On 31/10/13 12:27, Todd Lyons wrote:
> On Wed, Oct 30, 2013 at 5:35 AM, nick <[email protected]> wrote:
>> It allows any user in the LDAP tree to do smtp-auth and I am suffering from
>> spam-by-smtpauth as many of the user passwords
>> are insufficiently robust and/or the users have their password stolen by
>> malware.
>>
>> I would very much like to fix this.
>>
>> The current authenticator:
>>
>> plain:
>>   driver = plaintext
>>   public_name = PLAIN
>>   server_condition = ${if ldapauth \
>>     {user="cn=${quote_ldap_dn:$2},o=southover,c=uk" \
>>     pass=${quote:$3} \
>>     ldap://ldap.southover.net/}{yes}{no}}
>>   server_set_id = $2
>>
>> In the LDAP tree there is to be an attribute 'smtpauth' which is set TRUE or
>> FALSE by our control panel.
>>
>> But I am unable to figure out the correct syntax required in the plaintext
>> authenticator - exim just barfs with my every feeble attempt.
>>
>> I would like to do something like this:
>>
>> server_condition = if
>>   #check the smtpauth flag for TRUE
>>   lookup
>>   ldap{ldap:///o=southover,c=uk?mail?sub? (&
>>   (cn=${quote_ldap_dn:$1})(smtpauth=${quote_ldap:TRUE}))}
>>   and
>>   #can this user do ldapauth:
>>   ldapauth{user="cn=${quote_ldap_dn:$1},o=southover,c=uk" pass=${quote:$2}
>>   ldap://ldap.southover.net/}
>
> Be mindful of which variables you are using in which authenticator.
> In the top one, $2 is the email address and $3 is the submitted
> password. In your attempts to check the smtpauth flag, you're using
> $1 and $2. For the PLAIN authenticator, you use $2 and $3. For the
> LOGIN authenticator, you use $1 and $2.
>
> ...Todd

Thanks for spotting my mistake Todd - I must have cut'n'pasted from the
wrong authenticator.
You have probably saved me an afternoon of head scratching..
n.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
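
Todd's correction combined with the flag check sketched in the question, as an added example that is not part of the thread and not code from the Exim project: a PLAIN authenticator that uses $2/$3 in both tests and only accepts the login when the LDAP entry carries smtpauth=TRUE and the bind succeeds. It assumes the smtpauth attribute holds the literal string TRUE and is readable by an anonymous bind; the host and base DN are the ones quoted in the thread.

```exim
# Added example. PLAIN authenticator: $2 = user name, $3 = password.
# Assumptions: smtpauth is stored as the string TRUE and can be read
# anonymously; an entry without the attribute is refused.
plain:
  driver = plaintext
  public_name = PLAIN
  server_condition = ${if and{ \
      # 1. flag check: the lookup yields "yes" only if an entry with this cn
      #    has smtpauth=TRUE. quote_ldap is the quoting for filter values;
      #    quote_ldap_dn is only for DNs.
      {eq{${lookup ldap{ldap://ldap.southover.net/o=southover,c=uk?smtpauth?sub?\
            (&(cn=${quote_ldap:$2})(smtpauth=TRUE))}{yes}{no}}}{yes}} \
      # 2. credential check: bind as the user with the submitted password.
      {ldapauth{user="cn=${quote_ldap_dn:$2},o=southover,c=uk" \
            pass=${quote:$3} \
            ldap://ldap.southover.net/}} \
    }{yes}{no}}
  server_set_id = $2
```

For a LOGIN authenticator the same condition applies with $1 in place of $2 and $2 in place of $3.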