Author: Evgeniy Berdnikov Date: To: exim-users Subject: Re: [exim] Make auth unsuccessful with some conditions
On Fri, Mar 31, 2023 at 04:19:05PM +0300, Dzmitry Shykuts via Exim-users wrote:
> I found where the problem was!
>
> It turns out that the Thunderbird mail client uses two types of
> authentication with an unencrypted password at the same time: PLAIN and
> LOGIN. First it tries PLAIN (and my condition just worked correctly and
> there was a standard entry about "Incorrect authentication data" in the
> log), and then, since PLAIN failed, Thunderbird used LOGIN (I did not add a
> condition) and the mail was successfully sent. Yesterday I did not pay
> attention to the authenticator of the second (successful) authentication
> attempt in the log, where instead of PLAIN there was already LOGIN.
This is one of at least two bugs in your configuration. I think your PLAIN
authenticator should always fail, because you use $auth1 as name and $auth2
as password, while $auth1 should always be null string for PLAIN.
For PLAIN, $auth2 is the username and $auth3 is the password (unlike the
parameters of CRAM-MD5 and LOGIN). Look into ch.34 for details.
Running Exim with the -d+auth+expand option would make this visible.
> Here is the resulting auth config (suddenly it will come in handy for
> someone):
>
> dovecot_cram_md5:
>   driver = dovecot
>   public_name = CRAM-MD5
>   server_socket = /var/run/dovecot/auth-client
>   server_set_id = $auth1
>   server_advertise_condition = AUTH_ADVERTISE_CONDITION
>   server_condition = ${if or{{match_ip{$sender_host_address}{LAN}}{and{{exists{AUTH_EXCEPTIONS}}{eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}}}}}
>
> dovecot_login:
>   driver = dovecot
>   public_name = LOGIN
>   server_socket = /var/run/dovecot/auth-client
>   server_set_id = $auth1
>   server_advertise_condition = AUTH_ADVERTISE_CONDITION
>   server_condition = ${if or{{match_ip{$sender_host_address}{LAN}}{and{{exists{AUTH_EXCEPTIONS}}{eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}}}}}
>
> dovecot_plain:
>   driver = dovecot
>   public_name = PLAIN
>   server_socket = /var/run/dovecot/auth-client
>   server_set_id = $auth1
>   server_advertise_condition = AUTH_ADVERTISE_CONDITION
>   server_condition = ${if or{{match_ip{$sender_host_address}{LAN}}{and{{exists{AUTH_EXCEPTIONS}}{eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}}}}}
-- 
Eugene Berdnikov
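The following Python script is an added illustration of the point made in this reply; it is not code from the thread, from Exim or from Dovecot. It decodes the client data for SASL PLAIN (RFC 4616: authzid, NUL, authcid, NUL, password) and for LOGIN (two base64 answers), maps the fields onto $auth1/$auth2/$auth3 the way Exim's ch.34 defines them, and evaluates a simplified model of the quoted server_condition against each mechanism. The LAN network, the AUTH_EXCEPTIONS list, the client address, the username and the password are all constructed for the example, and the Dovecot password check itself is left out of the model.

```python
"""Added example (not code from the exim-users thread or from Exim itself):
decode SASL PLAIN and LOGIN client data, map the fields onto Exim's
$auth1/$auth2/$auth3 as the Exim spec (ch. 34) defines them, and evaluate a
simplified model of the quoted server_condition against each mechanism.
Sample addresses, usernames, passwords and the LAN/AUTH_EXCEPTIONS values
are constructed for this example."""
import base64
import ipaddress
from typing import Dict

# Constructed stand-ins for the LAN and AUTH_EXCEPTIONS macros in the thread.
LAN = ipaddress.ip_network("192.168.1.0/24")
AUTH_EXCEPTIONS = {"alice@example.com"}


def b64(text: str) -> str:
    """Base64-encode a UTF-8 string the way an SMTP client does."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def encode_plain(authzid: str, authcid: str, passwd: str) -> str:
    """Build an RFC 4616 PLAIN initial response: authzid NUL authcid NUL passwd.
    Mail clients such as Thunderbird normally send an empty authzid."""
    return b64(f"{authzid}\x00{authcid}\x00{passwd}")


def plain_to_exim_vars(initial_response_b64: str) -> Dict[str, str]:
    """PLAIN as Exim sees it: $auth1 = authzid (usually empty),
    $auth2 = username, $auth3 = password."""
    raw = base64.b64decode(initial_response_b64).decode("utf-8")
    parts = raw.split("\x00")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN response: expected three NUL-separated fields")
    authzid, authcid, passwd = parts
    return {"auth1": authzid, "auth2": authcid, "auth3": passwd}


def login_to_exim_vars(username_b64: str, password_b64: str) -> Dict[str, str]:
    """LOGIN is a two-step exchange (username prompt, then password prompt);
    Exim exposes the answers as $auth1 = username, $auth2 = password."""
    return {
        "auth1": base64.b64decode(username_b64).decode("utf-8"),
        "auth2": base64.b64decode(password_b64).decode("utf-8"),
    }


def server_condition(sender_host_address: str, username: str) -> bool:
    """Model of the quoted server_condition: accept if the client is on the
    LAN, or if the username appears in the exception list. The Dovecot
    password check performed by the dovecot driver is outside this model."""
    on_lan = ipaddress.ip_address(sender_host_address) in LAN
    return on_lan or username in AUTH_EXCEPTIONS


def demo() -> Dict[str, object]:
    """Run the same off-LAN client through PLAIN and LOGIN and show why a
    condition keyed on $auth1 behaves differently for the two mechanisms."""
    host = "203.0.113.10"  # constructed address outside LAN
    plain = plain_to_exim_vars(encode_plain("", "alice@example.com", "s3cret"))
    login = login_to_exim_vars(b64("alice@example.com"), b64("s3cret"))
    return {
        "plain_auth1": plain["auth1"],  # "" for PLAIN
        "plain_auth2": plain["auth2"],  # the real username
        # Keyed on $auth1, the exception lookup sees "" and PLAIN is refused.
        "plain_keyed_on_auth1": server_condition(host, plain["auth1"]),
        # Keyed on $auth2, the same client passes.
        "plain_keyed_on_auth2": server_condition(host, plain["auth2"]),
        # For LOGIN, $auth1 really is the username, so the fallback succeeds.
        "login_keyed_on_auth1": server_condition(host, login["auth1"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running the script reproduces the behaviour described in the thread: the PLAIN authenticator keyed on $auth1 refuses the client (the lookup is made with an empty string), and the LOGIN authenticator, whose $auth1 is the username, lets the same client through. Keying the PLAIN condition on $auth2 makes the two mechanisms agree, which is the kind of mismatch the -d+auth+expand debug output exposes directly.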