Re: [exim] Make auth unsuccessful with some conditions

Αρχική Σελίδα
Delete this message
Reply to this message
Συντάκτης: Evgeniy Berdnikov
Ημερομηνία:  
Προς: exim-users
Αντικείμενο: Re: [exim] Make auth unsuccessful with some conditions
On Fri, Mar 31, 2023 at 04:19:05PM +0300, Dzmitry Shykuts via Exim-users wrote:
> I found where the problem was!
>
> It turns out that the Thunderbird mail client uses two types of
> authentication with an unencrypted password at the same time: PLAIN and
> LOGIN. First it tries PLAIN (and my condition just worked correctly and
> there was a standard entry about "Incorrect authentication data" in the
> log), and then, since PLAIN failed, Thunderbird used LOGIN (I did not add a
> condition) and the mail was successfully sent. Yesterday I did not pay
> attention to the authenticator of the second (successful) authentication
> attempt in the log, where instead of PLAIN there was already LOGIN.


This is one of at least two bugs in your configuration. I think your PLAIN
authenticator should always fail, because you use $auth1 as name and $auth2
as password, while $auth1 should always be null string for PLAIN.
For PLAIN, $auth2 is username and $auth3 is password (in difference with
parameters of CRAM-MD5 and LOGIN). Look into ch.34 for details.

Running Exim with -d+auth+expand option would make it visible.

> Here is the resulting auth config (suddenly it will come in handy for
> someone):
>
> dovecot_cram_md5:
>   driver = dovecot
>   public_name = CRAM-MD5
>   server_socket = /var/run/dovecot/auth-client
>   server_set_id = $auth1
>   server_advertise_condition = AUTH_ADVERTISE_CONDITION
>   server_condition = ${if or{{match_ip{$sender_host_address}{LAN}}{and{{exists{AUTH_EXCEPTIONS}}{eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}}}}}
>
> dovecot_login:
>   driver = dovecot
>   public_name = LOGIN
>   server_socket = /var/run/dovecot/auth-client
>   server_set_id = $auth1
>   server_advertise_condition = AUTH_ADVERTISE_CONDITION
>   server_condition = ${if or{{match_ip{$sender_host_address}{LAN}}{and{{exists{AUTH_EXCEPTIONS}}{eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}}}}}
>
> dovecot_plain:
>   driver = dovecot
>   public_name = PLAIN
>   server_socket = /var/run/dovecot/auth-client
>   server_set_id = $auth1
>   server_advertise_condition = AUTH_ADVERTISE_CONDITION
>   server_condition = ${if or{{match_ip{$sender_host_address}{LAN}}{and{{exists{AUTH_EXCEPTIONS}}{eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}}}}}

--
Eugene Berdnikov