Re: [exim] Make auth unsuccessful with some conditions

Author: Dzmitry Shykuts
Date:  
To: exim-users
Subject: Re: [exim] Make auth unsuccessful with some conditions
There is no error since I am using dovecot authenticator. I already
checked the config in the case, everything works as it should.

The plaintext authenticator really needs to use $auth2 as the username.

For other authenticators, from the Exim documentation:

"For the other authenticators, server_condition can be used as an
additional authentication or authorization mechanism that is applied
after the other authenticator conditions succeed."

31.03.2023 22:28, Evgeniy Berdnikov via Exim-users wrote:
> On Fri, Mar 31, 2023 at 04:19:05PM +0300, Dzmitry Shykuts via Exim-users wrote:
>> I found where the problem was!
>>
>> It turns out that the Thunderbird mail client uses two types of
>> authentication with an unencrypted password at the same time: PLAIN and
>> LOGIN. First it tries PLAIN (and my condition just worked correctly and
>> there was a standard entry about "Incorrect authentication data" in the
>> log), and then, since PLAIN failed, Thunderbird used LOGIN (I did not add a
>> condition) and the mail was successfully sent. Yesterday I did not pay
>> attention to the authenticator of the second (successful) authentication
>> attempt in the log, where instead of PLAIN there was already LOGIN.
> This is one of at least two bugs in your configuration. I think your PLAIN
> authenticator should always fail, because you use $auth1 as name and $auth2
> as password, while $auth1 should always be null string for PLAIN.
> For PLAIN, $auth2 is username and $auth3 is password (in difference with
> parameters of CRAM-MD5 and LOGIN). Look into ch.34 for details.
>
> Running Exim with -d+auth+expand option would make it visible.
>
>> Here is the resulting auth config (suddenly it will come in handy for
>> someone):
>>
>> dovecot_cram_md5:
>>   driver = dovecot
>>   public_name = CRAM-MD5
>>   server_socket = /var/run/dovecot/auth-client
>>   server_set_id = $auth1
>>   server_advertise_condition = AUTH_ADVERTISE_CONDITION
>>   server_condition = ${if or{{match_ip{$sender_host_address}{LAN}}{and{{exists{AUTH_EXCEPTIONS}}{eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}}}}}
>>
>> dovecot_login:
>>   driver = dovecot
>>   public_name = LOGIN
>>   server_socket = /var/run/dovecot/auth-client
>>   server_set_id = $auth1
>>   server_advertise_condition = AUTH_ADVERTISE_CONDITION
>>   server_condition = ${if or{{match_ip{$sender_host_address}{LAN}}{and{{exists{AUTH_EXCEPTIONS}}{eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}}}}}
>>
>> dovecot_plain:
>>   driver = dovecot
>>   public_name = PLAIN
>>   server_socket = /var/run/dovecot/auth-client
>>   server_set_id = $auth1
>>   server_advertise_condition = AUTH_ADVERTISE_CONDITION
>>   server_condition = ${if or{{match_ip{$sender_host_address}{LAN}}{and{{exists{AUTH_EXCEPTIONS}}{eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}}}}}
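
The failure described in this thread (a restriction set on PLAIN while LOGIN stayed unrestricted, so the client's fallback succeeded) can be caught by auditing the authenticators section. The script below is an added example, not code from the thread or from Exim; it assumes the section text is passed in with continuation lines already joined and macros left unexpanded, and `RESTRICT_COND` is a placeholder macro name.

```python
import re

# Constructed sample: the "before" state described in the thread, where the
# restriction was added to PLAIN but not to LOGIN.
# RESTRICT_COND is a placeholder macro name, not taken from the original post.
SAMPLE = """\
dovecot_login:
  driver = dovecot
  public_name = LOGIN
  server_set_id = $auth1

dovecot_plain:
  driver = dovecot
  public_name = PLAIN
  server_set_id = $auth1
  server_condition = RESTRICT_COND
"""

def parse_authenticators(text):
    """Return {instance_name: {option: value}} for an authenticators section."""
    auths, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"([A-Za-z0-9_]+):", line)
        if m:
            current = auths.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")  # split on the first '=' only
            current[key.strip()] = value.strip()
    return auths

def audit(text):
    """Flag mechanisms with no server_condition, or conditions that differ."""
    auths = parse_authenticators(text)
    conds = {a.get("public_name", n): a.get("server_condition") for n, a in auths.items()}
    findings = [f"{mech}: no server_condition" for mech, c in conds.items() if c is None]
    distinct = {c for c in conds.values() if c is not None}
    if len(distinct) > 1:
        mechs = ", ".join(sorted(m for m, c in conds.items() if c is not None))
        findings.append("server_condition differs between: " + mechs)
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A differing condition is not always a fault, but it is the place to look when one mechanism is meant to carry the same policy as the others.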