Authentication returns code 435 instead of 535
Hello,

I've set up Exim to use PAM authentication. That should return the
correct PAM return values:

PAM_SUCCESS - all good
PAM_AUTH_ERR - wrong password
PAM_USER_UNKNOWN - wrong user

I see a lot of lines like this in the mainlog:

> 2020-12-27 20:04:00 login authenticator failed for (USER) [199.192.16.253]: 435 Unable to authenticate at present (set_id=scanner@mydomain.de): Permission denied

So it returns the temporary code 435 instead of the permanent code 535.
Why's that? I'm using the suggested config from the Exim manual. Should
there be a "fail" or "false" somewhere in the expansion?

> begin authenticators
>
> fixed_plain:
> driver = plaintext
> public_name = PLAIN
> server_prompts = :
> # Check password in $auth3 for user in $auth2
> server_condition = ${if pam{$auth2:${sg{$auth3}{:}{::}}}}
> server_set_id = $auth2
>
> login:
> driver = plaintext
> public_name = LOGIN
> server_prompts = Username:: : Password::
> # Check password in $auth2 for user in $auth1
> server_condition = ${if pam{$auth1:${sg{$auth2}{:}{::}}}}
> server_set_id = $auth1

-Yves

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
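Because the question hinges on whether these failures are being answered with a 4xx or a 5xx code, here is an added example (not from the thread, not Exim's code) of reading such mainlog lines and grouping them by source address: it separates temporary from permanent replies and flags addresses that cycle through several set_id values, which is the pattern behind the scanner@ line quoted above. The regular expression is my own and assumes the line layout shown in the quote; the sample lines are constructed (the first is the one from the thread, the rest use documentation addresses and placeholder ids).

```python
import re
from collections import defaultdict

# Constructed sample of Exim mainlog lines. Line 1 is the one quoted in the
# thread; the others are made-up variants. "535 Incorrect authentication data"
# is the wording Exim uses when server_condition yields false.
SAMPLE_MAINLOG = """\
2020-12-27 20:04:00 login authenticator failed for (USER) [199.192.16.253]: 435 Unable to authenticate at present (set_id=scanner@mydomain.de): Permission denied
2020-12-27 20:04:07 plain authenticator failed for (USER) [199.192.16.253]: 435 Unable to authenticate at present (set_id=admin@mydomain.de): Permission denied
2020-12-27 20:05:12 plain authenticator failed for (client.example) [203.0.113.7]:51234: 535 Incorrect authentication data (set_id=alice@mydomain.de)
2020-12-27 20:05:40 login authenticator failed for (USER) [2001:db8::1234]: 535 Incorrect authentication data (set_id=bob@mydomain.de)
2020-12-27 20:06:01 1kteL4-0006Ue-2H <= alice@mydomain.de H=(client.example) [203.0.113.7] P=esmtpsa A=plain:alice@mydomain.de S=1234
2020-12-27 20:06:15 login authenticator failed for (USER) [199.192.16.253]: 435 Unable to authenticate at present (set_id=info@mydomain.de): Permission denied
"""

# Assumed layout (from the quoted line): timestamp, authenticator name,
# "(helo)" or host, "[ip]" with an optional ":port", SMTP code, reply text,
# optional "(set_id=...)", optional ": detail" from the expansion failure.
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<authenticator>\S+) authenticator failed for "
    r"(?P<helo>\(.*?\)|\S+) \[(?P<ip>[^\]]+)\](?::\d+)?: "
    r"(?P<code>\d{3}) (?P<reply>[^(]*?)"
    r"(?: \(set_id=(?P<set_id>[^)]*)\))?"
    r"(?:: (?P<detail>.*))?$"
)


def parse_auth_failure(line):
    """Return a dict for an 'authenticator failed' line, or None for any other line."""
    m = AUTH_FAIL_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["code"] = int(rec["code"])
    rec["temporary"] = 400 <= rec["code"] < 500   # 4xx invites the client to retry
    return rec


def summarize(log_text):
    """Per source address: count of 4xx and 5xx replies and the set_id values tried."""
    per_ip = defaultdict(lambda: {"temp": 0, "perm": 0, "ids": set()})
    for line in log_text.splitlines():
        rec = parse_auth_failure(line)
        if rec is None:
            continue
        bucket = per_ip[rec["ip"]]
        bucket["temp" if rec["temporary"] else "perm"] += 1
        if rec["set_id"]:
            bucket["ids"].add(rec["set_id"])
    return dict(per_ip)


def suspicious_sources(summary, min_ids=2):
    """Addresses that tried at least min_ids different user names.
    A 435 reply does not stop such a client, so temp-only sources count too."""
    return sorted(ip for ip, b in summary.items() if len(b["ids"]) >= min_ids)


def temporary_share(summary):
    """Fraction of failures answered with 4xx. Wrong passwords should produce
    5xx; a large 4xx share means the backend reported an error, not a verdict."""
    temp = sum(b["temp"] for b in summary.values())
    total = temp + sum(b["perm"] for b in summary.values())
    return temp / total if total else 0.0


if __name__ == "__main__":
    s = summarize(SAMPLE_MAINLOG)
    for ip, b in s.items():
        print(f"{ip}: 4xx={b['temp']} 5xx={b['perm']} ids={sorted(b['ids'])}")
    print("suspicious:", suspicious_sources(s))
    print("share of temporary replies:", temporary_share(s))
```

Run it against a real mainlog with `summarize(open("/var/log/exim4/mainlog").read())` (path is an assumption; use your own). A temporary share close to 1.0 for wrong passwords is the symptom from the thread: the reply code is coming from an expansion error rather than from a false result.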
Re: Authentication returns code 435 instead of 535
On 29/12/2020 00:05, Yves Goergen via Exim-users wrote:
> I see a lot of lines like this in the mainlog:
>
>> 2020-12-27 20:04:00 login authenticator failed for (USER) [199.192.16.253]: 435 Unable to authenticate at present (set_id=scanner@mydomain.de): Permission denied
>
> So it returns the temporary code 435 instead of the permanent code 535. Why's that? I'm using the suggested config from the Exim manual. Should there be a "fail" or "false" somewhere in the expansion?

Depending on your OS, you may have a permissions issue. Note the last para.
in the docs for the pam expansion condition, and also

http://wiki.wlug.org.nz/EximSmtpAuth

--
Cheers,
Jeremy

Re: Authentication returns code 435 instead of 535
Strange, then why does authentication work fine with correct data? It's
only the incorrect data (decided by a separate server which is contacted
by my PAM module) that causes a temporary error code in Exim instead of
a permanent. I don't understand the rest of the message Exim writes, I
have no idea where it all comes from. Do I need to know that?

-Yves

Re: Authentication returns code 435 instead of 535
Hi,

Sounds like you have two auth methods and method2 is only used when method1 fails.

This happens i.e. if mysql and pam are used together.


Best regards,
Marius

Re: Authentication returns code 435 instead of 535
On 29/12/2020 16:11, Yves Goergen via Exim-users wrote:
> Strange, then why does authentication work fine with correct data? It's only the incorrect data (decided by a separate server which is contacted by my PAM module) that causes a temporary error code in Exim

Ah. I didn't understand that from what you said.
Try enabling debug in exim; it may give more insight.
--
Cheers,
Jeremy

Re: Authentication returns code 435 instead of 535
The authenticators you saw in my first message are all there is. Only
PAM, for the PLAIN and LOGIN variants, nothing else. And I'm not aware
that my PAM module fails here. According to its syslog output, it
actually returns PAM_AUTH_ERR in a recent case that resulted in 435.

I think I found the relevant source code here:
https://github.com/Exim/exim/blob/master/src/src/auths/call_pam.c

The last few lines (from 194) seem to do this. I have no chance to
change it, all my negative return values result in the return value
FAIL. This function can only return OK, FAIL or ERROR. What happens then
is up to the calling code inside Exim, I couldn't trace that. Maybe it
always considers an authentication failure temporary and my expectations
are wrong? I just wouldn't assume that credentials would change anytime
soon so a permanent return code would be more appropriate here.

-Yves

Re: Authentication returns code 435 instead of 535
How can I get debug logs from Exim in daemon configuration? The Exim
daemon/service is already set up and required for production use. I can
change its logging, but not take it down.

-Yves

Re: Authentication returns code 435 instead of 535
On 18/01/2021 20:32, Yves Goergen via Exim-users wrote:
> How can I get debug logs from Exim in daemon configuration? The Exim daemon/service is already set up and required for production use. I can change its logging, but not take it down.

Either add a commandline option at the place your daemon is started, and restart it,
or add an ACL clause in your config, and reload it.

Both methods are documented.
--
Cheers,
Jeremy

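As an added illustration of the second of those two methods (this fragment is mine, not something from Jeremy's reply or from the Exim documentation), Exim's `control = debug` ACL modifier writes a debug trace for the matching connection to a separate file in the log directory, so the production daemon keeps running and only the configuration needs a reload. The ACL name, the host address and the tag are placeholders.

```exim
# Added example of a hypothetical Exim configuration fragment. Only connections
# from the listed test host get a debug trace; the tag is appended to the
# debuglog file name in Exim's log directory. The selectors after opts= are the
# same ones the -d command-line option takes (+expand shows string expansions,
# +auth the authenticator, +acl the ACL processing).
acl_smtp_connect = acl_check_connect

begin acl

acl_check_connect:
  warn  hosts   = 192.0.2.10
        control = debug/tag=.auth-test/opts=+expand+auth+acl
  accept
```

The other method Jeremy mentions, adding `-d` (with the same selectors) to the command line that starts the daemon, traces every connection and needs a restart, so the ACL form is the one to use when the daemon must stay up. Remove the clause again once the trace has been captured: the debug file records the authentication exchange, including the values of `$auth2` and `$auth3`, in clear text.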
Re: Authentication returns code 435 instead of 535
Here's the debug log, starting at the AUTH ACL:

> 00:36:48 2557469 accept: condition test succeeded in ACL "acl_check_auth"
> 00:36:48 2557469 end of ACL "acl_check_auth": ACCEPT
> 00:36:48 2557469 auth input decode: '' 'myusername' 'wrongpassword'
> 00:36:48 2557469 plain authenticator server_condition:
> 00:36:48 2557469 $auth1 =
> 00:36:48 2557469 $auth2 = myusername
> 00:36:48 2557469 $auth3 = wrongpassword
> 00:36:48 2557469 $1 =
> 00:36:48 2557469 $2 = myusername
> 00:36:48 2557469 $3 = wrongpassword
> 00:36:48 2557469 ╭considering: ${if pam{${sg{$auth2}{:}{::}} : ${sg{$auth3}{:}{::}} : ${sg{$sender_host_address}{:}{::}}}}
> 00:36:48 2557469 ╭considering: ${sg{$auth2}{:}{::}} : ${sg{$auth3}{:}{::}} : ${sg{$sender_host_address}{:}{::}}}}
> 00:36:48 2557469 ╭considering: $auth2}{:}{::}} : ${sg{$auth3}{:}{::}} : ${sg{$sender_host_address}{:}{::}}}}
> 00:36:48 2557469 ├──expanding: $auth2
> 00:36:48 2557469 ╰─────result: myusername
> 00:36:48 2557469 ╰──(tainted)
> 00:36:48 2557469 ╭considering: :}{::}} : ${sg{$auth3}{:}{::}} : ${sg{$sender_host_address}{:}{::}}}}
> 00:36:48 2557469 ├──expanding: :
> 00:36:48 2557469 ╰─────result: :
> 00:36:48 2557469 ╭considering: ::}} : ${sg{$auth3}{:}{::}} : ${sg{$sender_host_address}{:}{::}}}}
> 00:36:48 2557469 ├──expanding: ::
> 00:36:48 2557469 ╰─────result: ::
> 00:36:48 2557469 ╭considering: $auth3}{:}{::}} : ${sg{$sender_host_address}{:}{::}}}}
> 00:36:48 2557469 ├──expanding: $auth3
> 00:36:48 2557469 ╰─────result: wrongpassword
> 00:36:48 2557469 ╰──(tainted)
> 00:36:48 2557469 ╭considering: :}{::}} : ${sg{$sender_host_address}{:}{::}}}}
> 00:36:48 2557469 ├──expanding: :
> 00:36:48 2557469 ╰─────result: :
> 00:36:48 2557469 ╭considering: ::}} : ${sg{$sender_host_address}{:}{::}}}}
> 00:36:48 2557469 ├──expanding: ::
> 00:36:48 2557469 ╰─────result: ::
> 00:36:48 2557469 ╭considering: $sender_host_address}{:}{::}}}}
> 00:36:48 2557469 ├──expanding: $sender_host_address
> 00:36:48 2557469 ╰─────result: 2003:d5:735:f800:a819:4f90:c9a5:18d6
> 00:36:48 2557469 ╭considering: :}{::}}}}
> 00:36:48 2557469 ├──expanding: :
> 00:36:48 2557469 ╰─────result: :
> 00:36:48 2557469 ╭considering: ::}}}}
> 00:36:48 2557469 ├──expanding: ::
> 00:36:48 2557469 ╰─────result: ::
> 00:36:48 2557469 ├──expanding: ${sg{$auth2}{:}{::}} : ${sg{$auth3}{:}{::}} : ${sg{$sender_host_address}{:}{::}}
> 00:36:48 2557469 ╰─────result: myusername : wrongpassword : 2003::d5::735::f800::a819::4f90::c9a5::18d6
> 00:36:48 2557469 ╰──(tainted)
> 00:36:48 2557469 Running PAM authentication for user "myusername"
> 00:36:51 2557469 PAM error: Permission denied
> 00:36:51 2557469 ├failed to expand: ${if pam{${sg{$auth2}{:}{::}} : ${sg{$auth3}{:}{::}} : ${sg{$sender_host_address}{:}{::}}}}
> 00:36:51 2557469 ╰───error message: Permission denied
> 00:36:51 2557469 expansion failed: Permission denied
> 00:36:51 2557469 ╭considering: $auth2
> 00:36:51 2557469 ├──expanding: $auth2
> 00:36:51 2557469 ╰─────result: myusername
> 00:36:51 2557469 ╰──(tainted)
> 00:36:51 2557469 SMTP>> 435 Unable to authenticate at present

Looks like the pam expansion "fails". Actually, it simply returns the
defined error code for an invalid password. I wouldn't consider that a
"failure", PAM has worked properly and decided that the password is not
accepted. This is a final and correct result. Exim seems to think otherwise.

BTW, when providing the correct password, everything works just fine. I
would generally rule out any permission issues here. If there was a
permission issue, it would never work, no matter what credentials were
provided.

-Yves

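The debug trace above also shows what the `${sg{...}{:}{::}}` wrappers in the configuration are for: the host address comes out as `2003::d5::735::...`, every colon doubled. As an added example that is not from the thread and not Exim's code, the following implements that colon-list convention in Python, so the round trip can be checked and the failure mode without the wrapper (the first authenticator in Yves's config passes `$auth2` unescaped) can be seen. What it assumes about Exim's `pam` condition, taken from the Exim specification rather than from this thread: the argument is a colon-separated list (user, password, replies to any further prompts), a literal colon inside an item is written as `::`, and white space around each item is ignored.

```python
# Added example: the colon-list convention behind ${if pam{...}} and the
# ${sg{value}{:}{::}} wrapper. Assumed from the Exim specification: items are
# separated by single colons, "::" is a literal colon, and white space around
# an item is dropped. The parser below is mine and pairs colons greedily.

def escape_item(value: str) -> str:
    """What ${sg{value}{:}{::}} does: double every colon in the value."""
    return value.replace(":", "::")


def build_pam_string(*items: str) -> str:
    """Assemble the string the pam condition receives, each item escaped."""
    return ":".join(escape_item(item) for item in items)


def split_pam_string(text: str) -> list:
    """Split a colon-separated list back into items: '::' becomes one literal
    colon, a single ':' separates items, and each item is stripped."""
    items, current, i = [], [], 0
    while i < len(text):
        if text[i] == ":":
            if i + 1 < len(text) and text[i + 1] == ":":
                current.append(":")          # escaped colon, part of the item
                i += 2
                continue
            items.append("".join(current).strip())   # item separator
            current = []
            i += 1
            continue
        current.append(text[i])
        i += 1
    items.append("".join(current).strip())
    return items


def round_trips(*items: str) -> bool:
    """True when escaping, joining and splitting gives back exactly the items."""
    return split_pam_string(build_pam_string(*items)) == list(items)


if __name__ == "__main__":
    # The values from the debug trace: the address's colons come out doubled.
    print(build_pam_string("myusername", "wrongpassword",
                           "2003:d5:735:f800:a819:4f90:c9a5:18d6"))
    # Without the wrapper a password containing a colon is cut into two items,
    # so the PAM stack is asked about a truncated password.
    print(split_pam_string("bob:pa:ss"))                         # ['bob', 'pa', 'ss']
    print(split_pam_string(build_pam_string("bob", "pa:ss")))     # ['bob', 'pa:ss']
    # Limit of the doubling scheme: an item that starts with a colon still
    # parses wrongly, because "sep + escaped colon" begins with "::".
    print(split_pam_string(build_pam_string("bob", ":x")))        # ['bob:', 'x']
```

Two practical consequences for a configuration like the one in the thread: escape every item, the user name included, not only the password; and treat the leading-colon case and white-space trimming as limits of the list syntax when choosing what characters a password may contain (check the list-splitting rules of your Exim version against the last two calls above).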