On 17/02/2023 23:16 EET Jeff Rogers <dv...@diphi.com> wrote:

Hi all,

I recently discovered a configuration issue on my system where a system user account had a blank rather than invalid or disabled password in the passwd/shadow database. The user could not be logged into through login/telnet/ssh because it was marked as a system account (uid < 100). Dovecot also would not authenticate the user for the same reason.

However, I'm using exim using dovecot_login for authentication, and that would authenticate the user with a blank and allow me to be used as an open relay.

This is clearly a config issue on my part (since fixed), but should dovecot_login guard against blank passwords or system users just as a normal login does?

I'm running dovecot 2.2.36 (1f10bfa63)
Exim version 4.96

I don't know which software supplies the dovecot_login connector.

The SMTP session would include

AUTH LOGIN
334 VXNlcm5hbWU6
cG9zdGZpeA==
334 UGFzc3dvcmQ6
<-- nothing, just a return here
235 Authentication succeeded
DONE

Hi!
Can you provide logs about this with auth_debug=yes and doveconf -n output?
--- Aki
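
An added example, not part of the thread and not code from Dovecot or Exim: a small audit that finds accounts whose shadow password field is empty (as opposed to locked with `!` or `*`), the misconfiguration described in the quoted message. The account lines are constructed sample data, and the uid < 100 cut-off for system accounts is taken from the post and varies by distribution.

```python
# Added example: audit passwd/shadow-format text for empty password fields.
# All account lines below are constructed sample data.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
postfix:x:89:89:Postfix:/var/spool/postfix:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
"""
SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedhash:19400:0:99999:7:::
postfix::19400:0:99999:7:::
alice:!$6$constructedsalt$constructedhash:19400:0:99999:7:::
backup:*:19400:0:99999:7:::
"""

SYSTEM_UID_MAX = 100  # assumption taken from the post ("uid < 100")


def classify(pw_field):
    """Return the state of a shadow password field."""
    if pw_field == "":
        return "empty"    # no password at all: any secret, or none, matches
    if pw_field[0] in "!*":
        return "locked"   # cannot match any password hash
    return "hashed"


def audit(passwd_text, shadow_text):
    """Return (name, uid, is_system) for every account with an empty password."""
    uids = {}
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            uids[parts[0]] = int(parts[2])
    findings = []
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) < 2:
            continue  # skip malformed or blank lines
        name = parts[0]
        if classify(parts[1]) == "empty":
            uid = uids.get(name)
            findings.append((name, uid, uid is not None and uid < SYSTEM_UID_MAX))
    return findings


if __name__ == "__main__":
    for name, uid, is_system in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"empty password: {name} (uid={uid}, system={is_system})")
```

To check a real host, pass the contents of `/etc/passwd` and `/etc/shadow` to `audit()`; reading the shadow file requires root.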