Here's the debug log, starting at the AUTH ACL:
> 00:36:48 2557469 accept: condition test succeeded in ACL "acl_check_auth"
> 00:36:48 2557469 end of ACL "acl_check_auth": ACCEPT
> 00:36:48 2557469 auth input decode: '' 'myusername' 'wrongpassword'
> 00:36:48 2557469 plain authenticator server_condition:
> 00:36:48 2557469 $auth1 =
> 00:36:48 2557469 $auth2 = myusername
> 00:36:48 2557469 $auth3 = wrongpassword
> 00:36:48 2557469 $1 =
> 00:36:48 2557469 $2 = myusername
> 00:36:48 2557469 $3 = wrongpassword
> 00:36:48 2557469 ╭considering: ${if pam{${sg{$auth2}{:}{::}} : ${sg{$auth3}{:}{::}} : ${sg{$sender_host_address}{:}{::}}}}
> 00:36:48 2557469 ╭considering: ${sg{$auth2}{:}{::}} : ${sg{$auth3}{:}{::}} : ${sg{$sender_host_address}{:}{::}}}}
> 00:36:48 2557469 ╭considering: $auth2}{:}{::}} : ${sg{$auth3}{:}{::}} : ${sg{$sender_host_address}{:}{::}}}}
> 00:36:48 2557469 ├──expanding: $auth2
> 00:36:48 2557469 ╰─────result: myusername
> 00:36:48 2557469 ╰──(tainted)
> 00:36:48 2557469 ╭considering: :}{::}} : ${sg{$auth3}{:}{::}} : ${sg{$sender_host_address}{:}{::}}}}
> 00:36:48 2557469 ├──expanding: :
> 00:36:48 2557469 ╰─────result: :
> 00:36:48 2557469 ╭considering: ::}} : ${sg{$auth3}{:}{::}} : ${sg{$sender_host_address}{:}{::}}}}
> 00:36:48 2557469 ├──expanding: ::
> 00:36:48 2557469 ╰─────result: ::
> 00:36:48 2557469 ╭considering: $auth3}{:}{::}} : ${sg{$sender_host_address}{:}{::}}}}
> 00:36:48 2557469 ├──expanding: $auth3
> 00:36:48 2557469 ╰─────result: wrongpassword
> 00:36:48 2557469 ╰──(tainted)
> 00:36:48 2557469 ╭considering: :}{::}} : ${sg{$sender_host_address}{:}{::}}}}
> 00:36:48 2557469 ├──expanding: :
> 00:36:48 2557469 ╰─────result: :
> 00:36:48 2557469 ╭considering: ::}} : ${sg{$sender_host_address}{:}{::}}}}
> 00:36:48 2557469 ├──expanding: ::
> 00:36:48 2557469 ╰─────result: ::
> 00:36:48 2557469 ╭considering: $sender_host_address}{:}{::}}}}
> 00:36:48 2557469 ├──expanding: $sender_host_address
> 00:36:48 2557469 ╰─────result: 2003:d5:735:f800:a819:4f90:c9a5:18d6
> 00:36:48 2557469 ╭considering: :}{::}}}}
> 00:36:48 2557469 ├──expanding: :
> 00:36:48 2557469 ╰─────result: :
> 00:36:48 2557469 ╭considering: ::}}}}
> 00:36:48 2557469 ├──expanding: ::
> 00:36:48 2557469 ╰─────result: ::
> 00:36:48 2557469 ├──expanding: ${sg{$auth2}{:}{::}} : ${sg{$auth3}{:}{::}} : ${sg{$sender_host_address}{:}{::}}
> 00:36:48 2557469 ╰─────result: myusername : wrongpassword : 2003::d5::735::f800::a819::4f90::c9a5::18d6
> 00:36:48 2557469 ╰──(tainted)
> 00:36:48 2557469 Running PAM authentication for user "myusername"
> 00:36:51 2557469 PAM error: Permission denied
> 00:36:51 2557469 ├failed to expand: ${if pam{${sg{$auth2}{:}{::}} : ${sg{$auth3}{:}{::}} : ${sg{$sender_host_address}{:}{::}}}}
> 00:36:51 2557469 ╰───error message: Permission denied
> 00:36:51 2557469 expansion failed: Permission denied
> 00:36:51 2557469 ╭considering: $auth2
> 00:36:51 2557469 ├──expanding: $auth2
> 00:36:51 2557469 ╰─────result: myusername
> 00:36:51 2557469 ╰──(tainted)
> 00:36:51 2557469 SMTP>> 435 Unable to authenticate at present
Looks like the pam expansion "fails". Actually, it simply returns the
defined error code for an invalid password. I wouldn't consider that a
"failure"; PAM has worked properly and decided that the password is not
accepted. This is a final and correct result. Exim seems to think otherwise.
BTW, when providing the correct password, everything works just fine. I
would generally rule out any permission issues here. If there was a
permission issue, it would never work, no matter what credentials were
provided.
-Yves
-------- Original Message --------
From: Jeremy Harris via Exim-users <exim-users@???>
Sent: Monday, 18 January 2021, 21:49 CET
Subject: [exim] Authentication returns code 435 instead of 535
On 18/01/2021 20:32, Yves Goergen via Exim-users wrote:
> How can I get debug logs from Exim in daemon configuration? The Exim
> daemon/service is already set up and required for production use. I can
> change its logging, but not take it down.
Either add a commandline option at the place your daemon is started, and
restart it,
or add an ACL clause in your config, and reload it.
Both methods are documented.
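
Added example, not part of the original thread and not Exim code: a Python script that scans debug output in the format quoted above and separates AUTH attempts where a PAM error turned into an expansion failure and a 435 reply from attempts that ended in a 535 rejection. The sample log is constructed; the second session (PID 2557470) and its 535 reply line are assumptions added for contrast.

```python
import re

# Constructed sample in the format of the debug log above. PID 2557469 mirrors
# the post; PID 2557470 is an assumed session that ended in a normal rejection.
SAMPLE_LOG = """\
00:36:48 2557469 Running PAM authentication for user "myusername"
00:36:51 2557469 PAM error: Permission denied
00:36:51 2557469 expansion failed: Permission denied
00:36:51 2557469 SMTP>> 435 Unable to authenticate at present
00:40:02 2557470 Running PAM authentication for user "otheruser"
00:40:05 2557470 SMTP>> 535 Incorrect authentication data
"""

# Optional "> " prefix lets the function read quoted mail as well as raw logs.
LINE = re.compile(r"^(?:>\s*)?\d\d:\d\d:\d\d\s+(\d+)\s+(.*)$")
PAM_START = re.compile(r'Running PAM authentication for user "([^"]*)"')
SMTP_REPLY = re.compile(r"SMTP>> (\d{3})\b")
VERDICTS = {"235": "accepted", "535": "rejected"}

def classify_auth_attempts(log_text):
    """Return one record per PAM-backed AUTH attempt, tracked per process id."""
    open_attempts, done = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        pid, msg = m.groups()
        start = PAM_START.search(msg)
        if start:
            open_attempts[pid] = {"pid": pid, "user": start.group(1),
                                  "pam_error": None, "expansion_failed": False}
            continue
        attempt = open_attempts.get(pid)
        if attempt is None:
            continue
        if msg.startswith("PAM error: "):
            attempt["pam_error"] = msg[len("PAM error: "):]
        elif msg.startswith("expansion failed:"):
            attempt["expansion_failed"] = True
        else:
            reply = SMTP_REPLY.match(msg)
            if reply and reply.group(1) in ("235", "435", "535"):
                code = attempt["smtp_code"] = reply.group(1)
                if code == "435" and attempt["pam_error"] and attempt["expansion_failed"]:
                    attempt["verdict"] = "tempfail-after-pam-error"
                else:
                    attempt["verdict"] = VERDICTS.get(code, "tempfail")
                done.append(open_attempts.pop(pid))
    return done

if __name__ == "__main__":
    for rec in classify_auth_attempts(SAMPLE_LOG):
        print(rec["pid"], rec["user"], rec["smtp_code"], rec["verdict"])
```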