Hi Dominic,

On 2015-07-01 14:03, Dominic Benson wrote:
On 01/07/15 09:55, Jonas Meurer wrote:

Ok, got that now. The following statement splits the username on '@'
and looks up the password for user <LOCALPART> in password file
/etc/vmail/users/<DOMAIN>:

vmail_auth_cram:
  server_debug_print = "A: vmail-authenticator cram-md5 for $auth1"
  driver = cram_md5
  public_name = CRAM-MD5
  server_secret = \
    ${lookup{${extract{1}{@}{$auth1}}} \
      lsearch{VMAIL_USERS_DOMAINS/${extract{2}{@}{$auth1}}} \
      {$value} \
      fail \
     }
  server_set_id = ${extract{1}{@}{$auth1}}


On the face of it, this looks a bit dangerous - attempting auth with a
contrived domain (e.g. with ../ or suchlike in it) could cause the
lsearch to happen against an unintended file - possibly one in a
location controlled by an attacker.

I think you should look up the domain part first to ensure that it is
one that you have set up.

Indeed, good point. I refrained from trying to implement my own SMTP
authenticator in Exim though and switched to the Dovecot authenticator
in the meantime. That one just works.

Nevertheless, thanks for your help.

Cheers,
 jonas


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
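An added example, not from this thread and not Exim's own code, that models in Python the point Dominic raises: the quoted lookup, which uses the unchecked domain part of $auth1 as a file name, beside a version that only accepts domains the operator has actually set up. The lsearch model, directory layout and sample users are constructed for the demonstration.

```python
import os
import tempfile

# Constructed password file in lsearch style ("key: value" per line).
EXAMPLE_FILE = "alice: s3cret\nbob: hunter2\n"

def lsearch(path, key):
    """Minimal model of Exim's lsearch: value of the first line whose key matches."""
    with open(path) as fh:
        for line in fh:
            k, sep, v = line.partition(":")
            if sep and k.strip() == key:
                return v.strip()
    return None

def secret_unchecked(base_dir, auth1):
    """Mirrors the quoted config: split on '@', use the domain part as the file name."""
    local, _, domain = auth1.partition("@")
    return lsearch(os.path.join(base_dir, domain), local)

def secret_checked(base_dir, auth1):
    """Only consult files for domains that exist directly under base_dir."""
    local, sep, domain = auth1.partition("@")
    if not sep or "@" in domain:
        return None
    configured = set(os.listdir(base_dir))  # the domains the operator set up
    if domain not in configured:
        return None
    path = os.path.realpath(os.path.join(base_dir, domain))
    if os.path.dirname(path) != os.path.realpath(base_dir):  # defence in depth
        return None
    return lsearch(path, local)

def demo():
    """Build a constructed layout and compare both lookups on a legit and a contrived domain."""
    root = tempfile.mkdtemp()
    users = os.path.join(root, "users")
    os.mkdir(users)
    with open(os.path.join(users, "example.org"), "w") as fh:
        fh.write(EXAMPLE_FILE)
    # A file outside the password directory, standing in for one an attacker controls.
    with open(os.path.join(root, "outside"), "w") as fh:
        fh.write("alice: attacker-chosen\n")
    return {
        "legit_unchecked": secret_unchecked(users, "alice@example.org"),
        "traversal_unchecked": secret_unchecked(users, "alice@../outside"),
        "legit_checked": secret_checked(users, "alice@example.org"),
        "traversal_checked": secret_checked(users, "alice@../outside"),
    }
```

The unchecked variant returns whatever the outside file says for alice, while the checked variant refuses the contrived domain and still serves the configured one.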
