Re: [exim] Make auth unsuccessful with some conditions

Página superior
Este mensaje es parte del siguiente hilo:
MEl árbol completo de hilos, ordenados por fecha
M\Dzmitry Shykuts, mensaje del <-
MMJeremy Harris, mensaje del ->
Eliminar este mensaje
Responder a este mensaje
Autor: Evgeniy Berdnikov
Fecha:  
A: exim-users
Asunto: Re: [exim] Make auth unsuccessful with some conditions
On Fri, Mar 31, 2023 at 04:19:05PM +0300, Dzmitry Shykuts via Exim-users wrote:
> I found where the problem was!
>
> It turns out that the Thunderbird mail client uses two types of
> authentication with an unencrypted password at the same time: PLAIN and
> LOGIN. First it tries PLAIN (and my condition just worked correctly and
> there was a standard entry about "Incorrect authentication data" in the
> log), and then, since PLAIN failed, Thunderbird used LOGIN (I did not add a
> condition) and the mail was successfully sent. Yesterday I did not pay
> attention to the authenticator of the second (successful) authentication
> attempt in the log, where instead of PLAIN there was already LOGIN.

This is one of at least two bugs in your configuration. I think your PLAIN
authenticator should always fail, because you use $auth1 as name and $auth2
as password, while $auth1 should always be null string for PLAIN.
For PLAIN, $auth2 is username and $auth3 is password (in difference with
parameters of CRAM-MD5 and LOGIN). Look into ch.34 for details.

Running Exim with -d+auth+expand option would make it visible.

> Here is the resulting auth config (suddenly it will come in handy for
> someone):
>
> dovecot_cram_md5:
>   driver = dovecot
>   public_name = CRAM-MD5
>   server_socket = /var/run/dovecot/auth-client
>   server_set_id = $auth1
>   server_advertise_condition = AUTH_ADVERTISE_CONDITION
>   server_condition = ${if or{{match_ip{$sender_host_address}{LAN}}{and{{exists{AUTH_EXCEPTIONS}}{eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}}}}}
>
> dovecot_login:
>   driver = dovecot
>   public_name = LOGIN
>   server_socket = /var/run/dovecot/auth-client
>   server_set_id = $auth1
>   server_advertise_condition = AUTH_ADVERTISE_CONDITION
>   server_condition = ${if or{{match_ip{$sender_host_address}{LAN}}{and{{exists{AUTH_EXCEPTIONS}}{eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}}}}}
>
> dovecot_plain:
>   driver = dovecot
>   public_name = PLAIN
>   server_socket = /var/run/dovecot/auth-client
>   server_set_id = $auth1
>   server_advertise_condition = AUTH_ADVERTISE_CONDITION
>   server_condition = ${if or{{match_ip{$sender_host_address}{LAN}}{and{{exists{AUTH_EXCEPTIONS}}{eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}}}}}
--
Eugene Berdnikov

Este mensaje se envió a las siguientes listas de correo:
Exim-users
Información de la lista de correo | Mensajes cercanos		<-Re: [exim] Re (2): Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.Re: [exim] Make auth unsuccessful with some conditions->
Tahini and Hummus and Cumin Development Archives administrado por cumin AdminsLurker (versión 2.3)