On Tue, Apr 22, 2025 at 4:04 AM Jeremy Harris via Exim-users <
exim-users@lists.exim.org> wrote:

> On 2025/04/21 7:14 PM, Johnnie Adams via Exim-users wrote:
>
> > The second is, in the meantime, I've got a very small number of users which
> > need authentication--less than a dozen. I'm thinking about installing some
> > sort of local authentication--maybe gdbm. Is that a reasonable path to take?
>
> Yes, but you'll need to understand your config.


That seems reasonable. Here's my current best pass at making a dbm file
serve as an authentication source:

login:
  driver                     = plaintext
  server_set_id              = $auth1
  server_prompts             = <| Username: | Password:
  server_advertise_condition = ${if def:tls_in_cipher }
  server_condition = ${if and{ \
   { !eq{}{$auth1} } \
   { auth { \
       user="${lookup {$auth1} dbm{/etc/exim/allowed_accounts.db(${quote_dbm:$auth1})}}" \
       pass=${quote:$auth2} \
     } } \
 } }


There is, sadly, no auth, or dbmauth, keyword. The documentation is a
little thin on this:


09:23:01 198830 SMTP<< S0VXajNscHM1OWpH
09:23:01 198830 login authenticator server_condition:
09:23:01 198830   $auth1 = account
09:23:01 198830   $auth2 = password
09:23:01 198830   $1 = account
09:23:01 198830   $2 = password
09:23:01 198830  ╭considering: ${if and{ { !eq{}{$auth1} } { auth { user="${lookup {$auth1} dbm{/etc/exim/allowed_accounts.db(${quote_dbm:$auth1})}}" pass=${quote:$auth2} } } } }
09:23:01 198830   ╭considering: }{$auth1} } { auth { user="${lookup {$auth1} dbm{/etc/exim/allowed_accounts.db(${quote_dbm:$auth1})}}" pass=${quote:$auth2} } } } }
09:23:01 198830   ├──expanding:
09:23:01 198830   ╰─────result:
09:23:01 198830   ╭considering: $auth1} } { auth { user="${lookup {$auth1} dbm{/etc/exim/allowed_accounts.db(${quote_dbm:$auth1})}}" pass=${quote:$auth2} } } } }
09:23:01 198830   ├──────value: account
09:23:01 198830              ╰──(tainted)
09:23:01 198830   ├considering: } } { auth { user="${lookup {$auth1} dbm{/etc/exim/allowed_accounts.db(${quote_dbm:$auth1})}}" pass=${quote:$auth2} } } } }
09:23:01 198830   ├──expanding: $auth1
09:23:01 198830   ╰─────result: account
09:23:01 198830              ╰──(tainted)
09:23:01 198830  ├failed to expand: ${if and{ { !eq{}{$auth1} } { auth { user="${lookup {$auth1} dbm{/etc/exim/allowed_accounts.db(${quote_dbm:$auth1})}}" pass=${quote:$auth2} } } } }
09:23:01 198830  ╰───error message: unknown condition "auth" inside "and{...}" condition
09:23:01 198830 expansion failed: unknown condition "auth" inside "and{...}" condition
09:23:01 198830  ╭considering: $auth1
09:23:01 198830  ├──────value: account
09:23:01 198830             ╰──(tainted)
09:23:01 198830  ├──expanding: $auth1
09:23:01 198830  ╰─────result: account
09:23:01 198830             ╰──(tainted)
09:23:01 198830 SMTP>> 435 Unable to authenticate at present
09:23:01 198830 tls_write(0x55d46f5df368, 39)
09:23:01 198830 SSL_write(0x55d46f8f0870, 0x55d46f5df368, 39)
09:23:01 198830 outbytes=39 error=0
09:23:01 198830 LOG: MAIN REJECT
09:23:01 198830   login authenticator failed for (remote) [144.167.8.28]: 435 Unable to authenticate at present (set_id=account): unknown condition "auth" inside "and{...}" condition
09:23:01 198830 Calling SSL_read(0x55d46f8f0870, 0x55d46f8f3768, 4096)

-- 
## subscription configuration (requires account):
##   https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
##   exim-users-unsubscr...@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
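
The lookup-plus-comparison that the configuration above is reaching for can be written with Exim's built-in crypteq condition; this is an added example, not part of the original post or of Exim's documentation. It reuses the post's file path and assumes each DBM record maps an account name to a crypt(3) password hash, so no cleartext passwords sit on disk.

```exim
# Added example. Assumption: /etc/exim/allowed_accounts.db was built
# (for instance with exim_dbmbuild) from lines of the form
#   account: <crypt(3) hash>
# The "dbm" lookup type expects keys stored with a trailing zero byte,
# which is what exim_dbmbuild writes; use "dbmnz" if the file has none.
login:
  driver                     = plaintext
  server_set_id              = $auth1
  server_prompts             = <| Username: | Password:
  # Only offer AUTH once the session is encrypted.
  server_advertise_condition = ${if def:tls_in_cipher}
  # 1. Reject an empty user name.
  # 2. Look the account up by key; $auth1 is tainted, which is acceptable
  #    for a lookup key but not for a file name, so the path stays fixed.
  # 3. crypteq hashes $auth2 and compares it with the stored value.
  #    A missing key yields "*", which is not a valid hash, so an
  #    unknown account cannot match.
  server_condition = ${if and{ \
      { !eq{}{$auth1} } \
      { crypteq{$auth2}{${lookup{$auth1}dbm{/etc/exim/allowed_accounts.db}{$value}{*}}} } \
    }}
```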
