
auth disclosure on auth rejects in logfiles
Exim: 4.94-1  Fedora 32 Build

Hi,

I just found out that exim logs the auth credentials in case they get
rejected due to bruteforce rules:

2021-01-25 10:15:47 H=<HOSTNAME> (EHLO STRING) [IP ADDRESS] X=TLS1.3:TLS_AES_128_GCM_SHA256:128 CV=no rejected AUTH PLAIN BASE64STRING : authentication is allowed only once per message in order to slow down bruteforce cracking

This config part:

acl_check_auth:
  drop  message = authentication is allowed only once per message in order \
                  to slow down bruteforce cracking
        set acl_m_auth = ${eval10:0$acl_m_auth+1}
        condition = ${if >{$acl_m_auth}{2}}
        delay = 22s


I don't see a good reason to print that info into the log, as in the
case I found, the mail client just made a mistake and it was not an
attacker.

best regards,
Marius

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
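An added example (not from the thread and not Exim's own code) that scans mainlog lines of the shape quoted above, replaces the credential blob with a marker before the log is kept or shipped elsewhere, and reports which account names were exposed so those passwords can be rotated; the hostnames, IP address and credentials in the sample lines are constructed:

```python
import base64
import re

# Shape of the mainlog line quoted in the thread:
#   ... CV=no rejected AUTH PLAIN <base64> : <ACL drop message>
# Everything after "rejected AUTH <mech> " up to " : " is the client's SASL response.
AUTH_REJECT = re.compile(
    r"^(?P<prefix>.*\brejected AUTH (?P<mech>[A-Z0-9-]+) )"
    r"(?P<blob>[A-Za-z0-9+/=]+)"
    r"(?P<rest> : .*)?$"
)

def plain_authcid(blob):
    """Return the authentication id from a SASL PLAIN response
    (RFC 4616: [authzid] NUL authcid NUL password), or None if the blob
    is not a well-formed PLAIN response. The password is never returned."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    parts = raw.split(b"\0")
    if len(parts) != 3 or not parts[1]:
        return None
    return parts[1].decode("utf-8", errors="replace")

def redact_line(line):
    """Replace the credential blob with a marker. Returns (line, authcid);
    authcid is set only for decodable PLAIN responses, so the admin knows
    whose password was written to disk and should be rotated."""
    m = AUTH_REJECT.match(line)
    if not m:
        return line, None
    user = plain_authcid(m.group("blob")) if m.group("mech") == "PLAIN" else None
    return f"{m.group('prefix')}<redacted>{m.group('rest') or ''}", user

def affected_users(lines):
    """Set of authcids whose PLAIN credentials appear in the given log lines."""
    return {u for _, u in map(redact_line, lines) if u}

# Constructed sample lines (hostname, IP and credentials are made up);
# the first mirrors the format and ACL drop message from the thread.
_BLOB = base64.b64encode(b"\0alice\0hunter2").decode()
SAMPLE_LINES = [
    "2021-01-25 10:15:47 H=client.example.net (client) [192.0.2.10] "
    "X=TLS1.3:TLS_AES_128_GCM_SHA256:128 CV=no rejected AUTH PLAIN " + _BLOB +
    " : authentication is allowed only once per message in order "
    "to slow down bruteforce cracking",
    "2021-01-25 10:15:48 SMTP connection from client.example.net [192.0.2.10] lost",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(redact_line(line)[0])
    print("rotate passwords for:", sorted(affected_users(SAMPLE_LINES)))
```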
Re: auth disclosure on auth rejects in logfiles
On Mon, 25 Jan 2021, Cyborg via Exim-users wrote:

> Exim: 4.94-1  Fedora 32 Build
>
> I just found out that exim logs the auth credentials in case they get rejected
> due to bruteforce rules:
>
> 2021-01-25 10:15:47 H=<HOSTNAME> (EHLO STRING) [IP ADDRESS]
> X=TLS1.3:TLS_AES_128_GCM_SHA256:128 CV=no rejected AUTH PLAIN BASE64STRING :
> authentication is allowed only once per message in order to slow down
> bruteforce cracking
>
> This config part:
>
> acl_check_auth:
>   drop  message = authentication is allowed only once per message in order \
>                   to slow down bruteforce cracking
>         set acl_m_auth = ${eval10:0$acl_m_auth+1}
>         condition = ${if >{$acl_m_auth}{2}}
>         delay = 22s
>
> I don't see a good reason to print that info into the log, as in the case I
> found, the mail client just made a mistake and it was not an attacker.

I don't see that message in the exim source.

Is it something added by Fedora ?

--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk
Re: auth disclosure on auth rejects in logfiles
On 25/01/2021 10:36, Cyborg via Exim-users wrote:
> 2021-01-25 10:15:47 H=<HOSTNAME> (EHLO STRING) [IP ADDRESS] X=TLS1.3:TLS_AES_128_GCM_SHA256:128 CV=no rejected AUTH PLAIN BASE64STRING : authentication is allowed only once per message in order to slow down bruteforce cracking
>
> This config part:
>
> acl_check_auth:
>   drop  message = authentication is allowed only once per message in order \
>                   to slow down bruteforce cracking

> I don't see a good reason to print that info into the log, as in the case I found, the mail client just made a mistake and it was not an attacker.

We do avoid logging the equivalent on outgoing... I guess that case was more obviously
"our" sensitive info. I agree this could do with attention.
--
Cheers,
Jeremy

Re: auth disclosure on auth rejects in logfiles
On 25/01/2021 12:16, Jeremy Harris via Exim-users wrote:
>   I agree this could do with attention.

Addressed in 37a81ae731
--
Cheers,
Jeremy
