[exim] Re: SMTP AUTH with passwords starting with <

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Frank Richter
Dátum:  
Címzett: exim-users
Tárgy: [exim] Re: SMTP AUTH with passwords starting with <
Am 25.10.24 um 13:32 schrieb Jeremy Harris via Exim-users:
> On 25/10/2024 11:22, Frank Richter via Exim-users wrote:
>> Oh well … now how to avoid this? Is this a workaround:
>>
>> server_condition = "${if pam{$auth2:<:${sg{$auth3}{:}{::}}}{yes}{no}}"
>
> Almost.  You need
>
>    pam{<: $auth2:${sg{$auth3}{:}{::}}
>
> since the list-sep specification has to lead the list content
> (per the documentation.  Do not rely on current behaviour,
> where setting it part-way through a list happens to work; the
> implementation could change in a future release.)
>
> Note that this also changes the interpretation of usernames
> that start with a "<".  I hope you have none such...
>
> Also, the docs suggest a "listquote" rather than the "sg"
> you have for dealing with colons embedded in the string,
> giving
>
>     pam{<: $auth2:${listquote{:}{$auth3}}
>
>
> It could be argued that the "listquote" expansion item should
> itself handle a leading "<" - but that would not work for cases
> like this where we're dealing with a non-first list member.
>
> Maybe we need another way of building lists; eg.
>
>    pam{ ${listmake {:}{$auth2}{$auth3}{third_element}{last_element}} }


Thanks.

This works:
server_condition = ${if pam{$auth2:<:${listquote{:}{$auth3}}}}

1:36:53 1940682  ╭considering: ${if pam{$auth2:<:${listquote{:}{$auth3}}}}
11:36:53 1940682   ╭considering: $auth2:<:${listquote{:}{$auth3}}}}
11:36:53 1940682    ╭considering: :}{$auth3}}}}
11:36:53 1940682    ├──expanding: :
11:36:53 1940682    ╰─────result: :
11:36:53 1940682    ╭considering: $auth3}}}}
11:36:53 1940682    ├──expanding: $auth3
11:36:53 1940682    ╰─────result: <#My
11:36:53 1940682               ╰──(tainted)
11:36:53 1940682   ├──expanding: $auth2:<:${listquote{:}{$auth3}}
11:36:53 1940682   ╰─────result: fri-test2:<:<#My
11:36:53 1940682              ╰──(tainted)
11:36:53 1940682 Running PAM authentication for user "fri-test2"
11:36:53 1940682 PAM success

But this doesn't work:

server_condition = ${if pam{<: $auth2:${listquote{:}{$auth3}}}}

11:41:22 1940842  ╭considering: ${if pam{<: $auth2:${listquote{:}{$auth3}}}}
11:41:22 1940842   ╭considering: <: $auth2:${listquote{:}{$auth3}}}}
11:41:22 1940842    ╭considering: :}{$auth3}}}}
11:41:22 1940842    ├──expanding: :
11:41:22 1940842    ╰─────result: :
11:41:22 1940842    ╭considering: $auth3}}}}
11:41:22 1940842    ├──expanding: $auth3
11:41:22 1940842    ╰─────result: <#My
11:41:22 1940842               ╰──(tainted)
11:41:22 1940842   ├──expanding: <: $auth2:${listquote{:}{$auth3}}
11:41:22 1940842   ╰─────result: <: fri-test2:<#My
11:41:22 1940842              ╰──(tainted)
11:41:22 1940842 Running PAM authentication for user "fri-test2"
11:41:22 1940842 PAM error: Authentication failure

I think this is a special thing with pam … IMHO it has to do how the PAM
module gets the password (callback function?). I can send some output from gdb …

Frank

--
Frank Richter, Chemnitz University of Technology, Germany


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/