On 04.12.2010 19:49, Jeremy Harris wrote:
> On 2010-12-04 10:06, Alexander Nagel wrote:
>> The logfile section of one mail which looks quite normal except the
>> A=cram  authenticator:
>>
>> 2010-12-03 23:11:36 1POdqq-0005Dd-Lg<= notmyloca...@notmydomain1
>> H=static-mum-XX.XXX.XXX.XX.YYYY.net.in (ZZZZ.com) [XX.XXX.XXX.XX]
>> P=esmtpa A=cram: S=1541
>> id=bffc0c4db7014b5f85f70fd336640...@5596f1f9ac9a4e95972a770a95afed48
>> from<notmyloca...@notmydomain1>   for notmyloca...@notmydomain3
>> 2010-12-03 23:11:40 1POdqt-0005Dd-Lp<= notmyloca...@notmydomain2
>> H=static-mum-XX.XXX.XXX.XX.YYY.net.in (ZZZZ.com) [XX.XXX.XX.XX] P=esmtpa
>> A=cram: S=1420
>> id=66f95d560e354a95905d29ba7a939...@266eba13b7e640dca0c0f1f0b0044aff
>> from<notmyloca...@notmydomain2>   for notmyloca...@notmydomain3
>> 2010-12-03 23:11:40 1POdqq-0005Dd-Lg Completed QT=4s
> [...]
>> cram:
>>            driver                  = cram_md5
>>            public_name             = CRAM-MD5
>>            server_secret           = ${lookup pgsql{PG_Q_AUTH_CRAMMD5}}
>>            server_set_id           = $auth1
>
> You should make the lookup return fail explicitly when pgsql returns no rows,
> otherwise it just returns an empty string.  server_secret needs an explicit fail
> in order to fail the attempt at authorisation.  See (e.g.)
>
> http://exim.org/exim-html-4.69/doc/html/spec_html/ch35.html#SECID176
>
> http://exim.org/exim-html-4.69/doc/html/spec_html/ch11.html#SECTexpop
> ( for ${lookup )
>
>
> Something along the lines of
>      server_secret = ${lookup pgsql{PG_Q_AUTH_CRAMMD5} {$value} fail}
>
> What's happened is that your spammer has guessed, probably, a user name
> which does not exist in your database - and then tried to AUTH with it
> and any random password.  Not hard, even for a really dumb spammer.
>
> Cheers,
>       Jeremy
>
> PS:  You're correct to be using the server config for the authenticator.
> Client would be when you want to use AUTH when initiating SMTP
> sessions to other servers.
>

Hi Jeremy,

thank you for your answer. It was very helpful. I have changed the 
"server_secret ..." line as in your example and the example in chapter 
35.1. I will check if I can add a test for empty passwords as well. 
Perhaps it is possible somewhere in the ACL.

Cheers,
Alexander

-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users 
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
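The following is an added illustration, not code from the thread or from Exim: a small CRAM-MD5 server check that models the two lookup behaviours discussed above. The "lenient" lookup returns an empty secret for an unknown user, as `${lookup pgsql{...}}` does without a `fail` branch; the "strict" lookup models `${lookup pgsql{...} {$value} fail}` and, going one step further than Jeremy's expansion, also rejects an empty stored secret (Alexander's "test for empty passwords"). The user table and challenge are constructed sample data.

```python
import hashlib
import hmac


class AuthFail(Exception):
    """Stands in for a forced expansion failure (Exim's 'fail' keyword)."""


def lookup_secret_lenient(users: dict, username: str) -> str:
    """No fail branch: a missing row quietly becomes the empty string."""
    return users.get(username, "")


def lookup_secret_strict(users: dict, username: str) -> str:
    """With a fail branch: a missing row (or an empty secret) fails outright."""
    secret = users.get(username)
    if not secret:
        raise AuthFail(f"no usable secret for {username!r}")
    return secret


def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """Client side of CRAM-MD5: 'username HEX(HMAC-MD5(password, challenge))'."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def server_verify(users: dict, challenge: bytes, response: str, lookup) -> bool:
    """Server side: recompute the digest from the stored secret and compare."""
    try:
        username, digest = response.split(" ", 1)
    except ValueError:          # malformed response, not two space-separated fields
        return False
    try:
        secret = lookup(users, username)
    except AuthFail:
        return False
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def demo() -> tuple:
    """Unknown user with an empty password: accepted by the lenient lookup, rejected by the strict one."""
    users = {"alice": "correct horse battery"}          # constructed sample table
    challenge = b"<1291414296.4711@mail.example>"       # constructed sample challenge
    probe = cram_md5_response("nosuchuser", "", challenge)
    return (server_verify(users, challenge, probe, lookup_secret_lenient),
            server_verify(users, challenge, probe, lookup_secret_strict))
```

With the lenient lookup the server's HMAC key is the empty string, which is exactly what the client used, so the comparison succeeds for an account that does not exist; the strict lookup never reaches the comparison.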
