sending message when authentication fails

jechilt

Don't think this is normal. Need some help.

Server: Linux RH9
Exim: 4.24

Scenario: user changed their outgoing mail server to our mail server in order to send email. The user is using Eudora9 and set the smtp server to our mailserver (pseudo name: mailserver.com).

Here is what the logs have to say about the transaction.
In the EXIM reject log:
Code:
2004-10-26 04:31:49 login authenticator failed for (AFSUBD100J6D02.myworkstation.com) [62.101.94.100]: 535 Incorrect authentication data ([email protected])

In the EXIM Mail log:
Code:
2004-10-26 04:34:52 login authenticator failed for (AFSUBD100J6D02.myworkstation.com) [62.101.94.100]: 535 Incorrect authentication data ([email protected])
2004-10-26 04:34:53 1CMMn7-0007q2-4L <= [email protected] H=(AFSUBD100J6D02.myworkstation.com) [62.101.94.100] P=esmtp S=826 [email protected]
2004-10-26 04:38:03 1CMMn7-0007q2-4L antivirus2.scpnetwork.net [66.106.178.192]: Connection timed out

Although this is what is showing in the logs, the user is able to send messages and the messages are being delivered. So...authentication failed but user is still able to relay the message. What do we do to fix this?
 
Thanks for the info. Took a look and don't think it addresses my specified problem.
First, our email client is Eudora9 (though I think that matters little) and more importantly, though the logs show the account failed to authenticate and the reject log shows the message rejected, the messages are being relayed and delivered.
Have been doing it all day long...
 
John,

If you're using the standard exim.conf file I wrote, then your system can't relay.

If you've made changes, then you're on your own.

But I just tried to relay email through your system, and it didn't let me.

So I think you're fine.

Jeff
 
You must have missed the last post in that thread. The problem was that you are failing to authenticate with the 'plain' authenticator and the 'login' authenticator works. In the last post the poster says that he added an almost duplicate smtpauth function in exim.pl, for example in exim.pl:
Code:
sub smtpauth
{
        $username       = Exim::expand_string('$1');
        $password       = Exim::expand_string('$2');
---cut---
}
sub smtpplainauth
{
        $username       = Exim::expand_string('$2');
        $password       = Exim::expand_string('$3');
---cut---
}
and exim.conf
Code:
begin authenticators

plain:
    driver = plaintext
    public_name = PLAIN
    server_condition = "${perl{smtpplainauth}}"
    server_set_id = $2

login:
    driver = plaintext
    public_name = LOGIN
    server_prompts = "Username:: : Password::"
    server_condition = "${perl{smtpauth}}"
    server_set_id = $1

Due to the way exim works, when the 'plain' authenticator fails it tries the next one if it exists. In this case it is the 'login' authenticator. The first one always fails because the username and password were being accepted in the wrong order.
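The argument order described in the post above, as an added example that is not part of the original thread: AUTH PLAIN sends one base64 string with three NUL-separated fields (authorization id, username, password), while AUTH LOGIN answers one prompt per variable, so the same `$1`/`$2` reading cannot serve both. The credentials and function names are constructed for illustration.

```python
import base64

def exim_vars_plain(response_b64):
    """Split an AUTH PLAIN response into $1..$3 (authzid NUL authcid NUL passwd)."""
    fields = base64.b64decode(response_b64).split(b"\0")
    if len(fields) != 3:
        raise ValueError("PLAIN needs exactly three NUL-separated fields")
    return {f"${i}": v.decode() for i, v in enumerate(fields, 1)}

def exim_vars_login(responses_b64):
    """Map AUTH LOGIN prompt answers to $1, $2 (one variable per prompt)."""
    return {f"${i}": base64.b64decode(r).decode()
            for i, r in enumerate(responses_b64, 1)}

def credentials(variables, user_var, pass_var):
    """Return the (username, password) pair a handler sees for the chosen variables."""
    return variables.get(user_var, ""), variables.get(pass_var, "")

# Constructed sample credentials (not from the thread)
USER, PASSWORD = "user@example.com", "s3cret"
PLAIN_SAMPLE = base64.b64encode(f"\0{USER}\0{PASSWORD}".encode()).decode()
LOGIN_SAMPLE = [base64.b64encode(s.encode()).decode() for s in (USER, PASSWORD)]

if __name__ == "__main__":
    plain = exim_vars_plain(PLAIN_SAMPLE)
    login = exim_vars_login(LOGIN_SAMPLE)
    # Reading PLAIN the way smtpauth reads LOGIN shifts every field by one:
    # the username arrives empty and the password slot holds the username.
    print("PLAIN via $1/$2:", credentials(plain, "$1", "$2"))
    # Reading PLAIN the way smtpplainauth does lines the fields up again.
    print("PLAIN via $2/$3:", credentials(plain, "$2", "$3"))
    print("LOGIN via $1/$2:", credentials(login, "$1", "$2"))
```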
 
Hi guys...

I am hoping I am not just too dumb here but I still am confused here. I noticed in the log that the post made by jlasman was rejected and not sent. What I am trying to understand is the user that is using our mail server does not have an account on our server. Therefore, it only makes sense to me that when he sends a message from his email client (configured with IMAP), that the message is being sent even though the logs say that authentication failed. The logs don't say his attempt was rejected, just failed. It is my understanding that message should be rejected.
Can you help understand?
 
The failed login as I was saying is due to the plain authenticator not accepting the parameters in the correct order. Exim will try the next authenticator configured and with DA that is the login authenticator. That one is the one working for you, that is why the message actually gets sent. If the user does not exist at all on your system, then they will fail all authenticators and the message will be rejected.
 
John,

A nonuser can only send mail through your server to a user on the server. S/he cannot send email off the server.

That's what my test showed.

I believe my trial was definitive; I did it from the command-line by the way, using:

telnet 12.34.56.78 25

where the mx of your tudads domain was used instead of the 12.34.56.78.

Jeff
 
toml said:
The failed login as I was saying is due to the plain authenticator not accepting the parameters in the correct order. Exim will try the next authenticator configured and with DA that is the login authenticator. That one is the one working for you, that is why the message actually gets sent. If the user does not exist at all on your system, then they will fail all authenticators and the message will be rejected.

Note: the capitalization of 'not' is not yelling but making sure it is noticed...hopefully it won't ruffle too many feathers :)

....and what I am hoping to convey is the user does NOT exist on the system at all and the message was NOT rejected.

I have done my own little test and here are my results:
1. Setup a user email account (that does NOT exist on the server). Configure mailbox to use POP3.
Next, I draft a message with Outlook Express or Eudora9 and send the message. Message is unable to send via SMTP port 25.
EXIM logs in DA show message rejected.
Working just as you say.....

2. Setup a user email account (that does NOT exist on the server). Configure mailbox to use IMAP.
Next, I draft a message with Outlook Express or Eudora9 and send the message. Message is sent and delivered.

I don't know how to express any more clear than the example the problem we see...that is when using IMAP, any tom, dick, or jane can send email simply by using the mail server. The only caveat to the issue with IMAP is the user can NOT see any folders of the mail account because 1) there are no folders because the account does not exist 2) the account exists but proper authentication is not being provided. Nonetheless, the user is still being able to send the message.
 
IMAP has nothing to do with sending emails. That is just a method of reading. You need to look at the SMTP parameters for that account. Also, if that computer had checked a valid email account within 30 minutes popb4smtp would have kicked in and you would be able to send, because your IP address is on a temporary allowed list.
 
Maybe the IP address thing is the reason. We run on an internal network that is connected to the internet using a firewall and proxy. All accounts that leave this site are issued the same IP.

this be one scary thought!!!
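A log check for the situation discussed in this thread, added here as an example and not posted by any participant: it lists messages Exim accepted from an IP that had earlier failed SMTP AUTH where the arrival line carries no `A=` (authenticator) field, meaning the relay was allowed by something other than authentication, such as the pop-before-SMTP IP list. The log lines are constructed in Exim's main-log layout, and the function name is an assumption.

```python
import re

# Constructed log lines (not taken from the thread)
SAMPLE_LOG = """\
2004-10-26 04:34:52 login authenticator failed for (ws1.example.net) [192.0.2.10]: 535 Incorrect authentication data (set_id=nobody)
2004-10-26 04:34:53 1AAAAA-000001-AA <= sender@example.net H=(ws1.example.net) [192.0.2.10] P=esmtp S=826
2004-10-26 04:40:10 1AAAAA-000002-BB <= user@example.org H=(ws2.example.org) [192.0.2.20] P=esmtp A=login:user S=1201
2004-10-26 04:41:00 plain authenticator failed for (ws2.example.org) [192.0.2.20]: 535 Incorrect authentication data
2004-10-26 04:41:02 1AAAAA-000003-CC <= user@example.org H=(ws2.example.org) [192.0.2.20] P=esmtp A=login:user S=640
"""

FAIL_RE = re.compile(
    r"^\S+ \S+ (\w+) authenticator failed for .*?\[([0-9a-fA-F.:]+)\]")
ACCEPT_RE = re.compile(
    r"^\S+ \S+ (\S+) <= \S+ .*?\[([0-9a-fA-F.:]+)\]")
AUTH_FIELD = re.compile(r"\sA=(\S+)")

def unauthenticated_after_failure(log_text):
    """Return (message_id, ip) for arrivals with no A= field from an IP
    that failed an authenticator earlier in the same log."""
    failed_ips = set()
    findings = []
    for line in log_text.splitlines():
        fail = FAIL_RE.match(line)
        if fail:
            failed_ips.add(fail.group(2))
            continue
        accept = ACCEPT_RE.match(line)
        if not accept:
            continue
        msg_id, ip = accept.groups()
        # An authenticated arrival names its authenticator in A=...;
        # its absence means relay was granted on another basis (e.g. host/IP).
        if ip in failed_ips and not AUTH_FIELD.search(line):
            findings.append((msg_id, ip))
    return findings

if __name__ == "__main__":
    for msg_id, ip in unauthenticated_after_failure(SAMPLE_LOG):
        print(f"{msg_id} accepted from {ip} without SMTP AUTH after a failed login")
```

Behind a shared NAT or proxy address, a hit here can come from a different client than the one whose login failed, so treat each finding as a prompt to review the relay rules for that IP.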
 