http://bugs.exim.org/show_bug.cgi?id=1556

           Summary: Exim incorrectly checks for ident (rfc1413) thus making
                    it useless
           Product: Exim
           Version: N/A
          Platform: Other
        OS/Version: Windows
            Status: NEW
          Severity: bug
          Priority: medium
         Component: Delivery in general
        AssignedTo: [email protected]
        ReportedBy: [email protected]
                CC: [email protected]

* Background:

Ident _is_ actually useful when the target server is trusted, which is certainly valid for local connections. I want to identify users sending mail locally directly via port 25 (as opposed to via the sendmail program). So I install identd/authd and close it off with a firewall from external connections, allowing local connections.

In ident/rfc1413, connections are identified with "local address, local port, remote address, remote port", where the ports are sent as text, but the addresses are signalled to the remote rfc1413 daemon by the connection itself. This is reasonable, because there can be many different connections having the same "local port, remote address, remote port" but a different "local address" on multi-homed boxes. And any box is multi-homed with regard to local connections, having a local address (127.0.0.1) and an external Internet address. Thus, when identifying a connection, it's important to make it back from exactly the same IP address to which it came to us.

* Problem:

Exim doesn't care to bind the local part of ident request connections to the actual incoming connection address, thus issuing wrong requests to remote rfc1413 servers. As a consequence, it's frequently getting ERROR:NO-USER where the user is actually identifiable. (A collateral problem is that remote servers frequently time out wrong requests (to non-existing connections) to fight brute force attacks, forcing Exim to wait the full rfc1413_query_timeout, instead of getting an instant answer.)

The problem is most prominent for local connections, where Exim ident requests always come from 127.0.0.1 when the local user is connected to the external address of the server.

An additional concern is a server with multiple IPs (frequent for web hosting), where ident requests just go from the default external IP instead of the actual IP of the incoming connection that needs to be identified.

I see that the ident request is performed in src/verify.c with a plain ip_connect() without any care for properly binding the source address.

Please fix!
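The behaviour the report asks for, as an added example that is not part of the original report and is not Exim's code: the ident socket is bound to the local address of the accepted SMTP connection before connecting to port 113 on the peer. The names `ident_plan` and `ident_open` are hypothetical, and the sketch assumes IPv4 and leaves connect/read timeouts to the caller.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define IDENT_PORT 113

/* Derive the ident source and destination addresses plus the query line from
   the two ends of the accepted SMTP connection.
   local = our end (getsockname), peer = the client's end (getpeername). */
int ident_plan(const struct sockaddr_in *local, const struct sockaddr_in *peer,
               struct sockaddr_in *src, struct sockaddr_in *dst,
               char *query, size_t qlen)
{
    *src = *local;
    src->sin_port = 0;                    /* same IP, kernel-chosen port */
    *dst = *peer;
    dst->sin_port = htons(IDENT_PORT);
    /* RFC 1413 query: "<port on ident server's host> , <port on our host>" */
    int n = snprintf(query, qlen, "%u , %u\r\n",
                     (unsigned)ntohs(peer->sin_port),
                     (unsigned)ntohs(local->sin_port));
    return (n > 0 && (size_t)n < qlen) ? 0 : -1;
}

/* Open the ident connection for an accepted socket; returns fd or -1. */
int ident_open(int smtp_fd)
{
    struct sockaddr_in local, peer, src, dst;
    socklen_t ll = sizeof local, pl = sizeof peer;
    char query[32];

    if (getsockname(smtp_fd, (struct sockaddr *)&local, &ll) < 0 ||
        getpeername(smtp_fd, (struct sockaddr *)&peer, &pl) < 0 ||
        local.sin_family != AF_INET ||
        ident_plan(&local, &peer, &src, &dst, query, sizeof query) < 0)
        return -1;

    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    /* The step the report says is missing: bind() before connect(). */
    if (bind(fd, (struct sockaddr *)&src, sizeof src) < 0 ||
        connect(fd, (struct sockaddr *)&dst, sizeof dst) < 0 ||
        write(fd, query, strlen(query)) != (ssize_t)strlen(query)) {
        close(fd);
        return -1;
    }
    return fd;    /* caller reads the reply under its own timeout */
}
```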
