On Tue, 24 Sep 2019 at 14:43, Cyborg via Exim-users <exim-users@???>
wrote:
> On 24.09.19 at 11:07, Odhiambo Washington via Exim-users wrote:
> > 2019-09-23 19:05:01 1iCQpf-0002zI-7B <= benson.kuria@???
> > H=([127.0.0.1]) [5.61.42.174] I=[41.57.X.X]:587 P=esmtpsa
> > X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no
> > A=plain:benson.kuria@??? S=153471 id=4d95a1b3-5c91-471
> > e-5b9e-f8fe7aa1cd9b@??? T="Your order ?5634 is ready for the
> > transporting" from <benson.kuria@???> for
> > daniel.owino@???
>
> To answer your question, yes, it uses plaintext auth and yes, it looks
> like your auth is broken.
>
> I think you want to have "POPbeforeSMTP", which is an old mechanism to
> authenticate someone for SMTP.
>
> Better activate SMTP-AUTH.
>
I have ASMTP active, as you might have seen from the headers.
> Any client will support it, even OUTLOOK will do.
>
> The exim default config (for Fedora) has this to offer:
>
>
> # LOGIN authentication has traditional prompts and responses. There is no
> # authorization ID in this mechanism, so unlike PLAIN the username and
> # password are $auth1 and $auth2. Apart from that you can use the same
> # server_condition setting for both authenticators.
>
> LOGIN:
> driver = plaintext
> server_set_id = $auth1
> server_prompts = <| Username: | Password:
> server_condition = ${if saslauthd{{$1}{$2}{smtp}} {1}}
> server_advertise_condition = *
>
>
> Depending on what your dovecot auths against, it may work directly.
>
> If it's a database, you may want to use this:
>
> LOGIN:
> driver = plaintext
> server_set_id = $1
> server_prompts = <| Username: | Password:
> server_condition = "${if and { \
> {!eq{$2}{}} \
> {eq{1}{${lookup mysql{SELECT '1' FROM users WHERE \
> user = '${quote_mysql:${local_part:$1}}' and passwort = \
> password('${quote_mysql:$2}') }{$value}fail}} }} {yes}{no}}"
> server_advertise_condition = *
>
> (don't forget to enable a database connection first)
>
> Check your dovecot for the used auth mechanism, it seems to be faulty
I am using the dovecot authentication as spelt here:
https://wiki.dovecot.org/HowTo/EximAndDovecotSASL
And I don't think it is broken.
> or
> your attacker has access to your mailboxes and gets the password anytime
> you set a new one.
>
Not possible because my passwords are encrypted, not plaintext.
Thanks for helping me think it out.
--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)
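
Added example, not part of the original message or of Exim: a small parser for mainlog arrival ("<=") lines like the one quoted at the top of this thread, which groups authenticated submissions by the ID in the A= field and reports IDs used from many source IPs. The sample log lines, the function names and the IP threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in Exim mainlog arrival format; every address and IP is a
# documentation value, not data from the thread.
SAMPLE_LOG = """\
2019-09-23 18:01:10 1iCPaa-0001aB-1C <= alice@example.org H=(laptop) [192.0.2.10] I=[203.0.113.5]:587 P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no A=plain:alice@example.org S=2301 T="Minutes" for bob@example.org
2019-09-23 19:05:01 1iCQpf-0002zI-7B <= carol@example.org H=([127.0.0.1]) [198.51.100.7] I=[203.0.113.5]:587 P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no A=plain:carol@example.org S=153471 T="Your order is ready" for dan@example.org
2019-09-23 19:05:09 1iCQpn-0002zR-9D <= carol@example.org H=([127.0.0.1]) [198.51.100.99] I=[203.0.113.5]:587 P=esmtpsa CV=no A=plain:carol@example.org S=153502 T="Your order is ready" for erin@example.org
2019-09-23 19:06:30 1iCQr6-0002zX-2E <= carol@example.org H=(desktop) [192.0.2.44] I=[203.0.113.5]:587 P=esmtpsa CV=no A=LOGIN:carol@example.org S=900 T="Re: lunch" for alice@example.org
2019-09-23 19:07:00 1iCQra-0002zZ-3F <= list@example.net H=mx.example.net [192.0.2.200] P=esmtps S=4100 for alice@example.org
"""

# The remote IP is the bracketed address preceded by a space; a bracketed HELO
# such as H=([127.0.0.1]) and the I=[...] interface address do not match that.
# A= is "<authenticator name>:<authenticated id>" and precedes T= in the line.
ARRIVAL = re.compile(
    r"^(?P<stamp>\S+ \S+) (?P<msgid>\S+) <= (?P<sender>\S+) "
    r".*? \[(?P<ip>[0-9A-Fa-f.:]+)\](?::\d+)? "
    r".*?\bA=(?P<authenticator>[^:\s]+):(?P<auth_id>\S+)"
)


def parse_arrivals(log_text):
    """Return one dict per authenticated arrival (a "<=" line carrying A=)."""
    return [m.groupdict() for line in log_text.splitlines()
            if (m := ARRIVAL.match(line))]


def accounts_over_ip_limit(arrivals, max_ips=2):
    """Map auth_id -> sorted source IPs for IDs seen from more than max_ips IPs."""
    seen = defaultdict(set)
    for arrival in arrivals:
        seen[arrival["auth_id"]].add(arrival["ip"])
    return {auth_id: sorted(ips) for auth_id, ips in seen.items()
            if len(ips) > max_ips}


if __name__ == "__main__":
    flagged = accounts_over_ip_limit(parse_arrivals(SAMPLE_LOG), max_ips=2)
    for auth_id, ips in flagged.items():
        print(f"{auth_id}: {len(ips)} source IPs: {', '.join(ips)}")
```

To run it against a real log, pass the contents of the Exim mainlog to parse_arrivals() and choose max_ips to suit how many networks a legitimate user normally sends from.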