Re: [exim] Authentication returns code 435 instead of 535

Author: Yves Goergen
Date:  
To: Jeremy Harris, exim-users
Subject: Re: [exim] Authentication returns code 435 instead of 535
Here's the debug log, starting at the AUTH ACL:

> 00:36:48 2557469 accept: condition test succeeded in ACL "acl_check_auth"
> 00:36:48 2557469 end of ACL "acl_check_auth": ACCEPT
> 00:36:48 2557469 auth input decode: '' 'myusername' 'wrongpassword'
> 00:36:48 2557469 plain authenticator server_condition:
> 00:36:48 2557469   $auth1 =
> 00:36:48 2557469   $auth2 = myusername
> 00:36:48 2557469   $auth3 = wrongpassword
> 00:36:48 2557469   $1 =
> 00:36:48 2557469   $2 = myusername
> 00:36:48 2557469   $3 = wrongpassword
> 00:36:48 2557469  ╭considering: ${if pam{${sg{$auth2}{:}{::}} : ${sg{$auth3}{:}{::}} : ${sg{$sender_host_address}{:}{::}}}}
> 00:36:48 2557469   ╭considering: ${sg{$auth2}{:}{::}} : ${sg{$auth3}{:}{::}} : ${sg{$sender_host_address}{:}{::}}}}
> 00:36:48 2557469    ╭considering: $auth2}{:}{::}} : ${sg{$auth3}{:}{::}} : ${sg{$sender_host_address}{:}{::}}}}
> 00:36:48 2557469    ├──expanding: $auth2
> 00:36:48 2557469    ╰─────result: myusername
> 00:36:48 2557469               ╰──(tainted)
> 00:36:48 2557469    ╭considering: :}{::}} : ${sg{$auth3}{:}{::}} : ${sg{$sender_host_address}{:}{::}}}}
> 00:36:48 2557469    ├──expanding: :
> 00:36:48 2557469    ╰─────result: :
> 00:36:48 2557469    ╭considering: ::}} : ${sg{$auth3}{:}{::}} : ${sg{$sender_host_address}{:}{::}}}}
> 00:36:48 2557469    ├──expanding: ::
> 00:36:48 2557469    ╰─────result: ::
> 00:36:48 2557469    ╭considering: $auth3}{:}{::}} : ${sg{$sender_host_address}{:}{::}}}}
> 00:36:48 2557469    ├──expanding: $auth3
> 00:36:48 2557469    ╰─────result: wrongpassword
> 00:36:48 2557469               ╰──(tainted)
> 00:36:48 2557469    ╭considering: :}{::}} : ${sg{$sender_host_address}{:}{::}}}}
> 00:36:48 2557469    ├──expanding: :
> 00:36:48 2557469    ╰─────result: :
> 00:36:48 2557469    ╭considering: ::}} : ${sg{$sender_host_address}{:}{::}}}}
> 00:36:48 2557469    ├──expanding: ::
> 00:36:48 2557469    ╰─────result: ::
> 00:36:48 2557469    ╭considering: $sender_host_address}{:}{::}}}}
> 00:36:48 2557469    ├──expanding: $sender_host_address
> 00:36:48 2557469    ╰─────result: 2003:d5:735:f800:a819:4f90:c9a5:18d6
> 00:36:48 2557469    ╭considering: :}{::}}}}
> 00:36:48 2557469    ├──expanding: :
> 00:36:48 2557469    ╰─────result: :
> 00:36:48 2557469    ╭considering: ::}}}}
> 00:36:48 2557469    ├──expanding: ::
> 00:36:48 2557469    ╰─────result: ::
> 00:36:48 2557469   ├──expanding: ${sg{$auth2}{:}{::}} : ${sg{$auth3}{:}{::}} : ${sg{$sender_host_address}{:}{::}}
> 00:36:48 2557469   ╰─────result: myusername : wrongpassword : 2003::d5::735::f800::a819::4f90::c9a5::18d6
> 00:36:48 2557469              ╰──(tainted)
> 00:36:48 2557469 Running PAM authentication for user "myusername"
> 00:36:51 2557469 PAM error: Permission denied
> 00:36:51 2557469  ├failed to expand: ${if pam{${sg{$auth2}{:}{::}} : ${sg{$auth3}{:}{::}} : ${sg{$sender_host_address}{:}{::}}}}
> 00:36:51 2557469  ╰───error message: Permission denied
> 00:36:51 2557469 expansion failed: Permission denied
> 00:36:51 2557469  ╭considering: $auth2
> 00:36:51 2557469  ├──expanding: $auth2
> 00:36:51 2557469  ╰─────result: myusername
> 00:36:51 2557469             ╰──(tainted)
> 00:36:51 2557469 SMTP>> 435 Unable to authenticate at present


Looks like the pam expansion "fails". Actually, it simply returns the
defined error code for an invalid password. I wouldn't consider that a
"failure"; PAM has worked properly and decided that the password is not
accepted. This is a final and correct result. Exim seems to think otherwise.

BTW, when providing the correct password, everything works just fine. I
would generally rule out any permission issues here. If there was a
permission issue, it would never work, no matter what credentials were
provided.

-Yves



-------- Original Message --------
From: Jeremy Harris via Exim-users <exim-users@???>
Sent: Monday, 18 January 2021, 21:49 CET
Subject: [exim] Authentication returns code 435 instead of 535

On 18/01/2021 20:32, Yves Goergen via Exim-users wrote:
> How can I get debug logs from Exim in daemon configuration? The Exim
> daemon/service is already set up and required for production use. I can
> change its logging, but not take it down.

Either add a command-line option at the place your daemon is started, and
restart it,
or add an ACL clause in your config, and reload it.

Both methods are documented.
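
Added example, not part of the thread and not Exim project code: a small Python correlator that reads Exim debug lines in the shape shown in the log above and flags AUTH attempts where a PAM error made the expansion fail and the client was sent 435. The function name, verdict labels and the second sample session are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Line shape in the log above: optional "> " quote marker, HH:MM:SS, PID, message.
LINE_RE = re.compile(r"^(?:>\s?)?(\d{2}:\d{2}:\d{2})\s+(\d+)\s+(.*)$")
PAM_USER_RE = re.compile(r'Running PAM authentication for user "([^"]*)"')
PAM_ERR_RE = re.compile(r"PAM error: (.+)")
SMTP_RE = re.compile(r"SMTP>> (\d{3}) ")

def classify_auth(lines):
    """Correlate PAM outcome and SMTP reply per Exim process (PID)."""
    state = defaultdict(dict)  # PID -> facts about the AUTH attempt in progress
    results = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, pid, msg = m.groups()
        cur = state[pid]
        if u := PAM_USER_RE.search(msg):
            cur.clear()
            cur["user"] = u.group(1)
        elif e := PAM_ERR_RE.search(msg):
            cur["pam_error"] = e.group(1).strip()
        elif msg.startswith("expansion failed:"):
            cur["expansion_failed"] = True
        elif (s := SMTP_RE.search(msg)) and "user" in cur:
            code = s.group(1)
            if code == "435" and cur.get("pam_error") and cur.get("expansion_failed"):
                verdict = "pam-error-returned-as-435"
            else:
                verdict = {"235": "accepted", "535": "rejected"}.get(code, "other")
            results.append({"time": ts, "pid": pid, "user": cur["user"], "smtp": code,
                            "pam_error": cur.get("pam_error"), "verdict": verdict})
            cur.clear()
    return results

# Constructed sample: first PID mirrors the log above, second is a made-up success.
SAMPLE = """\
> 00:36:48 2557469 Running PAM authentication for user "myusername"
> 00:36:51 2557469 PAM error: Permission denied
> 00:36:51 2557469 expansion failed: Permission denied
> 00:36:51 2557469 SMTP>> 435 Unable to authenticate at present
00:40:02 1000001 Running PAM authentication for user "otheruser"
00:40:02 1000001 SMTP>> 235 Authentication succeeded
""".splitlines()

if __name__ == "__main__":
    for r in classify_auth(SAMPLE):
        print(r)
```

The correlator never reads the `$auth3` lines, so the submitted password does not end up in its output.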