Re: [exim] Exim relaying but shouldn't

Inizio della pagina
Delete this message
Reply to this message
Autore: Eric Grammatico
Data:  
To: exim-users
Oggetto: Re: [exim] Exim relaying but shouldn't

Le 28/09/2022 à 14:48, Slavko via Exim-users a écrit :
> Dňa 26. septembra 2022 18:05:32 UTC používateľ Eric Grammatico via Exim-users <exim-users@???> napísal:
>
>> 2022-09-26 16:15:24 [10] 1ocotI-00000A-0g <= #xxxyyyy'uuss+zzz@??? H=(localhost) [45.123.190.53] P=esmtpsa X=TLS1.2:AES256-GCM-SHA384:256 CV=no A=login_server:#xxxyyyy'uuss+zzz S=736
> ...
>
>> login_server:
>>   driver                     = plaintext
>>   public_name                = LOGIN
>>   server_condition = ${run{/bin/sh -c "echo -e '$auth1\n$auth2' | /usr/sbin/pwauth"}{1}{0}}
>>   server_set_id              = $auth1
>>   server_prompts             = <| Username: | Password:
>> Looks like the user #xxxyyyy'uuss+zzz is authenticated, but for sure it doesn't exist in my /etc/passwd, neither /etc/shadow
> Did you try to pass that user to your script with random password?

Yep, and auth is refused.
>
> Did you try to pass that server_condition expansion through exim -be with
> that user?

Nop, I will
>
> Anyway, passing user input to script is not safe, notice that login name
> contains the aphostrophe char, which breaks your quotation, duno how
> it is interpreted... Why you do not use pam{} expansion?

I'm in Docker, I'll investigate in that direction. Thanks.
>
> regards
>
>


Thank you Slavko.


As an immediate fix I added the following in my exim.conf

  drop    message = REJECTED - Sender Verify Failed - error code
\"$sender_verify_failure\"\n\n\
  The return address you are using for this email message
<$sender_address>\
  does not seem to be a working account.
          log_message = REJECTED - Sender Verify Failed - error code
\"$sender_verify_failure\"
          !hosts = +no_verify
          !verify = sender/callout=2m,defer_ok
          condition = ${if eq{recipient}{$sender_verify_failure}}

  deny    message       = Restricted characters in sender address
          domains       = +local_domains
          senders   = ^[#] : ^[.] : ^.*[@%!/|#+]

  deny    message       = Restricted characters in sender address
          domains       = !+local_domains
          senders   = ^[#] : ^[.] : ^.*[@%!/|#+]

Hopefully, that'll provide me with delay awaiting to fix the LOGIN issue.

thx and reg

--
_/) Eric.