On 2009-10-09 at 08:40 -0700, John Doe wrote:
> From: Mike Cardwell <[email protected]>
> > You're open to SQL injection attacks as you haven't escaped apostrophes
> > in the login name or password. For example:
> >
> > login = '$2'
> >
> > Should be:
> >
> > login = '${quote_mysql:$2}'
>
> Thx for the fix! So:
>
> AUTH_PLAIN_QUERY = SELECT login FROM emails WHERE login = '${quote_mysql:$2}' \
> AND password = MD5('${quote_mysql:$3}')
> AUTH_LOGIN_QUERY = SELECT login FROM emails WHERE login = '${quote_mysql:$1}' \
> AND password = MD5('${quote_mysql:$2}')
Since you're on 4.63, you can also use $auth2 instead of $2, for clarity (just double-checked, the clearer names were introduced in 4.61).

> I have another question: how can I allow only encrypted/authenticated
> connections?

In the ACL logic for the MAIL or RCPT commands, you write rules which state that if not on port 25, then you "require" an encrypted connection and you require that $authenticated_id be set; that's part of what your use of server_set_id buys you. RCPT is probably better; some clients allegedly get confused if the MAIL command fails.

The cleanest way of doing it is likely to be to have a sub-ACL for doing the check, which returns accept for port 25, or for both authenticated and encrypted, else returns reject, and then use "require acl = ..." in the RCPT logic.

-Phil

-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
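The sub-ACL approach described in the reply above, written out as Exim configuration. This is an added example, not configuration posted in the thread; the ACL names, the reject/log message texts and the assumption that +relay_from_hosts and +local_domains are defined as in Exim's default configuration are all mine.

```exim
# Main section: hand RCPT TO checks to the named ACL below
acl_smtp_rcpt = acl_check_rcpt

begin acl

# Sub-ACL (name is an assumption): accept on port 25 (MX traffic), or when
# the session is both TLS-encrypted and successfully authenticated; else deny.
acl_require_secure_submission:
  # Inbound MX traffic on port 25 is not required to authenticate here
  accept  condition     = ${if eq{$interface_port}{25}}

  # Any other port (e.g. 587 submission): need TLS AND a completed AUTH.
  # $authenticated_id is only set when server_set_id ran in the authenticator.
  accept  encrypted     = *
          authenticated = *
          condition     = ${if def:authenticated_id}

  # Everything else is refused; log_message gives a greppable mainlog line
  deny    message       = Authentication over TLS is required on this port
          log_message   = unauthenticated submission attempt on port $interface_port

acl_check_rcpt:
  # If the sub-ACL returns deny, this require statement rejects the RCPT
  # and the sub-ACL's message is used as the SMTP error text
  require acl = acl_require_secure_submission

  # Usual relay and recipient checks follow (lists assumed defined in the
  # main section, as in the default Exim configuration)
  accept  hosts         = +relay_from_hosts
  accept  authenticated = *
  require verify        = recipient
  accept  domains       = +local_domains
  deny    message       = relay not permitted
```

Note that a sub-ACL which runs off its end without matching a statement returns deny, so the explicit final deny mainly serves to attach the message and log_message.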
