On Fri, Mar 31, 2023 at 04:19:05PM +0300, Dzmitry Shykuts via Exim-users wrote:
> I found where the problem was!
>
> It turns out that the Thunderbird mail client uses two types of
> authentication with an unencrypted password at the same time: PLAIN and
> LOGIN. First it tries PLAIN (and my condition just worked correctly and
> there was a standard entry about "Incorrect authentication data" in the
> log), and then, since PLAIN failed, Thunderbird used LOGIN (I did not add a
> condition) and the mail was successfully sent. Yesterday I did not pay
> attention to the authenticator of the second (successful) authentication
> attempt in the log, where instead of PLAIN there was already LOGIN.

This is one of at least two bugs in your configuration. I think your PLAIN
authenticator should always fail, because you use $auth1 as the name and $auth2
as the password, while $auth1 should always be the null string for PLAIN. For
PLAIN, $auth2 is the username and $auth3 is the password (unlike the parameters
of CRAM-MD5 and LOGIN). Look into ch. 34 for details.

Running Exim with the -d+auth+expand option would make it visible.

> Here is the resulting auth config (suddenly it will come in handy for
> someone):
>
> dovecot_cram_md5:
>   driver = dovecot
>   public_name = CRAM-MD5
>   server_socket = /var/run/dovecot/auth-client
>   server_set_id = $auth1
>   server_advertise_condition = AUTH_ADVERTISE_CONDITION
>   server_condition = ${if
> or{{match_ip{$sender_host_address}{LAN}}{and{{exists{AUTH_EXCEPTIONS}}{eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}}}}}
>
> dovecot_login:
>   driver = dovecot
>   public_name = LOGIN
>   server_socket = /var/run/dovecot/auth-client
>   server_set_id = $auth1
>   server_advertise_condition = AUTH_ADVERTISE_CONDITION
>   server_condition = ${if
> or{{match_ip{$sender_host_address}{LAN}}{and{{exists{AUTH_EXCEPTIONS}}{eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}}}}}
>
> dovecot_plain:
>   driver = dovecot
>   public_name = PLAIN
>   server_socket = /var/run/dovecot/auth-client
>   server_set_id = $auth1
>   server_advertise_condition = AUTH_ADVERTISE_CONDITION
>   server_condition = ${if
> or{{match_ip{$sender_host_address}{LAN}}{and{{exists{AUTH_EXCEPTIONS}}{eq{${lookup{$auth1}nwildlsearch{AUTH_EXCEPTIONS}{yes}{no}}}{yes}}}}}}

--
 Eugene Berdnikov

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
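
The field numbering from the reply above, worked through in Python as an added example that is not part of the original thread: it decodes a PLAIN response and a LOGIN exchange and shows which value a lookup keyed on `$auth1` would receive under each. The credentials are constructed, the function names are hypothetical, and the numbering assumed is the one the reply gives (the one Exim's plaintext driver uses).

```python
import base64

# Constructed sample credentials, not taken from the thread.
USER, PASSWORD = "alice@example.test", "constructed-pass"
PLAIN_SAMPLE = base64.b64encode(f"\0{USER}\0{PASSWORD}".encode()).decode()
LOGIN_SAMPLE = [base64.b64encode(s.encode()).decode() for s in (USER, PASSWORD)]


def plain_fields(response_b64):
    """SASL PLAIN (RFC 4616): one base64 blob, authzid NUL authcid NUL passwd."""
    parts = base64.b64decode(response_b64, validate=True).split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN needs exactly three NUL-separated fields")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    if not authcid or not passwd:
        raise ValueError("empty authentication id or password")
    # Numbering as in the reply: auth1 is the (usually empty) authorization id.
    return {"auth1": authzid, "auth2": authcid, "auth3": passwd}


def login_fields(responses_b64):
    """LOGIN: two separate base64 answers, username first, then password."""
    if len(responses_b64) != 2:
        raise ValueError("LOGIN needs a username and a password response")
    user, passwd = (base64.b64decode(r, validate=True).decode("utf-8")
                    for r in responses_b64)
    return {"auth1": user, "auth2": passwd}


def username(mechanism, fields):
    """Pick the field that holds the login name for this mechanism."""
    return fields["auth2"] if mechanism == "PLAIN" else fields["auth1"]


if __name__ == "__main__":
    for mech, fields in (("PLAIN", plain_fields(PLAIN_SAMPLE)),
                         ("LOGIN", login_fields(LOGIN_SAMPLE))):
        # A lookup keyed on auth1 sees the empty authzid under PLAIN.
        print(f"{mech}: auth1={fields['auth1']!r} "
              f"username={username(mech, fields)!r}")
```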