Re: [exim] Make auth unsuccessful with some conditions

Author: Evgeniy Berdnikov
Date:  
To: exim-users
Subject: Re: [exim] Make auth unsuccessful with some conditions
On Fri, Mar 31, 2023 at 04:19:05PM +0300, Dzmitry Shykuts via Exim-users wrote:
> I found where the problem was!
>
> It turns out that the Thunderbird mail client uses two types of
> authentication with an unencrypted password at the same time: PLAIN and
> LOGIN. First it tries PLAIN (and my condition just worked correctly and
> there was a standard entry about "Incorrect authentication data" in the
> log), and then, since PLAIN failed, Thunderbird used LOGIN (I did not add a
> condition) and the mail was successfully sent. Yesterday I did not pay
> attention to the authenticator of the second (successful) authentication
> attempt in the log, where instead of PLAIN there was already LOGIN.


This is one of at least two bugs in your configuration. I think your PLAIN
authenticator should always fail, because you use $auth1 as the name and $auth2
as the password, while $auth1 should always be the null string for PLAIN.
For PLAIN, $auth2 is the username and $auth3 is the password (unlike the
parameters of CRAM-MD5 and LOGIN). Look into ch.34 for details.

Running Exim with the -d+auth+expand option would make it visible.

> Here is the resulting auth config (suddenly it will come in handy for
> someone):
>
> dovecot_cram_md5:
>   driver = dovecot
>   public_name = CRAM-MD5
>   server_socket = /var/run/dovecot/auth-client
>   server_set_id = $auth1
>   server_advertise_condition = AUTH_ADVERTISE_CONDITION
>   server_condition = ${if or{{match_ip{$sender_host_address}{LAN}}{and{{exists{AUTH_EXCEPTIONS}}{eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}}}}}
>
> dovecot_login:
>   driver = dovecot
>   public_name = LOGIN
>   server_socket = /var/run/dovecot/auth-client
>   server_set_id = $auth1
>   server_advertise_condition = AUTH_ADVERTISE_CONDITION
>   server_condition = ${if or{{match_ip{$sender_host_address}{LAN}}{and{{exists{AUTH_EXCEPTIONS}}{eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}}}}}
>
> dovecot_plain:
>   driver = dovecot
>   public_name = PLAIN
>   server_socket = /var/run/dovecot/auth-client
>   server_set_id = $auth1
>   server_advertise_condition = AUTH_ADVERTISE_CONDITION
>   server_condition = ${if or{{match_ip{$sender_host_address}{LAN}}{and{{exists{AUTH_EXCEPTIONS}}{eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}}}}}

--
Eugene Berdnikov
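
The fallback described in the quoted message (PLAIN rejected, LOGIN accepted because it carried no condition) can be caught by comparing `server_condition` across all authenticators. The following is an added example, not part of the original message or of Exim: the function names and the sample section are constructed, `COND` stands in for the long expansion quoted above, and the parser assumes one option per line with no continuation lines and compares macros as plain text.

```python
import re
from collections import Counter

# Constructed sample: the state the thread describes before the fix, where
# only PLAIN carried the restriction. COND stands in for the long
# server_condition expansion quoted in the message.
SAMPLE = """\
dovecot_plain:
  driver = dovecot
  public_name = PLAIN
  server_set_id = $auth1
  server_condition = COND

dovecot_login:
  driver = dovecot
  public_name = LOGIN
  server_set_id = $auth1
"""

def parse_authenticators(section):
    """Return {instance: {option: value}} for an authenticators section."""
    auths, current = {}, None
    for raw in section.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"(\w+):", line)
        if header:
            current = auths.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return auths

def fallback_gaps(section):
    """Return (instance, public_name) for every authenticator whose
    server_condition is absent or differs from the most common one."""
    auths = parse_authenticators(section)
    conds = Counter(o["server_condition"] for o in auths.values()
                    if "server_condition" in o)
    if not conds:
        return []  # nothing is restricted, so there is nothing to bypass
    expected = conds.most_common(1)[0][0]
    return [(name, o.get("public_name", "?")) for name, o in auths.items()
            if o.get("server_condition") != expected]

if __name__ == "__main__":
    for name, mech in fallback_gaps(SAMPLE):
        print(f"{name}: {mech} is not covered by the shared server_condition")
```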