Hi all,
I recently discovered a configuration issue on my system where a system user account had a blank rather than invalid or disabled password in the passwd/shadow database. The user could not be logged into through login/telnet/ssh because it was marked as a system account (uid < 100). Dovecot also would not authenticate the user for the same reason. However, I'm using exim using dovecot_login for authentication, and that would authenticate the user with a blank and allow me to be used as an open relay.
This is clearly a config issue on my part (since fixed), but should dovecot_login guard against blank passwords or system users just as a normal login does?
I'm running dovecot 2.2.36 (1f10bfa63) Exim version 4.96
I don't know which software supplies the dovecot_login connenector.
The SMTP session would include
AUTH LOGIN 334 VXNlcm5hbWU6 cG9zdGZpeA== 334 UGFzc3dvcmQ6 <-- nothing, just a return here 235 Authentication succeeded DONE