Bug#323565: exim4-config: smarthost always tries to authenticate if AUTH is advertised

2005-08-20 Thread Andreas Metzler
tags 323565 pending
# fixed in SVN
thanks
On 2005-08-19 Andreas Metzler [EMAIL PROTECTED] wrote:
[...]
 Ah, beloved LOGIN.

 This patch fixes this, by forcing failure early enough if the
 lookup for $host either fails or returns an empty string.
[...]
 a similar change will go into the .else clause, but I am too lazy for
 that now.

I've been able to kick myself to change the else-clause too and have
committed the fix to SVN.
cu andreas
-- 
See, I told you they'd listen to Reason, [SPOILER] Svfurlr fnlf,
fuhggvat qbja gur juveyvat tha.
Neal Stephenson in Snow Crash
   http://downhill.aus.cc/


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#323565: exim4-config: smarthost always tries to authenticate if AUTH is advertised

2005-08-19 Thread Andreas Metzler
On 2005-08-18 Marc Haber [EMAIL PROTECTED] wrote:
 On Thu, Aug 18, 2005 at 07:34:16PM +0200, Andreas Metzler wrote:
 Well. Depends on what you consider try to authenticate to be. exim4
 will walk through the common set of remotely advertised and locally
 defined authenticators. - When running the authenticators it will
 try to lookup first the key hostname of smarthost and after that fails
 * in CONFDIR/passwd.client.
 
 With the default CONFDIR/passwd.client both lookups will fail, and the
 authenticators will stop being executed. And exim4 will not send any
 AUTH command but will simply try sending unauthenticated.
[...]
 Have $remote offer LOGIN and run the connection over TLS.

Ah, beloved LOGIN.

This patch fixes this, by forcing failure early enough if the
lookup for $host either fails or returns an empty string.

It works for me, i.e. AUTH LOGIN still works afterwards and the
useless AUTH is not sent anymore.
---
--- /etc/exim4/exim4.conf.template  2005-06-28 20:06:51.0 +0200
+++ exim4.conf.template 2005-08-19 20:10:57.650453912 +0200
@@ -1692,7 +1692,11 @@
   driver = plaintext
   public_name = LOGIN
 .ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
-  client_send = ${if !eq{$tls_cipher}{}{}fail}\
+  client_send = ${if and{\
+  {!eq{$tls_cipher}{}}\
+  
{!eq{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}{}}\
+ }\
+  {}fail}\
  : ${extract{1}{::}\

{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}} \
 : ${extract{2}{::}\
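Review bot: the new guard in the first client_send item only tests that the passwd.client lookup for $host is non-empty, so an entry that carries a login but nothing after the separator still passes it; consider also requiring a non-empty ${extract{2}{::}...} before letting the item expand. The expression ${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail} now appears three times in this option, and defining it once as a macro would keep the guard and the two extract items from drifting apart. A short comment above client_send saying that the forced failure is what stops the AUTH command from being sent would also help the next reader of the template.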
---

a similar change will go into the .else clause, but I am too lazy for
that now.
cu andreas
-- 
See, I told you they'd listen to Reason, [SPOILER] Svfurlr fnlf,
fuhggvat qbja gur juveyvat tha.
Neal Stephenson in Snow Crash
   http://downhill.aus.cc/





Bug#323565: exim4-config: smarthost always tries to authenticate if AUTH is advertised

2005-08-18 Thread Andreas Metzler
On 2005-08-17 Marc Haber [EMAIL PROTECTED] wrote:
 Package: exim4-config
 Version: 4.52-1
 Severity: normal

 30_exim4-config_remote_smtp_smarthost says

 hosts_try_auth = ${if exists {CONFDIR/passwd.client}{DCsmarthost}{}}

 Since exim4 shows a CONFDIR/passwd.client file, an exim client will
 always try to authenticate to the smarthost if the smarthost
 advertises AUTH.

 This is a bug, because exim should only try to authenticate when
 actual authentication data is present.
[...]

Hello,
Well. Depends on what you consider try to authenticate to be. exim4
will walk through the common set of remotely advertised and locally
defined authenticators. - When running the authenticators it will
try to lookup first the key hostname of smarthost and after that fails
* in CONFDIR/passwd.client.

With the default CONFDIR/passwd.client both lookups will fail, and the
authenticators will stop being executed. And exim4 will not send any
AUTH command but will simply try sending unauthenticated. See the
example below, which is rather short as $remote only offers CRAM-MD5.

To repeat: Remote will not see us trying to authenticate, the only
price paid is a little bit of wasted CPU-time and two file lookups.
cu andreas

--
 250-AUTH CRAM-MD5
 250 HELP
83.151.30.59 in hosts_require_tls? no (option unset)
using PIPELINING
83.151.30.59 in hosts_require_auth? no (option unset)
gethostbyname2(af=inet6) returned 4 (NO_DATA)
gethostbyname2 looked up these IP addresses:
  name=downhill.aus.cc address=83.151.30.59
83.151.30.59 in hosts_try_auth? yes (matched downhill.aus.cc)
scanning authentication mechanisms
search_open: lsearch /etc/exim4/passwd.client
search_find: file=/etc/exim4/passwd.client
  key=downhill.aus.cc partial=-1 affix=NULL starflags=1
LRU list:
  :/etc/exim4/passwd.client
  End
internal_search_find: file=/etc/exim4/passwd.client
  type=lsearch key=downhill.aus.cc
file lookup required for downhill.aus.cc
  in /etc/exim4/passwd.client
lookup failed
trying to match *
internal_search_find: file=/etc/exim4/passwd.client
  type=lsearch key=*
file lookup required for *
  in /etc/exim4/passwd.client
lookup failed
search_open: lsearch /etc/exim4/passwd.client
  cached open
search_find: file=/etc/exim4/passwd.client
  key=downhill.aus.cc partial=-1 affix=NULL starflags=1
LRU list:
  :/etc/exim4/passwd.client
  End
internal_search_find: file=/etc/exim4/passwd.client
  type=lsearch key=downhill.aus.cc
cached data used for lookup of downhill.aus.cc
  in /etc/exim4/passwd.client
lookup failed
trying to match *
internal_search_find: file=/etc/exim4/passwd.client
  type=lsearch key=*
cached data used for lookup of *
  in /etc/exim4/passwd.client
lookup failed
cram_md5 authenticator yielded 13
  SMTP MAIL FROM:[EMAIL PROTECTED] SIZE=1381
[...]
--

-- 
See, I told you they'd listen to Reason, [SPOILER] Svfurlr fnlf,
fuhggvat qbja gur juveyvat tha.
Neal Stephenson in Snow Crash
   http://downhill.aus.cc/
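
Added example, not part of the thread and not Exim or Debian code: a simplified Python model of the `lsearch*` lookup order shown in the debug log above (host key first, then `*`) and of the guard the later patch puts in front of AUTH LOGIN. It assumes `host:login:password` entries in passwd.client; the function names, sample hosts and credentials are hypothetical, and continuation lines are ignored.

```python
# Added example: simplified model of the lookup and guard, not Exim source.

# Constructed sample: comments only, like the default file in the thread.
SAMPLE_DEFAULT = """\
# (constructed) no credentials configured
# target.mail.server.example:login:password
"""

# Constructed sample entries; host names and credentials are made up.
SAMPLE_CONFIGURED = """\
mail.example.net:alice:s3cret
relay.example.org:
*:bob:hunter2
"""


def lsearch(text, key):
    """Value stored for key, or None when the lookup fails."""
    for line in text.splitlines():
        if not line.strip() or line[0].isspace() or line.startswith("#"):
            continue  # blank, continuation (ignored here) or comment line
        name, _, value = line.partition(":")
        if name.strip().lower() == key.lower():
            return value.strip()
    return None


def lsearch_star(text, key):
    """lsearch* behaviour from the debug log: try the key, then '*'."""
    value = lsearch(text, key)
    return value if value is not None else lsearch(text, "*")


def credentials_for(text, host):
    """(login, password), or None if the lookup fails or is empty."""
    value = lsearch_star(text, host)
    if not value:
        return None
    login, _, password = value.partition(":")
    return login, password


def sends_auth_login(text, host, tls_active, patched):
    """Model of the first client_send item of the LOGIN authenticator."""
    if not tls_active:   # {!eq{$tls_cipher}{}} is false: forced failure
        return False
    if not patched:      # old guard: TLS alone was enough
        return True
    return credentials_for(text, host) is not None
```

With the comments-only file, the unpatched model reports an AUTH LOGIN attempt over TLS and the patched one does not, which is the difference the two posters are arguing about.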





Bug#323565: exim4-config: smarthost always tries to authenticate if AUTH is advertised

2005-08-18 Thread Marc Haber
On Thu, Aug 18, 2005 at 07:34:16PM +0200, Andreas Metzler wrote:
 Well. Depends on what you consider try to authenticate to be. exim4
 will walk through the common set of remotely advertised and locally
 defined authenticators. - When running the authenticators it will
 try to lookup first the key hostname of smarthost and after that fails
 * in CONFDIR/passwd.client.
 
 With the default CONFDIR/passwd.client both lookups will fail, and the
 authenticators will stop being executed. And exim4 will not send any
 AUTH command but will simply try sending unauthenticated.

NACK. It sends an AUTH command, and the other side sees that. If the
other side is an exim, the log says login_server authentication
failed for  501 Authentication cancelled.

Greetings
Marc


 See the
 example below, which is rather short as $remote only offers CRAM-MD5.

Have $remote offer LOGIN and run the connection over TLS.

Greetings
Marc

-- 
-
Marc Haber | I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things.Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835





Bug#323565: exim4-config: smarthost always tries to authenticate if AUTH is advertised

2005-08-17 Thread Marc Haber
Package: exim4-config
Version: 4.52-1
Severity: normal

30_exim4-config_remote_smtp_smarthost says

hosts_try_auth = ${if exists {CONFDIR/passwd.client}{DCsmarthost}{}}

Since exim4 shows a CONFDIR/passwd.client file, an exim client will
always try to authenticate to the smarthost if the smarthost
advertises AUTH.

This is a bug, because exim should only try to authenticate when
actual authentication data is present.

Greetings
Marc

-- Package-specific info:
Exim version 4.52 #1 built 02-Jul-2005 06:12:03
Copyright (c) University of Cambridge 2005
Berkeley DB: Sleepycat Software: Berkeley DB 4.2.52: (December  3, 2003)
Support for: iconv() IPv6 GnuTLS
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dsearch nis nis0 passwd
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Configuration file is /var/lib/exim4/config.autogenerated

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12.2-zgsrv
Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)

Versions of packages exim4-config depends on:
ii  adduser               3.67      Add and remove users and groups
ii  debconf [debconf-2.0] 1.4.57    Debian configuration management sy
ii  passwd                1:4.0.3-39 change and administer password and

exim4-config recommends no packages.

-- debconf information excluded

