no
> A=plain:benson.kuria@??? S=153471 id=4d95a1b3-5c91-471
> e-5b9e-f8fe7aa1cd9b@??? T="Your order ?5634 is ready for the
> transporting" from <benson.kuria@???> for
> daniel.owino@???


To answere you question, yes, it uses plaintext auth and yes, it looks
like you auth is broken.

I think you wanne have "POPbeforeSMTP" , which is a old mechanism to
authenticate someone for SMTP.

Better activate SMTP-AUTH.

Any client will support it, even OUTLOOK will do.

The exim default config (for Fedora) has this to offer:


# LOGIN authentication has traditional prompts and responses. There is no
# authorization ID in this mechanism, so unlike PLAIN the username and
# password are $auth1 and $auth2. Apart from that you can use the same
# server_condition setting for both authenticators.

LOGIN:
  driver                     = plaintext
  server_set_id              = $auth1
  server_prompts             = <| Username: | Password:
  server_condition           = ${if saslauthd{{$1}{$2}{smtp}} {1}}
  server_advertise_condition = *


Depending where you dovecot auths against, it may work directly.

If it's a dabase, you may wanne use this:

LOGIN:
 driver                     = plaintext
 server_set_id = $1
 server_prompts             = <| Username: | Password: 
 server_condition = "${if and { \
                      {!eq{$2}{}} \
                      {eq{1}{${lookup mysql{SELECT '1' FROM users WHERE 
user = '${quote_mysql:${local_part:$1}}' and passwort =
password('${quote_mysql:$2}') }{$value}fail}} }} {yes}{no}}"
 server_advertise_condition = *

(dont forget to enable a database connection first)

Check you dovecot for the used auth mechanism, it seems to be faulty or
your attacker has access to you mailboxes and get the password anythime
you set a new one.

best regards,
Marius