
AUTH + SQL: Thoughts

Dear list,

Don't worry, I'm not going to bug you with any additional questions
on the topic ;) I just wanted to sum up what now works fine and
share a few last thoughts on it.

The task was to enable SMTP AUTH on Exim v3.36 using a MySQL database.
The authenticators used are appended below[1].

Oh, yes, there's something not to forget: You must include a "NULL"
username with a bogus password in your SQL database, else anyone can
relay through your server by simply sending empty username and
password (for example by using AUTH LOGIN and then just pressing enter
when the server prompts you).

I hope this helps anyone facing the same troubles I had at the
beginning :)

Best regards,
Johannes mailto:jmp@its-toasted.org

[1]

# LOGIN: the client answers two prompts; $1 = username, $2 = password.
# The username is passed through ${quote_mysql:...} so that quote
# characters in it cannot alter the query.
login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = ${if eq{$2}{${lookup mysql{SELECT password FROM \
    accounts WHERE username = '${quote_mysql:${local_part:$1}}'}}}{1}{0}}
  server_set_id = $1

# PLAIN: the client sends authzid NUL authcid NUL password in one go, so
# $1 is the (usually empty) authorization id, $2 the username and $3 the
# password. A single empty prompt is used. This authenticator is named
# "plain" here; two authenticators cannot both be called "login".
plain:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_condition = ${if eq{$3}{${lookup mysql{SELECT password FROM \
    accounts WHERE username = '${quote_mysql:${local_part:$2}}'}}}{1}{0}}
  server_set_id = $2

# CRAM-MD5: Exim needs the clear-text secret for the user in $1.
cram:
  driver = cram_md5
  public_name = CRAM-MD5
  server_secret = ${lookup mysql{select password from accounts \
    where username = '${quote_mysql:$1}'}}
  server_set_id = $1

Re: AUTH + SQL: Thoughts
At 12:16 +0200 6/25/2002, Johannes M. Posel wrote:
>Oh, yes, there's something not to forget: You must include a "NULL"
>username with a bogus password in your SQL database, else anyone can
>relay through your server by simply sending empty username and
>password (for example by using AUTH LOGIN and then just pressing enter
>when the server prompts you).

Thank you! (We're using LDAP, where the same issue is present.)

We've fixed open relay, thanks to your message.

I put the low-risk fix in first*: in the ACL stanza which accepts
authenticated senders I added a condition requiring that $authenticated_id
not be empty (having set that up in the authentication).

A prober will still THINK they've authenticated; I will fix that anon, but
at least the previously open relay is closed.

*the authenticators are already ugly, since I wanted to assume the domain
given a "bare" local part (in honor of Eudora, which really doesn't want to
authenticate john@doe.example, although it can be forced to). And fixing
this there will make them uglier.

--John


--
John Baxter jwblist@olympus.net Port Ludlow, WA, USA
Re: AUTH + SQL: Thoughts (SOLUTION)
Hi,

The best solution I found is as follows:

# CRAM-MD5: the whole WHERE clause belongs inside the lookup braces; as
# originally posted the "}}" closed the lookup before the
# "and plain_password != ''" part, which then became literal text in the
# secret instead of a condition on the query.
cram:
  driver = cram_md5
  public_name = CRAM-MD5
  server_secret = ${lookup mysql{select plain_password from users \
    where imap_user = '${quote_mysql:$1}' \
    and plain_password != '' and imap = 'yes'}}
  server_set_id = $1

# PLAIN: $1 = authorization id (usually empty), $2 = username, $3 = password.
# count(*) yields 1 only when a row with that user AND that non-empty
# password exists, so an empty password can never authenticate.
plain:
  driver = plaintext
  public_name = PLAIN
  server_condition = ${lookup mysql{select count(*) from users where \
    imap_user = '${quote_mysql:$2}' \
    and plain_password = '${quote_mysql:$3}' \
    and plain_password != '' and imap = 'yes'}}
  server_set_id = $2

# LOGIN: $1 = username, $2 = password (answers to the two prompts).
login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = Username:: : Password::
  server_condition = ${lookup mysql{select count(*) from users where \
    imap_user = '${quote_mysql:$1}' \
    and plain_password = '${quote_mysql:$2}' \
    and plain_password != '' and imap = 'yes'}}
  server_set_id = $1

As you can see from the SQL above, no user can have a NULL password! This is
very important as we allow our virtual users to adjust their
passwords as often as they want.
This way, if someone accidentally sets the password as empty, then at least
their username can't be used to relay mail.

However, this is on Exim 3, but it should work on Exim 4.

Colin Halbert
NDCG Online
Internet Solution Providers
Tel: 07050802437

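The empty-credential hole Johannes describes at the top of the thread, and the two fixes proposed in the replies (John's non-empty $authenticated_id check in the ACL, and Colin's SQL condition that rejects empty passwords), simulated in Python as an added example. This is not Exim code and not code from any poster: it uses SQLite in place of MySQL, the "accounts" table and its rows are constructed sample data, the function names are assumptions, and it models a lookup with no matching row as expanding to the empty string, which is the behaviour the thread reports for an empty username.

```python
# Added example (not from the thread and not Exim's own code): a Python
# simulation, using SQLite in place of MySQL, of the server_condition
# variants discussed above. The "accounts" table and its rows are
# constructed sample data; the assumption that a lookup with no matching
# row expands to '' reproduces the empty-username behaviour the thread reports.
import sqlite3

# Constructed sample data: one normal user and one who blanked their password.
SAMPLE_ACCOUNTS = [("alice", "hunter2"), ("bob", "")]


def make_db(with_null_row=False):
    """Build an in-memory accounts table; optionally add Johannes' workaround
    row: an empty username paired with a bogus password."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE accounts (username TEXT PRIMARY KEY, password TEXT NOT NULL)"
    )
    con.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    if with_null_row:
        con.execute("INSERT INTO accounts VALUES ('', 'BOGUS-no-such-password')")
    return con


def lookup_password(con, username):
    """Stand-in for ${lookup mysql{SELECT password ... WHERE username='...'}}.
    The parameterised query plays the role of ${quote_mysql:...}. Assumption:
    no matching row yields '' (the behaviour the thread reports)."""
    row = con.execute(
        "SELECT password FROM accounts WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else ""


def weak_condition(con, username, password):
    """Original check: ${if eq{$2}{<looked-up password>}{1}{0}}.
    Accepts ('', '') because '' == '', and accepts any user whose stored
    password is empty."""
    return password == lookup_password(con, username)


def hardened_condition(con, username, password):
    """Colin's check: count(*) WHERE user = ? AND password = ? AND password != ''.
    An empty stored password can never match, whatever the client sends."""
    n = con.execute(
        "SELECT count(*) FROM accounts "
        "WHERE username = ? AND password = ? AND password != ''",
        (username, password),
    ).fetchone()[0]
    return n == 1


def acl_allows_relay(authenticated_id, auth_succeeded):
    """John's ACL-side guard: relaying needs a successful AUTH *and* a
    non-empty $authenticated_id. Closes the empty-username hole but not the
    empty-password one (bob, with a blanked password, still relays)."""
    return auth_succeeded and authenticated_id != ""


def run_cases():
    """Evaluate each variant against four credential pairs; returns a dict
    keyed by (username, password) with one bool per variant."""
    cases = [("alice", "hunter2"), ("alice", "wrong"), ("", ""), ("bob", "")]
    plain_db = make_db()
    null_row_db = make_db(with_null_row=True)
    results = {}
    for user, pw in cases:
        weak = weak_condition(plain_db, user, pw)
        results[(user, pw)] = {
            "weak": weak,
            "weak+null_row": weak_condition(null_row_db, user, pw),
            "weak+acl": acl_allows_relay(user, weak),
            "hardened": hardened_condition(plain_db, user, pw),
        }
    return results


if __name__ == "__main__":
    for creds, outcome in run_cases().items():
        print(creds, outcome)
```

Running it, the ('', '') pair passes the original check and fails under each of the three fixes; the ('bob', '') pair shows that the ACL guard and the bogus-password row only cover the empty username, while Colin's `plain_password != ''` condition is the one that also refuses a user who has blanked their own password.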