On 17/02/2023 23:16 EET Jeff Rogers <dvrsn@diphi.com> wrote:
 
 
Hi all,
 
I recently discovered a configuration issue on my system where a system
user account had a blank rather than invalid or disabled password in the
passwd/shadow database.   The user could not be logged into through
login/telnet/ssh because it was marked as a system account (uid < 100). 
Dovecot also would not authenticate the user for the same reason. 
However, I'm using exim using dovecot_login for authentication, and that
would authenticate the user with a blank and allow me to be used as an
open relay.
 
This is clearly a config issue on my part (since fixed), but should
dovecot_login guard against blank passwords or system users just as a
normal login does?
 
I'm running dovecot 2.2.36 (1f10bfa63)
Exim version 4.96
 
I don't know which software supplies the dovecot_login connector.
 
The SMTP session would include
 
AUTH LOGIN
334 VXNlcm5hbWU6
cG9zdGZpeA==
334 UGFzc3dvcmQ6
             <--  nothing, just a return here
235 Authentication succeeded
DONE
 
Hi!
 
Can you provide logs about this with auth_debug=yes and doveconf -n output?
---
Aki
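
Added example (not part of either message, and not Dovecot or Exim code): a Python sketch that flags the pattern in the quoted session, a 235 following an empty reply to the Password: prompt, and audits passwd/shadow text for empty password fields. The passwd/shadow samples, the function names and uid 89 are constructed; the uid < 100 cutoff is the one stated in the post.

```python
import base64

# SMTP exchange as quoted in the post; the password reply is an empty line.
SESSION = ["AUTH LOGIN", "334 VXNlcm5hbWU6", "cG9zdGZpeA==",
           "334 UGFzc3dvcmQ6", "", "235 Authentication succeeded"]

# Constructed passwd/shadow samples (not the poster's files).
PASSWD = """root:x:0:0:root:/root:/bin/sh
postfix:x:89:89:postfix:/var/spool/postfix:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/sh
"""
SHADOW = """root:$6$constructedsalt$constructedhash:19000:0:99999:7:::
postfix::19000:0:99999:7:::
alice:!:19000:0:99999:7:::
"""


def empty_password_logins(lines):
    """Usernames that received a 235 after an empty reply to the Password: prompt."""
    hits, prompt, user, empty_pw = [], None, None, False
    for line in (raw.strip() for raw in lines):
        if line.startswith("334 "):  # server challenge, base64 encoded
            text = base64.b64decode(line[4:]).decode(errors="replace")
            prompt = text.rstrip(":").lower()
        elif prompt == "username":
            user, prompt = base64.b64decode(line).decode(errors="replace"), None
        elif prompt == "password":
            empty_pw, prompt = (line == ""), None
        elif line[:3].isdigit():  # final status line ends the attempt
            if line.startswith("235") and empty_pw:
                hits.append(user)
            empty_pw = False
    return hits


def blank_shadow_accounts(passwd_text, shadow_text, system_uid_max=100):
    """(user, uid, is_system) for accounts whose shadow password field is empty."""
    rows = (l.split(":") for l in passwd_text.splitlines())
    uids = {f[0]: int(f[2]) for f in rows if len(f) > 2 and f[2].isdigit()}
    found = []
    for f in (l.split(":") for l in shadow_text.splitlines()):
        # Empty field: no password required. "!" or "*": no password can match.
        if len(f) > 1 and f[1] == "":
            uid = uids.get(f[0])
            found.append((f[0], uid, uid is not None and uid < system_uid_max))
    return found


if __name__ == "__main__":
    print(empty_password_logins(SESSION), blank_shadow_accounts(PASSWD, SHADOW))
```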