On Tue, Aug 02, 2005 at 01:23:06PM +0200, Jakob Hirsch wrote:
> > spa:
> > driver = spa
> > public_name = NTLM
> > server_password = ${lookup{$1}dbmnz{/etc/exim/passwd}}
>
> Anyone with an arbitrary username and empty password can send mails
> through your server (in case you don't believe it, look into your logs).
> This should really be "${lookup{$1}dbmnz{/etc/exim/passwd}{$value}fail}"
> like in the cram-md5 authenticator.

This does not seem to be the case. I have just tested sending mail via
Outlook with incorrect passwords (using either a valid or invalid
username) and exim correctly refuses to relay the message. Please feel
free to try and relay through outgoing.csail.mit.edu using NTLM
authentication. Let me know if it works, but my experience indicates
otherwise.

> Besides that, it looks ok and works here that way. I'm using lsearch
> instead of dbmnz, though. You are sure you ran exim_dbmbuild with the
> -nozero option the last time you updated passwd?
>
> > 4253 lookup yielded: <my_password>
> > 4253 CRAM-MD5: user name = noahm
> > 4253 challenge = <[EMAIL PROTECTED]>
> > 4253 received = a2f19773f6bed6fd8fb93cca29b12c30
> > 4253 digest = f4dadcdd3b8b41c8ebe7553f047a1889
>
> Please put a temporary entry in passwd, try to authenticate and post the
> output here, so we can see which one is wrong here.

Here it is. The client in this case is KDE's kmail. My password was
temporarily changed to "someboguspasswordfortesting" for this testing
purpose.

4984 Connection request from 128.30.5.117 port 56793
4984 search_tidyup called
4984 1 SMTP accept process running
4984 Listening...
4986 host in rfc1413_hosts? no (end of list)
4986 sender_fullhost = [128.30.5.117]
4986 sender_rcvhost = [128.30.5.117]
4986 Process 4986 is handling incoming connection from [128.30.5.117]
4986 checking for IP options
4986 no IP options found
4986 host in host_lookup? yes (matched "*")
4986 looking up host name for 128.30.5.117
4986 DNS lookup of 117.5.30.128.in-addr.arpa (PTR) succeeded
4986 IP address lookup yielded 30-5-117.wireless.csail.mit.edu
4986 gethostbyname looked up these IP addresses:
4986 name=30-5-117.wireless.csail.mit.edu address=128.30.5.117
4986 checking addresses for 30-5-117.wireless.csail.mit.edu
4986 128.30.5.117 OK
4986 sender_fullhost = 30-5-117.wireless.csail.mit.edu [128.30.5.117]
4986 sender_rcvhost = 30-5-117.wireless.csail.mit.edu ([128.30.5.117])
4986 set_process_info: 4986 handling incoming connection from 30-5-117.wireless.csail.mit.edu [128.30.5.117]
4986 host in host_reject_connection? no (option unset)
4986 host in sender_unqualified_hosts? no (option unset)
4986 host in recipient_unqualified_hosts? no (option unset)
4986 host in helo_verify_hosts? no (option unset)
4986 host in helo_try_verify_hosts? no (option unset)
4986 host in helo_accept_junk_hosts? no (option unset)
4986 SMTP>> 220 cosmo.csail.mit.edu ESMTP Exim 4.50 Tue, 02 Aug 2005 14:53:54 -0400
4986 Process 4986 is ready for new message
4986 smtp_setup_msg entered
4986 SMTP<< EHLO 30-5-117.wireless.csail.mit.edu
4986 sender_fullhost = 30-5-117.wireless.csail.mit.edu [128.30.5.117]
4986 sender_rcvhost = 30-5-117.wireless.csail.mit.edu ([128.30.5.117])
4986 set_process_info: 4986 handling incoming connection from 30-5-117.wireless.csail.mit.edu [128.30.5.117]
4986 host in pipelining_advertise_hosts? yes (matched "*")
4986 host in auth_advertise_hosts? yes (matched "0.0.0.0/0")
4986 host in tls_advertise_hosts? yes (matched "*")
4986 SMTP>> 250-cosmo.csail.mit.edu Hello 30-5-117.wireless.csail.mit.edu [128.30.5.117]
4986 250-SIZE 104857600
4986 250-PIPELINING
4986 250-AUTH CRAM-MD5 NTLM
4986 250-STARTTLS
4986 250 HELP
4986 SMTP<< STARTTLS
4986 tls_certificate file /etc/exim/certs/outgoing.server.pem
4986 tls_privatekey file /etc/exim/keys/outgoing.server.key
4986 Initialized TLS
4986 host in tls_verify_hosts? no (option unset)
4986 host in tls_try_verify_hosts? yes (matched "*")
4986 SMTP>> 220 TLS go ahead
4986 Calling SSL_accept
4986 SSL info: before/accept initialization
4986 SSL info: before/accept initialization
4986 SSL info: SSLv3 read client hello A
4986 SSL info: SSLv3 write server hello A
4986 SSL info: SSLv3 write certificate A
4986 SSL info: SSLv3 write certificate request A
4986 SSL info: SSLv3 flush data
4986 SSL info: SSLv3 read client certificate A
4986 SSL info: SSLv3 read client key exchange A
4986 SSL info: SSLv3 read finished A
4986 SSL info: SSLv3 write change cipher spec A
4986 SSL info: SSLv3 write finished A
4986 SSL info: SSLv3 flush data
4986 SSL info: SSL negotiation finished successfully
4986 SSL info: SSL negotiation finished successfully
4986 SSL_accept was successful
4986 Cipher: TLSv1:RC4-MD5:128
4986 Shared ciphers: RC4-MD5:RC4-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:DHE-DSS-RC4-SHA:EXP1024-DHE-DSS-RC4-SHA:EXP1024-RC4-SHA:EXP1024-DHE-DSS-DES-CBC-SHA:EXP1024-DES-CBC-SHA:EXP1024-RC2-CBC-MD5:EXP1024-RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA
4986 sender_fullhost = 30-5-117.wireless.csail.mit.edu [128.30.5.117]
4986 sender_rcvhost = 30-5-117.wireless.csail.mit.edu ([128.30.5.117])
4986 set_process_info: 4986 handling incoming TLS connection from 30-5-117.wireless.csail.mit.edu [128.30.5.117]
4986 TLS active
4986 Calling SSL_read(8113bb0, 8122ca8, 4096)
4986 SMTP<< EHLO 30-5-117.wireless.csail.mit.edu
4986 sender_fullhost = 30-5-117.wireless.csail.mit.edu [128.30.5.117]
4986 sender_rcvhost = 30-5-117.wireless.csail.mit.edu ([128.30.5.117])
4986 set_process_info: 4986 handling TLS incoming connection from 30-5-117.wireless.csail.mit.edu [128.30.5.117]
4986 host in pipelining_advertise_hosts? yes (matched "*")
4986 host in auth_advertise_hosts? yes (matched "0.0.0.0/0")
4986 tls_do_write(8104ae0, 154)
4986 SSL_write(SSL, 8104ae0, 154)
4986 outbytes=154 error=0
4986 SMTP>> 250-cosmo.csail.mit.edu Hello 30-5-117.wireless.csail.mit.edu [128.30.5.117]
4986 250-SIZE 104857600
4986 250-PIPELINING
4986 250-AUTH CRAM-MD5 NTLM PLAIN
4986 250 HELP
4986 Calling SSL_read(8113bb0, 8122ca8, 4096)
4986 SMTP<< AUTH CRAM-MD5
4986 SMTP>> 334 PDQ5ODYuMTEyMzAwODg0MkBjb3Ntby5jc2FpbC5taXQuZWR1Pg==
4986 tls_do_write(80fa728, 58)
4986 SSL_write(SSL, 80fa728, 58)
4986 outbytes=58 error=0
4986 Calling SSL_read(8113bb0, 8122ca8, 4096)
4986 search_open: dbmnz "/etc/exim/passwd"
4986 search_find: file="/etc/exim/passwd"
4986 key="noahm" partial=-1 affix=NULL starflags=0
4986 LRU list:
4986 2/etc/exim/passwd
4986 End
4986 internal_search_find: file="/etc/exim/passwd"
4986 type=dbmnz key="noahm"
4986 file lookup required for noahm
4986 in /etc/exim/passwd
4986 lookup yielded: someboguspasswordfortesting
4986 CRAM-MD5: user name = noahm
4986 challenge = <[EMAIL PROTECTED]>
4986 received = 92c7df4232f5ebee8cc2c0a350aa692a
4986 digest = be6d10292874fd3448087355d47597d4
4986 SMTP>> 535 Incorrect authentication data
4986 tls_do_write(80fa728, 35)
4986 SSL_write(SSL, 80fa728, 35)
4986 outbytes=35 error=0
4986 LOG: MAIN REJECT
4986 lookup_cram authenticator failed for 30-5-117.wireless.csail.mit.edu [128.30.5.117]: 535 Incorrect authentication data (set_id=noahm)
4986 Calling SSL_read(8113bb0, 8122ca8, 4096)
4986 SSL info: SSL negotiation finished successfully
4986 Got SSL_ERROR_ZERO_RETURN
4986 SMTP>> 421 cosmo.csail.mit.edu lost input connection
4986 LOG: smtp_connection MAIN
4986 SMTP connection from 30-5-117.wireless.csail.mit.edu [128.30.5.117] lost
4986 search_tidyup called
4984 child 4986 ended: status=0x100
4984 0 SMTP accept processes now running
4984 Listening...

-- 
Noah Meyerhans
System Administrator
MIT Computer Science and Artificial Intelligence Laboratory
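An added example, not part of the original message and not Exim's own code: an independent recomputation of the CRAM-MD5 digest (RFC 2195, HMAC-MD5 over the decoded 334 challenge) to see which of the logged "received" and "digest" values agrees with the stored secret, plus a verifier that fails closed on a lookup miss in the way the `{$value}fail` form in the quoted text expresses. The function names are hypothetical, and reading "received" as the client's value and "digest" as the server's is an assumption based on the 535 reply in the log.

```python
import base64
import hmac


def cram_md5_hex(secret: str, challenge: bytes) -> str:
    """RFC 2195 digest: HMAC-MD5 keyed with the shared secret, over the raw challenge."""
    return hmac.new(secret.encode(), challenge, "md5").hexdigest()


def decode_challenge(b64_from_334: str) -> bytes:
    """The server's '334 <base64>' line carries the challenge base64-encoded."""
    return base64.b64decode(b64_from_334)


def verify(secrets: dict, user: str, challenge: bytes, received: str) -> bool:
    """Fail closed: an unknown user or an empty secret never authenticates.

    If a lookup miss became an empty key, any client could compute the
    matching digest for any username, so the miss must be a hard failure.
    """
    secret = secrets.get(user)
    if not secret:
        return False
    return hmac.compare_digest(cram_md5_hex(secret, challenge), received.lower())


def which_side_matches(secret: str, challenge: bytes, received: str, digest: str) -> dict:
    """Recompute independently and report which logged value agrees with the secret."""
    expected = cram_md5_hex(secret, challenge)
    return {
        "client_received": hmac.compare_digest(expected, received.lower()),
        "server_digest": hmac.compare_digest(expected, digest.lower()),
    }


if __name__ == "__main__":
    # Values copied from the debug log in the message above.
    challenge = decode_challenge("PDQ5ODYuMTEyMzAwODg0MkBjb3Ntby5jc2FpbC5taXQuZWR1Pg==")
    print(challenge.decode())
    print(which_side_matches("someboguspasswordfortesting", challenge,
                             "92c7df4232f5ebee8cc2c0a350aa692a",
                             "be6d10292874fd3448087355d47597d4"))
```

If neither logged value matches the recomputed digest, the key the server actually used differs from the string shown after "lookup yielded", which points at the stored entry rather than at the client.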
