Re: [exim] Make auth unsuccessful with some conditions

Pàgina inicial
Delete this message
Reply to this message
Autor: Dzmitry Shykuts
Data:  
A: exim-users
Assumpte: Re: [exim] Make auth unsuccessful with some conditions
I found where the problem was!

It turns out that the Thunderbird mail client uses two types of
authentication with an unencrypted password at the same time: PLAIN and
LOGIN. First it tries PLAIN (and my condition just worked correctly and
there was a standard entry about "Incorrect authentication data" in the
log), and then, since PLAIN failed, Thunderbird used LOGIN (I did not
add a condition) and the mail was successfully sent. Yesterday I did not
pay attention to the authenticator of the second (successful)
authentication attempt in the log, where instead of PLAIN there was
already LOGIN.

Summarizing everything, it is correct to immediately add conditions to
all authenticators.

Thank you all for your participation and help!

P.S. I love Exim because it allows me to implement all my ideas... :)

Here is the resulting auth config (suddenly it will come in handy for
someone):

dovecot_cram_md5:
  driver = dovecot
  public_name = CRAM-MD5
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1
  server_advertise_condition = AUTH_ADVERTISE_CONDITION
  server_condition = ${if
or{{match_ip{$sender_host_address}{LAN}}{and{{exists{AUTH_EXCEPTIONS}}{eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}}}}}

dovecot_login:
  driver = dovecot
  public_name = LOGIN
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1
  server_advertise_condition = AUTH_ADVERTISE_CONDITION
  server_condition = ${if
or{{match_ip{$sender_host_address}{LAN}}{and{{exists{AUTH_EXCEPTIONS}}{eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}}}}}

dovecot_plain:
  driver = dovecot
  public_name = PLAIN
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1
  server_advertise_condition = AUTH_ADVERTISE_CONDITION
  server_condition = ${if
or{{match_ip{$sender_host_address}{LAN}}{and{{exists{AUTH_EXCEPTIONS}}{eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}}}}}


31.03.2023 14:39, Jeremy Harris via Exim-users write:
> On 30/03/2023 13:58, Dzmitry Shykuts via Exim-users wrote:
>> I'm trying to deny users successful authentication if they connect
>> not from the internal network but from the Internet. At the same
>> time, I have a file with exception users.
>>
>> server_condition is used to deny authentication. At the same time,
>> this works for CRAM_MD5, but does not work for PLAIN (an error
>> message appears in the log, but the message is sent as coming from an
>> authorized user).
>
> What error message?  In what fashion does it "not work"?
> Show us an example.  Use the debug facilities (quite likely,
> doing that will show you where your issue is).
>
>
>> There are also notes for PLAIN in the documentation: "This option
>> must be set for a plaintext server authenticator, where it is used
>> directly to control authentication. See section 34.3 for details." I
>> don't know how to apply or bypass this in my case.
>
> As it says, for a plaintext authenticator.  You are not using one,
> you are using dovecot authenticators.
>