I've thinned this configuration down to the minimal failure:

login:
  driver                     = plaintext
  server_set_id              = $auth1
  server_prompts             = <| Username: | Password:
  server_advertise_condition = ${if def:tls_in_cipher }
  server_condition = ${if \
   eq{lookup{$auth1}dbmnz{/etc/exim/allowed_accounts.db}}{quote:$auth2} \
 }

And I'm getting this error message in debug mode, which strikes me as
strange, because I do have two strings in the eq{} clause:

login authenticator failed for (remote) [144.167.8.28]: 435 Unable to
authenticate at present (set_id=account): missing 2nd string in {} after
"eq"

On Tue, Apr 22, 2025 at 9:35 AM Johnnie Adams <jxad...@ualr.edu> wrote:

> On Tue, Apr 22, 2025 at 4:04 AM Jeremy Harris via Exim-users <
> exim-users@lists.exim.org> wrote:
>
>> On 2025/04/21 7:14 PM, Johnnie Adams via Exim-users wrote:
>>
>> > The second is, in the meantime, I've got a very small number of users which
>> > need authentication--less than a dozen. I'm thinking about installing some
>> > sort of local authentication--maybe gdbm. Is that a reasonable path to take?
>>
>> Yes, but you'll need to understand your config.
>
> That seems reasonable. Here's my current best pass at making a dbm file
> serve as an authentication source:
>
> login:
>   driver                     = plaintext
>   server_set_id              = $auth1
>   server_prompts             = <| Username: | Password:
>   server_advertise_condition = ${if def:tls_in_cipher }
>   server_condition = ${if and{ \
>    { !eq{}{$auth1} } \
>    { auth { \
>        user="${lookup {$auth1} dbm{/etc/exim/allowed_accounts.db(${quote_dbm:$auth1})}}" \
>        pass=${quote:$auth2} \
>      } } \
>  } }
>
> There is, sadly, no auth, or dbmauth, keyword. The documentation is a
> little thin on this:
>
>
> 09:23:01 198830 SMTP<< S0VXajNscHM1OWpH
> 09:23:01 198830 login authenticator server_condition:
> 09:23:01 198830   $auth1 = account
> 09:23:01 198830   $auth2 = password
> 09:23:01 198830   $1 = account
> 09:23:01 198830   $2 = password
> 09:23:01 198830  ╭considering: ${if and{ { !eq{}{$auth1} } { auth { user="${lookup {$auth1} dbm{/etc/exim/allowed_accounts.db(${quote_dbm:$auth1})}}" pass=${quote:$auth2} } } } }
> 09:23:01 198830   ╭considering: }{$auth1} } { auth { user="${lookup {$auth1} dbm{/etc/exim/allowed_accounts.db(${quote_dbm:$auth1})}}" pass=${quote:$auth2} } } } }
> 09:23:01 198830   ├──expanding:
> 09:23:01 198830   ╰─────result:
> 09:23:01 198830   ╭considering: $auth1} } { auth { user="${lookup {$auth1} dbm{/etc/exim/allowed_accounts.db(${quote_dbm:$auth1})}}" pass=${quote:$auth2} } } } }
> 09:23:01 198830   ├──────value: account
> 09:23:01 198830              ╰──(tainted)
> 09:23:01 198830   ├considering: } } { auth { user="${lookup {$auth1} dbm{/etc/exim/allowed_accounts.db(${quote_dbm:$auth1})}}" pass=${quote:$auth2} } } } }
> 09:23:01 198830   ├──expanding: $auth1
> 09:23:01 198830   ╰─────result: account
> 09:23:01 198830              ╰──(tainted)
> 09:23:01 198830  ├failed to expand: ${if and{ { !eq{}{$auth1} } { auth { user="${lookup {$auth1} dbm{/etc/exim/allowed_accounts.db(${quote_dbm:$auth1})}}" pass=${quote:$auth2} } } } }
> 09:23:01 198830  ╰───error message: unknown condition "auth" inside "and{...}" condition
> 09:23:01 198830 expansion failed: unknown condition "auth" inside "and{...}" condition
> 09:23:01 198830  ╭considering: $auth1
> 09:23:01 198830  ├──────value: account
> 09:23:01 198830             ╰──(tainted)
> 09:23:01 198830  ├──expanding: $auth1
> 09:23:01 198830  ╰─────result: account
> 09:23:01 198830             ╰──(tainted)
> 09:23:01 198830 SMTP>> 435 Unable to authenticate at present
> 09:23:01 198830 tls_write(0x55d46f5df368, 39)
> 09:23:01 198830 SSL_write(0x55d46f8f0870, 0x55d46f5df368, 39)
> 09:23:01 198830 outbytes=39 error=0
> 09:23:01 198830 LOG: MAIN REJECT
> 09:23:01 198830   login authenticator failed for (remote) [144.167.8.28]: 435 Unable to authenticate at present (set_id=account): unknown condition "auth" inside "and{...}" condition
> 09:23:01 198830 Calling SSL_read(0x55d46f8f0870, 0x55d46f8f3768, 4096)


-- 
John Adams
Senior Linux/Middleware Administrator  | Information Technology Services
+1-501-916-3010 | jxad...@ualr.edu | http://ualr.edu/itservices
*UA Little Rock*

Reminder:  IT Services will never ask for your password over the phone or
in an email. Always be suspicious of requests for personal information that
come via email, even from known contacts.  For more information or to
report suspicious email, visit IT Security
<http://ualr.edu/itservices/security/>.
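
An added example, not part of the original message: Exim only evaluates items such as `lookup` and operators such as `quote:` when they are written inside `${ ... }`, so the form below wraps the lookup that way and compares its result with `$auth2` directly. It assumes the DBM file maps each username to that user's password in plain text, with keys stored without a trailing zero byte (the `dbmnz` type used in the message).

```exim
# Added example; assumes /etc/exim/allowed_accounts.db maps
# username -> plaintext password (an assumption, not stated in the message).
login:
  driver                     = plaintext
  server_set_id              = $auth1
  server_prompts             = <| Username: | Password:
  server_advertise_condition = ${if def:tls_in_cipher}
  # 1st condition: refuse an empty password. A lookup that finds no key
  #   expands to the empty string, which would otherwise equal an empty $auth2.
  # 2nd condition: the lookup is an expansion item, so it is written as
  #   ${lookup{key}type{file}}; $auth2 is compared as-is, because ${quote:...}
  #   wraps values containing punctuation in double quotes.
  server_condition = ${if and{ \
      {!eq{$auth2}{}} \
      {eq{${lookup{$auth1}dbmnz{/etc/exim/allowed_accounts.db}}}{$auth2}} \
    }}

# Variant, assuming the file stores crypt() hashes instead of plaintext and
# Exim was built with crypteq support; it replaces the 2nd condition:
#   {crypteq{$auth2}{${lookup{$auth1}dbmnz{/etc/exim/allowed_accounts.db}}}}
```

The lookup can be checked on its own with `exim -be '${lookup{account}dbmnz{/etc/exim/allowed_accounts.db}}'`, where `account` is the sample username from the debug output.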
