Bug#323565: exim4-config: smarthost always tries to authenticate if AUTH is advertised
tags 323565 pending
# fixed in SVN
thanks

On 2005-08-19 Andreas Metzler [EMAIL PROTECTED] wrote:
[...]
> Ah, beloved LOGIN. This patch fixes this, by forcing failure early enough
> if the lookup for $host either fails or returns an empty string.
[...]
> a similar change will go into the .else clause, but I am too lazy for that now.

I've been able to kick myself to change the else-clause too and have committed the fix to SVN.

cu andreas
--
See, I told you they'd listen to Reason, [SPOILER] Svfurlr fnlf, fuhggvat qbja gur juveyvat tha.
Neal Stephenson in Snow Crash
http://downhill.aus.cc/
Bug#323565: exim4-config: smarthost always tries to authenticate if AUTH is advertised
On 2005-08-18 Marc Haber [EMAIL PROTECTED] wrote:
> On Thu, Aug 18, 2005 at 07:34:16PM +0200, Andreas Metzler wrote:
> > Well. Depends on what you consider try to authenticate to be. exim4 will
> > walk through the common set of remotely advertised and locally defined
> > authenticators. - When running the authenticators it will try to lookup
> > first the key hostname of smarthost and after that fails * in
> > CONFDIR/passwd.client. With the default CONFDIR/passwd.client both lookups
> > will fail, and the authenticators will stop being executed. And exim4 will
> > not send any AUTH command but will simply try sending unauthenticated.
> [...]
> Have $remote offer LOGIN and run the connection over TLS.

Ah, beloved LOGIN. This patch fixes this, by forcing failure early enough if the lookup for $host either fails or returns an empty string. It works for me, i.e. AUTH LOGIN still works afterwards and the useless AUTH is not sent anymore.

---
--- /etc/exim4/exim4.conf.template 2005-06-28 20:06:51.0 +0200 +++ exim4.conf.template 2005-08-19 20:10:57.650453912 +0200 @@ -1692,7 +1692,11 @@ driver = plaintext public_name = LOGIN .ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS - client_send = ${if !eq{$tls_cipher}{}{}fail}\ + client_send = ${if and{\ + {!eq{$tls_cipher}{}}\ + {!eq{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}{}}\ + }\ + {}fail}\ : ${extract{1}{::}\ {${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}} \ : ${extract{2}{::}\
---

a similar change will go into the .else clause, but I am too lazy for that now.

cu andreas
--
See, I told you they'd listen to Reason, [SPOILER] Svfurlr fnlf, fuhggvat qbja gur juveyvat tha.
Neal Stephenson in Snow Crash
http://downhill.aus.cc/
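Review bot: The new lookup guard sits only in the `.ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS` branch of the LOGIN authenticator, so the `.else` branch is not covered by this hunk and needs the same early failure (without the `$tls_cipher` test) before the report can be considered fixed for both settings. The guard also tests only that the value returned by `${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}` is non-empty, not that both `::`-separated fields are present, so an entry with a user name but no password still passes it. The same lookup expression now appears three times in `client_send`; defining it once as a macro would keep the copies from drifting apart.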
Bug#323565: exim4-config: smarthost always tries to authenticate if AUTH is advertised
On 2005-08-17 Marc Haber [EMAIL PROTECTED] wrote:
> Package: exim4-config
> Version: 4.52-1
> Severity: normal
>
> 30_exim4-config_remote_smtp_smarthost says
> hosts_try_auth = ${if exists {CONFDIR/passwd.client}{DCsmarthost}{}}
>
> Since exim4 shows a CONFDIR/passwd.client file, an exim client will always
> try to authenticate to the smarthost if the smarthost advertises AUTH.
>
> This is a bug, because exim should only try to authenticate when actual
> authentication data is present.
[...]

Hello,
Well. Depends on what you consider try to authenticate to be. exim4 will walk through the common set of remotely advertised and locally defined authenticators. - When running the authenticators it will try to lookup first the key hostname of smarthost and after that fails * in CONFDIR/passwd.client. With the default CONFDIR/passwd.client both lookups will fail, and the authenticators will stop being executed. And exim4 will not send any AUTH command but will simply try sending unauthenticated.

See the example below, which is rather short as $remote only offers CRAM-MD5.

To repeat: Remote will not see us trying to authenticate, the only price paid is a little bit of wasted CPU-time and two file lookups.

cu andreas

--
250-AUTH CRAM-MD5
250 HELP
83.151.30.59 in hosts_require_tls? no (option unset)
using PIPELINING
83.151.30.59 in hosts_require_auth? no (option unset)
gethostbyname2(af=inet6) returned 4 (NO_DATA)
gethostbyname2 looked up these IP addresses:
  name=downhill.aus.cc address=83.151.30.59
83.151.30.59 in hosts_try_auth? yes (matched downhill.aus.cc)
scanning authentication mechanisms
search_open: lsearch /etc/exim4/passwd.client
search_find: file=/etc/exim4/passwd.client
  key=downhill.aus.cc partial=-1 affix=NULL starflags=1
LRU list:
  :/etc/exim4/passwd.client
  End
internal_search_find: file=/etc/exim4/passwd.client
  type=lsearch key=downhill.aus.cc
file lookup required for downhill.aus.cc
  in /etc/exim4/passwd.client
lookup failed
trying to match *
internal_search_find: file=/etc/exim4/passwd.client
  type=lsearch key=*
file lookup required for *
  in /etc/exim4/passwd.client
lookup failed
search_open: lsearch /etc/exim4/passwd.client
  cached open
search_find: file=/etc/exim4/passwd.client
  key=downhill.aus.cc partial=-1 affix=NULL starflags=1
LRU list:
  :/etc/exim4/passwd.client
  End
internal_search_find: file=/etc/exim4/passwd.client
  type=lsearch key=downhill.aus.cc
cached data used for lookup of downhill.aus.cc
  in /etc/exim4/passwd.client
lookup failed
trying to match *
internal_search_find: file=/etc/exim4/passwd.client
  type=lsearch key=*
cached data used for lookup of *
  in /etc/exim4/passwd.client
lookup failed
cram_md5 authenticator yielded 13
SMTP MAIL FROM:[EMAIL PROTECTED] SIZE=1381
[...]
--

--
See, I told you they'd listen to Reason, [SPOILER] Svfurlr fnlf, fuhggvat qbja gur juveyvat tha.
Neal Stephenson in Snow Crash
http://downhill.aus.cc/
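The lookup order described in this message (the smarthost's hostname first, then `*`), modelled in Python as an added example that is not part of the thread or of exim4-config. The parser is a simplified stand-in for lsearch (colon-terminated keys only, no continuation lines), and the function names, hostnames and credentials are constructed for illustration.

```python
"""Simplified model of the lsearch* lookup against CONFDIR/passwd.client."""


def parse_lsearch(text):
    """Return {key: value} for 'key:value' lines; the first matching line wins."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments are skipped
        key, sep, value = line.partition(":")
        key = key.strip().lower()         # lsearch matches keys case-insensitively
        if key and key not in table:
            table[key] = value.strip() if sep else ""
    return table


def lookup_credentials(text, host):
    """Look up the exact host key first, then the '*' default.

    Returns (user, password), or None when no usable credentials exist and
    the client should not start an AUTH exchange: the lookup failed, the
    value is empty, or one of the two colon-separated fields is missing.
    """
    table = parse_lsearch(text)
    value = table.get(host.lower())
    if value is None:                     # lookup failed: try the '*' default
        value = table.get("*")
    if not value:                         # failed again, or an empty value
        return None
    fields = value.split(":")             # the config takes fields 1 and 2
    if len(fields) < 2 or not fields[0] or not fields[1]:
        return None
    return fields[0], fields[1]


# Constructed sample files: one with comments only, one with a host entry.
COMMENTS_ONLY = "# password file used when the local exim is a client\n"
WITH_ENTRY = COMMENTS_ONLY + "smarthost.example.org:alice:s3cret\n"

if __name__ == "__main__":
    for name, text in (("comments only", COMMENTS_ONLY), ("with entry", WITH_ENTRY)):
        print(name, "->", lookup_credentials(text, "smarthost.example.org"))
```

Returning None for a value with a user name but no password is stricter than testing only for a non-empty lookup result.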
Bug#323565: exim4-config: smarthost always tries to authenticate if AUTH is advertised
On Thu, Aug 18, 2005 at 07:34:16PM +0200, Andreas Metzler wrote:
> Well. Depends on what you consider try to authenticate to be. exim4 will
> walk through the common set of remotely advertised and locally defined
> authenticators. - When running the authenticators it will try to lookup
> first the key hostname of smarthost and after that fails * in
> CONFDIR/passwd.client. With the default CONFDIR/passwd.client both lookups
> will fail, and the authenticators will stop being executed. And exim4 will
> not send any AUTH command but will simply try sending unauthenticated.

NACK. It sends an AUTH command, and the other side sees that. If the other side is an exim, the log says login_server authentication failed for 501 Authentication cancelled.

Greetings
Marc

> See the example below, which is rather short as $remote only offers CRAM-MD5.

Have $remote offer LOGIN and run the connection over TLS.

Greetings
Marc

--
-
Marc Haber         | I don't trust Computers. They | Mail address in header
Mannheim, Germany  | lose things. Winona Ryder     | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835
Bug#323565: exim4-config: smarthost always tries to authenticate if AUTH is advertised
Package: exim4-config
Version: 4.52-1
Severity: normal

30_exim4-config_remote_smtp_smarthost says
hosts_try_auth = ${if exists {CONFDIR/passwd.client}{DCsmarthost}{}}

Since exim4 shows a CONFDIR/passwd.client file, an exim client will always try to authenticate to the smarthost if the smarthost advertises AUTH.

This is a bug, because exim should only try to authenticate when actual authentication data is present.

Greetings
Marc

-- Package-specific info:
Exim version 4.52 #1 built 02-Jul-2005 06:12:03
Copyright (c) University of Cambridge 2005
Berkeley DB: Sleepycat Software: Berkeley DB 4.2.52: (December 3, 2003)
Support for: iconv() IPv6 GnuTLS
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dsearch nis nis0 passwd
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Configuration file is /var/lib/exim4/config.autogenerated

-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12.2-zgsrv
Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)

Versions of packages exim4-config depends on:
ii adduser 3.67 Add and remove users and groups
ii debconf [debconf-2.0] 1.4.57 Debian configuration management sy
ii passwd 1:4.0.3-39 change and administer password and

exim4-config recommends no packages.

-- debconf information excluded