Q0726
Nigel Metheringham edited this page Nov 29, 2012 · 2 revisions
My SMTP authentication can be bypassed by sending an unknown user name and an empty password. What is wrong with this condition in a PLAIN authenticator?
server_condition = ${if eq{$2} {${lookup mysql{SELECT password FROM \
accounts WHERE username='${local_part:$1}'} } }{1}{0}}
Your lookup item returns an empty string when the user does not exist, and an empty string compares equal to an empty password. You should instead arrange for the lookup to fail, which makes the whole server_condition expansion fail and so fails the authentication:
server_condition = ${if eq{$2} {${lookup mysql{SELECT password FROM \
accounts WHERE username='${local_part:$1}'}{$value}fail}}{1}{0}}
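The following Python model is an added illustration and is not code from the Exim wiki or the Exim project. It simulates the two expansion forms above against a constructed in-memory stand-in for the `accounts` table: the first lookup yields an empty string for a missing row (the behaviour of a lookup with no `fail` branch), the second raises an exception standing in for Exim's forced expansion failure, and the condition function maps that forced failure to "authentication failed", as Exim does for server_condition. The `$2` in the page is the password argument here; `hmac.compare_digest` is used for the comparison where the page uses Exim's `eq`.

```python
"""Added example: why an empty-string lookup result lets an unknown user
authenticate with an empty password, and why forcing the lookup to fail
closes that hole. Not part of the Exim wiki page or of Exim itself."""
import hmac

# Constructed sample data standing in for the MySQL `accounts` table
# (username -> stored password, plaintext just as in the FAQ's query).
ACCOUNTS = {"alice": "s3cret"}


class ExpansionFailed(Exception):
    """Models an Exim forced expansion failure (the `fail` keyword)."""


def lookup_empty_on_miss(username):
    """Models `${lookup mysql{...}}` with no failure branch: a row that does
    not exist expands to the empty string, which is what enables the bypass."""
    return ACCOUNTS.get(username, "")


def lookup_fail_on_miss(username):
    """Models `${lookup mysql{...}{$value}fail}`: a missing row forces the
    whole expansion to fail instead of yielding any value."""
    if username not in ACCOUNTS:
        raise ExpansionFailed("lookup failed for %r" % username)
    return ACCOUNTS[username]


def server_condition(lookup, username, password):
    """Models `${if eq{$2}{<lookup>}{1}{0}}`. Exim treats a forced failure
    inside server_condition as authentication failure, so a forced failure
    is mapped to False rather than being treated as a match."""
    try:
        stored = lookup(username)
    except ExpansionFailed:
        return False
    # Constant-time comparison of the supplied password against the stored one.
    return hmac.compare_digest(stored.encode(), password.encode())


def authenticate_vulnerable(username, password):
    """The condition as originally written on the page."""
    return server_condition(lookup_empty_on_miss, username, password)


def authenticate_fixed(username, password):
    """The condition with the `{$value}fail` lookup from the answer."""
    return server_condition(lookup_fail_on_miss, username, password)


if __name__ == "__main__":
    # Unknown user with an empty password: accepted by the original form,
    # rejected once the lookup is made to fail.
    print("vulnerable:", authenticate_vulnerable("nobody", ""))  # True
    print("fixed:     ", authenticate_fixed("nobody", ""))       # False
    print("fixed, real user:", authenticate_fixed("alice", "s3cret"))  # True
```

Note that the corrected form still accepts an empty password for any account whose stored password column happens to be empty, so an explicit check that `$2` is non-empty (for example wrapping the condition in `${if and {{!eq{$2}{}}{...}}}`) is a cheap additional guard; that extra check is a suggestion here, not something the page prescribes.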