Re: [exim] PLAIN authenticator that checks against two data sources

2017-08-11 Thread Mike Brudenell via Exim-users
Dear all,

Just to wind this up and record the outcome for anyone now or in the future
searching for a solution to a similar problem…

Our underlying problem was that when Exim tries to bind using ldapauth to
our LDAP server to verify a username/password combination it's getting
an LDAP_NO_SUCH_OBJECT (32) return code instead of LDAP_INVALID_CREDENTIALS
(49) when the username doesn't exist.

My colleagues here wonder if this might be because we're using the Sun LDAP
server instead of OpenLDAP and its behaviour is different. I confess I'm
disappointed that Exim only returns a FAIL for the LDAP_INVALID_CREDENTIALS
error; when the username doesn't exist in our LDAP server, so its object
isn't present and can't possibly bind successfully, Exim instead gives an
expansion error.

Sadly getting an expansion error from ldapauth in server_condition causes
the authenticator to defer. This means a different SMTP response code and
textual string is returned to the client from the one returned when the
username exists but the password supplied is incorrect. Therefore the
technique suggested in the *Specification* to use ldapauth alone to
validate username/password pairs leaks information to the client with some
LDAP servers/setups about whether the username exists or not. I and others
consider this a security concern, so it should be avoided.

Thankfully Jeremy suggested I explicitly check for a valid username before
checking the password. At first I thought this was a non-starter as it
would require a service account on our LDAP server to search the username
tree, and the team who manage the service diligently guard such accounts.
Fortunately a colleague reminded me that our usernames are valid on our
mail gateways: their accounts just can't get sessions. This let me use
Exim's passwd lookup to check whether the username exists and then, only if
it does, validate the password using ldapauth. My revised server_condition
for the LOGIN authenticator now looks like this:

server_condition = ${if and{ \
  { def:auth1 } \
  { def:auth2 } \
  { bool{ \
    ${lookup {$auth1} lsearch {/etc/exim4/cfg.d/passwords-for-auth-smtp} \
      { ${if crypteq {$auth2} {\{sha1\}$value}} } \
      { ${if and{ \
          { bool_lax{ ${lookup passwd {${quote_passwd:$auth1}}} } } \
          { ldapauth \
              {user="uid=${quote_ldap_dn:$auth1},ou=this,ou=that,ou=other,dc=york,dc=ac,dc=uk" \
               pass=${quote:$auth2} \
               nettime=10 \
               time=7 \
               ldap://ldap.york.ac.uk/} } \
        }}} \
      } \
    }} \
  }}

As usual, my apologies about the long lines: I'm using a 27 inch screen so
have a big terminal window!

I appreciate the suggestions people made to use BlockCracking and it looks
wonderful, although perhaps over complex for our legacy mail gateways.
However I'm also not sure it would be suitable in our current environment.
We have some legitimate users here who are using external service providers
who relay the outgoing messages through our gateways using AuthSMTP.
Unfortunately their data is not very "clean" at the moment and can include
syntactically incorrect, invalid or obsolete addresses. As I understand it
this would trigger the BlockCracking defences because they try to send to
more than *N* bad addresses within a time period: something that would
impact the messages to the valid addresses. (Yes, they're working on
cleaning the data now I've brought the problem to their attention! :-)

Many thanks to all who contributed their thoughts!
Mike B-)

-- 
Systems Administrator & Change Manager
IT Services, University of York, Heslington, York YO10 5DD, UK
Tel: +44-(0)1904-323811

Web: www.york.ac.uk/it-services
Disclaimer: www.york.ac.uk/docs/disclaimer/email.htm
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
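The behaviour worked out in this thread, as an added model in Python (not Exim's code): it mirrors the ldap.c branch quoted later in the thread, where an auth-only bind yields FAIL only for LDAP_INVALID_CREDENTIALS (49) and any other code becomes an expansion error, and shows why gating ldapauth on a username-existence check removes the 435/535 difference. The directory contents, the simulated bind and the user_exists() stand-in for the passwd lookup are constructed for the example.

```python
"""Model of the ldapauth / server_condition behaviour discussed in the thread.

Added illustration, not Exim source. The SMTP codes are the ones reported
in the thread: 235 success, 535 server_condition false, 435 defer after an
expansion error.
"""

LDAP_SUCCESS = 0
LDAP_NO_SUCH_OBJECT = 32
LDAP_INVALID_CREDENTIALS = 49

# Constructed sample directory (uid -> password) standing in for the LDAP
# server the real authenticator binds against.
DIRECTORY = {"alice": "correct horse", "bob": "battery staple"}


class ExpansionError(Exception):
    """Stands in for Exim's 'failed to expand' path, which makes
    server_condition defer (435)."""


def simulated_bind(uid, password, missing_user_rc=LDAP_NO_SUCH_OBJECT):
    """Return an LDAP result code for a simple bind.

    missing_user_rc models what the server returns for a DN that does not
    exist: the thread reports 32 (No such object) from the Sun server,
    while the Ldapwiki text quoted there says a bind should give 49.
    """
    if uid not in DIRECTORY:
        return missing_user_rc
    if DIRECTORY[uid] != password:
        return LDAP_INVALID_CREDENTIALS
    return LDAP_SUCCESS


def ldapauth(uid, password, missing_user_rc=LDAP_NO_SUCH_OBJECT):
    """Mirror the ldap.c extract: only rc 49 maps to FAIL (false); any other
    failure becomes an error that aborts the expansion."""
    if not password:  # Specification: the condition is true only for a non-empty password
        return False
    rc = simulated_bind(uid, password, missing_user_rc)
    if rc == LDAP_SUCCESS:
        return True
    if rc == LDAP_INVALID_CREDENTIALS:
        return False  # "Invalid credentials: ldapauth returns FAIL"
    raise ExpansionError(f"failed to bind the LDAP connection - LDAP error {rc}")


def user_exists(uid):
    """Stand-in for the passwd lookup used in the revised server_condition
    (accounts exist on the gateway even though they cannot get sessions)."""
    return uid in DIRECTORY


def smtp_response(condition, uid, password):
    """Map the server_condition outcome onto the SMTP replies seen in the thread."""
    try:
        ok = condition(uid, password)
    except ExpansionError:
        return "435 Unable to authenticate at present"
    return "235 Authentication succeeded" if ok else "535 Incorrect authentication data"


def original_condition(uid, password):
    # ldapauth on its own, as the Specification suggests.
    return ldapauth(uid, password)


def revised_condition(uid, password):
    # Mike's fix: Exim's and{} stops at the first false sub-condition, so an
    # unknown user never reaches the bind and takes the same path as a wrong
    # password. Python's 'and' short-circuits the same way.
    return user_exists(uid) and ldapauth(uid, password)


def leaks_username_existence(condition):
    """True when an unknown user and a known user with a wrong password get
    different replies, i.e. the reply reveals whether the username exists."""
    unknown = smtp_response(condition, "nobody", "x")
    wrong_pw = smtp_response(condition, "alice", "x")
    return unknown != wrong_pw


if __name__ == "__main__":
    for name, cond in (("original", original_condition), ("revised", revised_condition)):
        print(f"{name}: leaks username existence = {leaks_username_existence(cond)}")
```

With an LDAP server that returns 49 for a missing DN (the behaviour the Ldapwiki quote describes), ldapauth("nobody", "x", missing_user_rc=49) simply returns false, which is why the original condition only leaks on some servers.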

Re: [exim] PLAIN authenticator that checks against two data sources

2017-08-10 Thread Lena--- via Exim-users
> From: Mike Brudenell

> I think I'll quit worrying, leave the setup
> as-is with a deferral response to the AUTH, and move on.
> 
> This all came about because I was starting to look at rate limiting failed
> attempts to AUTH along these lines
> .
> (Although I have my suspicions as to whether it will work as the author of
> that post says after a failed authentication attempt Exim will go straight
> to the check_quit or check_not_quit ACLs, whereas I see it happily letting
> the client try to authenticate again down the same connection. I'll keep
> playing.

This catches multiple auth attempts in the same connection too:
https://github.com/Exim/exim/wiki/BlockCracking



Re: [exim] PLAIN authenticator that checks against two data sources

2017-08-09 Thread Mike Brudenell via Exim-users
On 9 August 2017 at 16:15, Jeremy Harris  wrote:

> It's explicitly how it's coded.
>

Agreed: I believe I've tracked down the relevant bit of code,
in src/lookups/ldap.c

  /* Invalid credentials when just checking credentials returns FAIL. This
  stops any further servers being tried. */

  if (search_type == SEARCH_LDAP_AUTH && rc == LDAP_INVALID_CREDENTIALS)
    {
    DEBUG(D_lookup)
      debug_printf("Invalid credentials: ldapauth returns FAIL\n");
    error_yield = FAIL;
    goto RETURN_ERROR_NOMSG;
    }

  /* Otherwise we have a problem that doesn't stop further servers from being
  tried. */

  if (rc != LDAP_SUCCESS)
    {
    *errmsg = string_sprintf("failed to bind the LDAP connection to server "
      "%s%s - LDAP error %d: %s", host, porttext, rc, ldap_err2string(rc));
    goto RETURN_ERROR;
    }

If you're doing an auth-only to check credentials it only yields a FAIL if
the return code is LDAP_INVALID_CREDENTIALS (49). Any other return code
falls through to put the error string into errmsg and return without
indicating a FAIL. And from the logs I'm getting error code 32 back, which
is LDAP_NO_SUCH_OBJECT.

The weird thing is that the help page for LDAP_INVALID_CREDENTIALS (49) at
Ldapwiki says:

LDAP_INVALID_CREDENTIALS, which is LDAP Result Code 49, implies an
Authentication Failure. Typically, the Distinguished Name (DN) or the
password is *invalid*.


Whilst the help page for LDAP_NO_SUCH_OBJECT (32) at Ldapwiki says:

LDAP_NO_SUCH_OBJECT is *NOT* returned on following operations:


   - Search operations that find the search base but cannot find any
   entries that match the search filter.
   - Bind operations

Together these seem to suggest I should be getting LDAP_INVALID_CREDENTIALS
back from our LDAP server if the DN or password are invalid, and that
should never be returned for a bind operation. I might mention it to the
LDAP guys here, who are in another team, and try to engage their interest.


> Possible workaround, then: check explicitly for a valid username
> before checking the password?

Unfortunately I don't believe I have a way of doing this, being unable to
search the LDAP repository without first binding/authenticating, and
credentials to do such searches are guarded by leopards.


> (It is possible to code a test for a "defer" explicitly in ACLs, but
> it's a trifle complex.  If you prefer that route, ask and I'll look it
> up)

Many thanks for the offer but I think I'll quit worrying, leave the setup
as-is with a deferral response to the AUTH, and move on.

This all came about because I was starting to look at rate limiting failed
attempts to AUTH along these lines
.
(Although I have my suspicions as to whether it will work as the author of
that post says after a failed authentication attempt Exim will go straight
to the check_quit or check_not_quit ACLs, whereas I see it happily letting
the client try to authenticate again down the same connection. I'll keep
playing.)

Cheers,
Mike B-)



Re: [exim] PLAIN authenticator that checks against two data sources

2017-08-09 Thread Jeremy Harris
On 09/08/17 15:19, Mike Brudenell via Exim-users wrote:
>- Supply a valid username and valid password: Authentication succeeds
>- Supply a valid username and invalid password: Authentication fails
>with "535 Incorrect authentication data"
>- Supply an invalid username and a password: Authentication fails with
>"435 Unable to authenticate at present"

> But with the third the log shows
> 
> failed to bind the LDAP connection to server ldap.york.ac.uk:389 - LDAP
> error 32: No such object
> 
> This does cause an expansion error which then, as documented, causes
> server_condition to instead defer with the 435 SMTP response. For this the
> LDAP error is "LDAP error 32: No such object"
> 
> Maybe the latter isn't being handled properly and so causing the expansion
> failure rather than returning a false failure?

It's explicitly how it's coded.

> From a security point of view, surely it's not good to return different
> responses if the username exists/doesn't exist? It gives an attacker a way
> of discovering what usernames actually exist so can then focus on their
> password. (cf. The "Invalid username or password" generic login failure
> messages.)

You could argue that it's a specification, or design, bug.  I'm not sure
we'd want to change how it works though, at least as default.  Possibly
an option for different behaviour.

Possible workaround, then: check explicitly for a valid username
before checking the password?

(It is possible to code a test for a "defer" explicitly in ACLs, but
it's a trifle complex.  If you prefer that route, ask and I'll look it
up)
-- 
Cheers,
  Jeremy




Re: [exim] PLAIN authenticator that checks against two data sources

2017-08-09 Thread Mike Brudenell via Exim-users
Hi, Jeremy and Nigel -

On 9 August 2017 at 13:39, Jeremy Harris  wrote:

> On 09/08/17 12:58, Mike Brudenell via Exim-users wrote:
> > 12:36:39 23140 LDAP parameters: user=uid=baduser,ou=blah,dc=uk
> > pass=badpassword size=0 time=0 connect=0 dereference=0 referrals=on
>
> Does the ou=blah exist?  This might be a factor, presenting an invalid
> query not just an invalid user.
>

Yes, the ou does; I've just double-checked by authenticating with a valid
username/password. (I wasn't sure how sensitive it was revealing the full
ou/dc string as I'm not an LDAP guru so redacted it from the log extracts.)

I've made an interesting discovery which might help identify the problem:

   - Supply a valid username and valid password: Authentication succeeds
   - Supply a valid username and invalid password: Authentication fails
   with "535 Incorrect authentication data"
   - Supply an invalid username and a password: Authentication fails with
   "435 Unable to authenticate at present"

With the second the log shows

Invalid credentials: ldapauth returns FAIL

This doesn't cause an expansion error, so the server_condition ends up
correctly generating the 535 SMTP response. For this the LDAP error is
"LDAP error 49: Invalid credentials"

But with the third the log shows

failed to bind the LDAP connection to server ldap.york.ac.uk:389 - LDAP
error 32: No such object

This does cause an expansion error which then, as documented, causes
server_condition to instead defer with the 435 SMTP response. For this the
LDAP error is "LDAP error 32: No such object"

Maybe the latter isn't being handled properly and so causing the expansion
failure rather than returning a false failure?

From a security point of view, surely it's not good to return different
responses if the username exists/doesn't exist? It gives an attacker a way
of discovering what usernames actually exist so can then focus on their
password. (cf. The "Invalid username or password" generic login failure
messages.)


> (Yeah, I think the book is out-of-date, too)

I wasn't accusing the book of being out of date, merely that it explicitly
stated the ldapauth condition should return either true or, for failure
modes, false: something the *Specification* doesn't state explicitly for
false.


On 9 August 2017 at 13:48, Nigel Metheringham  wrote:

> I've not been following this in detail, but are you not asking for
> something analogous to the configuration described in this:-
> https://github.com/Exim/exim/wiki/AuthenticatedSmtpUsingPamAndPasswords
>
> Also, if there are multiple auth possibilities I think this can also be
> expressed within PAM.
>

Thanks, Nigel, but I'm effectively doing the multiple check described there
within my authenticator. My problem is that when ldapauth is presented with
an invalid username it generates an expansion error that causes
server_condition to generate a 435 SMTP response, but if the username is
valid (and password invalid) it generates a 535 SMTP response.

To me this seems to be a problem with ldapauth incorrectly causing the
expansion error when presented with an invalid username rather than
returning false. This generates the wrong SMTP response, and potentially
gives an attacker a means of identifying whether a username is valid or not.

Cheers,
Mike B-)



Re: [exim] PLAIN authenticator that checks against two data sources

2017-08-09 Thread Nigel Metheringham
I've not been following this in detail, but are you not asking for
something analogous to the configuration described in this:-
https://github.com/Exim/exim/wiki/AuthenticatedSmtpUsingPamAndPasswords

Also, if there are multiple auth possibilities I think this can also be
expressed within PAM.

Nigel.


Re: [exim] PLAIN authenticator that checks against two data sources

2017-08-09 Thread Jeremy Harris
On 09/08/17 12:58, Mike Brudenell via Exim-users wrote:
> 12:36:39 23140 LDAP parameters: user=uid=baduser,ou=blah,dc=uk
> pass=badpassword size=0 time=0 connect=0 dereference=0 referrals=on

Does the ou=blah exist?  This might be a factor, presenting an invalid
query not just an invalid user.

(Yeah, I think the book is out-of-date, too)
-- 
Cheers,
  Jeremy



Re: [exim] PLAIN authenticator that checks against two data sources

2017-08-09 Thread Mike Brudenell via Exim-users
Hi,

I'm debugging this again using our Ubuntu packaged Exim version 4.86_2 #1,
and trying to work out what's wrong with my configuration by going back to
a really simple setup that will always fail:

  server_condition = ${if eq{0}{1} {true} {false}}

This correctly gives rise to the SMTP response "535 Incorrect
authentication data".

I now replace the eq condition with an ldapauth condition:

  server_condition = ${if ldapauth \
    {user="uid=${quote_ldap_dn:$auth1},ou=blah,dc=uk" \
     pass=${quote:$auth2} \
     ldap://ldap.york.ac.uk/} \
    {true} {false}}

In the *Specification* the description of the ldapauth expansion condition
says this:

The condition is true if the password is not empty, and the user name and
password are accepted by the LDAP server.


And the Exim book says this (emphasis mine) when describing LDAP
authentication in section 20.7.7:

The condition is true if the user name and password are accepted by the
LDAP server, *and false otherwise*.


But when I try to authenticate using a bad username and password I don't
get the 535 SMTP response but "435 Unable to authenticate at present" and
the logs show a "failed to expand" error:

12:36:39 23140 LOGIN authenticator server_condition:
12:36:39 23140   $auth1 = baduser
12:36:39 23140   $auth2 = badpassword
12:36:39 23140   $1 = baduser
12:36:39 23140   $2 = badpassword
12:36:39 23140 expanding: $auth1
12:36:39 23140result: baduser
12:36:39 23140 expanding: $auth2
12:36:39 23140result: badpassword
12:36:39 23140 expanding: user="uid=${quote_ldap_dn:$auth1},ou=blah,dc=uk"
pass=${quote:$auth2} ldap://ldap.york.ac.uk/
12:36:39 23140result: user="uid=baduser,ou=blah,dc=uk" pass=badpassword
ldap://ldap.york.ac.uk/
12:36:39 23140 LDAP parameters: user=uid=baduser,ou=blah,dc=uk
pass=badpassword size=0 time=0 connect=0 dereference=0 referrals=on
12:36:39 23140 perform_ldap_search: ldapauth URL = "ldap://ldap.york.ac.uk/";
server=NULL port=0 sizelimit=0 timelimit=0 tcplimit=0
12:36:39 23140 after ldap_url_parse: host=ldap.york.ac.uk port=389
12:36:39 23140 ldap_initialize with URL ldap://ldap.york.ac.uk:389/
12:36:39 23140 initialized for LDAP (v3) server ldap.york.ac.uk:389
12:36:39 23140 LDAP_OPT_X_TLS_TRY set due to ldap:// URI
12:36:39 23140 binding with user=uid=baduser,ou=blah,dc=uk
password=badpassword
12:36:39 23140 failed to bind the LDAP connection to server
ldap.york.ac.uk:389 - LDAP error 32: No such object
12:36:39 23140 failed to expand: ${if ldapauth
{user="uid=${quote_ldap_dn:$auth1},ou=blah,dc=uk"
pass=${quote:$auth2} ldap://ldap.york.ac.uk/} {true} {false}}
12:36:39 23140error message: failed to bind the LDAP connection to
server ldap.york.ac.uk:389 - LDAP error 32: No such object
12:36:39 23140 expansion failed: failed to bind the LDAP connection to
server ldap.york.ac.uk:389 - LDAP error 32: No such object
12:36:39 23140 expanding: $auth1
12:36:39 23140result: baduser
12:36:39 23140 SMTP>> 435 Unable to authenticate at present

This suggests that ldapauth is not returning false as expected/documented,
but instead causing an expansion failure that then cascades back and ends
up triggering the wrong SMTP response.

   - Is this a bug in Exim, or am I missing/overlooking something?
   - Is there a way of trapping the expansion error and interpreting it to
   false so the expression works properly?

With many thanks,
Mike B-)



Re: [exim] PLAIN authenticator that checks against two data sources

2017-08-09 Thread Jeremy Harris
On 09/08/17 10:58, Mike Brudenell via Exim-users wrote:
> (I've read and re-read the *Specification* but couldn't spot it saying
> anywhere that only one authenticator mechanism was permitted for a given
> public-name.)

I don't think it does.  But there's code checking for it while reading
the config; see auths_init().
-- 
Jeremy



Re: [exim] PLAIN authenticator that checks against two data sources

2017-08-09 Thread Mike Brudenell via Exim-users
Thanks, Jeremy… I feared that might be the case but nursed a hope it would
be an easy way out of my problem: having two separate authenticator
mechanisms.

(I've read and re-read the *Specification* but couldn't spot it saying
anywhere that only one authenticator mechanism was permitted for a given
public-name.)

I'm going to do yet more debugging with my two-source check today, but am
still baffled why at one point it seems to correctly generate the 5xx
response but at some point as I tweak the expression it changes to fail
with the string expansion error that leads to a 4xx response.

Has anyone managed to get a two-source check for authentication working
properly, with the second using LDAP?

Cheers,
Mike B-)


Re: [exim] PLAIN authenticator that checks against two data sources

2017-08-08 Thread Jeremy Harris
On 08/08/17 19:00, Mike Brudenell via Exim-users wrote:
> PS: Am I right in thinking you can only have one authenticator for each
> type: LOGIN, PLAIN, etc?

You can only have one authenticator with a given public-name.
-- 
Jeremy



Re: [exim] PLAIN authenticator that checks against two data sources

2017-08-08 Thread Mike Brudenell via Exim-users
PS: Am I right in thinking you can only have one authenticator for each
type: LOGIN, PLAIN, etc?

Or is it possible to have two LOGIN authenticators and if the first fails
to authenticate Exim continues on to try the second one?

Cheers,
Mike B-)


[exim] PLAIN authenticator that checks against two data sources

2017-08-08 Thread Mike Brudenell via Exim-users
Hi!

I have tried so many ways to get this working and have used Exim 4.86.2 in
debug mode on Ubuntu until I'm going crackers but am stuck…

I'm trying to write a LOGIN authenticator using the plaintext driver that
checks two sources for authentication details:

   1. First it checks a file for the username in $auth1. If present in the
   file the password from the entry in the file is checked against the
   supplied password in $auth2. Success/failure of the authentication is
   determined by whether the passwords match.

   If the username is not present in the file, then…

   2. The authenticator then checks against LDAP by attempting to bind
   using ldapauth to it. Success/failure of the authentication is determined
   by whether bind succeeds or not.

I have got the "check the file first then LDAP" operating (and have done in
many different ways of writing it!) but am having problems getting the
correct final SMTP response when LDAP fails. In particular I'm getting Exim
returning

435 Unable to authenticate at present

instead of

535 Incorrect authentication data


The problem appears to be that when the username/password pair are wrong
then as expected LDAP fails to bind (obviously!) but in the code I've
written this causes a string expansion failure, which eventually leads back
to the 435 SMTP response.

I'm trying hard to get a forced failure to be generated instead — in this
iteration by putting the ldapauth within an if along with a "fail" in
string2 — which I know (from other tests) will give the 535 SMTP response,
but it's flatly refusing to do so; I keep getting the string expansion
error. (I guess it's because the forced-failure happens if the if's
expression evaluates to false, whereas in this case it's having its own
error.)

Can someone help me either debug this, or come up with a different way of
writing it?

Here's my authenticator with apologies: you might need a wide window to
cope with the wrapped lines:

LOGIN:
  driver           = plaintext
  server_set_id    = $auth1
  server_prompts   = <| Username: | Password:

  server_condition = ${if and{ \
    { def:auth1 } \
    { bool_lax{ \
      ${lookup {$auth1} lsearch {/etc/exim4/cfg.d/passwords-for-auth-smtp} \
        { ${if crypteq {$auth2} {\{sha1\}$value}} } \
        { ${if ldapauth \
            {user="uid=${quote_ldap_dn:$auth1},ou=people,ou=blah,dc=york,dc=ac,dc=uk" \
             pass=${quote:$auth2} \
             nettime=10 \
             time=7 \
             ldap://ldap.york.ac.uk/} \
            {yes} \
            fail }} \
      } \
    }} \
  }}

  server_advertise_condition = ${if and{ \
    {def:tls_in_cipher} \
    {!={$received_port}{25}} \
  } }


And here's the relevant extract from an "exim -bd -v -d+all" run when I
attempt to authenticate using a bad username and password:

17:40:32  4741 LOGIN authenticator server_condition:
17:40:32  4741   $auth1 = badusername
17:40:32  4741   $auth2 = badpassword
17:40:32  4741   $1 = badusername
17:40:32  4741   $2 = badpassword
17:40:32  4741 expanding: $auth1
17:40:32  4741result: badusername
17:40:32  4741 expanding: /etc/exim4/cfg.d/passwords-for-auth-smtp
17:40:32  4741result: /etc/exim4/cfg.d/passwords-for-auth-smtp
17:40:32  4741 search_open: lsearch
"/etc/exim4/cfg.d/passwords-for-auth-smtp"
17:40:32  4741 search_find: file="/etc/exim4/cfg.d/passwords-for-auth-smtp"
17:40:32  4741   key="badusername" partial=-1 affix=NULL starflags=0
17:40:32  4741 LRU list:
17:40:32  4741   :/etc/exim4/cfg.d/passwords-for-auth-smtp
17:40:32  4741   End
17:40:32  4741 internal_search_find:
file="/etc/exim4/cfg.d/passwords-for-auth-smtp"
17:40:32  4741   type=lsearch key="badusername"
17:40:32  4741 file lookup required for badusername
17:40:32  4741   in /etc/exim4/cfg.d/passwords-for-auth-smtp
17:40:32  4741 lookup failed
17:40:32  4741 expanding: $auth2
17:40:32  4741result: badpassword
17:40:32  4741 skipping: result is not used
17:40:32  4741 expanding: \{sha1\}$value
17:40:32  4741result: {sha1}
17:40:32  4741 skipping: result is not used
17:40:32  4741 condition: crypteq {$auth2} {\{sha1\}$value}
17:40:32  4741result: false
17:40:32  4741 expanding:  ${if crypteq {$auth2} {\{sha1\}$value}}
17:40:32  4741result:
17:40:32  4741 skipping: result is not used
17:40:32  4741 expanding: $auth1
17:40:32  4741result: badusername
17:40:32  4741