On Tue, 24 Sep 2019 at 14:43, Cyborg via Exim-users <[email protected]> wrote:
> Am 24.09.19 um 11:07 schrieb Odhiambo Washington via Exim-users: > > 2019-09-23 19:05:01 1iCQpf-0002zI-7B <= [email protected] > > H=([127.0.0.1]) [5.61.42.174] I=[41.57.X.X]:587 P=esmtpsa > > X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no > > A=plain:[email protected] S=153471 id=4d95a1b3-5c91-471 > > [email protected] T="Your order ?5634 is ready for the > > transporting" from <[email protected]> for > > [email protected] > > To answere you question, yes, it uses plaintext auth and yes, it looks > like you auth is broken. > > I think you wanne have "POPbeforeSMTP" , which is a old mechanism to > authenticate someone for SMTP. > > Better activate SMTP-AUTH. > I have ASMTP active, as you might have seen from the headers. > Any client will support it, even OUTLOOK will do. > > The exim default config (for Fedora) has this to offer: > > > # LOGIN authentication has traditional prompts and responses. There is no > # authorization ID in this mechanism, so unlike PLAIN the username and > # password are $auth1 and $auth2. Apart from that you can use the same > # server_condition setting for both authenticators. > > LOGIN: > driver = plaintext > server_set_id = $auth1 > server_prompts = <| Username: | Password: > server_condition = ${if saslauthd{{$1}{$2}{smtp}} {1}} > server_advertise_condition = * > > > Depending where you dovecot auths against, it may work directly. > > If it's a dabase, you may wanne use this: > > LOGIN: > driver = plaintext > server_set_id = $1 > server_prompts = <| Username: | Password: > server_condition = "${if and { \ > {!eq{$2}{}} \ > {eq{1}{${lookup mysql{SELECT '1' FROM users WHERE > user = '${quote_mysql:${local_part:$1}}' and passwort = > password('${quote_mysql:$2}') }{$value}fail}} }} {yes}{no}}" > server_advertise_condition = * > > (dont forget to enable a database connection first) > > Check you dovecot for the used auth mechanism, it seems to be faulty I am using the dovecot authentication as spelt here: https://wiki.dovecot.org/HowTo/EximAndDovecotSASL And I don't think it is broken. > or > your attacker has access to you mailboxes and get the password anythime > you set a new one. > No possible because my passwords are encrypted, not plaintext. Thanks for helping me think it out. -- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft.", grep ^[^#] :-) -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
